JP2005341226A - Service providing system and communication terminal device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a service provision system which performs user authentication in a communication terminal, comprises high privacy protective function, and carries out reduction of server load and improves complicated processings accompanying service utilization. <P>SOLUTION: The communication terminal 100a transmits a service request, which requires service permission of the communication terminal 100b, to a network 300. The communication terminal 100b receives the service request, and discriminates whether the communication terminal 100a is authenticated in the own communication terminal. If it is authenticated, the communication terminal 100b transmits a service request to a service provision server 200a. The service provision server 200a performs necessary processing, in order to offer the service based on the received service request, and offers service provision to the communication terminal 100a. By this method, it is not necessary to register all the user information permitted by a permitting user in a server with a authentication function, before receiving a service which is necessary to get partner's permission. Accordingly, a database is not required for information registration which is set for every service users in the server side, or network traffic accompanying the access is eliminated, and the load of the server and necessary resources accompanying the authentication processing are reduced. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a service providing system using authentication between communication terminals, and particularly to a service providing system using authentication using shared information between communication terminals registered in the communication terminals.

  In general, as one of the services that require the partner's permission, there is a service that checks the partner's location information. An example of a service providing system that handles position information as an example is disclosed in Patent Document 1. Hereinafter, the position notification telephone system described in Patent Document 1 will be described with reference to FIG. Here, a case where the subscriber side device 750 requests location information of the mobile terminal 705 is taken as an example.

  First, the subscriber side device 750 requests the location information of the mobile terminal 705 from the base station 704 via the gateway stations 702 and 703. The base station 704 receives a request from the subscriber side device 750 and sends a location notification call to the mobile terminal 705.

  This mobile terminal 705 has a configuration for selecting whether to permit or not to accept the position notification request signal. If it is permitted, the mobile terminal 705 automatically performs a position response, and conversely, if it is not permitted, a rejection signal is sent. It will be returned.

  The base station 704 analyzes the position of the mobile terminal 705 only when the position response from the mobile terminal 705 is received. Thereafter, the location information of the mobile terminal 705 is notified to the subscriber side device 750 via the base station 704 based on the analysis result. As described above, the subscriber side device 750 can recognize the position information of the mobile terminal 705 that is a communication partner.

  In addition to the above, there is a system disclosed in Patent Document 2 as a service providing system that handles location information that requires permission of the other party. Hereinafter, the position search method of the mobile communication terminal described in Patent Document 2 will be described with reference to FIG. Here, a case where the portable wireless terminal requests location information of another portable wireless terminal is taken as an example.

First, the portable wireless terminal 810a sends a position registration information inquiry request signal and a password to the network 830 in order to check the position of the portable wireless terminal 810b. The network 8300 obtains the position information of the portable wireless terminal 810b from the personal communication service control database 840 existing on the same network based on the input position registration information inquiry request signal only when the authentication by the password is completed. The location information is returned to the portable wireless terminal 810a that has transmitted the inquiry request signal, and a signal indicating that the inquiry has been made to the terminal 810b that has inquired the location registration information is supplied. The portable wireless terminal 810a can recognize the position information of the portable wireless terminal 810b that is the communication partner by displaying the returned position information on the display unit.
Japanese Patent Laid-Open No. 6-189359 JP 11-239379 A

  However, in the above-mentioned Patent Document 1, although it is possible to set whether or not location notification access is permitted, when location notification access is permitted, an automatic response is returned for all location notification request signals. The position of the communication terminal is also notified to the user who is not intended.

  In addition, when location notification access is not permitted, a rejection signal is returned for all location notification request signals, so in the unlikely event that you forgot to change the setting from non-permitted to permitted, the communication terminal was lost. In some cases, or when it is impossible to respond to the communication terminal, the location notification service cannot be received, and in such a case, there is a problem that the person himself is often in an emergency and cannot be used in the emergency.

  Further, in the above-mentioned Patent Document 2, even when the user is authenticated by the service providing server with an authentication function, and when the authentication server and the service providing server are provided independently, the server side And the necessary settings for authentication such as who authenticates who must be performed on the server for each user, the network traffic increases with the setting process, and the service expands. The effect will be stronger. For this reason, there are problems that the communication cost for the service user increases, the problem of service quality deterioration due to processing delay, and the cost for maintaining the service quality for the service provider continue to increase.

  Further, since it is necessary to have all the registration information set by the service user as a database on the server side, the service user also needs to change the contents after accessing the server even when changing the registration information.

  The present invention solves the above-described problems, and provides a service providing system that performs user authentication in a communication terminal, has a high privacy protection function, and reduces troublesome processing associated with server load reduction and service usage. The purpose is to do.

  In order to solve the conventional problem, the service providing system and the communication terminal device according to the present invention are configured as follows.

  A service providing system according to claim 1 is a request communication terminal device for creating a service request, an authentication communication terminal device for performing an authentication process based on the service request, and a service providing server device for providing a service. And a service providing system comprising a network having a function of transmitting information by wireless or wired connection, wherein the requesting communication terminal device includes an input means for processing input from outside the device, A communication means for transmitting and receiving information via a network; a storage means for recording data; a service request means for creating a service request including information necessary for authentication for a desired communication terminal device; Control means for controlling processing, and display means for displaying the processing contents in the requesting communication terminal device. An input means for processing input from the outside, a communication means for transmitting and receiving information via the network, a storage means for recording data, and authentication from a service request received using the communication terminal device An authentication unit that extracts necessary information, uses the information to authenticate a communication terminal apparatus that has transmitted a service request, and transmits a request conforming to the service request to the service providing server apparatus, and controls each process Control means; display means for displaying processing contents in the own communication terminal device; and the service providing server device, communication means for transmitting and receiving information via the network, and storage means for recording data A service providing means for providing a service based on the service request; and a control means for controlling each process, the request communication terminal device. Based on the authentication result performed between the communication terminal device for the authentication, a service provided.

