JP2003085150A - Individual authenticating system, individual authenticating method, portable information terminal, portable authenticating medium, authenticating device and storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To safely change the setting of the individual authenticating function of a portable authenticating medium with excellent operability. SOLUTION: An individual is authenticated by transmitting individual authenticating information by radio transmission to an authenticating device from the portable authenticating medium possessed by a user. A transmission of the individual authenticating information on the portable authenticating medium is controlled by operation on a portable terminal by transmitting control information corresponding to the operation executed by the user on the portable terminal to the portable authenticating medium by radio transmission. Since the individual authenticating function and a user interface are physically separated, there is no need to frequently treat the portable authenticating medium for changing the setting on individual authentication of the portable authenticating medium so that safety and convenience are enhanced.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a personal authentication technique for identifying a person, and in particular, personal authentication by wirelessly transmitting personal authentication information from a portable authentication medium held by a user to a personal authentication device. The personal authentication system and the personal authentication method, the portable information terminal, the portable authentication medium, and the storage medium.

More specifically, the present invention relates to a personal authentication system and a personal authentication method for controlling transmission of personal authentication information from a portable authentication medium by a user operation, a portable information terminal, a portable authentication medium, and a storage medium, and in particular, The present invention relates to a personal authentication system and a personal authentication method for controlling transmission of personal authentication information from a mobile authentication medium by an operation on a mobile information terminal owned by a user, a mobile information terminal, a mobile authentication medium, and a storage medium.

[0003]

2. Description of the Related Art Personal authentication for identifying a person has been widely used in various industries for a long time, and is an essential procedure that has deeply penetrated into daily life.

In addition, in recent years when information processing and information communication technology have advanced to a high degree, there are increasing opportunities to connect a plurality of devices to share and exchange data and to collaborate between remote places. There is. The combination of devices that connect to each other is not fixed and spans many. Therefore, in order to prevent information leakage and illegal use due to so-called “spoofing”, an authentication procedure for confirming the identity of the user has been widely adopted.

For example, when using a cash card in a bank or other financial institution, the cash
Authentication is performed by entering the password and password with a dispenser. Personal authentication is used to input a security code in a safety box installed in a hotel or other accommodation facility, to input a password when logging in to a computer, or to keep information on an information terminal confidential.

Recently, a contactless IC card or I
Mobile authentication media such as C chips are becoming widespread, and IC
By storing user information for personal authentication on the chip, it can be used for personal authentication by wireless communication. For example, an IC card reader / writer installed at a cash dispenser, an entrance / exit of a concert hall, a ticket gate at a station, or the like can access an IC card held by a user without contact. In addition, such a portable authentication medium is used as a portable telephone or a PDA (Personal Digital A
ssistant), wearable devices, and other portable information terminals improve convenience in user input operations and information processing for personal identification.

For example, Japanese Unexamined Patent Publication No. 11-262061 discloses a wristwatch type portable device capable of wirelessly transmitting personal identification information to an external device to perform personal authentication. That is, a wristwatch is equipped with a wireless communication means for personal identification ID code, and communication setting is performed by a combination of an ID transmitter and a communication terminal. Also, on the service network side,
By providing the database management function for the correspondence between the personal identification ID and the terminal identification ID, the user can freely change the other terminal or rental terminal of the moving destination and communicate by simply wearing the wristwatch. Communication charges can be charged according to the ID.

In such a case, the user of the terminal does not need to perform a special operation for personal authentication and can easily perform personal authentication.

If you do not want to perform personal authentication,
Some portable information terminals are provided with operation means for disabling the personal authentication function so that the personal authentication procedure can be omitted if necessary.

Further, the portable information terminal itself is provided with means for inputting personal identification information such as a password and biometric information, and the personal authentication function is enabled only when the personal identification information input is correct. There are also things.

However, when the portable information terminal itself is provided with an operating means for enabling / disabling the personal authentication function or a means for inputting personal identification information, the portable information terminal is placed in a wallet. When storing in a place where it is difficult to take out, such as a bag or the back of a bag, it is troublesome to take out the portable information terminal before performing the operation.

If the portable information terminal is stored in a place where it can be easily taken out or is frequently taken in and out in order to eliminate the inconvenience, the portable information terminal may be stolen or lost. There is a risk of unauthorized use by others.

[0013]

An object of the present invention is to provide excellent personal authentication by wirelessly transmitting personal authentication information from a portable authentication medium carried by a user to a personal authentication device. An object is to provide an individual authentication system and an individual authentication method, a mobile information terminal, a mobile authentication medium, an authentication device, and a storage medium.

A further object of the present invention is to provide an excellent personal authentication system and personal authentication method, a mobile information terminal, a mobile authentication medium, and an authentication that can control the transmission of personal authentication information from a mobile authentication medium by a user operation. An object is to provide an apparatus and a storage medium.

A further object of the present invention is to provide an excellent personal authentication system and personal authentication method capable of controlling the transmission of personal authentication information from a mobile authentication medium by an operation on a mobile information terminal possessed by a user. A portable information terminal, a portable authentication medium, an authentication device, and a storage medium are provided.

[0016]

The present invention has been made in consideration of the above problems, and a first aspect thereof is an individual who performs an authentication process for a predetermined authentication device based on personal authentication information. An authentication system, a portable information terminal that provides an operating environment for a user to perform an operation of inputting personal identification information and a setting change operation of a personal authentication function, and an individual for personal authentication processing with the authentication device. Mobile authentication for holding the authentication information and changing the setting of the personal authentication function based on the setting change operation on the mobile information terminal after the user's identity is confirmed using the personal identification information input on the mobile information terminal A personal authentication system comprising a medium, wherein personal authentication processing is performed between the portable authentication medium and the authentication device according to the setting content of the personal authentication function.

However, the term "system" as used herein refers to a logical assembly of a plurality of devices (or functional modules that realize a specific function), and each device or functional module has a single housing. It does not matter whether it is in the body or not.

The second aspect of the present invention is a personal authentication method for physically changing the setting of the personal authentication function separately from the personal authentication processing, wherein the personal identification information by the user on the portable information terminal is used. And performing a setting change operation of the personal authentication function, transferring the setting change information of the personal authentication function including the personal identification information from the portable information terminal to the portable authentication medium, and the setting on the portable authentication medium. Steps to perform user identity verification processing using the identity verification information included in the modification information, steps to change the personal authentication function settings in response to successful identity verification, and the personal authentication function to be turned on. If the personal authentication information is transmitted from the portable authentication medium to the authentication device, the personal authentication process is performed, and in response to the success of the personal authentication process, A personal authentication method characterized by comprising the step of releasing the use of the authentication device limit, the.

According to the personal identification system of the first aspect of the present invention or the personal identification method of the second aspect of the present invention, the setting change information corresponding to the operation performed by the user on the portable information terminal. Is wirelessly transmitted to the mobile authentication medium, the ON / OFF setting of the personal authentication function by the mobile authentication medium can be controlled by an operation on the mobile information terminal.
Therefore, it is not necessary to physically separate the personal authentication function and the user interface and frequently handle the personal authentication medium for changing the personal authentication setting of the personal authentication medium, thereby improving safety and convenience.

Here, it is preferable that data is transmitted and received between the portable information terminal, the portable authentication medium and the authentication device by wireless cryptographic communication.

When the personal authentication function is turned on, personal authentication processing is performed between the portable authentication medium and the authentication device, and the authentication device responds to the success of the personal authentication. It is also possible to release the above-mentioned usage restriction for the user and provide the user with a predetermined business processing service. Further, the authentication device may again limit the use to the user in response to a lapse of a predetermined time after the last reception of the personal authentication information from the portable authentication medium is detected.

As the personal identification information, a personal identification number or biometric information obtained from the user's body or a part thereof can be used. The biometric information mentioned here includes fingerprints,
Unique information for each user, such as the iris, retinal blood vessel pattern, vein pattern, etc., is included.

Further, a third aspect of the present invention is a portable information terminal for changing the setting of the personal authentication function using a portable authentication medium, wherein a transmitting / receiving means for transmitting / receiving data to / from the portable authentication medium and a user Based on the user input means for inputting the personal identification information and the setting change operation of the personal authentication function, and the setting change information including the personal identification information based on the setting change operation input through the user input means. A portable information terminal comprising: a setting change information generating unit that generates the setting change information; and a unit that transmits the generated setting change information to the portable authentication medium via the transmitting and receiving unit.

Here, it is preferable that the transmitting / receiving unit transmits / receives data to / from the portable authentication medium by wireless cryptographic communication.

Further, the user input means may accept a user input of a personal identification number as the personal identification information, and the setting change information generation means may include the input personal identification number in the setting change information.

Alternatively, the user input means acquires biometric information from the user's body or a part thereof, and the setting change information generation means uses the biometric information of the user or characteristic data extracted from the biometric information as the personal identification information. It may be included in the setting change information.

Further, a fourth aspect of the present invention is a portable authentication medium for performing a personal authentication process with a predetermined authenticating device according to a setting change of the personal authentication function from the portable information terminal. A transmitting / receiving unit that transmits / receives data to / from the authentication device, a personal identification unit that verifies the identity based on the personal identification information included in the setting change information received from the portable information terminal, and an individual who holds the personal authentication information of the user. Authentication information holding means, personal authentication function changing means for changing the setting of the personal authentication function according to the setting change information in response to the success of the personal identification by the personal identification means, and the personal authentication function is set to ON. In this case, the personal authentication information transmission control means for transmitting the personal authentication information held in the personal authentication information holding means to the authentication device is provided. Is a portable authentication medium that.

Here, it is preferable that the transmitting / receiving unit transmits / receives data to / from the portable information terminal and the authentication device by wireless cryptographic communication.

The personal identification information may be a personal identification number. In such a case, the personal identification means may collate the personal identification number included in the setting change information received from the portable information terminal with a personal identification number of a genuine user stored in advance.

Alternatively, the personal identification information may be biometric information acquired from the user's body or a part thereof. In such a case, the personal identification means may collate the biometric information contained in the setting change information received from the portable information terminal or its characteristic data with the biometric information of the authentic user or its characteristic data stored in advance. You can do this.

Further, a fifth aspect of the present invention is an authentication device for performing personal authentication with a portable authentication medium, the transmitting / receiving means for transmitting / receiving data to / from the portable authentication medium, and the portable authentication medium. It is characterized by comprising personal authentication processing means for performing personal authentication using the received personal authentication information, and usage restriction control means for releasing the usage restriction for the user in response to the success of the personal authentication processing. Is an authentication device.

Here, it is preferable that the transmitting / receiving means transmits / receives data to / from the portable authentication medium by wireless cryptographic communication.

Further, the use restriction control means may again restrict the use of the authentication device for the user in response to the lapse of time.

A sixth aspect of the present invention is a personal authentication system for performing an authentication process for a predetermined authentication device based on the personal authentication information, which is an operation of inputting personal identification information for a user and a personal authentication function. The operation environment for performing the setting change operation of, and the portable information terminal that outputs the setting change information of the personal authentication function after the user's identity confirmation using the input identity confirmation information, and the authentication device In addition to holding personal authentication information for personal authentication processing,
A portable authentication medium for changing the setting of the personal authentication function based on the setting change operation on the portable information terminal, and personal authentication processing is performed between the portable authentication medium and the authentication device according to the setting content of the personal authentication function. It is a personal authentication system that is characterized by:

A seventh aspect of the present invention is a personal authentication method for physically changing the setting of the personal authentication function separately from the personal authentication processing, wherein the personal identification information by the user on the portable information terminal is used. And a step of changing the setting of the personal authentication function, a step of confirming the identity of the user on the portable information terminal, and a step of performing the identity verification in response to the success of the identity verification. The step of transferring the setting change information of the function from the portable information terminal to the portable authentication medium, the step of changing the setting of the personal authentication function based on the setting change information from the portable information terminal, and the setting of the personal authentication function being turned on. The personal authentication information from the portable authentication medium to the authentication device to perform the personal authentication process, and in response to the success of the personal authentication process, the authentication for the user is performed. A personal authentication method characterized by comprising the step of releasing the restriction of the use of device.

According to the personal identification system of the sixth aspect of the present invention or the personal identification method of the seventh aspect of the present invention, the setting change information corresponding to the operation performed by the user on the portable information terminal. Is wirelessly transmitted to the mobile authentication medium, the ON / OFF setting of the personal authentication function by the mobile authentication medium can be controlled by an operation on the mobile information terminal.
Therefore, it is not necessary to physically separate the personal authentication function and the user interface and frequently handle the personal authentication medium for changing the personal authentication setting of the personal authentication medium, thereby improving safety and convenience.

Here, it is preferable that data is transmitted and received between the mobile information terminal, the mobile authentication medium, and the authentication device by wireless cryptographic communication.

