JP2003218864A - Authentication method of subject and system thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication method and of the subject system therefor which realize reliable and flexible protection of identity according to a user's intention. <P>SOLUTION: An application transmission step s203 for transmitting an electronic application to a registrant terminal, an application reception step s204 for receiving, from a verifier terminal, the electronic application to which necessary information which is a condition of an issue of an electronic certificate and selection information which is all or a part of registered contents of the electronic certificate, and is designated or not designated on the electronic certificate are inputted with regard to the registrant, a registered contents selection step s211 for selecting the registered contents of the electronic certificate according to the selection information included in the electronic application, and a certification transmission step s213 for generating the electronic certificate having the selected registered contents to be transmitted to the verifier terminal are performed. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a personal authentication method using public key infrastructure technology, and more particularly to a digital certificate issuing method for protecting personal information.

[0002]

BACKGROUND OF THE INVENTION Public key infrastructure has become widespread as a basic technology for realizing data communication ensuring security on an open network such as the Internet.
In Japan, some certification authorities have already started the service, and from 2003, the certification authorities by public organizations will start the personal authentication service.

These certificate authorities play a role of authenticating and certifying the identity of the user who has made an electronic signature based on the public key cryptosystem (so-called personal authentication). As a result of the personal authentication process, the certification authority writes the user's public key and personal information indicating the identity of the user to the person requesting the personal certification (verifier), and the digital signature of the certification authority. Issue a digital certificate with When communicating with the other party on the open network, the user can prove his / her identity by sending this electronic certificate to the other party (verifier).

[0004]

On the other hand, there are cases where the electronic certificate contains information that the recipient does not want to know. Therefore, from the viewpoint of personal information protection, it can be said that it is desirable to control the content described in the electronic certificate according to the transmission partner. Therefore, a means for controlling the disclosure of personal information has been proposed.
The invention described in Japanese Patent No. 149504 corresponds to that. The present invention is a technique in which personal information is registered in advance in a reliable institution, while the registrant of this personal information allows the personal information to be viewed only by the person who has notified the institution in advance. .

However, the present invention is not intended for the personal authentication technology based on the public key infrastructure, and the improvement that the browsing range of the personal information cannot be set and controlled for each browser. Points were also left. That is, in the personal authentication technology using the public key infrastructure, which will be the main security technology in the communication on the open network, the technology that flexibly and reliably responds to the protection of personal information has not been provided.

Therefore, the present invention has been made in view of such conventional problems, and it is an object of the present invention to provide a personal authentication method and system which realizes reliable and flexible protection of personal information according to a user's intention. To aim.

[0007]

The application processing service providing method of the present invention that achieves the above object is a personal authentication method using a public key infrastructure, in which a certificate authority server, which is an issuing authority of a digital certificate, uses an electronic certificate. Application sending step for sending an electronic application, which is an application for issuing a certificate, to the registrant terminal that the registrant of the electronic certificate has, the necessary conditions for issuing the electronic certificate, and the contents of the electronic certificate The electronic application form in which all or part of the information regarding whether or not to be clearly indicated on the electronic certificate and the registrant is input is received from the verifier terminal of the verifier requesting the registrant's electronic certificate. Application form receiving step and description content selection step for selecting the description content of the electronic certificate according to the selection information included in the received electronic application form, and generation and verification of the electronic certificate with the selected description content Party And certificate transmitting step of transmitting to,
A personal authentication method comprising:

[0008]

DETAILED DESCRIPTION OF THE INVENTION Referring to the accompanying drawings,
Embodiments of the present invention will be described in detail. FIG. 1 is a network configuration diagram including a system for realizing a personal authentication method of the present invention. As the background of this embodiment, the personal authentication method of the present invention is applied when the data communication accompanied by the personal authentication is performed between the users who use the certification authority on the Internet, and the personal information of the user is appropriately protected. Assume the situation. Of course, the scope of application of the present invention is not limited to the present embodiment, and the present invention can be applied to any situation in which personal authentication is performed on a network using a public key infrastructure. Needless to say.