  With this configuration, when a service request that requires the permission of the other party is made, service is provided by providing a verification function in the communication terminal owned by the user independently of the service providing server device In addition to reducing the load on the server device, it is possible to easily set and change the authentication method and authentication level performed on the communication terminal without each user accessing the server.

  In the service providing system according to the second aspect of the present invention, the service request unit included in the requesting communication terminal device can uniquely identify the requesting communication terminal device and the authentication communication terminal device. Or a plurality of divided information is included in the service request.

  With this configuration, in the authentication means included in the authentication communication terminal device, using information that can uniquely identify the request communication terminal device and the authentication communication terminal device included in the service request, The validity of the service request can be verified.

  According to a third aspect of the present invention, there is provided a communication terminal device comprising: input means for processing input from outside the apparatus; communication means for transmitting / receiving information via the network; storage means for recording data; and desired communication Service request means for creating a service request including information necessary for authentication with respect to the terminal device, and extracting information necessary for authentication from the service request received using the communication terminal device, and using the information An authentication unit that authenticates a communication terminal device that has transmitted a service request and transmits a request according to the service request to a service providing server device, a control unit that controls each process, and processing contents in the own communication terminal device Display means for displaying is provided.

  With this configuration, it is possible to configure a communication terminal apparatus used in the invention of claim 1 having the authentication unit and the service request unit.

  A communication terminal device according to a fourth aspect of the present invention is the communication terminal device according to the third aspect, comprising either one of the service request means and the authentication means.

  With this configuration, it is possible to configure a communication terminal device used in the invention of claim 1 having either one of the authentication unit or the service request unit.

  According to a fifth aspect of the present invention, there is provided a communication terminal device comprising: a weighting according to a type of the service request in the communication terminal device; and a stepwise authentication level for the communication terminal device that sends the service request. The authentication means does not authenticate the service request exceeding the authentication level set for each communication terminal device.

  With this configuration, since the authentication level can be set without accessing the server, a stepwise authentication level can be introduced in the authentication means without imposing a load on the network and the server. A highly versatile service system can be realized.

  The communication terminal device of the invention of claim 6 sets whether to require re-authentication in the communication terminal device according to the type of the service request in the communication terminal device, and the authentication means receives the received In response to the service request, it is checked whether re-authentication is necessary. If the request requires re-authentication, the input means requests the self-communication terminal device for input necessary for re-authentication.

  With this configuration, it is possible to make a determination as to whether or not to authenticate the service request using the input unit according to the importance of the service request.

  The communication terminal device of the invention of claim 7 performs registration or change of the communication terminal device to be requested for service or the communication terminal device to be authenticated for service in the communication terminal device, or re-authentication of claim 6. Before execution, it has personal authentication means for proving that it is the person who requests or authenticates service provision, and the personal authentication means uses the input means provided in the own communication terminal device.

  With this configuration, it is possible to prevent unintended alteration of information from a user.

  According to an eighth aspect of the present invention, the service request unit includes a conversion processing unit that performs an encryption process or a one-way data conversion process on information used by the authentication unit included in the communication terminal apparatus.

  With this configuration, it is not necessary to handle the information included in the service request in plain text, so that the content of the information can be protected.

  In the communication terminal device according to the ninth aspect of the invention, the authentication unit performs a decoding process or the one-way data conversion process on the information converted by the conversion processing unit or the information recorded in the communication terminal device. Conversion processing means.

  With this configuration, the information according to claim 8 is returned to the original plaintext for authentication, or after the one-way data conversion process is performed on the information recorded in the own communication terminal device The information can be compared with the information included in the service request, and the match between them can be verified to verify the validity of the information.

  The communication terminal device according to claim 10 receives the service request program or the authentication program used by the service request unit or the authentication unit included in the communication terminal device from the service providing server device to the own communication terminal device. The received program can be used as a service request program or an authentication program.

  With this configuration, the self-communication terminal device can freely receive a program corresponding to a service from the network, and a highly versatile system can be realized.

  The communication terminal device according to an eleventh aspect of the present invention is the communication terminal device, wherein the service request program and the authentication program provided by the service providing server device correspond to each service from the plurality of server devices to the own communication terminal device. The program can be received, recorded and used.

  With this configuration, the self-communication terminal device can receive and use a plurality of programs corresponding to services from the network, and the system can be realized more flexibly.

  In the communication terminal apparatus according to claim 12, when the communication terminal apparatus that has transmitted the service request is not authenticated by the authentication means in the communication terminal apparatus, the service request is rejected by the authentication means. By providing service request rejection notification determination means for determining whether or not to notify the communication terminal device that has transmitted the service request, it is possible to perform a response process at the time of non-authentication.

  With this configuration, a service refusal notice can be sent to the communication terminal device that sent the service request.

  The communication terminal device according to claim 13 is a communication terminal device in which, in the communication terminal device, when the communication terminal device that has sent the service request is not authenticated by the authentication means, the communication that has sent the service request to the authentication device. By having an access refusal means for refusing access from the terminal device, it is possible to perform a response process at the time of non-authentication.

  With this configuration, it is possible to deny access to a communication terminal apparatus that has transmitted the service request.

  The communication terminal device of the invention of claim 14 is the communication terminal device according to claim 14, wherein when the communication terminal device sending the service request is not authenticated by the authentication means, the communication device sending the service request to the authentication means. By having a registration means for registering information related to the terminal device, it is possible to perform a corresponding process at the time of non-authentication.

  With this configuration, it is possible to register the authentication unit so that the communication terminal device that has transmitted the service request is authenticated.