When the personal authentication function is turned on, personal authentication processing is performed between the portable authentication medium and the authentication device, and the authentication device responds to the success of the personal authentication. It is also possible to release the above-mentioned usage restriction for the user and provide the user with a predetermined business processing service. Further, the authentication device may again limit the use to the user in response to a lapse of a predetermined time after the last reception of the personal authentication information from the portable authentication medium is detected.

As the personal identification information, a personal identification number or biometric information obtained from the user's body or a part thereof can be used. The biometric information mentioned here includes fingerprints,
Unique information for each user, such as the iris, retinal blood vessel pattern, vein pattern, etc., is included.

The eighth aspect of the present invention is a portable information terminal for changing the setting of a personal authentication function using a portable authentication medium, wherein a transmitting / receiving means for transmitting / receiving data to / from the portable authentication medium and a user User input means for performing an operation of inputting personal identification information and an operation of changing the setting of the personal authentication function, personal identification means for performing personal identification using the personal identification information input via the user input means, and personal identification In response to the success of the setting change information generation means for generating setting change information based on the setting change operation via the user input means, and the generated setting change information via the transmitting / receiving means. A means for transmitting to a portable authentication medium, and a portable information terminal.

Here, it is preferable that the transmitting / receiving means transmits the setting change information with the electronic signature to the portable authentication medium by wireless cryptographic communication.

Further, the user input means receives the user input of the personal identification number as the personal identification information, and the personal identification means compares the personal identification number input by the user with the personal identification number of the authentic user stored in advance. You may do it.

Alternatively, the user input means acquires biometric information from the user's body or a part thereof, and the personal identification means stores in advance the biometric information input by the user or the characteristic data extracted from the biometric information. You may make it collate with the existing authentic user's characteristic data or its biometric information.

Further, a ninth aspect of the present invention is a portable authentication medium for performing a personal authentication process with a predetermined authenticating device according to a setting change of the personal authentication function from the portable information terminal. A transmitting / receiving means for transmitting / receiving data to / from the authentication device, a personal authentication information holding means for holding personal authentication information of the user, and a personal authentication function for changing the setting of the personal authentication function according to the setting change information received from the portable information terminal. And a personal authentication information transmission control means for transmitting the personal authentication information held in the personal authentication information holding means to the authentication device when the personal authentication function is set to ON. It is a portable authentication medium characterized by

Here, it is preferable that the transmitting / receiving unit transmits / receives data to / from the portable information terminal and the authentication device by wireless cryptographic communication and confirms an electronic signature received from the portable information terminal.

Further, a tenth aspect of the present invention is a computer described so as to execute on a computer system a personal authentication process for physically changing the setting of the personal authentication function separately from the personal authentication process. A storage medium that physically stores the software in a computer-readable format,
The computer software includes a step of inputting personal identification information and a setting change operation of the personal authentication function by the user on the portable information terminal, and setting change information of the personal authentication function including the personal identification information from the portable information terminal. The step of transferring to the mobile authentication medium, the step of performing identity verification processing of the user using the identity verification information included in the setting change information on the mobile authentication medium, and the personal authentication in response to the successful identity verification. The step of changing the setting of the function,
When the personal authentication function is set to ON, a step of performing personal authentication processing by transmitting personal authentication information from the portable authentication medium to the authentication device, and responding to the success of the personal authentication processing to the user And a step of releasing the use restriction of the authentication device.

Further, an eleventh aspect of the present invention is a computer described so as to execute on a computer system a personal authentication process for physically changing the setting of the personal authentication function separately from the personal authentication process. A storage medium that physically stores the software in a computer-readable format,
The computer software has a step of inputting personal identification information and a setting change operation of the personal authentication function by the user on the mobile information terminal, a step of performing the personal identification processing of the user on the mobile information terminal, and succeeding in the personal identification. In response to this, a step of transferring the personal authentication function setting change information including the personal identification information from the portable information terminal to the portable authentication medium, and the personal authentication function setting information based on the setting change information from the portable information terminal. If the personal authentication function is set to ON, the step of changing the setting, the step of transmitting the personal authentication information from the portable authentication medium to the authentication device to perform the personal authentication process, and And a step of releasing the use restriction of the authentication device to the user in response to the storage medium.

The storage medium according to each of the tenth and eleventh aspects of the present invention provides computer software in a computer-readable format to a general-purpose computer system capable of executing various program codes, for example. It is a medium. Such a medium is, for example, a CD (Comp
act Disc), FD (Floppy Disc), MO (Magneto-Opt)
ical disc) is a removable and portable storage medium. The storage medium mentioned here may be realized not only as a package medium but also as a semiconductor memory or a magnetic disk in which a program is temporarily or permanently stored.
Alternatively, it is technically possible to provide computer software to a specific computer system via a transmission medium such as a network (whether the network is wireless or wired).

Such a storage medium defines a structural or functional cooperative relationship between the computer software and the storage medium for realizing a predetermined function of the computer software on the computer system. Is. In other words, the predetermined computer software is installed in the computer system via the program storage medium according to each of the tenth and eleventh aspects of the present invention, whereby the cooperative action is exerted on the computer system. , The same effects as the personal authentication system or the personal authentication method according to the first and second aspects of the present invention, or the personal authentication system or the personal authentication method according to the sixth and seventh aspects of the present invention. Obtainable.

Still other objects, features and advantages of the present invention are as follows.
It will be clarified by a more detailed description based on embodiments of the present invention described below and the accompanying drawings.

[0051]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below in detail with reference to the drawings.

First Embodiment: FIG. 1 shows a first embodiment of the present invention.
1 schematically shows the overall configuration of the personal authentication system according to the exemplary embodiment. As shown in the figure, this personal authentication system includes an authentication device 3 that authenticates a user individually, and personal authentication information (user ID) possessed by each user who needs personal authentication.
Etc.) and a portable authentication medium 2 that can be transmitted at the same time,
The portable information terminal 1 is provided with a user interface for switching on / off the personal authentication function of the authentication device 3.

A user who needs personal authentication uses the portable authentication medium 2 and the portable information terminal 1 in combination. In addition,
Although not shown in order to prevent the drawing from becoming complicated, usually, a large number of sets of mobile authentication media 2 and mobile information terminals 1 can be connected to one authentication device 3.

The authentication device 3 is, for example, an ATM (Automatic Te) which allows the start of a predetermined processing procedure through personal authentication.
ller Machine) and other authentication devices.

The portable authentication medium 2 is composed of an IC card, a memory stick, a wearable device, etc., and is not particularly limited as long as it can transmit personal authentication information by wireless communication and is convenient to carry.

The mobile information terminal 1 is a mobile phone or P
DA (Personal Digital Assistant), notebook,
It is composed of a device, such as a computer, which can be carried by a user and provides a user interface for performing a user input operation.

The operation of the portable information terminal 1 is totally controlled by the control unit 7. The control unit 7, for example,
RAM (Random) that consists of a microcomputer and is used to load programs and save work data
Access Memory), a ROM (Read Only Memory) for permanently storing a program code and predetermined data (neither is shown). The control unit 7 includes
The operation unit 12, the received signal management unit 8, the setting change information generation unit 9, and the display 13 are connected by a bus (not shown) or the like to control each unit.

The setting change information generation unit 9 is connected to the transmission / reception unit 4 via the encryption unit 11, and the received signal processing unit 8 is also included.
Is connected to the transmission / reception unit 4 via the decoding unit 10,
The transmission / reception operation with the portable authentication medium 2 can be controlled respectively.

The encryption unit 11 is connected to the encryption key storage unit 15. The encryption key storage unit 15 stores an encryption key E1 for decryption only with the decryption key D1 stored in the decryption key storage unit 29 of the portable authentication medium 2.

The decryption unit 10 is connected to the decryption key storage unit 14. The decryption key storage unit 14 stores a decryption key D2 for decrypting the data encrypted with the encryption key E2 stored in the encryption key storage unit 28 of the portable authentication medium 2.

The transmitting / receiving section 4 is adapted to wirelessly transmit / receive data to / from a device outside the portable information terminal 1, and the communicable distance thereof is, for example, about several meters. Upon receiving the encrypted data from the encryption unit 11, the transmission / reception unit 4 transmits this to the outside. Further, the encrypted data received by the transmission / reception unit 4 is decrypted by the decryption unit 10.

The operation section 12 constitutes a user interface of the portable information terminal 1 together with the display 13. In this embodiment, the operation unit 12 provides a means for the user to select ON / OFF of the personal authentication function in the portable authentication medium 2 and an operation means for inputting the personal identification information.

The means for selecting ON / OFF of the personal authentication function is implemented in the form of a selection button, for example, and the ON / OFF of the personal authentication function is selected from the menu displayed on the display 13. This selection means
With a single button, pressing the button may be regarded as selecting the command opposite to the current state.

In response to the user's selection by the ON / OFF selection means, a message prompting the user to enter the personal identification information is displayed on the display 13. The means for inputting the personal identification information can be composed of, for example, a ten-key pad capable of inputting a personal identification number. When the personal identification number is input, it is output to the encryption unit 11 together with the authentication function ON / OFF signal corresponding to the command selected by the ON / OFF selection means.

The operating means may be constructed by using a keyboard, and in this case, a personal identification number or a password can be input as the personal identification information.

Alternatively, the operating means may be a biometrics sensor unit (described later), in which case biometric information (fingerprint, iris, retinal blood vessel pattern, vein pattern, etc.) can be input as the personal identification information. When the operation means is a biometrics sensor unit, the portable information terminal 1 is provided with means for extracting the characteristic data of the input biometric information, and outputs the extracted characteristic data to the encryption unit 11. It is preferable to configure.

When the operating means is used only for inputting the personal identification information, the on / off selecting means may be omitted. Further, when the selected command is a command for turning off the personal authentication function, the input of the personal identification information may be omitted.

The setting change information generating section 9 generates setting change information including the personal identification information and the authentication function ON / OFF signal input from the operating section 12.

When the transmission / reception unit 4 receives a setting change confirmation signal transmitted from the portable authentication medium 2 which will be described later, the reception signal processing unit 8 confirms the content and displays a message or symbol displayed on the display 12. Make a decision.

The operation of the portable authentication medium 2 is totally controlled by the control unit 17. The control unit 17 is bus-connected to the reception management unit 18, the personal authentication confirmation signal generation unit 22, the operator authentication unit 23, and the personal authentication information transmission control unit 21, and controls each unit.

The personal authentication information transmission control section 21 and the setting change confirmation signal generation section 22 are connected to the transmission / reception section 5 via the encryption section 20, and the operator authentication section 23 is connected to the decryption section 19.
It is connected to the transmission / reception unit 5 via the, and generates and manages information transmitted / received.

The transmission / reception unit 5 is adapted to transmit / receive data to / from a device outside the portable authentication medium 2, the communicable distance is, for example, about several meters, and the eyes of the user carrying the portable authentication medium 2 are visible. The communication range is the distance within reach. The transmission / reception unit 5 receives the encrypted data from the encryption unit 20 and transmits it to the outside. Further, the encrypted data received by the transmission / reception unit 5 is decrypted by the decryption unit 19.

The encryption unit 20 is connected to the encryption key storage unit 28. The encryption key storage unit 28 includes an encryption key E2 for decryption only with the decryption key D2 stored in the decryption key storage unit 14 of the mobile information terminal 1, and the decryption key storage unit 34 of the authentication device 3. Decryption key D3 stored in (described later)
An encryption key E3 for encryption so that it can be decrypted is stored.

The decryption unit 19 is connected to the decryption key storage unit 29. The decryption key storage unit 29 stores a decryption key D1 for decrypting the data encrypted with the encryption key E1 stored in the encryption key storage unit 15 of the mobile information terminal 1.

The personal authentication flag storage section 24 is adapted to store a "personal authentication flag" indicating whether or not the portable authentication medium 2 permits the authentication device 3 to transmit the authentication information. The personal authentication flag has a value of either on or off.

The personal identification number storage section 25 stores the personal identification number of the user in advance. Operator authentication unit 23
When the setting change information decrypted by the decryption key D1 is received via the reception management unit 18, compares the personal identification number included in the setting change information with the personal identification number stored in the personal identification number storage unit 25. If they match, the personal authentication flag stored in the personal authentication flag storage unit 24 is changed to a value corresponding to the personal authentication on / off signal. After that, the personal authentication confirmation signal generation unit 22 generates a personal authentication confirmation signal, the encryption unit 20 encrypts the signal with the encryption key E2, and the transmission / reception unit 5 transmits the signal to the authentication device 3.

The personal authentication information storage unit 27 stores personal authentication information including the user ID of the owner of the card, that is, the portable authentication medium.

The personal authentication information transmission control unit 21 uses the oscillator 2
According to the clock oscillated by 6, the personal authentication flag stored in the personal authentication flag storage unit 24 is checked at predetermined time intervals, and the transmission of the personal authentication information is controlled according to the content of the personal authentication flag. That is, the personal authentication flag is confirmed, and if the personal authentication flag is on, the personal authentication information stored in the personal authentication information storage unit 27 is sent to the encryption unit 28. The encryption unit 28 encrypts the received personal authentication information with the encryption key E3, and the transmission / reception unit 5 transmits this to the authentication device 3.