The certificate authority server 10 is provided in the certificate authority (CA) in the public key infrastructure (PKI) in order to realize the personal authentication method of the present invention. The certificate authority server 10 executes various processes that guarantee that the public key is valid when an electronic signature based on the public key cryptography is used in electronic transactions and the like. It is possible to prevent fraudulent acts such as fraud by certifying that the company or individual who distributes the public key is not fake (that is, authenticating the person). For example,
The orderer who received the order form electronically signed by the orderer of a certain product using the private key from the orderer verifies that the signature is correct using the public key distributed by the orderer on the network. To do. If the public key used at this time is the one with the electronic certificate received from the certificate authority server 10, the contractor can safely engage in the transaction.

The electronic certificate may include, for example, a personal certificate.
Classes are classified according to the level of certification, such as a class for authenticating WWW browsers and emails, a class for certificates issued by companies to employees, and a class for authenticating the existence of companies. For example, an electronic certificate for individuals includes certificate identification information such as a serial number, the name of the certificate authority that issued this certificate, the expiration date, the owner name, and the owner's public key. The basic format of the contents of this digital certificate conforms to ITU-T X.509.

The certificate authority server 10 uses the CP as shown in the figure.
The computer system includes an arithmetic / control unit 11 including U, an information storage unit 12 such as a hard disk, an input / output unit 13 such as a keyboard, a mouse, a display, and a communication unit 14 such as a modem. Therefore, the communication means 14 connects to a communication line such as the Internet to perform data communication with a registrant terminal 20 and a verifier terminal 30 described later, and the data such as the electronic application form 40 acquired by this data communication is stored as information. It is appropriately stored in the means 12. For example, the contents of the electronic certificate described above are stored in a database for each registrant of the electronic certificate, and an appropriate electronic signature verification process and an electronic signature are performed in response to a signature verification request from the verifier terminal 30. The process of issuing the certificate 50 is performed. The certificate authority server 10 is, of course, a computer that can function as both a WWW server and a mail server.

In the certificate authority server 10 provided in the certificate authority, it is the registrant who has registered his own electronic certificate. This registrant will be asked to issue his / her own electronic certificate from the certificate authority server 10 in response to the request of the data communication partner on the network, and to electronically prove his / her identity. This registrant has a registrant terminal 20.
Is. The registrant terminal 20 is the same as the certificate authority server 10,
Arithmetic / control means 21, information storage means 22, input / output means 2
3 is a computer system including communication means 24. The registrant terminal 20 accepts, via the electronic application form 40, the input of selection information for reflecting the matters that the registrant may or may not disclose to the verifier in the description of the electronic certificate 50, and the electronic certificate With the necessary input items (necessary items) for issuing the certificate, the electronic application form 40 is transmitted to the verifier terminal 30.

On the other hand, the verifier terminal 30 receives the electronic application form 40, applies the electronic signature of the verifier, and transfers the electronic signature to the certificate authority server 10 to request verification. The verifier terminal 30, like the certificate authority server 10 and the registrant terminal 20, is a computer system including an arithmetic / control unit 21, an information storage unit 22, an input / output unit 23, and a communication unit 24.

The registrant terminal 20 and the verifier terminal 3
0 is not limited to a general personal computer, but may be a device including any network-connectable computer chip, such as a network-connectable mobile phone, PDA, game machine, fax machine, digital TV, or Kiosk terminal. In addition, the network connecting the certificate authority server 10, the registrant terminal 20, and the verifier terminal 30 may be not only the Internet but also various networks such as ATM line, personal computer communication line, WAN, LAN, and wireless network. .

FIG. 2 is a flow chart showing the processing procedure of the personal identification method in this embodiment. The actual procedure of the personal authentication method of the present invention will be described below with reference to FIG.
A registrant who has already registered the electronic certificate 50 in the certificate authority server 10 uses the registrant terminal 20 to send a commodity purchase order 60 accompanying an electronic commerce transaction or the like to the verifier terminal 3 of the verifier who is the contractor.
Suppose you want to send it to 0. In this case, before sending the product order form 60 to the verifier terminal 30, the certificate authority server 10 is requested to issue the electronic application form 40.

On the other hand, the certificate authority server 10 accepts the issue request and issues the electronic application form 40 (s
201). An example of the data structure of the electronic application form 40 is shown in FIG. The electronic application form 40 is, for example, the electronic application form 40.
Identifier of the certificate authority, the identifier of the certification authority, the selection field of the description / non-statement (approval or not) in the electronic certificate 50, the maximum number of times the electronic application 40 can be used, the signature of the certification authority, the signature of the registrant,
Fields (301-301) for entering the respective verifier's signatures
310).