  The communication terminal device of the invention of claim 15 sets a stepwise level for the response processing at the time of non-authentication in the communication terminal device in the response processing at the time of non-authentication according to claims 11 to 13, By setting the handling level in the self-communication terminal device, the handling process corresponding to the handling level is performed when the handling process at the time of non-authentication is performed.

  With this configuration, it is possible to freely configure the handling process at the time of non-authentication.

  By using the present invention as described above, in the case of making a service request that requires the permission of the other party, the communication verification function for authentication is included in the communication terminal owned by the user independently of the service providing server device By reducing the load on the service providing server device, it is possible to easily set and change the authentication method and the authentication level performed on the communication terminal without each user accessing the server. .

  Embodiments of the present invention will be described below with reference to the drawings. However, the drawings are only for explanation, and do not limit the technical scope of the present invention.

(Embodiment 1)
FIG. 1 shows the configuration of a service providing system according to an embodiment of the present invention. This embodiment is configured as a system for investigating the position of a desired communication terminal using a communication terminal.

  As shown in FIG. 1, the service providing system includes a plurality of communication terminals including the communication terminals 100a and 100b, a plurality of service providing servers including the service providing servers 200a and 200b, and wireless communication with each communication terminal. The network 300 has a role of transmitting information by wired connection.

  FIG. 2 shows the internal configuration of the communication terminal 100 (100a, 100b). The communication terminal 100 is a communication terminal such as a mobile phone or a personal computer, and includes a display unit 101, an input unit 102, a control unit 103, a communication unit 104, an authentication unit 105, a service request unit 106, The storage unit 107 is included. When the communication terminal 100 is a personal computer, a display device having a display function and a keyboard or mouse having an input function are separately required. In the above description, the communication terminal 100 is an authentication / requesting terminal including both the authentication unit 105 and the service requesting unit 106. However, the communication terminal 100 may be provided with only one of the authentication function and the requesting function and authenticates the service request. If the authentication terminal performs only the service request, the authentication terminal 105 is provided, and if the request terminal performs only the service request, the service request unit 106 is provided.

  The authentication unit 105 performs an authentication process for determining whether the request is appropriate for the service request received by the communication unit 104, and if appropriate, sends the service request to the service providing server 200 via the communication unit 104. Have a role. If a database for authentication is necessary to perform the authentication process, the authentication unit 105 may include a database. The information recorded in the database preferably includes at least information that can uniquely identify the other party, such as a user ID, a personal identification number, or an e-mail address.

  The service request unit 106 has a role of creating a service request that requires permission of a desired communication terminal and sending it to the network 300 via the communication unit 104. If a database is necessary for making a service request, the service request unit 106 may include a database. It is desirable that the information recorded in the database includes at least information that can uniquely identify the other party, as in the database possessed by the authentication unit 105.

  FIG. 3 shows an internal configuration of the service providing server 200 (200a, 200b). The service providing server 200 is a server for providing a requested service, and includes a control unit 201, a communication unit 202, a service processing unit 203, and a storage unit 204.

  The service processing unit 203 has a role of performing processing that satisfies a request for a service request from the authentication unit 105 of the communication terminal 100. If a database is necessary to perform service processing, the service processing unit 203 may include a database. In the database, for example, when the service providing server 200 provides a location information notification service, location information associated with each communication terminal is recorded.

  Next, the details of the operation in this embodiment will be described with reference to the flowchart shown in FIG. Hereinafter, the present embodiment will be described using a communication terminal as a mobile phone. Here, the service request side terminal is 100a, the owner of the service request side terminal 100a is user A, the service authentication side terminal is 100b, the owner of the service authentication side terminal 100b is user B, and the service providing server is 200a. The service providing server 200a is a location information notification server provided with a database in which location information associated with each communication terminal is recorded in the service processing unit 203a.

  In step 1000 of FIG. 4 (hereinafter abbreviated as S1000), the service request side terminal 100a causes the service request unit 106a to create a service request in order to check the position of the service authentication side terminal 100b. This service request includes information indicating that the service request side terminal 100a makes a service request to the service authentication side terminal 100b. For example, both the service request side terminal 100a and the service authentication side terminal 100b are uniquely identified. Contains information such as each other's phone numbers that can be identified. This will be described later. In S1001, a service request is sent from the communication unit 104a to the service authentication side terminal 100b. The service authentication side terminal 100b can know that the request is from the service request side terminal 100a based on the information that can uniquely identify each other included in the service request received in S1003.

  In S1004, authentication processing is performed using information included in the service request received in S1003. Since the details of the authentication process will be described later, a brief description will be given here. If the service request from the service request side terminal 100a is authenticated in the service authentication side terminal 100b, the service request is sent to the service providing server 200a in S1004. If the service request is not authenticated, the processing result is displayed. It is sent to the service request side terminal 100a. The service requesting terminal 100a receives the result in S1002 and knows that the service request has been rejected.

  When the service request is authenticated in S1004, the service providing server 200a receives the service request from the service authentication side terminal 100b in S1005, and in S1006, the service processing unit 203 obtains the location information of the service authentication side terminal 100b from the database. In step S1007, the service providing server 200a sends position information to the service requesting terminal 100a. In S1002, the service request side terminal 100a receives the location information of the service authentication side terminal 100b from the service providing server 200a, and displays the result on the display unit 101a. As described above, the service requesting side terminal 100a can know the position of the service authentication side terminal 100b.

  In the present embodiment, the location information of the service authentication side terminal 100b is recorded in the database of the service providing server 200a. After receiving the service request from the service authentication side terminal 100b in S1005, Alternatively, the service processing unit 203a may check the position of the service authentication side terminal 100b in S1006 and send the result to the service request side terminal 100a in S1007. A number of methods for checking the position of a communication terminal, not limited to a mobile phone, have been proposed and are well known. Therefore, it is not mentioned here.