Further, the portable authentication medium 2 according to this embodiment.
Includes mobile communication means (not shown). The portable authentication medium 2 can receive the personal authentication function off signal from the mobile communication means, and the user can use the portable information terminal 1 to identify the individual of the portable authentication medium 2 even if the portable authentication medium 2 is not near the portable authentication medium 2. The authentication function can be turned off.

The authentication device 3 is an ATM (Automatic Tell) that allows the start of a predetermined processing procedure through, for example, personal authentication.
er Machine) and other authentication devices, and the control unit 3
The operation is controlled comprehensively by 5.

The control section 35 is composed of, for example, a microcomputer, and is a RAM (Random Access Memory) used for loading programs and storing work data.
In addition, a ROM (Read Only Memory) for permanently storing a program code and predetermined data (none of them is shown) is provided. The reception information management unit 30 and the personal authentication unit 31 are connected to the control unit 35 and control each unit.

The reception information management unit 30 is connected to the transmission / reception unit 6 via the decoding unit 32, and manages the data received by the transmission / reception unit 6.

The transmission / reception unit 6 is adapted to wirelessly transmit / receive data to / from a device outside the authentication device 3, and its communicable distance is, for example, about several meters. The encrypted data received by the transmitting / receiving unit 6 is decrypted by the decrypting unit 32.

The decryption unit 32 is connected to the decryption key storage unit 34. The decryption key storage unit 34 stores a decryption key D3 for decrypting the data encrypted with the encryption key E3 stored in the encryption key storage unit 28 of the portable authentication medium 2.

The personal information storage unit 33 stores at least one user ID of a person who is permitted to use the authentication device 3.
I remember more than one. Further, setting information for customizing the authentication device 3 for each successfully authenticated user may be stored together.

The personal authentication unit 31 searches the personal information storage unit 33 for a user ID that matches the user ID included in the personal authentication information transmitted from the portable authentication medium 2, and if found, corresponds to that user ID. Authenticate individual users. Then, in response to the successful authentication, the use restriction in the authentication device 3 is released.

Further, in response to the lapse of a predetermined time (detection of unused), the personal authentication section 31 shifts the authentication device 3 to the use restricted state again.

When a plurality of records are stored in the personal information storage unit 33 so that only one person can use the authentication device 3 at the same time, the personal authentication unit 3 can be used while the personal authentication of the authentication device 3 is being performed. It is desirable to lock the function of 31.

Next, the operation of the personal identification system shown in FIG. 1 will be described with reference to FIG.

First, a processing procedure for switching on / off the personal authentication function on the portable authentication medium 2 will be described.

When the personal authentication function of the portable authentication medium 2 is turned off, a message to that effect or a symbolic symbol is displayed on the display 13 of the portable information terminal 1.

The user can select a command to turn on the personal authentication function of the portable authentication medium 2 by operating the operation unit 12.

In response to such a user selection operation, a message prompting the input of the personal identification number is displayed on the display 13. When the user inputs the personal identification number using the ten-key pad or the like, the personal identification number is temporarily stored in the personal identification number register 16.

The setting change information generating unit 9 generates setting change information including the personal identification number stored in the personal identification number register 16 and the authentication function ON signal, and sends it to the encryption unit 11. The encryption unit 11 uses the encryption key E stored in the encryption key storage unit 15.
1, the setting change information is encrypted, and the transmission / reception unit 4 transmits this to the portable authentication medium 2.

On the portable authentication medium 2 side, when the setting change information encrypted by the transmission / reception unit 5 is received, it is sent to the decryption unit 19 and the decryption key D1 stored in the decryption key storage unit 29.
Is decrypted using. The decrypted setting change information is
It is sent to the operator authentication unit 23 via the reception management unit 18.

The operator authenticating section 23 compares the personal identification number included in the setting change information with the personal identification number stored in the personal identification number storage section 25. And if they match,
The personal authentication flag stored in the personal authentication flag storage unit 24 is changed to the value ON corresponding to the personal authentication function ON signal. At the same time, the setting change confirmation signal generation unit 22 generates an authentication function ON confirmation signal.

The authentication function ON confirmation signal is encrypted by the encryption unit 20 using the encryption key E2, and then the transmission / reception unit 5
Replies to the portable information terminal 1.

On the portable information terminal 1 side, when the transmission / reception unit 4 receives the authentication function ON confirmation signal transmitted from the portable authentication medium 2, the decryption unit 10 decrypts it using the decryption key D2 and then the received signal. The management section 8 confirms the content. Then, the display 13 displays a message indicating that the personal authentication function of the mobile authentication medium 2 is set to ON, a symbolic symbol, or the like.

On the contrary, when it is desired to switch the personal authentication function of the mobile authentication medium 2 from on to off, the user operates the operation unit 12 to operate the personal authentication function of the mobile authentication medium 2 as described above. Select the command to turn off.

In response to such a user selection operation, a message prompting the input of the personal identification number is displayed on the display 13. When the user inputs the personal identification number using the ten-key pad or the like, the personal identification number is temporarily stored in the personal identification number register.

The setting change information generating unit 9 generates setting change information including the personal identification number stored in the personal identification number register 16 and the authentication function off signal, and sends it to the encryption unit 11. The encryption unit 11 uses the encryption key E stored in the encryption key storage unit 15.
1, the setting change information is encrypted, and the transmission / reception unit 4 transmits this to the portable authentication medium 2.

On the portable authentication medium 2 side, when the setting change information encrypted by the transmitting / receiving unit 5 is received, it is sent to the decrypting unit 19 and the decryption key D1 stored in the decryption key storage unit 29.
Is decrypted using. The decrypted setting change information is
It is sent to the operator authentication unit 23 via the reception management unit 18.

The operator authenticating section 23 compares the personal identification number contained in the setting change information with the personal identification number stored in the personal identification number storage section 25. And if they match,
At the same time as changing the personal authentication flag stored in the personal authentication flag storage unit 24 to the value off corresponding to the personal authentication function off signal, the setting change confirmation signal generation unit 22 generates the authentication function off confirmation signal. The authentication function off confirmation signal is encrypted by the encryption unit 20 using the encryption key E2, and then returned from the transmission / reception unit 5 to the portable information terminal 1.

On the portable information terminal 1 side, when the transmission / reception unit 4 receives the authentication function off confirmation signal transmitted from the portable authentication medium 2, the decryption unit 10 decrypts it using the decryption key D2 and then the received signal. The management section 8 confirms the content. Then, on the display 13, a message indicating that the personal authentication function of the mobile authentication medium 2 is set to OFF, a symbolic symbol, or the like is displayed.

Next, a processing procedure for performing personal authentication of the authentication device 3 using the portable authentication medium 2 will be described.

In the portable authentication medium 2, the personal authentication information transmission control unit 21 confirms the personal authentication flag stored in the personal authentication flag storage unit 24 at predetermined time intervals according to the clock oscillated by the oscillator 26.

When the personal authentication flag is on, personal authentication information is generated and sent to the encryption section 20. The personal authentication information is encrypted by the encryption unit 20 using the encryption key E3, and then transmitted from the transmission / reception unit 5 to the authentication device 3. on the other hand,
If the personal authentication information transmission control unit 21 confirms that the personal authentication flag is OFF, the process ends.

On the authentication device 3 side, when the encrypted personal authentication information is received by the transmission / reception unit 6, it is decrypted by the decryption unit 32.
Then, the data is decrypted using the decryption key D3 and then sent to the personal authentication unit 31.

The personal authentication section 31 searches the personal information storage section 33 for a record having the same user ID as the user ID included in the personal authentication information, and if found, releases the use restriction of the authentication device 3. Further, various settings of the authentication device 3 may be performed based on the setting contents stored in the record. On the other hand, if no record is found, this processing ends.

Further, when a predetermined time has passed since the last reception of the personal authentication information was detected (unused detection), each unit is controlled so as to restrict the use of the authentication device 3 again.

Second Embodiment: FIG. 2 shows a second embodiment of the present invention.
1 schematically shows the overall configuration of the personal authentication system according to the exemplary embodiment. As shown in the figure, this personal authentication system includes one or more authentication devices 103 for authenticating individual users.
And a portable authentication medium 102, which is possessed by each user who needs personal authentication and holds personal authentication information (such as a user ID), and which can be transmitted, and a user for turning on / off the personal authentication function of the authentication device 103. A mobile information terminal 101 that provides an interface.

A user who needs personal authentication uses the portable authentication medium 102 and the portable information terminal 101 in combination. Although not shown in order to prevent the drawing from becoming complicated,
Usually, a large number of sets of portable authentication media 102 and portable information terminals 101 can be connected to one authentication device 103.

The authentication device 103 is, for example, an ATM (Automati) that is permitted to start a predetermined processing procedure through personal authentication.
c Teller Machine) and other authentication devices.

The portable authentication medium 102 is composed of an IC card, a memory stick, a wearable device, etc., and is not particularly limited as long as it can transmit personal authentication information by wireless communication and is convenient to carry.

The portable information terminal 101 is a device such as a mobile phone, a PDA (Personal Digital Assistant), a notebook computer, etc. that can be carried by the user and provides a user interface for user input operation. Composed.

The authentication device 103, the portable authentication medium 102, and the portable information terminal 101 are respectively the wireless communication module 10.
6, 105, 104 are provided, and wireless communication can be performed between these wireless communication modules. Also, in the wireless communication module, connection establishment / disconnection between specific terminals,
Processing related to various communications such as encryption of data transmitted wirelessly is performed. The maximum communicable distance between the wireless communication modules may be about 10 m, for example. For example, IEEE80
The wireless communication module can be configured by using a short-distance wireless communication means such as 2.11, Bluetooth.

The operation of the portable authentication medium 102 is totally controlled by the control unit 122. Control unit 122
Is a personal authentication information generation unit 124 and a setting change control unit 12
3, the characteristic data matching unit 129, and the personal authentication control unit 12
It is connected to 5 and controls each part.

The valid authentication device ID storage section 128 is adapted to store a list of authentication device IDs of terminals, that is, the authentication device 103, which the portable authentication medium 120 permits to transmit personal authentication information.

The characteristic data storage unit 126 stores characteristic data extracted from the biometric information of the authentic user of the portable authentication medium 102.

When the characteristic data matching unit 129 receives the setting change information (described later) transmitted from the portable information terminal 101 via the wireless communication module 105, the characteristic data storage unit 126 stores the characteristic data included in the setting change information. It is compared with the feature data that has been recorded. Then, when it is determined that both are the characteristic data obtained from the same person, the list of the authentication device IDs stored in the valid authentication device ID storage unit 128 is changed to the list of the authentication device IDs included in the setting change information. .

The personal authentication information storage unit 127 stores personal authentication information including the user ID of the owner of the portable authentication medium 102.

Authentication device 103 or portable information terminal 10
When the connection with the wireless communication module 1 is established between the wireless communication modules, the personal authentication control unit 125 causes the valid authentication device ID storage unit 128 to store the authentication device ID of the authentication device 103 or the portable information terminal 101 as the communication partner. Check if it is in the list of authenticator IDs. And
If found in the authentication device ID list, the personal authentication information generation unit 124 causes the personal authentication information storage unit 127.
Authentication device 103 using the personal authentication information stored in
Data to be transmitted to the wireless communication module 10
Send through 5. On the other hand, the valid authentication device ID storage unit 1
If the corresponding authentication device ID is not found even after searching 28, the present process is terminated.

Further, the portable authentication medium 10 according to the present embodiment.
2 includes mobile communication means (not shown). The mobile authentication medium 102 can receive the personal authentication function OFF signal from the mobile communication means, and the user can use the mobile information terminal 101 even when the mobile authentication medium 102 is not near the mobile authentication medium 102.
The personal authentication function of the portable authentication medium 102 can be turned off.

The authentication device 103 is an ATM (Automatic) that allows the start of a predetermined processing procedure through, for example, personal authentication.
(Teller Machine) and other authentication devices, and the operation is centrally controlled by the control unit 133.

The control unit 133 is composed of, for example, a microcomputer, and is used as a RAM (Random Access Memor) for loading programs and storing work data.
y), a ROM (Read Only Memory) for permanently storing a program code and predetermined data (neither is shown). The control unit 133 is connected to each functional module in the device 103 such as the personal authentication unit 112 and controls each unit.

The authentication device 103 also includes a personal information database 119. The personal information database 119 stores at least one record of a user who is permitted to use the authentication apparatus 103. At least a user ID is stored in each record.

As shown in FIG. 2, the personal information database 119 can be constructed on the database server 108 outside the authentication device 103. In such cases,
The network 107 by the network connection unit 131
It is configured to connect to the authentication device 103 via.