When the certificate authority server 10 issues the electronic application form 40, among the above-mentioned fields, the identifier information corresponding to the identifier field 301 of the electronic application form 40 and the identifier field 302 of the certificate authority are provided. Described (s202), an electronic signature is given to the signature field 308 of the certificate authority. In this example, the identifier of the electronic application form is "1", the identifier of the certification authority is "C", and the signature of the certification authority is "3GDE9aB". Among the entries in these fields, the electronic application identifier, usage limit number, and verifier's signature (public key) are stored in the electronic application information table 70 (see FIG. 7) included in the certificate authority server 10 for electronic application. Register and update each book to manage it. The electronic application form 40 is transmitted from the certification authority server 10 to the registrant terminal 20 (s203).

Electronic application form 40 with the above description
The registrant terminal 20 receives from the certificate authority server 10.
FIG. 4 is a diagram showing an example of the electronic application form when the registrant browses and fills it out. The registrant terminal 20 has an electronic certificate 50.
Selection field (303 to 30)
Accept the input or selection event by registrant for 6). In this example, "1" can be described and "0" is not described. The name field 303, gender field 304, date of birth field 305, address field 3
"1", "1", "1", and "0" are set in 06, respectively. That is, only the "address" is not disclosed to the verifier.

In addition to this, if the registrant determines the maximum number of times the electronic application form 40 can be used, the electronic application form 4
The number of times is set in the field 307 of 0. In FIG. 4, “3” is described to indicate that the usage limit number is limited to three times. The setting of this usage limit number is
It may be performed by the certificate authority server 10. When the selection of the contents described in the electronic certificate 50 is set in the selection fields 303 to 306, the electronic signature "SqG10P" of the registrant is attached to the field 309, and this electronic application form 40 becomes the product purchase order 60. It is attached and transferred to the verifier terminal 30. Although not shown, if the public key information (verifier identification information) of the verifier that can previously identify the verifier who can use the electronic application form 40 is known, this is to be included in the electronic application form 40. Please note.

FIG. 5 is a view showing an example of an electronic application form at the time when the verifier browses and fills it out. The verifier terminal 30 receives the electronic application form 40 and the product purchase order 60 sent from the registrant terminal 20. The verifier browses the merchandise purchase order 60 on the verifier's terminal 30 to recognize the details of the order, and at the same time, “0h
LD2J ”is the electronic signature of the verifier himself. Verifier terminal 3
The electronic application form 40, which is electronically signed at 0, is sent to the certificate authority server 10.

The certificate authority server 10 receives from the verifier terminal 30 the electronic application form 40 in which necessary items are described (s
204). Here, the certificate authority server 10 determines the validity of the electronic application form 40 as follows. Regarding the signature of the certificate authority, the signature of the registrant, and the signature of the verifier attached to the electronic application form 40, the public key of each person is acquired and verified (s20).
5). As the public key of the verifier among the public keys, the public key registered in the electronic application information table 70 described above may be used (verification 1).

If there is a problem in the verification result of this digital signature, the process ends. On the other hand, if there is no problem in the verification result of the electronic signature (s206), the usage limit number of the electronic application form 40 is recognized (s207). Identifier described in the field 301 of the electronic application form 40 (“1” in the embodiment)
The electronic application information table 70 that matches with is searched. If the usage limit number of the searched table 70 is not initialized, the value obtained by subtracting 1 from the value described in the usage limit number field 307 of the electronic application form 40 is copied to the field 702. Then, it is determined that the value of the usage limit number field 702 of the electronic application information table 70 is positive (s208). This is referred to as verification 2.
In both verification 1 and verification 2, if there is a problem in the result, the process ends.

On the other hand, if there is no problem in the verification result, the verifier identification information (public key here) described in the field 310 of the electronic application form 40 is recognized (s209). Then, it is determined whether or not this public key is a public key registered as a verifier who can use the electronic application form 40 (s210), and if it is determined that there is use permission, the electronic application form is determined. 40 is finally determined to be valid. If it is determined that there is no use permission, the process ends.

If it is confirmed that the electronic application form 40 is valid, the registered contents of the electronic application form information table 70 are updated. Then, the selection field (30
3 to 306), each field of the registrant's electronic certificate 50 is described (s211), and the electronic certificate 50 is issued (s212). In the electronic application form 40 of the embodiment, the address of the registrant is set not to be disclosed to the verifier, and thus the electronic certificate 50 shown in FIG. 6 describes personal information other than the address. This digital certificate 50
Is sent to the verifier terminal 30 after the digital signature of the certificate authority is given in the field 606 (s213).