  Next, FIG. 5 shows an authentication processing flow performed in S1004. First, in step S1003, the authentication unit 105b determines whether the information (email address, telephone number) regarding the service authentication side terminal 100b included in the service request received from the service request side terminal 100a is authentic. In step S1102, it is checked whether the information recorded in the storage unit 107b of the terminal matches the received information. If they match, it is checked in step S1104 whether the information (email address, telephone number) related to the service request side terminal 100a included in the received service request is authenticated. A service authentication user table, which will be described later, is used for authentication determination. If the information received from the service requesting terminal 100a does not match the information recorded in the table, the information is compared with the next information recorded in the table until all the information in the table is searched. If the service request side terminal 100a is authenticated, a service request is created in S1106, and the service request is sent to the service providing server 200a in S1107. The service request includes at least information that can uniquely identify the service requesting terminal 100a, and includes, for example, the mail address of the service requesting terminal 100a.

  Next, information that can uniquely identify each other recorded in the service request database and the authentication database used in the present embodiment will be described.

  The service request unit 106a of the service request side terminal 100a has a service request user table 400 shown in FIG. 12 in the service request database, and creates a service request using this table. The service request unit 106a extracts the mail address and telephone number of the service authentication side terminal 100b from the table as information that can uniquely identify the service authentication side terminal 100b, and includes it in the service request. Then, the mail address and the telephone number recorded in the storage unit 107a are also included in the service request and transmitted from the communication unit 104a to the service authentication side terminal 100b.

  When the service request is received by the service authenticating terminal 100b, the authenticating unit 105b receives the service authentication user shown in FIG. 13 recorded in the authentication database, with its own mail address and telephone number recorded in the storage unit 107b. Authentication is performed using the mail address and telephone number of the service request side terminal 100a in the table 410. Thereby, it becomes possible to perform an authentication process using information that can uniquely identify communication terminals.

  In FIG. 5, if there is an error in the information received in S1102, and if the service request side terminal 100a is not registered in the service authentication table 400 of the service authentication side terminal 100b in S1104, in S1101 Perform error handling. An example of error handling processing is given below.

  In the flowchart of the error handling process shown in FIG. 8, it is determined whether or not to notify that the service has been rejected in S2000, and if so, a rejection notification is sent to the service requesting terminal 100a, 100a receives the result in S1002. If no notification is given, the process ends.

  In the flowchart of the error handling process shown in FIG. 9, it is determined in step S2100 whether to set access rejection.

  If access denial is set, the service denial table 420 shown in FIG. 14 held by the authentication unit 105b of the service authenticating side terminal 100b is updated so as not to react to the service request from the service requesting side terminal 100a in S2101. To do.

  Thereafter, even if the service authentication side terminal 100b receives a service request from the service request side terminal 100a, the process can be terminated as a request from the rejected user by referring to the service rejection user table 420.

  In the flowchart of the error handling process shown in FIG. 10, it is determined whether or not new registration is performed in the service authentication user table 400 for an unauthenticated terminal in S2200. Information related to the service requesting terminal 100a received from 100a is registered in the service authentication user table 400.

  Of course, various forms of error handling processing described above are possible, including the simultaneous use of a plurality of error handling processes and the simple display of log information on the service authentication side terminal other than the above-described error handling process.

  The error handling process may be registered in the authentication database of the terminal 100b on the service authentication side, for example, so that it is always executed or not always executed. For example, the error handling process table shown in FIG. As shown in 900, an error handling level is set for each error process, and when an error occurs, the error handling level shown in the error handling level table 910 shown in FIG. 25 is referred to when an error occurs. Thus, only error processing for which an error handling level higher than the level set there may be performed.

  In this embodiment, an e-mail address and a telephone number are specified as information for uniquely identifying each other, but the present invention is not limited to this, and any information that can identify each other such as a user ID or a personal identification number may be used.

  In the present embodiment, the operation in which the service request terminal 100a obtains the location information of the service authentication terminal 100b has been described. However, a communication terminal other than the mobile phone connected to the network 300 can detect the location of the service authentication terminal 100b. Of course, information can be obtained in the same manner as described above.

  Note that the authentication unit 105 and the service request unit 106 included in the communication terminal 100 are not necessarily independent, and may be a single authentication / request unit having two functions, or an authentication database and a service request database. May be included in the storage unit 107.

  For example, in a mobile phone, personal information such as an address book and a telephone number list is often recorded in the storage unit 107, and therefore it is also possible to use them as shared information. In addition, the service request unit 106 does not need to have a separate database.

  Note that it is not always necessary for each piece of information to uniquely identify the other party, such as an email address or telephone number. One is set differently for each group, and the other is a different value for each user in the group. May be used to uniquely identify a partner from a plurality of pieces of information.

  In the present embodiment, it is assumed that information related to the user B in the service authentication side terminal 100b is recorded in the storage unit 107b. However, the service authentication user table possessed by the service authentication side terminal 100b is described. The information regarding the user B may be recorded in 410, and the authentication may be performed using the service authentication user table 410 during the authentication process.

  The personal information is not used as it is for service request and authentication as it is, but for example, the service request side terminal 100a includes the encrypted shared information in the service request and the service authentication side terminal 100b decrypts it. The processing described in this embodiment may be performed on the information. Alternatively, the service request side terminal 100a performs one-way data conversion on the shared information of each other, and includes the converted information in the service request and sends it to the service authentication side terminal 100b. Performs the same one-way conversion on the shared information recorded in its own device, and then determines the validity of the service request by looking at the match between the received information and the information calculated by the own device. May be performed.