[0128] The personal authenticating section 112 uses the portable authentication medium 102
User ID included in the personal authentication information sent from
The personal information database 119 is searched for a user ID that matches. Then, when the corresponding record is found, the user individual corresponding to the user ID is authenticated,
The use restriction of the authentication device 103 is released.

Further, the personal authentication unit 112 disconnects the communication between the wireless communication module 106 of the authentication device 103 and the wireless communication module 105 of the portable authentication medium 102, such as when the user carrying the portable authentication medium 102 leaves the authentication device. If it is detected, the use of the authentication device 103 is restricted again. In addition, the personal information database 119
If a plurality of records are stored in the authentication device 103 but only one authentication device 103 can be used at the same time, the function of the personal authentication unit 112 should be locked while the personal authentication of the user of the authentication device 103 is being performed. Is desirable.

The operation of the portable information terminal 101 is totally controlled by the control unit 109. Control unit 109
Is, for example, a microcomputer that is used for loading programs and storing work data.
AM (Random Access Memory), ROM (Read Only) that permanently stores program code and predetermined data
Memory) etc. (none of them are shown). The control unit 109 includes an operation unit 114 and a characteristic data extraction unit 11
0, the setting change information generation unit 111, and the personal authentication unit 112
And the display 113 are connected to each other by a bus (not shown) or the like to control each unit.

As with the authentication device 103, the portable information terminal 10
The personal authentication unit 112 of No. 1 is connected to the personal information database 119, and can perform personal authentication by searching the personal information database 119 for a user ID included in the personal authentication information transmitted from the mobile authentication medium 102. it can. When personal authentication of the portable information terminal 101 is not performed, the setting change information is restricted except for the portion related to transmission.

In the example shown in FIG. 2, the personal information database 119 is provided in the portable information terminal 101, but of course, the personal information database is constructed on a database server outside the portable information terminal 101, The mobile information terminal 101 may access this via a network.

The operation unit 114 allows the user to carry the portable authentication medium 1
Authentication device 10 for permitting transmission of personal authentication information from 02.
An operation panel 115 for selecting 3 and a biometrics sensor 116 for inputting biometric information are provided.

The operation panel 115 is provided with a selection button for accepting a user operation, and the display 113 is provided.
It is possible to select (a plurality of selections are allowed) from the list of the authentication devices 103 displayed above that the transmission is permitted. Information on the authentication device 103 displayed on the display 113 is acquired from the authentication device database 134. The information of the authentication device 103 stored in the authentication device database 134 may be acquired when the mobile information terminal 101 connects to the authentication device for the first time and stored in the authentication device database 134. Alternatively, the authentication device 103
The information may be acquired via an information transmission unit such as a storage medium or a network and stored in the authentication device database 134. Alternatively, it may be stored at the time of manufacturing, shipping itself, or selling. The authentication device database 134 is a database server (not shown) outside the portable information terminal 101.
It may be constructed on the above and accessible by a predetermined communication means such as a network.

When the user selects the desired authentication device 103 via the operation panel 115, the authentication device ID of the authentication device 103 is temporarily stored in the authentication device ID register 121 and biometric information is input. A message prompting the user is displayed on the display 113.

Also, the biometrics sensor 116
Is input with biometric information. The biometric information referred to here is
For example, it is unique information for each user acquired from the body of the user or a part thereof, such as a fingerprint, a vein pattern, an iris pattern, a voiceprint, and a face image acquired from the body of the user of the portable information terminal 101. is there.

The characteristic data extracting section 110 extracts characteristic data representing the characteristic of the biometric information input from the biometrics sensor 116.

The setting change information generating section 111 is connected to the wireless communication module 104, and the characteristic data extracting section 1
Setting change information including the characteristic data extracted in 10 and the authentication device ID of the authentication device 103 selected via the operation panel 115 is generated. Then, the generated setting change information is transferred to the portable authentication medium 1 via the wireless communication module 104.
Wirelessly transmitted to 02.

Next, the operation of the personal authentication system shown in FIG. 2 will be described with reference to FIG.

First, a procedure for changing the authentication device 103 which permits the portable authentication medium 102 to transmit personal authentication information by an operation on the portable information terminal 101 will be described.

The user brings the portable information terminal 101 close to the portable authentication medium 102, and the wireless communication module 10 of both sides is moved.
A connection between 4 and 105 is established.

The user operates the operation panel 115 of the portable information terminal 101 to operate the portable authentication medium 102.
The setting change command of can be selected.

In response to such a user selection operation, the authentication device database 134 is displayed on the display 113.
A list of authentication devices 103 stored in is displayed. The user selects the portable authentication medium 102 from this list.
It is possible to select (a plurality of selections are possible) the authentication device 103 that is allowed to send personal authentication information.

Further, the user inputs biometric information from the biometrics sensor 116 in accordance with the selection of the authentication device 103. The characteristic data extraction unit 110 extracts characteristic data from the input biometric information. The setting change information generation unit 111 generates setting change information including a list of authentication device IDs of the selected authentication device 103 and characteristic data. Then, after the setting change information is subjected to a predetermined process such as encryption, the setting change information is transmitted to the mobile authentication medium 102 by the wireless communication module 104.

On the side of the portable authentication medium 102, when the wireless communication module 105 receives the setting change information, the characteristic data collating unit 129 stores the characteristic data included in the setting change information in the characteristic data storage unit 126. To match. Then, when it is determined that both are the characteristic data obtained from the same person, the valid authentication device ID
The list of authentication device IDs stored in the storage unit 128 is changed to the list of authentication device IDs included in the setting change information.

Next, a processing procedure for performing personal authentication of the authentication device 103 by the portable authentication medium 102 will be described.

The user brings the portable authentication medium 102 close to the authentication device 103 and establishes a connection between the wireless communication modules 105 and 106 of both.

On the portable authentication medium 102 side, the personal authentication control unit 125 confirms whether or not the same authentication device ID as the authentication device ID of the authentication device 103 of the connection destination exists in the valid authentication device ID storage unit 128. Then, if the corresponding authentication device ID is found in the valid authentication device ID storage unit 128, after the personal authentication information generation unit 124 generates the personal authentication information and performs a predetermined process such as encryption, It is transmitted to the authentication device 103 by the wireless communication module 104.
On the other hand, when the corresponding authentication device ID is not found, this processing is ended as it is.

On the authentication device 103 side, when the personal authentication information is received by the wireless communication module 106, the personal authentication unit 1
12 is a personal information database 119 for records having the same user ID as the user ID included in the personal authentication information.
Search from. Then, when the corresponding user ID is found, the use restriction of the authentication device 103 is released, and various settings of the authentication device 103 are performed based on the setting content stored in the record. On the other hand, the applicable user ID
If is not found, this processing is ended as it is.

Mutual wireless communication modules 105 and 10
When the communication between the six is disconnected, the authentication device 103 is again provided.
Each part is controlled so as to limit the use of. The same personal authentication is performed on the mobile information terminal 101, but the setting change operation is not limited even if the personal authentication information is not transmitted.

Third Embodiment: FIG. 3 shows a third embodiment of the present invention.
1 schematically shows the overall configuration of the personal authentication system according to the exemplary embodiment. As shown in the figure, this personal authentication system includes an authentication device 203 that authenticates a user individually, and a portable device that is possessed by each user who needs personal authentication and that holds personal authentication information (such as a user ID) and that can be transmitted. Authentication medium 2
02 and a portable information terminal 201 that provides a user interface for switching on / off the personal authentication function of the authentication device 3.

A user who needs personal authentication uses the portable authentication medium 202 and the portable information terminal 201 in combination. Although not shown in order to prevent the drawing from becoming complicated,
Normally, a large number of sets of mobile authentication media 202 and mobile information terminals 201 can be connected to one authentication device 203.

The authentication device 203 is, for example, an ATM (Automati) that allows the start of a predetermined processing procedure through personal authentication.
c Teller Machine) and other authentication devices.

Further, the portable authentication medium 202 is composed of an IC card, a memory stick, a wearable device, etc., and is not particularly limited as long as it can transmit personal authentication information by wireless communication and is convenient for carrying.

The mobile information terminal 201 is a device such as a mobile phone, a PDA (Personal Digital Assistant) or a notebook computer that can be carried by the user and provides a user interface for user input operation. Composed.

The operation of the portable information terminal 201 is comprehensively controlled by the control unit 207. Control unit 207
Is, for example, a microcomputer that is used for loading programs and storing work data.
AM (Random Access Memory), ROM (Read Only) that permanently stores program code and predetermined data
Memory) etc. (none of them are shown). The control unit 207 includes an operation unit 212 and a received signal management unit 20.
8, the setting change information generation unit 209, and the display 213.
Are connected by a bus (not shown) or the like to control each unit.

The personal identification number register 216 is provided on the operation unit 212.
The personal identification number input by the user via is temporarily stored. The personal identification number storage unit 242 stores the personal identification number of the authentic user of the portable information terminal 201. The personal identification number collating unit 241 has a personal identification number register 216.
Is compared with the personal identification number stored in the personal identification number storage unit 242, and in response to the coincidence, the setting change information generation unit 209 is permitted to generate setting change information. It is like this.

The setting change information generating section 209 has the encryption section 2
11 is connected to the transmission / reception unit 204, and the reception signal processing unit 208 is connected to the transmission / reception unit 20 via the decoding unit 210.
4 are connected to each other and can control the transmission / reception operation with the portable authentication medium 202.

The encryption section 211 is connected to the encryption key storage section 215 and the random number generation section 243. Encryption key storage unit 2
Reference numeral 15 stores an encryption key E1 for decryption only with the decryption key D1 stored in the decryption key storage unit 229 of the portable authentication medium 202. The encryption unit 211
An electronic signature is generated from the random number generated by the random number generation unit 243 and the setting change information generated by the setting change information generation unit 209. This electronic signature is transmitted to the portable authentication medium 202 via the transmission / reception unit 204, and the signature is confirmed by the decryption unit 219 (described later).

The decryption unit 210 is connected to the decryption key storage unit 214. The decryption key storage unit 214 stores the encryption key E stored in the encryption key storage unit 228 of the portable authentication medium 202.
Decryption key D2 for decrypting the data encrypted by 2
I remember.

The transmission / reception unit 204 wirelessly transmits / receives data to / from a device outside the portable information terminal 201, and the communicable distance thereof is, for example, about several meters. Transmitter / receiver 4
When the encrypted data is received from the encryption unit 211, the external data is transmitted to the outside. The encrypted data received by the transmitting / receiving unit 204 is decrypted by the decrypting unit 210.

The operation unit 212 constitutes a user interface of the portable information terminal 201 together with the display 213. In the present embodiment, the operation unit 212 provides a means for the user to select ON / OFF of the personal authentication function in the portable authentication medium 202 and an operation means for inputting the personal identification information.

The means for selecting ON / OFF of the personal authentication function is implemented in the form of a selection button, for example, and the ON / OFF of the personal authentication function is selected from the menu displayed on the display 213. This selection means may be such that pressing a single button assumes that a command opposite the current state has been selected.

In response to the user's selection by the ON / OFF selection means, a message prompting the user to enter the personal identification information is displayed on the display 213. The means for inputting the personal identification information can be composed of, for example, a ten-key pad capable of inputting a personal identification number. When the correct personal identification number is input, it is output to the encryption unit 211 together with the authentication function ON / OFF signal corresponding to the command selected by the ON / OFF selection means.

The operating means may be constructed by using a keyboard, and in this case, a personal identification number and a password can be input as the personal identification information. Alternatively, the operating means may be a biometrics sensor unit.
Further, when the operation means is used only for inputting the personal identification information, the on / off selection means may be omitted. Further, when the selected command is a command for turning off the personal authentication function, the input of the personal identification information may be omitted.

The setting change information transmission generation unit 209 generates the setting change information including the personal identification information and the authentication function ON / OFF signal input from the operation unit 212.

The reception signal processing unit 208 uses the portable authentication medium 2
The setting change confirmation signal transmitted from
When it is received by, confirm the contents and display 2
The message or symbol displayed in 13 is determined.

The operation of the portable authentication medium 202 is totally controlled by the control unit 217. Control unit 217
Is bus-connected to the reception management unit 218, the setting change unit 244, and the personal authentication information transmission control unit 221 to control each unit.

The personal authentication information transmission control unit 221 and the setting change confirmation signal generation unit 222 are connected to the transmission / reception unit 205 via the encryption unit 220, and the setting change unit 244 is the decryption unit 219 and the reception management unit 218. It is connected to the transmission / reception unit 205 via the, and generates / manages information transmitted / received respectively.

The transmitting / receiving unit 205 is adapted to transmit / receive data to / from a device outside the portable authentication medium 202, and the communicable distance is, for example, about several meters.
The communication range is such that the eyes of the user who owns 02 are within reach. The transmission / reception unit 205 receives the encrypted data from the encryption unit 220 and transmits it to the outside. The encrypted data received by the transmitting / receiving unit 205 is decrypted by the decrypting unit 219.