According to the present invention, since the registrant terminal sends the electronic application form to the verifier terminal, it is possible to limit the description content of the electronic certificate that each verifier can refer to. Therefore, it is possible to easily and surely protect the personal information of the registrant of the electronic certificate. Also, register the public key of the verifier and the maximum number of times the electronic application can be used with the CA server, and when this CA server accepts the electronic application, the information such as the registered public key and the electronic application are registered. By verifying the consistency with the document, it is possible to prevent unauthorized use of the electronic application form.

The embodiment of the present invention may be as follows in order to achieve the above object. In the personal authentication method, a setting step of setting or receiving from the registrant terminal the application identification information for each electronic application and the usage limit number of the electronic application, and registering in a table; and the electronic received from the verifier terminal. Based on the application identification information attached to the application, a number recognition step of recognizing the corresponding usage limit number from the table, and a process of issuing a digital certificate if the recognized usage limit number is positive The method includes a number-of-times determination step of making a determination, and a subtraction step of performing a subtraction process of the usage limit number of times set in the application according to the number of times of issuing processing of the electronic certificate.

Further, in the above personal authentication method, a verifier information registration step of registering the verifier identification information of the verifier authorized to use the electronic application for each electronic application for which the use is permitted, and the verifier terminal. If the verifier identification information attached to the received electronic application form is that of the verifier authorized to use the electronic application form, a permission determination step of determining that the electronic certificate issuance process will be performed. , Are included.

Further, in the personal authentication method, the public key of the verifier is registered as the verifier identification information of the verifier who is permitted to use the electronic application, and the electronic mail of the verifier attached to the electronic application is registered. The signature will be verified with this public key.

In addition, in a server system that realizes a personal authentication method using a public key infrastructure, a certificate authority server that is an issuing authority of a digital certificate sends an electronic application form, which is a digital certificate issuance application, to an electronic certificate. Application form transmission means to be sent to the registrant terminal that the registrant of the certificate is equipped with, necessary conditions for issuing the electronic certificate, and whether or not all or part of the contents described in the electronic certificate can be clearly stated on the electronic certificate Included in the received electronic application form is an electronic application form in which the selection information of the above is input from the verifier terminal of the verifier who requests the electronic certificate of the registrant. Includes description content selection means for selecting the description content of the electronic certificate according to the selection information, and certificate transmission means for generating an electronic certificate having the selected description content and transmitting it to the verifier terminal. Characterized by And it is made a person authentication system.

Further, a program for causing the above-mentioned personal authentication method to function on a computer, in which a certificate authority server, which is an issuing authority of the electronic certificate, issues an electronic application, which is an application for issuing the electronic certificate, with an electronic certificate. Application sending step to send to the registrant terminal that the registrant of the certificate has, the necessary conditions for issuing the electronic certificate, and whether all or part of the contents described in the electronic certificate can be clearly indicated on the electronic certificate. An application reception step of receiving an electronic application in which the selection information is input for the registrant from the verifier terminal of the verifier requesting the registrant's electronic certificate, and the selection included in the received electronic application According to the information, a description content selection step of selecting the description content of the electronic certificate, and a certificate transmission step of generating an electronic certificate having the selected description content and transmitting it to the verifier terminal. And it is made a personal authentication program characterized Mukoto.

Further, a computer-readable recording medium in which the above-mentioned personal identification method program is recorded is formed.

[0032]

According to the present invention, a personal authentication method and system can be provided.

[Brief description of drawings]

FIG. 1 is a network configuration diagram including a system for realizing a personal authentication method of the present invention.

FIG. 2 is a flowchart showing a processing procedure of a personal authentication method according to the present embodiment.

FIG. 3 is a diagram showing an example of an electronic application form issued by a certificate authority.

FIG. 4 is a diagram showing an example of an electronic application form when a registrant browses and fills it out.

FIG. 5 is a diagram showing an example of an electronic application form when a verifier browses and fills it out.

FIG. 6 is a diagram showing an example of an electronic certificate issued by a certificate authority.

FIG. 7 is a diagram showing an example of an electronic application form information table.

[Explanation of symbols]

s203 Application form sending step s204 Application reception step s211 Content selection step s213 Certificate transmission step

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04L 9/00 675B 675Z (72) Inventor Junichi Takeuchi 1-6-27 Shinsuna, Koto-ku, Tokyo Stock company Hitachi, Ltd. Public Systems Division (72) Inventor Hiroko Hieda 1-6-27 Shinsuna, Koto-ku, Tokyo Stock Company Hitachi Ltd. Public Systems Division (72) Inuma Yoshimasa 2-chome, Toyo 2-4, Koto-ku, Tokyo Issue Hitachi Kokyo System Engineering Co., Ltd. F-term (reference) 5B085 AE00 AE29 5J104 AA07 AA09 EA19 JA21 KA05 LA03 LA06 MA01 NA02 PA07

Claims (7)

[Claims] 1. A personal authentication method using a public key infrastructure, wherein a certificate authority server, which is an issuing authority of a digital certificate, sends an electronic application, which is a digital certificate issuance application, to a digital certificate registrant. The steps to send the application to the registrant terminal, the necessary conditions for issuing the digital certificate, and the selection information of whether or not the whole or part of the contents of the digital certificate can be clearly shown on the digital certificate. In accordance with the application receiving step of receiving the electronic application entered for the registrant from the verifier terminal of the verifier requesting the registrant's electronic certificate, and the selection information included in the received electronic application. , A description content selection step of selecting the description content of the electronic certificate, and a certificate transmission step of generating an electronic certificate having the selected description content and transmitting it to the verifier terminal. Authentication method . 2. A setting step of setting or accepting from the registrant terminal the application identification information for each electronic application and the maximum number of times the electronic application can be used, and the electronic application received from the verifier terminal. Based on the application identification information attached to the certificate, the step of recognizing the corresponding number of times of use is recognized from the table, and if the recognized number of times of use is positive, it is determined that the electronic certificate issuance process will be performed. And a subtraction step for performing subtraction processing of the usage limit number set in the application according to the number of times of issuing processing of the electronic certificate,
The personal authentication method according to claim 1, further comprising: 3. A permission information registration step for registering the verifier identification information of the verifier authorized to use the electronic application for each electronic application for which the use is permitted, and the electronic application received from the verifier terminal. If the verifier identification information attached to the verifier is that of a verifier authorized to use the electronic application, a permission determination step of determining that the process of issuing a digital certificate is performed is included. The personal authentication method according to claim 2. 4. The public key of the verifier is registered as verifier identification information of the verifier authorized to use the electronic application, and the verification of the electronic signature of the verifier attached to the electronic application is published. The personal identification method according to claim 3, wherein the identification is performed with a key. 5. A server system for realizing a personal authentication method using a public key infrastructure, wherein a certificate authority server, which is an issuing authority of a digital certificate, sends an electronic application form, which is a digital certificate issuance application, to an electronic certificate. Application form transmission means to be sent to the registrant terminal that the registrant of the certificate is equipped with, necessary conditions for issuing a digital certificate, and whether or not all or part of the contents described in the digital certificate can be clearly stated on the digital certificate Included in the received electronic application form is an electronic application form in which the selection information of is input for the registrant from the verifier terminal of the verifier who requests the electronic certificate of the registrant. Includes description content selection means for selecting the description content of the electronic certificate according to the selection information, and certificate transmission means for generating an electronic certificate having the selected description content and transmitting it to the verifier terminal. A book featuring Authentication system. 6. A program for causing the personal authentication method according to claim 1 to function on a computer, wherein a certificate authority server, which is an issuing authority of the electronic certificate, issues an application for issuing the electronic certificate. Application step that sends an electronic application, which is a certificate, to the registrant terminal that the registrant of the electronic certificate has, the necessary items that are the conditions for issuing the electronic certificate, and all or part of the content of the electronic certificate About the application acceptance step of receiving the electronic application form in which the selection information on the approval or disapproval on the electronic certificate is input for the registrant from the verifier terminal of the verifier requesting the registrant's electronic certificate, , The description content selection step of selecting the description content of the electronic certificate according to the selection information included in the received electronic application form, and the generation of the electronic certificate with the selected description content and transmission to the verifier terminal Authentication program characterized by comprising a Akirasho transmitting step. 7. A computer-readable recording medium in which the personal identification method program according to claim 6 is recorded.