  Needless to say, all the processes performed by the service authentication side terminal according to the present embodiment can be performed automatically.

  As described above, according to the present embodiment, the service request side terminal 100a has at least information related to the service authentication side terminal 100b necessary for authentication, and the service request side terminal 100a is authenticated in the service authentication side terminal 100b. Therefore, the service requesting terminal 100a cannot receive the service only by knowing the information related to the service authenticating terminal 100b necessary for authentication. As a result, the service is not provided to the user who is not intended, and the privacy protection of the user B who owns the service authentication side terminal 100b can be realized.

  Further, since each communication terminal 100 has functions (authentication unit 105, service request unit 106) necessary for authentication, the service request side terminal 100a is authenticated by the service authentication side terminal 100b on the service providing server 200 side. It is no longer necessary to have an authentication server for determining whether or not it is necessary and an authentication database that is necessary for performing the processing, so that the server load can be reduced.

  In addition, since the user only needs to perform various settings required for authentication on the own communication terminal, there is no need to perform server access associated with registration or change of settings, resulting in a reduction in network traffic and server load. Reduction and improvement of processing performed by the user accompanying use of the service can be achieved.

  Further, the number of users authenticated by the service authentication side terminal 100b is not enormous due to the nature of the service system that involves user authentication, so the load on the service authentication side terminal 100b does not increase.

(Embodiment 2)
This embodiment is configured as a system for making a payment using a credit card corresponding to a desired communication terminal using the communication terminal.

  As shown in FIG. 1, the service providing system includes communication terminals 100a and 100b, a service providing server 200b that performs credit card payment, and a network 300 to which the service terminal belongs. Hereinafter, taking the case where the service request side terminal 100a performs payment using a credit card corresponding to the service authentication side terminal 100b as an example, the present embodiment will be described using each communication terminal as a mobile phone.

  The overall processing flow is the same as that in the first embodiment, and is omitted from FIG.

  In the present embodiment, in S1000 of FIG. 4, the service request side terminal 100a causes the service request unit 106a to create a service request in order to make a payment using a credit card corresponding to the service authentication side terminal 100b. This service request includes information indicating that the service request side terminal 100a makes a service request to the service authentication side terminal 100b. For example, both the service request side terminal 100a and the service authentication side terminal 100b are uniquely identified. Contains information such as each other's phone numbers that can be identified. This will be described later.

  Next, FIG. 6 shows the authentication processing flow performed in S1004. First, the authentication unit 105b of the service authentication side terminal 100b has the information (email address, telephone number, credit card number) related to the service authentication side terminal 100b included in the service request received from the service request side terminal 100a in S1003 as a regular one. In step S1202, it is checked whether the information recorded in the storage unit 107b of the communication terminal matches the received information. If they match, it is checked in step S1204 if the information (email address, telephone number) regarding the service requesting terminal 100a included in the received service request is authenticated. A service authentication user table, which will be described later, is used for authentication determination. If the information received from the service requesting terminal 100a does not match the information in the table, the information is compared with the next information recorded in the table, and the information is one by one until all the information in the table is searched. If the service requesting terminal 100a is authenticated, the authentication level is checked in S1206. The authentication level refers to a level that is set stepwise as to whether or not the service authentication side terminal 100b authenticates the service request of the service request side terminal 100a. A detailed description of the authentication level will be described later.

  If an authentication level check is performed in S1206 and the service request received from the service request side terminal 100a is an appropriate level request, the authentication unit 105b of the service authentication side terminal 100b creates a service request in S1208. In step S1209, a service request is sent to the service providing server 200b. The service request transmitted at this time includes at least information that can uniquely identify the service request side terminal 100a.

  The processing after the service providing server 200b receives the service request from the service authenticating terminal 100b is the same as the method shown in the first embodiment, although the content of the service processing is different. To do. As a result, the service requesting side terminal 100a receives the processing result from the service providing server 200b, and displays on the display unit 101a that the credit card payment has been completed. As described above, the service requesting side terminal 100a can make a payment using the credit card corresponding to the service authentication side terminal 100b.

  Next, information that can uniquely identify each other recorded in the service request database and the authentication database used in the present embodiment will be described.

  The service request unit 106a of the service request side terminal 100a has a service request user table 500 shown in FIG. 15 in the service request database, and uses this table to create a service request. The service request unit 106a extracts the mail address, the telephone number, and the credit card number of the service authentication side terminal 100b from the table as information that can uniquely identify the service authentication side terminal 100b, and includes them in the service request. Then, the mail address and the telephone number recorded in the storage unit 107a are also included in the service request and transmitted from the communication unit 104a to the service authentication side terminal 100b.

  When the service request is received by the service authentication side terminal 100b, the authentication unit 105b is recorded in its own mail address, telephone number, credit card number, and authentication database held by the authentication unit 105b. Authentication processing is performed using the mail address and telephone number of the service requesting terminal 100a in the service authentication user table 510 shown in FIG. Thereby, it becomes possible to perform an authentication process using information that can uniquely identify communication terminals.

  An example of the authentication level will be described with reference to FIGS. As shown in the service level table 530 of FIG. 18, the authentication level required to know the position of the other party is defined as 0b100, and the authentication level for the credit card settlement service is defined as 0b111. Accordingly, referring to the authentication level table 520 of FIG. 17, it can be seen that a higher authentication level is required to receive the credit card payment service than to the location information notification service. The service authentication side terminal 100b registers the authentication level corresponding to each service request side terminal in the service authentication user table 510 in advance. In the service authentication user table 510 of the service authentication side terminal 100b, since the authentication level of the service request side terminal 100a is set to 0b111, the service request side terminal 100a provides a request regarding the location information notification service and the credit card settlement service. When sent to the authenticating terminal 100b, both are authenticated in the service authenticating terminal 100b, and the service requesting terminal 100a can receive either service.

  Further, although not described in the present embodiment, since the authentication level is 0b001 in the service request side terminal 100d owned by the user D, the requests relating to the location information notification service and the credit card settlement service are not authenticated. The service requesting terminal 100d cannot receive either service.

  In the setting of the authentication level, in the above embodiment, the authentication level is expressed by a binary number of 3 bits. However, this is not optimal for the data format, and it can be replaced if the format can express the stage. The authentication level width may be two stages or further subdivided.

  In addition to setting the authentication level for each user, it is of course possible to create a group for each of a plurality of users and set the authentication level for each group.

  The error handling process in the present embodiment is as described in the first embodiment.

  The various items described in the first embodiment, such as the type of information for uniquely identifying each other and the use of encrypted shared information, can be similarly applied in the present embodiment. Of course, the matters described in the present embodiment, such as setting the authentication level, can be similarly applied in the first embodiment.

  Thus, according to the present embodiment, a service system with higher versatility can be realized by introducing stepwise authentication levels in authentication.

  Compared to a server authentication type service system, the processing required for setting the authentication level can be performed on the communication terminal, so there is no need to perform server access for registration or change of those settings. Accordingly, the network traffic can be reduced, the server load can be reduced, and the processing performed by the user when using the service can be improved.

(Embodiment 3)
This embodiment is configured as a system for collecting log information recorded in a desired communication terminal using a communication terminal. This includes, for example, a questionnaire or monitor service that collects log information indicating the type and frequency of use of the service used by the user who owns the communication terminal in the past, or the usage status of the function of the communication terminal and examines the result. It is one of similar service forms.

  As shown in FIG. 21, the service providing system includes communication terminals 100a, 100b, and 100c, a service providing server 200c that provides authentication / service request software, and a network 300 to which the service provision server 200c belongs. The configurations of the communication terminal 100 and the service providing server 200 are as shown in FIGS. 2 and 3 as in the first or second embodiment.

  Hereinafter, taking the case where the service request side terminal 100c collects log information held by the service authentication side terminals 100a and 100b as an example, this embodiment will be described with the communication terminals 100a and 100b as mobile phones and the 100c as a personal computer.

  The communication terminal 100 (100a, 100b, 100c) takes out the authentication program and the service request program stored in the service providing server 200c, receives them in its own communication terminal, and records them in the authentication unit 105 and the service request unit 106. To do. Thereafter, the authentication unit 105 and the service request unit 106 use the newly recorded program for authentication and service request creation.

  Next, the details of the operation in this embodiment will be described with reference to the flowchart shown in FIG. In S4000 of FIG. 26, the service request side terminal 100c causes the service request unit 106c to create a service request in order to extract log information held by the service authentication side terminal 100a. This service request includes information indicating that the service request side terminal 100c makes a service request to the service authentication side terminal 100a. For example, both the service request side terminal 100c and the service authentication side terminal 100a are uniquely identified. Contains information such as each other's phone numbers that can be identified. This will be described later. In step S4001, a service request is sent from the communication unit 104c to the service authentication side terminal 100a. The service authentication side terminal 100a can know that it is a request from the service request side terminal 100c based on the information that can uniquely identify each other included in the service request received in S4003.

  In S4004, an authentication process is performed using information included in the service request received in S4003. Since the details of the authentication process will be described later, a brief description will be given here. When the service request from the service requesting side terminal 100c is authenticated in the service authenticating side terminal 100a, service information, in this case log information, is sent to the service requesting side terminal 100c in S4004, and the service request is not authenticated. If it is, the processing result is sent to the service requesting terminal 100c. The service request side terminal 100c receives the result in S4002 and knows that the service request has been rejected.

  When the service request is authenticated in S4004, the service request side terminal 100c receives the log information from the service authentication side terminal 100a in S4002, and displays on the display unit 101c that it has been successfully received. In the present embodiment, the service request side terminal 100c and the service authentication side terminal 100a have been described. However, the service request side terminal 100c and the service authentication side terminal 100b can also perform processing in the same flow. As described above, the log information of the service authentication side terminals 100a and 100b can be recorded in the service request side terminal 100c.

  Next, FIG. 7 shows an authentication processing flow performed in S4004. First, the authentication unit 105a of the service authentication side terminal 100a determines whether the information (email address, user ID) regarding the service authentication side terminal 100a included in the service request received from the service request side terminal 100c in S4003 is authentic. In order to check, it is checked in step S4104 whether the information recorded in the storage unit 107a of the communication terminal and the received information match. If they match, it is checked in step S4106 whether the information (email address, user ID) regarding the service request side terminal 100c included in the received service request is authenticated. A service authentication user table, which will be described later, is used for authentication determination. If the information received from the service requesting terminal 100c does not match the information recorded in the table, the information is compared with the next information recorded in the table until all the information in the table is searched. If the service request side terminal 100c is authenticated, the request type is checked in step S4108.

  In the request type check, it is checked whether or not the service request from the service requesting terminal 100c needs to be re-authenticated by the service authenticating terminal 100a. If it is a service request that requires re-authentication, in S4102, the service authentication side terminal 100a is requested for some input as re-authentication processing. As an example, there is a method in which a determination sentence asking whether to authenticate is displayed on the display unit of the communication terminal, and the user selects one of them. If authenticated, the authentication unit 105a of the service authentication side terminal 100a retrieves log information as service information from the storage unit 107a in S4110, and sends the log information to the service request side terminal 100c in S4111.

  Here, whether or not re-authentication is necessary is determined by referring to the re-authentication table 620 shown in FIG. 27, for example. If the requested service is set to ON, re-authentication processing is required. If it is set to OFF, re-authentication processing is not required.

  Next, information that can uniquely identify each other recorded in the service request database and the authentication database used in the above embodiment will be described.

  The service request unit 106c of the service request side terminal 100c has a service request user table 600 shown in FIG. 19 in the service request database, and uses this table to create a service request. The service request unit 106c extracts the mail address and user ID of the service authentication side terminal 100a from the table as information that can uniquely identify the service authentication side terminal 100a, and includes it in the service request. Then, the mail address and the user ID recorded in the storage unit 107c are also included in the service request and sent from the communication unit 104c to the service authentication side terminal 100a.

  When the service request is received by the service authentication side terminal 100a, the authentication unit 105a receives the service authentication user shown in FIG. 20 recorded in the authentication database, with its own mail address and user ID recorded in the storage unit 107a. Authentication is performed using the mail address and user ID of the service request side terminal 100c in the table 610. Thereby, it becomes possible to perform an authentication process using information that can uniquely identify communication terminals.

  The error handling process in the present embodiment is as described in the first embodiment.

  In this embodiment, the authentication program and the service request program are received from the service providing server 200c and used. However, the service providing server 200 only distributes service software provided by the own server. Instead, software for services that are not provided by the server itself can also be distributed. Accordingly, each communication terminal can record a plurality of software corresponding to each service and use them as necessary.

  In the present embodiment, the log information in the service authentication side terminal 100a is directly sent to the service request side terminal 100c, but this is an example, and the log information is recorded in the service providing server 200c. When the service authentication side terminal 100a authenticates the service request from the service request side terminal 100c, the service authentication side terminal 100a sends a service request to the service providing server 200c, and in response to the request, the service providing server 200c Log information may be sent to the service requesting terminal 100c.

  In this embodiment, input from the person is requested in the re-authentication process. As shown in the personal authentication routine in FIG. 11, authentication is performed before the re-authentication to verify whether or not the user is the identity, and only when the identity is recognized as a result of the authentication, the re-authentication is input. You may make it do.

  In the personal authentication process performed in S3001 in the personal authentication routine of FIG. 11, the input of a personal identification number may be requested, or if it is a terminal that can use authentication using the biometric information of the person, It may be used.

  The personal authentication is not limited to before the re-authentication, but may be performed before the new registration at the time of the error handling process of FIG. 10 which is the first embodiment, or the second embodiment. This may be performed before the authentication level is changed, or may be performed anywhere before the process that requires proof of identity.

  It should be noted that the present embodiment relates to the various items described in the first and second embodiments, such as the type of information for uniquely identifying each other, the use of encrypted personal information, and the setting of the authentication level. Of course, the matters described in this embodiment, such as performing re-authentication, can be similarly applied in the first and second embodiments.

  Thus, according to the present embodiment, a more secure service system can be realized by requiring re-authentication by the principal in accordance with the type of service request.

  Further, if the re-authentication process is to be realized by a server authentication type service system, communication always occurs between the user and the server in response to the re-authentication request. In the above embodiment, the service request side terminal 100c Since the re-authentication process for the service request is performed in the service authentication side terminals 100a and 100b, network access does not occur, and the re-authentication process is also processed in the own communication terminal. It does not take.

  The service providing system and the communication terminal device according to the present invention are useful as a service providing system using authentication between communication terminals. In particular, it is useful as a service providing system that uses authentication using shared information between communication terminals registered in the communication terminal.

  As a specific service providing system, as shown in the embodiment, it can be applied to various systems such as a system that provides location information, a payment system using a credit card, etc., and an information collection system in a communication terminal such as a log. .

The system block diagram in Embodiment 1 and 2 of this invention Internal configuration diagram of communication terminal 100 according to Embodiment 1-3 of the present invention Internal configuration diagram of service providing server 200 according to Embodiment 1-3 of the present invention The flowchart which shows the flow of the whole process in Embodiment 1 and 2 of this invention The flowchart which shows the flow of the authentication process in Embodiment 1 of this invention. The flowchart which shows the flow of the authentication process in Embodiment 2 of this invention. The flowchart which shows the flow of the authentication process in Embodiment 3 of this invention. Flowchart showing the flow of error handling processing in Embodiment 1-3 of the present invention Flowchart showing the flow of error handling processing in Embodiment 1-3 of the present invention Flowchart showing the flow of error handling processing in Embodiment 1-3 of the present invention The flowchart which shows the flow of the personal authentication process in Embodiment 1-3 of this invention. The figure which shows the service request user list in Embodiment 1 of this invention. The figure which shows the service authentication user list in Embodiment 1 of this invention. The figure which shows the service refusal user list in Embodiment 1 of this invention. The figure which shows the service request user list in Embodiment 2 of this invention. The figure which shows the service authentication user list in Embodiment 2 of this invention. The figure which shows the authentication level in Embodiment 2 of this invention The figure which shows the service level in Embodiment 2 of this invention The figure which shows the service request user list in Embodiment 3 of this invention. The figure which shows the service authentication user list in Embodiment 3 of this invention. System configuration diagram according to Embodiment 3 of the present invention Configuration diagram of the invention disclosed in Japanese Patent Laid-Open No. 6-189359 Configuration diagram of the invention disclosed in Japanese Patent Laid-Open No. 11-239379 The figure which shows the error handling level corresponding to each error processing in Embodiment 1 of this invention The figure which shows the error countermeasure level set to the terminal in Embodiment 1 of this invention The flowchart which shows the flow of the whole process in Embodiment 3 of this invention. The figure which shows whether each service request requires re-authentication in Embodiment 3 of this invention

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Communication terminal 101 Display part 102 Input part 103 Control part 104 Communication part 105 Authentication part 106 Service request part 107 Storage part 200 Service provision server 201 Control part 202 Communication part 203 Service processing part 204 Storage part 300 Network 400 Service request user table 410 Service authentication user table 420 Service denial user table 500 Service request user table 510 Service authentication user table 520 Authentication level table 530 Service level table 600 Service request user table 610 Service authentication user table 620 Re-authentication table 900 Error handling table 910 Error handling level table

Claims (15)

A communication terminal device for request for creating a service request, an authentication communication terminal device for performing an authentication process based on the service request, a service providing server device for providing a service, and a wireless or wired line connection, information Is a service providing system composed of a network with a function to transmit
The communication terminal device for request includes an input unit that processes input from outside the device, a communication unit that transmits and receives information via the network, a storage unit that records data, and a desired communication terminal device In contrast, service request means for creating a service request including information necessary for authentication, control means for controlling each process, and display means for displaying the processing content in the communication terminal device for the request,
The authentication communication terminal device comprises: input means for processing input from outside the apparatus; communication means for transmitting / receiving information via the network; storage means for recording data; and the communication terminal apparatus. The information required for authentication is extracted from the service request received using it, the communication terminal device that sent the service request is authenticated using the information, and the request corresponding to the service request is sent to the service providing server device Authentication means, control means for controlling each process, and display means for displaying the processing contents in the own communication terminal device,
The service providing server device controls a communication means for transmitting / receiving information via the network, a storage means for recording data, a service providing means for providing a service based on the service request, and each process. Control means to
A service providing system for providing a service based on an authentication result performed between the requesting communication terminal device and the authentication communication terminal device. The service request means included in the requesting communication terminal device services one or more pieces of information that can uniquely identify the requesting communication terminal device and the authentication communication terminal device, or a plurality of divided pieces of information. The service providing system according to claim 1, wherein the service providing system is included in a request. Information necessary for authentication with respect to input means for processing input from the outside of the apparatus, communication means for transmitting and receiving information via the network, storage means for recording data, and a desired communication terminal device A service request means for creating a service request including the information required for authentication from the service request received using the communication terminal device, and authenticating the communication terminal device that sent the service request using the information And authentication means for sending a request conforming to the service request to the service providing server apparatus, a control means for controlling each process, and a display means for displaying the processing content in the own communication terminal apparatus. Communication terminal device. 4. The communication terminal apparatus according to claim 3, further comprising one of the service request unit and the authentication unit. In the communication terminal device, a weighting according to the type of the service request and a stepwise authentication level for the communication terminal device that sends the service request are set in the communication terminal device, and the authentication unit includes each communication terminal 5. The communication terminal apparatus according to claim 3, wherein the service request exceeding the authentication level set in the apparatus is not authenticated. In the communication terminal device, a setting is made as to whether or not re-authentication is required in the communication terminal device according to the type of the service request, and the authentication means requires re-authentication for the received service request. 5. The communication terminal apparatus according to claim 3, wherein if there is a request that requires re-authentication, an input necessary for re-authentication is obtained from the input means to the self-communication terminal apparatus. The communication terminal apparatus requests or authenticates service provision before executing registration or change of a communication terminal apparatus that is a service request target or a communication terminal apparatus that is a service authentication target, or re-authentication according to claim 6. Have personal authentication means to prove that you are
The communication terminal apparatus according to claim 3 or 4, wherein the personal authentication means uses the input means included in the own communication terminal apparatus. 5. The communication according to claim 3, wherein the service request unit includes a conversion processing unit that performs encryption processing or unidirectional data conversion processing on information used in the authentication unit included in the communication terminal device. Terminal device. The authentication means further comprises a conversion processing means for performing a decoding process or a one-way data conversion process on the information converted by the conversion processing means or the information recorded in the own communication terminal device. The communication terminal device according to 3 or 4. A service request program or an authentication program used in the service request means or the authentication means included in the communication terminal apparatus is received from the service providing server apparatus to the own communication terminal apparatus, and the received program is a service request program. 5. The communication terminal apparatus according to claim 3, wherein the communication terminal apparatus can be used as an authentication program. In the communication terminal device, the service request program and the authentication program provided by the service providing server device are received from the plurality of server devices in the communication terminal device, and the program corresponding to each service is recorded. The communication terminal device according to claim 3 or 4, wherein the communication terminal device can be used. In the communication terminal apparatus, when the communication terminal apparatus that sent the service request is not authenticated by the authentication means, the communication terminal that sent the service request to the authentication means that the service request was rejected. 5. The communication terminal apparatus according to claim 3, wherein a service request rejection notification determination unit that determines whether or not to notify the apparatus can be used to perform a response process at the time of non-authentication. In the communication terminal apparatus, when the communication terminal apparatus that has sent the service request is not authenticated by the authentication means, an access denial means that denies access from the communication terminal apparatus that has sent the service request to the authentication means. 5. The communication terminal device according to claim 3, wherein the communication terminal device can perform a response process at the time of non-authentication. In the communication terminal apparatus, when the communication terminal apparatus that sent the service request is not authenticated by the authentication means, a registration means that registers information related to the communication terminal apparatus that sent the service request in the authentication means. 5. The communication terminal apparatus according to claim 3, wherein the communication terminal apparatus can perform a corresponding process at the time of non-authentication. 14. The handling process at the time of non-authentication according to claim 11 to 13, wherein a stepwise level is set in the own communication terminal apparatus for the handling process at the time of non-authentication, and a handling level is set in the own communication terminal apparatus. 5. The communication terminal device according to claim 3, wherein when performing the handling process at the time of non-authentication, the handling process according to the handling level is performed.

Images