The encryption section 220 is connected to the encryption key storage section 228. The encryption key storage unit 228 stores the decryption key D stored in the decryption key storage unit 214 of the portable information terminal 201.
An encryption key E2 for encryption so that only 2 can decrypt
An encryption key E3 is stored for decryption only with a decryption key D3 stored in a decryption key storage unit 234 (described later) of the authentication device 203.

The decryption unit 219 is connected to the decryption key storage unit 229. The decryption key storage unit 229 stores the encryption key E stored in the encryption key storage unit 215 of the portable information terminal 201.
A decryption key D1 for decrypting the data encrypted by 1 and confirming the electronic signature is stored.

The personal authentication flag storage section 224 is adapted to store a "personal authentication flag" indicating whether or not the portable authentication medium 202 permits the authentication device 203 to transmit the authentication information. The personal authentication flag has a value of either on or off.

When the setting change section 244 receives the setting change information decrypted by the decryption key D1 via the reception management section 218, the individual authentication flag stored in the individual authentication flag storage section 224 is turned on / off. Change to the value corresponding to the signal. After that, the personal authentication confirmation signal generation unit 222
Then, the personal authentication confirmation signal is generated, encrypted by the encryption unit 220 with the encryption key E2, and transmitted from the transmission / reception unit 205 to the portable information terminal 201.

The personal authentication information storage section 227 stores personal authentication information including the user ID of the card or portable authentication medium owner.

The personal authentication information transmission control unit 221 confirms the personal authentication flag stored in the personal authentication flag storage unit 224 at predetermined time intervals in accordance with the clock oscillated by the oscillator 226, and according to the content of the personal authentication flag. Control the transmission of personal authentication information. That is, the personal authentication flag is confirmed, and if the personal authentication flag is on, the personal authentication information stored in the personal authentication information storage unit 227 is sent to the encryption unit 220. The encryption unit 220 encrypts the received personal authentication information with the encryption key E3, and the transmission / reception unit 20
5 transmits this to the authentication device 203.

The portable authentication medium 20 according to the present embodiment.
2 includes mobile communication means (not shown). The mobile authentication medium 202 can receive the personal authentication function off signal from the mobile communication means, and the user can use the mobile information terminal 201 even when the mobile authentication medium 202 is not near the mobile authentication medium 202.
The personal authentication function of the portable authentication medium 202 can be turned off.

The authentication device 203 is, for example, an ATM (Automatic) that allows the start of a predetermined processing procedure through personal authentication.
(Teller Machine) and other authentication devices, and the operation of the control unit 235 is comprehensively controlled.

The control unit 235 is composed of, for example, a microcomputer, and is used for loading a program and storing work data, RAM (Random Access Memor).
y), a ROM (Read Only Memory) for permanently storing a program code and predetermined data (neither is shown). The reception information management unit 230 and the personal authentication unit 231 are connected to the control unit 235 and control each unit.

The reception information management section 230 has a decoding section 232.
Is connected to the transmission / reception unit 206 via
The data received at 06 is managed.

The transmission / reception unit 206 wirelessly transmits / receives data to / from a device outside the authentication device 203, and the communicable distance thereof is, for example, about several meters. Transmitter / receiver 206
The encrypted data received in 1 is decrypted by the decrypting unit 232.

The decryption unit 232 is connected to the decryption key storage unit 234. The decryption key storage unit 234 stores the encryption key E stored in the encryption key storage unit 228 of the portable authentication medium 202.
A decryption key D3 for decrypting the data encrypted in 3 is stored.

The personal information storage unit 233 stores the authentication device 203.
At least one user ID of a person who is permitted to use is stored. Further, setting information for customizing the authentication device 203 for each successfully authenticated user may be stored together.

[0184] The personal authentication section 231 uses the portable authentication medium 202.
User ID included in the personal authentication information sent from
A user ID matching with is searched from the personal information storage unit 233, and if found, the user individual corresponding to the user ID is authenticated. And in response to the successful authentication,
The use restriction in the authentication device 203 is released.

Further, the personal authenticating section 231 shifts the authentication device 203 to the use restricted state again in response to the lapse of a predetermined time since the authentication information was last received (detection of unused).

When a plurality of records are stored in the personal information storage unit 233 so that only one person can use the authentication device 203 at the same time, the personal authentication unit is activated while the personal authentication of the authentication device 203 is being performed. It is desirable to lock the function of 231.

Next, the operation of the personal authentication system shown in FIG. 3 will be described with reference to FIG.

First, a processing procedure for switching on / off the personal authentication function on the portable authentication medium 202 will be described.

When the personal authentication function of portable authentication medium 202 is turned off, a message to that effect or a symbolic symbol is displayed on display 213 of portable information terminal 201.

The user can select a command for turning on the personal authentication function of the portable authentication medium 202 by operating the operation unit 212.

In response to such a user selecting operation, a message prompting the input of the personal identification number is displayed on the display 313. When the user inputs the personal identification number using the ten-key pad or the like, the personal identification number is temporarily stored in the personal identification number register 16.

The personal identification number collating unit 241 stores the personal identification number stored in the personal identification number register 216 in the personal identification number storage unit 2.
The password is compared with the personal identification number stored in 42, and if the two match, the setting change information generation unit 209 is permitted to generate the setting change information. However, if they do not match, this processing ends.

The setting change information generation unit 209 generates setting change information including the authentication function ON signal, and the encryption unit 211.
Send to. The encryption unit 211 encrypts the setting change information using the encryption key E1 stored in the encryption key storage unit 215, and also generates an electronic signature from the random number generated by the random number generation unit 243 and the setting change information. The transmission / reception unit 204 transmits the encrypted data and the electronic signature to the portable authentication medium 202.

On the portable authentication medium 202 side, the transmitting / receiving unit 20
When the decryption unit 5 receives the encrypted setting change information, the decryption unit 2
Sent to 19. The decryption unit 219 uses the decryption key storage unit 22.
After the digital signature is confirmed using the decryption key D1 stored in 9, the encrypted data is decrypted. The decrypted setting change information is sent to the setting change unit 244 via the reception management unit 218.

The setting changing unit 244 changes the personal authentication flag stored in the personal authentication flag storage unit 224 to the value ON corresponding to the personal authentication function ON signal. At the same time, the setting change confirmation signal generation unit 222 generates an authentication function ON confirmation signal.

The authentication function ON confirmation signal is sent to the encryption unit 220.
After being encrypted using the encryption key E2 in (1), it is returned from the transmitting / receiving unit 205 to the portable information terminal 201.

On the portable information terminal 201 side, the transmitting / receiving unit 20
4 receives the authentication function ON confirmation signal transmitted from the mobile authentication medium 202, the decryption unit 210 decrypts the decryption key D.
After being decoded using 2, the received signal management unit 208 confirms the content. Then, the display 213 displays a message indicating that the personal authentication function of the mobile authentication medium 202 is set to ON, a symbolic symbol, or the like.

On the contrary, when the personal authentication function of the portable authentication medium 202 is desired to be switched from ON to OFF, the user operates the operation unit 212 in the same manner as described above.
A command for turning off the personal authentication function of the portable authentication medium 202 is selected.

In response to such a user selection operation, a message prompting the input of the personal identification number is displayed on the display 213. When the user inputs the personal identification number using the ten-key pad or the like, the personal identification number is temporarily stored in the personal identification number register 216.

The personal identification number collating unit 241 stores the personal identification number stored in the personal identification number register 216 in the personal identification number storage unit 2.
The password is compared with the personal identification number stored in 42, and if the two match, the setting change information generation unit 209 is permitted to generate the setting change information. However, if they do not match, this processing ends.

The setting change information generation unit 209 generates setting change information including the authentication function off signal, and the encryption unit 211.
Send to. The encryption unit 211 encrypts the setting change information using the encryption key E1 stored in the encryption key storage unit 215, and also generates an electronic signature from the random number generated by the random number generation unit 243 and the setting change information. The transmission / reception unit 204 transmits the encrypted data and the electronic signature to the portable authentication medium 202.

On the portable authentication medium 202 side, the transmitting / receiving unit 20
When the decryption unit 5 receives the encrypted setting change information, the decryption unit 2
Sent to 19. The decryption unit 219 uses the decryption key storage unit 29.
After the electronic signature is confirmed by using the decryption key D1 stored in, the encrypted data is decrypted. The decrypted setting change information is sent to the setting change unit 2 via the reception management unit 218.
Sent to 44.

The setting changing unit 244 changes the individual authentication flag stored in the individual authentication flag storage unit 224 to the value OFF corresponding to the individual authentication function OFF signal. At the same time, the setting change confirmation signal generation unit 222 generates an authentication function off confirmation signal.

The authentication function OFF confirmation signal is sent to the encryption unit 220.
After being encrypted using the encryption key E2 in (1), it is returned from the transmitting / receiving unit 205 to the portable information terminal 201.

On the portable information terminal 201 side, the transmitting / receiving unit 20
4 receives the authentication function off confirmation signal transmitted from the mobile authentication medium 202, the decryption unit 210 decrypts the decryption key D.
After being decoded using 2, the received signal management unit 208 confirms the content. Then, on the display 213, a message or a symbolic symbol indicating that the personal authentication function of the mobile authentication medium 202 is set to off is displayed.

Next, a processing procedure for performing personal authentication of the authentication device 203 using the portable authentication medium 202 will be described.

In the mobile authentication medium 202, the personal authentication information transmission control unit 221 has the personal authentication flag storage unit 224 at predetermined time intervals according to the clock oscillated by the oscillator 226.
Check the personal authentication flag stored in.

If the personal authentication flag is on, personal authentication information is generated and sent to the encryption section 220. The personal authentication information is encrypted by the encryption unit 220 using the encryption key E3, and then transmitted from the transmission / reception unit 205 to the authentication device 203. On the other hand, if the personal authentication information transmission control unit 221 confirms that the personal authentication flag is OFF, the present process ends.

On the authentication device 203 side, when the encrypted personal authentication information is received by the transmission / reception unit 206, it is decrypted by the decryption unit 232 using the decryption key D3, and then sent to the personal authentication unit 231. To do.

The personal authentication unit 231 searches the personal information storage unit 233 for a record having the same user ID as the user ID included in the personal authentication information, and if found, releases the use restriction of the authentication device 203. Further, various settings of the authentication device 203 may be performed based on the setting contents stored in the record. On the other hand, if no record is found, this processing ends.

Further, when a predetermined time has passed since the last reception of the personal authentication information was detected (unused detection), each unit is controlled so that the use of the authentication device 203 is restricted again.

Fourth Embodiment: FIG. 4 shows a fourth embodiment of the present invention.
1 schematically shows the overall configuration of the personal authentication system according to the exemplary embodiment. As shown in the figure, this personal authentication system includes one or more authentication devices 303 that authenticate individual users.
And a portable authentication medium 302, which is possessed by each user who needs personal authentication and holds personal authentication information (user ID, etc.) and which can be transmitted, and a user for switching on / off the personal authentication function of the authentication device 303. A mobile information terminal 301 that provides an interface.

A user who needs personal authentication uses the portable authentication medium 302 and the portable information terminal 301 in combination. Although not shown in order to prevent the drawing from becoming complicated,
Normally, a large number of sets of portable authentication media 302 and portable information terminals 301 can be connected to one authentication device 303.

The authentication device 303 is, for example, an ATM (Automati) that is permitted to start a predetermined processing procedure through personal authentication.
c Teller Machine) and other authentication devices.

The mobile authentication medium 302 is composed of an IC card, a memory stick, a wearable device, etc., and is not particularly limited as long as it can transmit personal authentication information by wireless communication and is convenient for carrying.

The mobile information terminal 301 is a device such as a mobile phone, a PDA (Personal Digital Assistant), and a notebook computer that can be carried by the user and provides a user interface for user input operation. Composed.

The operation of the portable information terminal 301 is totally controlled by the control unit 307. Control unit 307
Is, for example, a microcomputer that is used for loading programs and storing work data.
AM (Random Access Memory), ROM (Read Only) that permanently stores program code and predetermined data
Memory) etc. (none of them are shown). The control unit 307 includes an operation unit 314 and a characteristic data matching unit 34.
1, the setting change information generation unit 309, and the reception signal management unit 3
08 and the display 213 are respectively connected by a bus (not shown) to control each unit.

The operation unit 314 is used by the user for the portable authentication medium 3
Authentication device 30 that permits transmission of personal authentication information from
An operation panel 348 for selecting No. 3 and a biometrics sensor 349 for inputting biometric information are provided. The user can select ON / OFF of the personal authentication function via the operation panel 348.

Also, the biometrics sensor 349
Is input with biometric information. The biometric information referred to here is
For example, it is information such as a fingerprint, a vein pattern, an iris pattern, a voiceprint, and a face image acquired from the body of the user of the portable information terminal 301. The biometric information acquired by the biometrics sensor 349 is stored in the biometric information register 34.
5 is temporarily stored.

The characteristic data extracting section 346 extracts the biometric information stored in the biometric information register 345, extracts the characteristic data thereof, and stores it in the characteristic data register 347.
To be temporarily stored in. In addition, the feature data storage unit 342
The characteristic data of the authentic user of the portable information terminal 201 is stored in the. The characteristic data collating unit 341 collates the characteristic data stored in the characteristic data register 347 with the characteristic data stored in the characteristic data storage unit 342, and responds to the fact that the two coincide with each other. Generation of the setting change information by the generation unit 309 is permitted.

The setting change information generating section 309 generates setting change information according to a user input from the operation panel 348. The setting change information generation unit 309 is connected to the transmission / reception unit 304 via the encryption unit 311, and the mobile authentication medium 30.
2 and the transmission operation with 2.

The encryption section 311 is connected to the encryption key storage section 315 and the random number generation section 343. Encryption key storage unit 3
Reference numeral 15 stores an encryption key E1 for decryption only with the decryption key D1 stored in the decryption key storage unit 329 of the portable authentication medium 302. The encryption unit 311
An electronic signature is generated from the random number generated by the random number generation unit 343 and the setting change information generated by the setting change information generation unit 309. This electronic signature is transmitted to the portable authentication medium 302 via the transmission / reception unit 304, and the signature is confirmed by the decryption unit 319 (described later).

The decryption unit 310 is connected to the decryption key storage unit 314. The decryption key storage unit 314 stores the encryption key E stored in the encryption key storage unit 328 of the portable authentication medium 302.
Decryption key D2 for decrypting the data encrypted by 2
I remember.

The transmitter / receiver 304 is adapted to wirelessly transmit / receive data to / from a device outside the portable information terminal 301, and the communicable distance thereof is, for example, about several meters. Transmitter / receiver 4
Receives the encrypted data from the encryption unit 311, and transmits it to the outside. Further, the encrypted data received by the transmitting / receiving unit 304 is decrypted by the decrypting unit 310.

The reception signal processing unit 308 is connected to the transmission / reception unit 304 via the decoding unit 310, and controls the reception operation from the portable authentication medium 302. Received signal processing unit 30
When the transmitter / receiver 304 receives the setting change confirmation signal transmitted from the portable authentication medium 302, the receiver 8 confirms the content and determines the message or symbol displayed on the display 313.

The operation of the portable authentication medium 302 is totally controlled by the control unit 317. Control unit 317
Is connected to the reception management unit 318, the setting change unit 344, and the personal authentication information transmission control unit 321 by a bus, and controls each unit.

The personal authentication information transmission control unit 321 and the setting change confirmation signal generation unit 322 are connected to the transmission / reception unit 305 via the encryption unit 320, and the setting change unit 344 is the decoding unit 319 and the reception management unit 318. It is connected to the transmission / reception unit 305 via the, and is configured to generate and manage the information transmitted / received.

The transmission / reception unit 305 is adapted to transmit / receive data to / from a device outside the portable authentication medium 302, and the communicable distance is, for example, about several meters.
The communication range is such that the eyes of the user who owns 02 are within reach. The transmission / reception unit 305, when receiving the encrypted data from the encryption unit 320, transmits the data to the outside. The encrypted data received by the transmitting / receiving unit 305 is decrypted by the decrypting unit 319.

The encryption section 320 is connected to the encryption key storage section 328. The encryption key storage unit 328 stores the decryption key D stored in the decryption key storage unit 314 of the portable information terminal 301.
An encryption key E2 for encryption so that only 2 can decrypt
An encryption key E3 is stored for decryption only with a decryption key D3 stored in a decryption key storage unit 334 (described later) of the authentication device 303.

The decryption unit 319 is connected to the decryption key storage unit 329. The decryption key storage unit 329 stores the encryption key E stored in the encryption key storage unit 215 of the portable information terminal 201.
A decryption key D1 for decrypting the data encrypted in 1 and confirming the electronic signature is stored.

The personal authentication flag storage section 324 is adapted to store a "personal authentication flag" indicating whether or not the portable authentication medium 302 permits the authentication device 303 to transmit the authentication information. The personal authentication flag has a value of either on or off.

When the setting change unit 344 receives the setting change information decrypted by the decryption key D1 via the reception management unit 318, the individual authentication flag stored in the individual authentication flag storage unit 324 is turned on / off. Change to the value corresponding to the signal. After that, the personal authentication confirmation signal generation unit 322
At, a personal authentication confirmation signal is generated, encrypted by the encryption unit 320 with the encryption key E2, and transmitted from the transmission / reception unit 305 to the portable information terminal 301.

The personal authentication information storage unit 327 stores personal authentication information including the user ID of the owner of the card, that is, the portable authentication medium 302.

The personal authentication information transmission control unit 321 confirms the personal authentication flag stored in the personal authentication flag storage unit 324 at predetermined time intervals according to the clock oscillated by the oscillator 326, and according to the contents of the personal authentication flag. Control the transmission of personal authentication information. That is, the personal authentication flag is confirmed, and if the personal authentication flag is on, the personal authentication information stored in the personal authentication information storage unit 327 is sent to the encryption unit 320. The encryption unit 320 encrypts the received personal authentication information with the encryption key E3, and the transmission / reception unit 30
5 transmits this to the authentication device 303.

Also, the portable authentication medium 30 according to the present embodiment.
2 includes mobile communication means (not shown). The mobile authentication medium 302 can receive the personal authentication function off signal from the mobile communication means, and the user can use the mobile information terminal 301 even when the mobile authentication medium 302 is not near the mobile authentication medium 302.
The personal authentication function of the portable authentication medium 302 can be turned off.

The authentication device 303 is an ATM (Automatic) device that allows the start of a predetermined processing procedure through, for example, personal authentication.
(Teller Machine) and other authentication devices, and the operation of the control unit 235 is comprehensively controlled.

The control section 335 is composed of, for example, a microcomputer, and is used for loading a program and storing work data in a RAM (Random Access Memor).
y), a ROM (Read Only Memory) for permanently storing a program code and predetermined data (neither is shown). The reception information management unit 330 and the personal authentication unit 331 are connected to the control unit 335 and control each unit.

The reception information management section 330 has a decoding section 332.
Is connected to the transmission / reception unit 306 via the
The data received at 06 is managed.

The transmission / reception unit 306 is adapted to wirelessly transmit / receive data to / from a device outside the authentication device 303, and its communicable distance is, for example, about several meters. Transmitter / receiver 306
The encrypted data received in step 3 is decrypted by the decryption unit 332.

The decryption unit 332 is connected to the decryption key storage unit 334. The decryption key storage unit 334 stores the encryption key E stored in the encryption key storage unit 328 of the portable authentication medium 302.
A decryption key D3 for decrypting the data encrypted in 3 is stored.

The personal information storage unit 333 has the authentication device 303.
At least one user ID of a person who is permitted to use is stored. Further, setting information for customizing the authentication device 303 for each successfully authenticated user may be stored together.

The personal authentication unit 331 is a portable authentication medium 302.
User ID included in the personal authentication information sent from
A user ID matching with is searched from the personal information storage unit 333, and if found, the user individual corresponding to the user ID is authenticated. And in response to the successful authentication,
The use restriction in the authentication device 303 is released.

Further, the personal authenticating section 331 shifts the authenticating apparatus 303 to the use restricted state again in response to the lapse of a predetermined time since the authentication information was last received (detection of unused).

When a plurality of records are stored in the personal information storage unit 333 and only one authentication device 303 can be used at the same time, the personal authentication unit is operated while the personal authentication of the authentication device 303 is being performed. It is desirable to lock the function of 331.

Next, the operation of the personal authentication system shown in FIG. 4 will be described with reference to FIG.

First, a processing procedure for switching on / off the personal authentication function on the portable authentication medium 302 will be described.

When the personal authentication function of the mobile authentication medium 302 is turned off, a message to that effect or a symbolic symbol is displayed on the display 313 of the mobile information terminal 301.

By operating the operation panel 348, the user can select a command to turn on the personal authentication function of the portable authentication medium 302.

In response to such a user selection operation, a message prompting the input of biometric information is displayed on the display 313. When the user inputs biometric information from the biometrics sensor 349, the biometric information is temporarily stored in the biometric information register 345. After that, the characteristic data extraction unit 346 extracts the biometric information from the biometric information register 345, extracts the characteristic data thereof, and temporarily stores it in the characteristic data register 347.

The characteristic data collating unit 341 detects the characteristic data
The characteristic data stored in the register 347 is collated with the personal identification number stored in the characteristic data storage unit 342, and if the two match, the setting change information generation unit 309 permits generation of the setting change information. If they do not match, this processing is ended as it is.

The setting change information generation unit 309 generates setting change information including the authentication function ON signal, and the encryption unit 311
Send to. The encryption unit 311 encrypts the setting change information using the encryption key E1 stored in the encryption key storage unit 315, and also generates an electronic signature from the random number generated by the random number generation unit 343 and the setting change information. The transmitting / receiving unit 304 transmits the encrypted data and the electronic signature to the portable authentication medium 302.

On the portable authentication medium 302 side, the transmitting / receiving unit 30
When 5 receives the encrypted setting change information, the decryption unit 3
Sent to 19. The decryption unit 319 uses the decryption key storage unit 32.
After the digital signature is confirmed using the decryption key D1 stored in 9, the encrypted data is decrypted. The decrypted setting change information is sent to the setting change unit 344 via the reception management unit 318.

The setting changing unit 344 changes the personal authentication flag stored in the personal authentication flag storage unit 324 to the value ON corresponding to the personal authentication function ON signal. At the same time, the setting change confirmation signal generation unit 322 generates an authentication function ON confirmation signal.

The authentication function ON confirmation signal is sent to the encryption unit 320.
After being encrypted by using the encryption key E2, the transmission / reception unit 305 returns the information to the portable information terminal 301.

On the portable information terminal 301 side, the transmitting / receiving unit 30
4 receives the authentication function ON confirmation signal transmitted from the portable authentication medium 302, the decryption unit 310 decrypts the decryption key D.
After being decoded using 2, the received signal management unit 308 confirms the content. Then, on the display 313, a message indicating that the personal authentication function of the mobile authentication medium 302 is set to ON, a symbolic symbol, or the like is displayed.

On the contrary, when the personal authentication function of the mobile authentication medium 302 is to be switched from on to off, the user operates the operation panel 348 to operate the personal authentication function of the mobile authentication medium 302 as described above. Select the command to turn off.

In response to such a user selection operation, a message prompting the input of biometric information is displayed on the display 313. When the user inputs biometric information from the biometrics sensor 349, the biometric information is temporarily stored in the biometric information register 345. After that, the characteristic data extraction unit 346 extracts the biometric information from the biometric information register 345, extracts the characteristic data thereof, and temporarily stores it in the characteristic data register 347.

The characteristic data collating unit 341 detects the characteristic data
The characteristic data stored in the register 347 is collated with the personal identification number stored in the characteristic data storage unit 342, and if the two match, the setting change information generation unit 309 permits generation of the setting change information. If they do not match, this processing is ended as it is.

The setting change information generator 309 generates setting change information including the authentication function off signal, and the encryption unit 311.
Send to. The encryption unit 311 encrypts the setting change information using the encryption key E1 stored in the encryption key storage unit 315, and also generates an electronic signature from the random number generated by the random number generation unit 343 and the setting change information. The transmitting / receiving unit 304 transmits the encrypted data and the electronic signature to the portable authentication medium 302.

On the portable authentication medium 302 side, the transmitting / receiving unit 30
When 5 receives the encrypted setting change information, the decryption unit 3
Sent to 19. The decryption unit 319 uses the decryption key storage unit 32.
After the digital signature is confirmed using the decryption key D1 stored in 9, the encrypted data is decrypted. The decrypted setting change information is sent to the setting change unit 344 via the reception management unit 318.

The setting changing unit 344 changes the individual authentication flag stored in the individual authentication flag storage unit 324 to the value OFF corresponding to the individual authentication function OFF signal. At the same time, the setting change confirmation signal generation unit 322 generates an authentication function off confirmation signal.

The authentication function OFF confirmation signal is sent to the encryption unit 320.
After being encrypted by using the encryption key E2, the transmission / reception unit 305 returns the information to the portable information terminal 301.

On the portable information terminal 301 side, the transmitting / receiving unit 30
4 receives the authentication function off confirmation signal transmitted from the portable authentication medium 302, the decryption unit 310 decrypts the decryption key D.
After being decoded using 2, the received signal management unit 308 confirms the content. Then, on the display 313, a message or a symbolic symbol indicating that the personal authentication function of the mobile authentication medium 302 is set to off is displayed.

Subsequently, a processing procedure for performing personal authentication of the authentication device 303 by the portable authentication medium 302 will be described.

In the portable authentication medium 302, the personal authentication information transmission control unit 321 has the personal authentication flag storage unit 224 at predetermined time intervals according to the clock oscillated by the oscillator 326.
Check the personal authentication flag stored in.

When the personal authentication flag is on, personal authentication information is generated and sent to the encryption section 320. The personal authentication information is encrypted by the encryption unit 320 using the encryption key E3, and then transmitted from the transmission / reception unit 5 to the authentication device 303. On the other hand, if the personal authentication information transmission control unit 321 confirms that the personal authentication flag is OFF, the present process ends.

On the side of the authentication device 303, when the encrypted personal authentication information is received by the transmission / reception unit 306, it is decrypted by the decryption unit 332 using the decryption key D3, and then sent to the personal authentication unit 331. To do.

The personal authentication unit 331 searches the personal information storage unit 333 for a record having the same user ID as the user ID included in the personal authentication information, and if found, releases the use restriction of the authentication apparatus 303. Further, various settings of the authentication device 303 may be performed based on the setting contents stored in the record. On the other hand, if no record is found, this processing ends.

When a predetermined time has passed since the last reception of the personal authentication information was detected (unused detection), each unit is controlled so as to restrict the use of the authentication device 303 again.

Fifth Embodiment: FIG. 5 shows the fifth embodiment of the present invention.
1 schematically shows the overall configuration of the personal authentication system according to the exemplary embodiment. As shown in the figure, this personal authentication system includes one or more authentication devices 403 for authenticating individual users.
And a portable authentication medium 402 that is possessed by each user who needs individual authentication and that can hold and transmit individual authentication information (such as a user ID), and a user for turning on / off the individual authentication function of the authentication device 403. A mobile information terminal 401 that provides an interface.

A user who needs personal authentication uses the portable authentication medium 402 and the portable information terminal 401 in combination. Although not shown in order to prevent the drawing from becoming complicated,
Normally, a large number of sets of portable authentication media 402 and portable information terminals 401 can be connected to one authentication device 403.

The authentication device 403 is, for example, an ATM (Automati) that allows the start of a predetermined processing procedure through personal authentication.
c Teller Machine) and other authentication devices.

The portable authentication medium 402 is composed of an IC card, a memory stick, a wearable device, etc., and is not particularly limited as long as it can transmit personal authentication information by wireless communication and is convenient to carry.

The portable information terminal 401 is a device such as a mobile phone, a PDA (Personal Digital Assistant), a notebook computer, etc. that can be carried by the user and provides a user interface for user input operation. Composed.

The authentication device 403, the portable authentication medium 402, and the portable information terminal 401 are respectively the wireless communication module 40.
6, 405 and 404 are provided, and wireless communication can be performed between these wireless communication modules. Also, in the wireless communication module, connection establishment / disconnection between specific terminals,
Processing related to various communications such as encryption of data transmitted wirelessly is performed. The maximum communicable distance between the wireless communication modules may be about 10 m, for example. For example, IEEE80
The wireless communication module can be configured by using a short-distance wireless communication means such as 2.11, Bluetooth.

The operation of the portable information terminal 401 is totally controlled by the control unit 409. Control unit 409
Is, for example, a microcomputer that is used for loading programs and storing work data.
AM (Random Access Memory), ROM (Read Only) that permanently stores program code and predetermined data
Memory) etc. (none of them are shown). The control unit 409 includes an operation unit 410 and a setting change information generation unit 4
15 and the display 413 are respectively connected by a bus (not shown) to control each unit.

[0277] The operation unit 410 is used by the user for the portable authentication medium 4
Authentication device 40 for permitting transmission of personal authentication information from 02.
An operation panel 411 for selecting 3 and a biometrics sensor 412 for inputting biometric information are provided. The user can select ON / OFF of the personal authentication function via the operation panel 411.

Further, the biometrics sensor 412
Is input with biometric information. The biometric information referred to here is
For example, it is information such as a fingerprint, a vein pattern, an iris pattern, a voiceprint, and a face image acquired from the body of the user of the portable information terminal 401. The biometric information acquired by the biometrics sensor 412 is stored in the biometric information register 41.
4 is temporarily stored.

The setting change information generating section 415 generates setting change information according to the user input from the operation panel 411. The biometric information stored in the biometric information register 414 is attached to the setting change information. Also, the setting change information generation unit 415 is connected to the wireless communication module 404 and controls the transmission operation with the portable authentication medium 402.

The operation of the portable authentication medium 402 is totally controlled by the control unit 422. Control unit 422
Is a personal authentication information generation unit 424 and a setting change control unit 42.
3, a characteristic data matching unit 429, and a personal authentication control unit 42
It is connected to 5 and controls each part.

The characteristic data storage unit 426 stores characteristic data extracted from the biometric information of the authentic user of the portable authentication medium 102. The setting change information (described above) transmitted from the portable information terminal 401 is stored in the wireless communication module 40.
When it is received via 5, the biometric information included in the setting change information is extracted, and the characteristic data extraction unit 441 extracts the characteristic data.

The characteristic data collating unit 429 collates the characteristic data extracted from the biometric information included in the setting change information with the characteristic data stored in the characteristic data storage unit 126. Then, when it is determined that both are the characteristic data obtained from the same person, the flag value stored in the personal authentication flag storage unit 442 is changed to the value indicated by the setting change information.

The personal authentication information storage unit 427 stores personal authentication information including the authentic user ID of the portable authentication medium 402.

When the connection with the portable information terminal 401 is established between the wireless communication modules of each other, the personal authentication information generation unit 1
24 is generated from the personal authentication information stored in the personal authentication information storage unit 427 and transmitted through the wireless communication module 105.

The clock unit 443 is used for the wireless communication module 40.
The personal authentication flag is turned off in response to the elapse of a predetermined time by measuring the elapsed time from when the mobile communication terminal 5 becomes unable to communicate with the portable information terminal 401 or the authentication device 403.
On the authentication device 403 side, when the communication with the portable authentication medium is disconnected, the use restriction for canceling the personal authentication restarts.

Also, the portable authentication medium 40 according to the present embodiment.
2 includes mobile communication means (not shown). The mobile authentication medium 402 can receive the personal authentication function OFF signal from the mobile communication means, and the user can use the mobile information terminal 401 even when the mobile authentication medium 402 is not near the mobile authentication medium 402.
The personal authentication function of the portable authentication medium 402 can be turned off.

The authentication device 403 is an ATM (Automatic) that allows the start of a predetermined processing procedure through, for example, personal authentication.
(Teller Machine) and other authentication devices, and the operation is comprehensively controlled by the control unit 433.

The control unit 433 is composed of, for example, a microcomputer, and is used for loading a program or storing work data in a RAM (Random Access Memor).
y), a ROM (Read Only Memory) for permanently storing a program code and predetermined data (neither is shown). The control unit 433 is connected to each functional module in the device 403 such as the personal authentication unit 412 and controls each unit.

Further, the authentication device 403 has a personal information database 419. The personal information database 419 stores at least one record of a user who is permitted to use the authentication device 403. At least a user ID is stored in each record.

As shown in FIG. 5, the personal information database 419 can be built on the database server 408 outside the authentication device 403. In such cases,
The authentication device 403 is configured to connect to the personal information database 419 via the network 407 by the network connection unit 431.

[0291] The personal authentication unit 412 uses the portable authentication medium 402.
User ID included in the personal authentication information sent from
A user ID matching with is searched for from the personal information database 419. Then, when the corresponding record is found, the user individual corresponding to the user ID is authenticated,
The use restriction of the authentication device 403 is released.

Further, the personal authentication section 412 again restricts the use of the authentication device 403 when a predetermined time has passed since the authentication information was last received (when unused is detected). If a plurality of records are stored in the personal information database 419 but only one authentication device 403 can be used at the same time, the personal authentication unit 412 is used while the user of the authentication device 403 is being personally authenticated. It is desirable to lock the function of.

The operation of the personal identification system shown in FIG. 5 will be described below with reference to FIG.

First, a procedure for turning on the personal authentication function of the authentication device 403 which permits the mobile authentication medium 402 to transmit personal authentication information will be described.

[0295] The user brings the portable information terminal 401 close to the portable authentication medium 402, and the wireless communication modules 40
4. Establish a connection between 4 and 405.

The user operates the operation panel 412 of the portable information terminal 401 to operate the portable authentication medium 402.
Select the setting change command to turn on the personal authentication function of.

Further, the user inputs biometric information from the biometrics sensor 411 along with this command selection. The input biometric information is stored in the biometric information register 41.
4 is temporarily stored.

The setting change information generating section 415 generates setting change information including the biometric information stored in the biometric information register 414. Then, after a predetermined process such as encryption is performed on the setting change information, the wireless communication module 404.
Is transmitted to the portable authentication medium 402.

On the portable authentication medium 102 side, when the wireless communication module 105 receives the setting change information, the characteristic data extracting section 441 extracts the characteristic data from the biometric information included in the setting changing information, and further the characteristic data collating section. 42
Reference numeral 9 collates the extracted characteristic data with the characteristic data stored in the characteristic data storage unit 426. Then, when it is determined that both are the characteristic data obtained from the same person, the personal authentication flag stored in the personal authentication flag storage unit 442 is changed to the personal authentication function ON according to the setting change information.

The portable authentication medium 402 is the portable information terminal 40.
A confirmation signal indicating that the authentication function has been changed is returned to 1.

After that, the timer 443 continues to monitor the state of the wireless communication module 406. Then, when a predetermined time elapses after the communication with the mobile information terminal 401 is cut off, the personal authentication flag stored in the personal authentication flag storage unit 442 is set so as to turn off the personal authentication function in the mobile authentication medium 402. rewrite.

Next, a processing procedure for performing personal authentication of the authentication device 403 using the portable authentication medium 402 will be described.

The user brings the portable authentication medium 402 close to the authentication device 403 and establishes a connection between the wireless communication modules 405 and 406 of both.

On the portable authentication medium 402 side, the personal authentication information generation unit 424 generates personal authentication information, performs predetermined processing such as encryption, and then transmits it to the authentication device 403 by the wireless communication module 404.

On the authentication device 403 side, when the personal authentication information is received by the wireless communication module 406, the personal authentication unit 4
12 is a personal information database 419 for records having the same user ID as the user ID included in the personal authentication information.
Search from. Then, when the corresponding user ID is found, the use restriction of the authentication device 403 is released, and various settings of the authentication device 403 are performed based on the setting content stored in the record. On the other hand, the applicable user ID
If is not found, this processing is ended as it is.

When the communication between the wireless communication modules 405 and 406 is cut off, each unit is controlled so as to restrict the use of the authentication device 403 again. The same personal authentication is performed on the portable information terminal 401, but the setting change operation is not limited even if the personal authentication information is not transmitted.

[Supplement] The present invention has been described in detail with reference to the specific embodiments. However, it is obvious that those skilled in the art can modify or substitute the embodiments without departing from the scope of the present invention. That is, the present invention has been disclosed in the form of exemplification, and the contents of this specification should not be construed in a limited manner. In order to determine the gist of the present invention, the section of the claims described at the beginning should be taken into consideration.

[0308]

As described above in detail, according to the present invention,
An excellent personal authentication system and personal authentication method, a personal digital assistant, and a mobile authentication medium, which can suitably perform personal authentication by wirelessly transmitting personal authentication information from a mobile authentication medium possessed by a user to a personal authentication device , Authentication device,
In addition, a storage medium can be provided.

Further, according to the present invention, an excellent personal authentication system and personal authentication method, a personal digital assistant, a mobile authentication medium, and an authentication capable of controlling the transmission of personal authentication information from a mobile authentication medium by a user operation. A device and a storage medium can be provided.

Further, according to the present invention, an excellent personal authentication system and personal authentication method capable of controlling transmission of personal authentication information from a mobile authentication medium by an operation on a mobile information terminal possessed by a user, A mobile information terminal, a mobile authentication medium, an authentication device, and a storage medium can be provided.

According to the present invention, the portable authentication medium for transmitting the authentication information to the external device does not need to be taken in and out at the time of operation while being stored in the purse or the back of the bag. In addition, since the mobile information terminal itself does not have the function of performing personal authentication with an external device, it is like putting the mobile information terminal in and out normally, and even if it is lost or stolen, it is impersonated by another person. It is not used illegally.

[Brief description of drawings]

FIG. 1 is a diagram schematically showing an overall configuration of a personal authentication system according to a first exemplary embodiment of the present invention.

FIG. 2 is a diagram schematically showing an overall configuration of a personal authentication system according to a second exemplary embodiment of the present invention.

FIG. 3 is a diagram schematically showing an overall configuration of a personal authentication system according to a third exemplary embodiment of the present invention.

FIG. 4 is a diagram schematically showing an overall configuration of a personal authentication system according to a fourth exemplary embodiment of the present invention.

FIG. 5 is a diagram schematically showing an overall configuration of a personal authentication system according to a fifth exemplary embodiment of the present invention.

FIG. 6 is a chart showing an operation in the personal identification system shown in FIG.

FIG. 7 is a chart showing an operation in the personal identification system shown in FIG.

FIG. 8 is a chart showing an operation in the personal identification system shown in FIG.

9 is a chart showing an operation in the personal identification system shown in FIG.

10 is a chart showing an operation in the personal authentication system shown in FIG.

[Explanation of symbols]

1 ... Portable information terminal 2. Mobile authentication medium 3 ... Authentication device 4, 5, 6 ... Transceiver 7 ... Control unit 8 ... Received signal management unit 9 ... Setting change information generation unit 10 ... Decryption unit, 11 ... Encryption unit 12 ... Operation unit, 13 ... Display 14 ... Decryption key storage unit, 15 ... Encryption key storage unit 16 ... PIN code register 17 ... Control unit 18 ... Received signal management unit 19 ... Decryption unit, 20 ... Encryption unit 21 ... Personal authentication information transmission control unit 22 ... Setting change confirmation signal generator 23 ... Operator authentication section 24 ... Individual authentication flag storage unit 25 ... PIN code storage 26 ... Oscillator 27 ... Individual authentication information storage unit 28 ... Encryption key storage unit, 29 ... Decryption key storage unit

Claims (37)

[Claims] 1. A personal authentication system for performing authentication processing for a predetermined authentication device based on personal authentication information, the operation for performing an operation of inputting personal identification information and a setting change operation of a personal authentication function for a user. A portable information terminal providing an environment, and holding personal authentication information for personal authentication processing with the authentication device, and after the user's identity confirmation using the personal identification information input on the portable information terminal, A mobile authentication medium for changing the setting of the personal authentication function based on the setting change operation on the mobile information terminal, and a personal authentication process is performed between the mobile authentication medium and the authentication device according to the setting content of the personal authentication function. A personal authentication system characterized by: 2. The personal authentication system according to claim 1, wherein data is transmitted and received between the portable information terminal, the portable authentication medium, and the authentication device by wireless cryptographic communication. 3. When the personal authentication function is set to ON, personal authentication processing is performed between the portable authentication medium and the authentication device, and the authentication device responds to the success of the personal authentication. The personal authentication system according to claim 1, wherein the use restriction for the user is released. 4. The authentication device, in response to a lapse of a predetermined time since the last reception of the personal authentication information from the portable authentication medium, is restricted again for use by the user. The personal authentication system according to claim 1. 5. A personal identification number or biometric information obtained from the body of the user or a part thereof is used as the personal identification information.
The personal authentication system according to claim 1, wherein: 6. The personal authentication processing is a personal authentication method for physically changing the setting of the personal authentication function, wherein the user inputs personal identification information on the portable information terminal and changes the setting of the personal authentication function. The step of performing the operation, the step of transferring the personal authentication function setting change information including the personal identification information from the portable information terminal to the portable authentication medium, and the personal identification information included in the setting change information on the portable authentication medium. If the personal authentication function is set to ON, the step of performing the user identification process of the used user, the step of changing the setting of the personal authentication function in response to the success of the personal identification, and the mobile authentication medium when the personal authentication function is set to ON. From the personal authentication information to the authentication device to perform the personal authentication process, and in response to the success of the personal authentication process, release the use restriction of the authentication device for the user. The method comprising the steps of,
A personal authentication method comprising: 7. The personal authentication method according to claim 6, wherein data is transmitted and received among the portable information terminal, the portable authentication medium, and the authentication device by wireless encrypted communication. 8. The method further comprises the step of again restricting the use of the authentication device to the user in response to the lapse of a predetermined time since the last reception of the personal authentication information from the portable authentication medium was detected. The personal authentication method according to claim 6, wherein: 9. A personal identification number or biometric information obtained from the body of the user or a part thereof is used as the personal identification information.
The personal authentication method according to claim 6, wherein: 10. A mobile information terminal for changing settings of a personal authentication function using a mobile authentication medium, comprising a transmitting / receiving means for transmitting / receiving data to / from the mobile authentication medium, a user's input operation of personal identification information and personal authentication. User input means for performing a setting change operation of the function, setting change information generation means for generating setting change information including personal identification information based on the setting change operation via the user input means, and the generated A means for transmitting setting change information to the portable authentication medium via the transmitting / receiving means, the portable information terminal. 11. The portable information terminal according to claim 10, wherein the transmitting / receiving unit transmits / receives data to / from the portable authentication medium by wireless cryptographic communication. 12. The user input means receives a user input of a personal identification number as personal identification information, and the setting change information generating means includes the input personal identification number in the setting change information. The mobile information terminal according to item 10. 13. The user input means acquires biometric information from the user's body or a part thereof, and the setting change information generation means uses the biometric information of the user or characteristic data extracted from the biometric information as personal identification information. The mobile information terminal according to claim 10, wherein the mobile information terminal is included in the setting change information as. 14. A portable authentication medium for performing a personal authentication process with a predetermined authentication device according to a setting change of a personal authentication function from the portable information terminal, which transmits and receives data to and from the portable information terminal and the authentication device. Transmission / reception means, personal identification means for performing personal identification based on the personal identification information included in the setting change information received from the portable information terminal, personal authentication information holding means for holding personal authentication information of the user, the personal identification Personal authentication function changing means for changing the setting of the personal authentication function according to the setting change information in response to the success of the personal authentication by the means; and if the personal authentication function is set to ON, the personal authentication function A personal authentication information transmission control means for transmitting the personal authentication information held in the information holding means to the authentication device, the portable authentication medium. 15. The portable authentication medium according to claim 14, wherein the transmitting / receiving unit transmits / receives data to / from the portable information terminal and the authentication device by wireless cryptographic communication. 16. The personal identification information is a personal identification number, and the personal identification confirmation means includes the personal identification number included in the setting change information received from the portable information terminal as a personal identification number of a genuine user stored in advance. 15. The portable authentication medium according to claim 14, which is collated. 17. The personal identification information is biometric information acquired from the user's body or a part thereof, and the personal identification means is biometric information included in the setting change information received from the portable information terminal or the biometric information thereof. Feature data,
The biometric information of a genuine user or its characteristic data stored in advance is compared, and the comparison is performed.
The portable authentication medium according to 4. 18. An authentication device for performing personal authentication with a portable authentication medium, comprising: a transmitting / receiving means for transmitting / receiving data to / from the portable authentication medium; and an individual using the personal authentication information received from the portable authentication medium. An authentication apparatus comprising: a personal authentication processing means for performing authentication; and a usage restriction control means for releasing a usage restriction for the user in response to the success of the personal authentication processing. 19. The authentication apparatus according to claim 18, wherein the transmitting / receiving unit transmits / receives data to / from the portable authentication medium by wireless cryptographic communication. 20. The use restriction control means restarts the use of the authentication device for the user in response to a lapse of a predetermined time after the last reception of the personal authentication information from the portable authentication medium is detected. The authentication device according to claim 18, wherein the authentication device is restricted. 21. A personal authentication system for performing authentication processing for a predetermined authentication device based on personal authentication information, the operation for performing an operation of inputting personal identification information and a setting change operation of a personal authentication function for a user. A personal digital assistant that provides an environment and outputs the setting change information of the personal authentication function after the personal identification of the user using the input personal identification information, and personal authentication information for personal authentication processing with the authentication device. And a portable authentication medium for changing the setting of the personal authentication function based on the setting change operation on the portable information terminal, and between the portable authentication medium and the authentication device according to the setting content of the personal authentication function. An individual authentication system characterized in that an individual authentication process is performed. 22. The portable information terminal, the portable authentication medium,
22. The personal authentication system according to claim 21, wherein data is transmitted and received between the authentication devices by wireless cryptographic communication. 23. When the personal authentication function is set to ON, personal authentication processing is performed between the portable authentication medium and the authentication device, and the authentication device responds to the success of the personal authentication. 22. The personal authentication system according to claim 21, wherein the use restriction on the user is released. 24. The authentication device limits the use to the user again in response to a lapse of a predetermined time after the last reception of the personal authentication information from the portable authentication medium is detected. The personal authentication system according to claim 21. 25. The personal authentication system according to claim 21, wherein a personal identification number or biometric information obtained from the body of the user or a part thereof is used as the personal identification information. 26. The personal authentication process is a personal authentication method for physically changing the setting of the personal authentication function, wherein the user inputs personal identification information and changes the setting of the personal authentication function on the portable information terminal. A step of performing an operation, a step of confirming the identity of the user on the mobile information terminal, and, in response to the success of the identity verification, setting change information of the personal authentication function including the identity verification information is sent to the mobile information terminal. From the mobile authentication medium to the mobile authentication medium, changing the settings of the personal authentication function based on the setting change information from the mobile information terminal, and authenticating from the mobile authentication medium when the personal authentication function is set to ON. The step of performing personal authentication processing by transmitting personal authentication information to the device, and releasing the use restriction of the authentication device for the user in response to the success of the personal authentication processing. And the step that,
A personal authentication method comprising: 27. The portable information terminal, the portable authentication medium,
27. The personal authentication method according to claim 26, wherein data is transmitted and received between the authentication devices by wireless cryptographic communication. 28. Re-limiting the use of the authentication device to the user in response to a lapse of a predetermined time since the last reception of personal authentication information from the portable authentication medium was detected. 27. The personal authentication method according to claim 26. 29. The personal authentication method according to claim 26, wherein a personal identification number or biometric information obtained from a user's body or a part thereof is used as the personal identification information. 30. A portable information terminal for changing settings of a personal authentication function using a portable authentication medium, comprising a transmitting / receiving means for transmitting / receiving data to / from the portable authentication medium, a user input operation of personal identification information and personal authentication. User input means for performing a setting change operation of the function, identity verification means for identity verification using the identity verification information input via the user input means, in response to successful identity verification, Setting change information generation means for generating setting change information based on a setting change operation via the user input means, means for transmitting the generated setting change information to the portable authentication medium via the transmission / reception means, A portable information terminal comprising: 31. The portable information terminal according to claim 30, wherein the transmitting / receiving unit transmits the setting change information with an electronic signature to the portable authentication medium by wireless cryptographic communication. 32. The user input means receives a user input of a personal identification number as personal identification information, and the personal identification means compares the personal identification number input by the user with a personal identification number of a genuine user stored in advance. The portable information terminal according to claim 30, wherein: 33. The user input means acquires biometric information from a user's body or a part thereof, and the personal identification means stores in advance biometric information input by the user or characteristic data extracted from the biometric information. 31. The portable information terminal according to claim 30, wherein the portable information terminal is collated with characteristic data of a genuine user or biometric information thereof. 34. A portable authentication medium for performing a personal authentication process with a predetermined authentication device according to a setting change of a personal authentication function from the portable information terminal, which transmits and receives data to and from the portable information terminal and the authentication device. A transmitting / receiving unit, a personal authentication information holding unit that holds personal authentication information of the user, a personal authentication function changing unit that changes the setting of the personal authentication function according to the setting change information received from the portable information terminal, and the personal authentication function And a personal authentication information transmission control means for transmitting the personal authentication information held in the personal authentication information holding means to the authentication device, when the portable authentication medium is turned on. . 35. The transmitting / receiving means transmits / receives data to / from the portable information terminal and the authentication device by wireless cryptographic communication and confirms an electronic signature received from the portable information terminal. The portable authentication medium described. 36. Computer software physically written in a computer-readable format so as to execute a personal authentication process on a computer system for physically changing the personal authentication function from the personal authentication process. And a step of performing a user's input of personal identification information and a setting change operation of the personal authentication function on the portable information terminal, the personal computer having the personal identification function including the personal identification information. Transfer the setting change information from the mobile information terminal to the mobile authentication medium, perform the user identification process using the personal identification information included in the setting change information on the mobile authentication medium, and succeed in the personal identification. Responding to this, the step to change the setting of the personal authentication function, and when the personal authentication function is set to ON A step of sending a personal authentication information from the portable authentication medium to the authentication apparatus performs personal authentication processing, in response to individual successfully authenticated process, and releasing the restriction of the use of the authentication device for the user,
A storage medium comprising: 37. A computer software written in a computer-readable format to execute personal authentication processing for changing the setting of the personal authentication function physically separated from the personal authentication processing on a computer system. The computer software includes a step of inputting personal identification information and a setting change operation of a personal authentication function by the user on the mobile information terminal, and a personal identification processing of the user on the mobile information terminal. In response to the successful identification of the person, the step of transferring the personal authentication function setting change information including the personal identification information from the portable information terminal to the portable authentication medium, and the setting from the portable information terminal. Steps to change the settings of the personal authentication function based on the change information, and if the personal authentication function is set to on, carry it Performing a personal authentication process by sending the personal authentication information from the authentication medium to the authentication apparatus, in response to a successful personal authentication, the step of releasing the restriction of the use of the authentication device for the user,
A storage medium comprising: