JP2007058340A - Authentication system, authentication method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To construct an authentication system whose security level is high. <P>SOLUTION: An information storing device 2 having a confidential data storing part 11 in which confidential data are stored; a biological information detecting part 12 for detecting biological information; a biological information authenticating part 13 for authenticating the biological information; a serial number storing part 14 in which serial numbers are stored; a password for authentication storage part 15 in which a password for authentication is stored; a data authenticating part 16 for authenticating data supplied from external equipment 3 and a permitting part 17 for permitting access to the confidential data storing part 11 according to the authentication result of the biological information storing part 13 or the data authenticating part 16 is connected to external equipment having a first decoding part 21 for decoding a temporary password acquired from a center server 4 based on the serial numbers and date information; a second decoding part 23 for decoding the password for authentication based on the decoded data and a supply part 24 for supplying the decoded data to the data authenticating part 16. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention is connected to an external device via a predetermined interface, can write and read data by a predetermined file system, and uses a removable information storage device to authenticate the external device. The present invention relates to an authentication system, an authentication method, and a program.

  With regard to network security via a network such as PC security or domain logon, such as Logon to a personal computer (PC), security is becoming impossible with password authentication based on human knowledge and memory. Therefore, the introduction of personal authentication using biometrics (biological information) is being actively performed.

Japanese Patent Publication No. 3-38621

  However, as a problem different from passwords in biometrics, not all people can use it, and the performance may vary depending on the use environment. If an important event makes it impossible to collate with biometrics for some reason and it becomes impossible to start the PC storing the necessary data, it is necessary to start up the PC suddenly using some alternative means. .

  However, the above-mentioned problems can be avoided if a system that allows the activation of a PC is used if authentication by biometrics and authentication by input of a password are used in combination, and either one can be authenticated. However, the security level eventually becomes the level of authentication by entering a password, and the meaning of adopting biometrics authentication is lost.

  Therefore, the present invention has been devised to solve such a problem, and the level of authentication based on biometrics is used as the security level while using both biometric authentication and password input authentication. An object of the present invention is to provide an authentication system, an authentication method, and a program that maintain and make an authentication process to an external device robust.

  In order to achieve the above-described object, an authentication system according to the present invention is configured such that an information storage device having connection means defined by a predetermined format is connected to an external device, and access to the external device is authenticated by the information storage device. In the authentication system, the information storage device is supplied from at least confidential data storage means for storing confidential data necessary for access to an external device, biological information detection means for detecting biological information, and biological information detection means Biometric information authentication means for authenticating whether biometric information matches the registered biometric information, serial number storage means for storing a unique serial number, and authentication for storing an authentication password Password storage means, data authentication means for authenticating whether the data supplied from the external device is correct, And an authorization unit that permits an external device to access the confidential data storage unit according to the authentication result of the authentication unit or the data authentication unit, and the external device reads a unique serial number stored in the serial number storage unit. Serial number reading means; unique serial number read by the serial number reading means; and first decoding means for decoding a temporary password with a fixed period obtained from the center server by a predetermined method based on date information; The authentication password reading means for reading the authentication password stored in the authentication password storage means and the authentication read by the authentication password reading means based on the data obtained by the decryption processing of the first decryption means Decrypted by the second decryption means for decrypting the password for use and the second decryption means The resulting data and a supply means for supplying the data authentication means.

  In order to achieve the above-described object, an authentication method according to the present invention includes an information storage device having connection means defined by a predetermined format connected to an external device, and access to the external device by the information storage device. A biometric information detecting step for detecting biometric information, a biometric information authenticating step for authenticating whether the biometric information supplied from the biometric information detecting step matches the registered biometric information, A serial number reading step for reading a unique serial number from a serial number storage unit storing a unique serial number provided in the information storage device, a unique serial number read by the serial number reading step, and a date A first decryption step of decrypting data with a fixed period obtained from the center server by a predetermined method based on the information An authentication password reading means for reading an authentication password from an authentication password storage unit storing an authentication password provided in the information storage device, and authentication based on the data obtained by the first decryption step A second decryption step for decrypting the authentication password read by the password read step, a supply step for supplying the data obtained by the second decryption step to the information storage device, and the data supplied by the supply step A data authentication process for authenticating whether the data is correct, and access to a confidential data storage unit storing at least confidential data necessary for accessing an external device according to the authentication result of the biometric information authentication process or the data authentication process And a permission step for permitting the external device.

  In order to achieve the above-mentioned object, the program according to the present invention is configured such that an information storage device having connection means defined by a predetermined format is connected to an external device, and the information storage device accesses the external device. In a program to be executed by a computer for authentication, a biometric information detection process for detecting biometric information and biometric information supplied from the biometric information detection process are authenticated to match the registered biometric information. A biometric information authentication step, a serial number reading step for reading a unique serial number from a serial number storage unit storing a unique serial number provided in the information storage device, and a unique number read by the serial number reading step Based on the serial number and date information of the A first decrypting step for decrypting the limited data; an authentication password reading means for reading an authentication password from an authentication password storage unit storing an authentication password provided in the information storage device; A second decryption step for decrypting the authentication password read by the authentication password reading step based on the data obtained by the first decryption step, and the data obtained by the second decryption step in the information storage device Necessary for at least access to external devices according to the supply process, the data authentication process for authenticating whether the data supplied by the supply process is correct, and the authentication result of the biometric information authentication process or the data authentication process Allowing a computer to execute an authorization process for permitting an external device to access a confidential data storage unit storing confidential data. It is for.

  In the present invention, the security level is maintained by the biometric authentication level, and when the biometric authentication is impossible, the authentication operation can be executed using a temporary password.

  Hereinafter, the best mode for carrying out the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited to the following examples, It cannot be overemphasized that it can change arbitrarily in the range which does not deviate from the summary of this invention. In the authentication system according to the present invention, fingerprint authentication is adopted as biometric authentication as one of the authentication methods. However, the authentication system is not limited to this, and may be, for example, vein authentication or iris authentication.

  In the authentication system 1 according to the present invention, as shown in FIG. 1, an information storage device 2 having a connection unit 10 defined by a predetermined format is connected to an external device (host device) 3, and the information storage device 10 This is a system for authenticating access to the external device 3. In the authentication system 1, the details will be described later, but an external center server 4 is used to improve the authentication level.

  In the information storage device 2, the connection unit 10 is formed by a plug having a predetermined shape defined by USB (Universal Serial Bus), and the USB plug is connected to a USB jack provided in a PC (Personal Computer) which is the external device 3. It can be used by being plugged in. As described above, the information storage device 2 functions as a data storage, that is, an external memory of the external device 3 by being directly connected to the external device 3.

  The external device 3 to which the information storage device 2 is connected operates under the control of a predetermined OS (Operating System). The external device 3 also includes a monitor 5 for displaying the processing result. The monitor 5 is also used to display a password input GUI (graphical user interface) defined by a predetermined program in a password input operation by the information storage device 2 described later.

  The information storage device 2 is a USB device connected to the external device 3 via the USB interface. However, the present invention is not limited to the connection interface as described above, and is a connection interface provided in the external device 3. Any connection interface may be provided.

  Here, the configuration of the information storage device 2 will be described. As shown in FIG. 2, the information storage device 2 includes a confidential data storage unit 11 that stores confidential data, a biological information detection unit 12 that detects biological information, and biological information supplied from the biological information detection unit 12. The biometric information authenticating unit 13 for authenticating whether or not it matches the registered biometric information, the serial number storing unit 14 storing the unique serial number, and the authentication password storing the authentication password Depending on the authentication result of the storage unit 15, the data authentication unit 16 that performs authentication as to whether the data supplied from the external device 3 is correct, and the confidential data storage unit 11 according to the authentication result of the biometric information authentication unit 13 or the data authentication unit 16 And a permission unit 17 that permits access to the external device 3.

  The confidential data storage unit 11 stores confidential data such as an ID / password necessary for logging on to the external device 3.

  The biological information detection unit 12 is configured by a fingerprint reading sensor, and is a sensor that reads the peaks and valleys of the fingerprint of the finger placed on the sensor, that is, the unevenness of the fingerprint. For example, the biological information detection unit 12 detects the unevenness of the fingerprint by a capacitance method and generates a two-dimensional image. An electrostatic capacitance type fingerprint reading sensor has electrodes arranged at a pitch of 80 μm, which is sufficiently finer than the pitch of the concave and convex portions of the fingerprint, and the amount of charges accumulated between the concave and convex portions of the fingerprint and the electrodes (electrostatic capacitance). Capacity). Since the detected capacitance is low in the fingerprint concave portion and the electrostatic capacitance is high in the fingerprint convex portion, a two-dimensional image representing the irregularities of the fingerprint is generated from this capacitance difference.

  The biological information detection unit 12 may be not only the capacitance method as described above but also an optical method, a pressure-sensitive method, a heat-sensitive method, etc. Any detection method can be used as long as it can detect a two-dimensional image showing fingerprint irregularities. It may be.

  The biometric information authenticating unit 13 reads out template data obtained by extracting only the characteristic part of the fingerprint image stored in advance in the memory 18 during the fingerprint matching process, the fingerprint image detected by the biometric information detecting unit 12, and the read template Compare with data.

  The memory 18 stores template data, which is fingerprint information serving as a reference used in the fingerprint collation process. When the fingerprint collation process using the information storage device 2 is executed, the user needs to register the user's own fingerprint information in the memory 18 in advance. The fingerprint information stored in the memory 18 is template data obtained by extracting the characteristic part of the fingerprint image.

  The serial number storage unit 14 stores a serial number S unique to the information storage device 2. The serial number storage unit 14 uses a rewritable flash memory, but is designed so that it can be written only at the initial stage, that is, once data is written, it cannot be rewritten.

  Although details will be described later, the authentication password storage unit 15 stores, for example, an authentication password generated in advance at the time of factory shipment.

  The data authentication unit 16 authenticates whether the data supplied from the external device 3 through the connection unit 10 matches a password stored in advance.

  Here, the authentication password stored in advance in the authentication password storage unit 15 and the password stored in advance in the data authentication unit 16 will be described. The producer of the information storage device creates an encryption key K corresponding to the unique serial number S assigned to each information storage device before the device is sold. At this time, a table of the serial number S and the encryption key K corresponding to the serial number S is created and stored in the center server 4.

  In addition, the producer of the information storage device is in a state where the authentication by the biometric information detection unit 12 or the biometric information authentication unit 13 becomes impossible for some reason, and login to the external device 3 becomes impossible. The secret password P is generated in order to proceed with the authentication operation and enable login to the external device 3. The producer stores the generated secret password P in the data authentication unit 16. The producer creates, for example, a 128-byte confidential password P using a random number.

  For example, the producer generates an authentication password K (P) by encrypting the secret password P with an 8-byte encryption key K, and stores the authentication password K (P) in the authentication password storage unit 15. Keep it.

  The external device 3 can freely access the authentication password storage unit 15 and can read K (P) freely, but cannot read the confidential password P stored in the data authentication unit 16. It has become.

  The permission unit 17 basically permits the external device 3 to access the confidential data storage unit 11 in accordance with the authentication result from the biometric information authentication unit 13. In addition, the permission unit 17 exceptionally permits the external device 3 to access the confidential data storage unit 11 according to the authentication result from the data authentication unit 16. The external device 3 can obtain, for example, an ID / password stored in the confidential data storage unit 11 according to the permission of the permission unit 17.

  Next, the configuration of the external device 3 will be described. As shown in FIG. 3, the external device 3 includes a serial number reading unit 20 that reads a unique serial number S stored in the serial number storage unit 14 and a unique serial number read by the serial number reading unit 20. S, a first decryption unit 21 for decrypting a temporary password S · D (K) with a fixed period obtained from the center server 4 by a predetermined method based on date information D obtained from the internal timer, and an authentication password Based on the authentication password reading unit 22 that reads the authentication password K (P) stored in the storage unit 15 and the data K obtained by the decryption processing of the first decryption unit 21, the authentication password reading unit 22 The second decryption unit 23 that decrypts the read authentication password K (P) and the data P obtained by decryption by the second decryption unit 23 are connected. And a supply unit 24 supplies the data authentication unit 16 via the section 10.

  Here, the configuration of the center server 4 will be described. As shown in FIG. 4, when the serial number S of the information storage device 2 is notified, the center server 4 refers to the table, reads the encryption key K corresponding to the serial number S, and the notification A generating unit 31 that encrypts the encryption key K read by the reading unit 30 based on the serial number S and the notification date D, and generates a temporary password S · D (K) with a fixed period; A notification unit 32 that notifies the user of a temporary password S · D (K) with a fixed period generated by the generation unit 31 is provided.

  For example, the generation unit 31 generates an 8-byte temporary password S · D (K), separates the 8 bits constituting each word of the 8 bytes into 4 bits × 2, and quantifies it as Hex data (0 to 0). F) and convert to 16 words.

  The notification unit 32 notifies the user of the 16-word temporary password S · D (K) generated by the generation unit 31.

  Here, a procedure for authenticating access to the external device 3 by another route when authentication by the biometric information detection unit 12 or the biometric information authentication unit 13 of the information storage device 10 becomes impossible is a time chart shown in FIG. Will be described.

  The user notifies the center server 4 of the unique serial number S recorded on the outer periphery of the information storage device 2 so as to be visible (step S1).

  Based on the notified serial number S, the reading unit 30 searches the corresponding encryption key K with reference to the table. The generation unit 31 encrypts the retrieved encryption key K with the notified serial number S and the notified date D to generate a temporary password S · D (K) (step S2). The temporary password S · D (K) generated by the generation unit 31 is a password that is valid only for a certain period, and after the period has elapsed, the temporary password S · D (K) is stored in the external device 3. Recognized as invalid data. In this embodiment, the temporary password S · D (K) is valid only for one day, but the validity period may be determined in units of time (minutes or seconds), or valid in units of several days. The period may be determined.

  The notification unit 32 notifies the user of the encrypted temporary password S · D (K) (step S3).

  For example, the user performs a predetermined operation using a keyboard and a mouse connected to the external device 3, displays a password input GUI defined by a predetermined program on the monitor 5, and displays the GUI of the GUI. The temporary password S · D (K) obtained in the process of step S3 is input to a predetermined place (step S4). The program is installed in the external device 3 in the initial setting operation of the external device 3 and the information storage device 2.

  Next, the serial number reading unit 20 acquires the serial number S from the serial number storage unit 14 (step S5). The first decryption unit 21 decrypts S · D (K) input in the step S4 based on the serial number S acquired in the step S5 and today's date D obtained from the timer, and the encryption key K Is obtained (step S6).

  Thereafter, the authentication password reading unit 22 reads the authentication password K (P) from the authentication password storage unit 15 (step S7). The second decryption unit 23 decrypts the authentication password K (P) obtained in step S7 with the encryption key K obtained in step S6, and obtains data P (step S8). The supply unit 24 supplies the data P obtained by the process of step S8 to the data authentication unit 16 (step S9).

  The data authentication unit 16 authenticates whether or not the data P supplied from the supply unit 24 matches a prestored password (secret password) (step S10). The data authentication unit 16 supplies the authentication result to the permission unit 17. When the permission unit 17 receives a notification that the authentication work is matched from the data authentication unit 16, for example, the permission unit 17 reads the data stored in the confidential data storage unit 11, and reads the read data through the connection unit 10. It supplies to the apparatus 3 (step S11). The external device 3 performs a login operation based on the supplied data and can be used by the user.

  Further, when the permission unit 17 receives a notification from the data authentication unit 16 that the authentication work does not match, the permission unit 17 notifies the external device 3 of “error” (step S11). The external device 3 may be configured such that the power supply is automatically turned off when “error” is notified three times in succession.

  Here, the process of step S1-step S3 mentioned above is further explained in full detail using FIG. In the following, it is assumed that the center server 4 is automated.

  The user connects to the center server 4 using the telephone function (step S20).

  The center server 4 prompts input of a user ID by voice (step S21).

  The user inputs a user ID using a push button or a keyboard (step S22). When the user purchases the information storage device 2, the user registers with the center server 4. The center server 4 issues a unique user ID to the user. The center server 4 associates the issued user ID and the serial number of the information storage device 2 owned by the user into a table. In step S22, the user inputs the user ID issued from the data server 4 at the time of user registration.

  The center server 4 confirms whether the user ID input by the process of step S22 is registered (step S23). If the user ID is registered, the center server 4 proceeds to step S24. If the user ID is not registered, the center server 4 informs the user that it is an “error” and prompts the user ID to be input again. . In the case of “error”, the center server 4 may disconnect communication without prompting the user ID again.

  When the center server 4 confirms that the user ID is registered in the step S23, the center server 4 prompts the input of the serial number (step S24).

  The user inputs the serial number assigned to the information storage device 2 owned by the user in the same manner as in step S22 (step S25).

  The center server 4 searches the corresponding encryption key K based on the notified serial number S and searches for the corresponding encryption key K based on the notified serial number S, and is notified of the searched encryption key K. Encryption is performed using the serial number S and the notified date D to generate a temporary password S · D (K) (step S26).

  The center server 4 notifies the temporary password S · D (K) by voice (step S27).

  Further, as shown in FIG. 2, the information storage device 2 may include a data storage unit 40 that can store document data created by the user. The data storage unit 40 includes a first area A1 where the external device 3 can freely read and write data, and a second area A2 where access to the external device 3 is restricted. .

  In the case of such a configuration, the information storage device 2 includes an access control unit 41 that controls access to the data storage unit 40. The permission unit 17 issues a permission signal to the access control unit 41 when notified from the biometric information authentication unit 13 or the data authentication unit 16 that authentication has been made.

  When the permission signal is supplied from the permission unit 17, the access control unit 41 allows the external device 3 to access the second area A <b> 2.

  In this way, in the authentication system 1 according to the present invention, the information storage device 2 having the connection unit 10 defined by a predetermined format is connected to the external device 3, and authentication by normal biometric authentication by the information storage device 10 is performed. Since the access operation by the external device 3 is authenticated by the work or the authentication work by the data with an emergency time limit, the security level is maintained when the biometric authentication level is maintained and the biometric authentication is impossible. Authentication can be performed using a typical password.

  In the present invention, the series of processing by the composite storage device 2 described above can also be performed by software. When a series of processing is performed by software, a program constituting the software is installed in a general-purpose computer or the like. The program may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network.

It is a block diagram which shows the structure of the authentication system which concerns on this invention. It is a block diagram which shows the structure of the information storage device shown in FIG. FIG. 2 is a block diagram illustrating a configuration of an external device illustrated in FIG. 1. It is a block diagram which shows the structure of the center server shown in FIG. It is a flowchart for demonstrating the procedure in the case of access authentication to an external apparatus. It is a flowchart with which it uses for description about automation of a center server.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 Authentication system, 2 Information storage device, 3 External apparatus, 4 Center server, 10 Connection part, 11 Confidential data storage part, 12 Biometric information detection part, 13 Biometric information authentication part, 14 Serial number storage part, 15 Password storage for authentication Unit, 16 data authentication unit, 17 permission unit, 20 serial number reading unit, 21 first decryption unit, 22 authentication password reading unit, 23 second decryption unit, 24 supply unit, 30 reading unit, 31 generation unit, 32 Notification section

Claims (4)

In an authentication system in which an information storage device having connection means defined by a predetermined format is connected to an external device, and access to the external device is authenticated by the information storage device,
The information storage device
Confidential data storage means for storing at least confidential data necessary for access to the external device;
Biological information detection means for detecting biological information;
Biometric information authenticating means for authenticating whether the biometric information supplied from the biometric information detecting means matches the registered biometric information;
Serial number storing means for storing a unique serial number;
An authentication password storage means in which an authentication password is stored;
Data authentication means for authenticating whether the data supplied from the external device is correct;
According to the authentication result of the biometric information authenticating means or the data authenticating means, and a permitting means for permitting the external device to access the confidential data storing means,
The external device
Serial number reading means for reading the unique serial number stored in the serial number storage means;
First decryption means for decrypting a temporary password with a fixed period obtained from the center server by a predetermined method based on the unique serial number read by the serial number reading means and date information;
Authentication password reading means for reading the authentication password stored in the authentication password storage means;
Second decryption means for decrypting the authentication password read by the authentication password reading means based on the data obtained by the decryption processing of the first decryption means;
An authentication system comprising: a supply unit that supplies data obtained by decryption by the second decryption unit to the data authentication unit. The center server
The unique serial number is notified, and based on the date information on which the unique serial number is notified and the unique serial number, the registered data registered in advance is encrypted and generated as a temporary password with a fixed period. Generating means for
Notification means for notifying the temporary password with a fixed period generated by the generation means,
The authentication system according to claim 1, wherein the first decryption unit decrypts the data with the fixed period notified by the notification unit based on the unique serial number and date information. In an authentication method in which an information storage device having connection means defined by a predetermined format is connected to an external device, and the information storage device authenticates access to the external device.
A biological information detection step for detecting biological information;
A biometric information authentication step for authenticating whether the biometric information supplied from the biometric information detection step matches the registered biometric information;
A serial number reading step of reading the unique serial number from a serial number storage unit storing the unique serial number provided in the information storage device;
A first decryption step of decrypting the fixed serial data obtained by a predetermined method from the center server based on the unique serial number read by the serial number read step and date information;
An authentication password reading means for reading out the authentication password from an authentication password storage unit storing an authentication password provided in the information storage device;
A second decryption step of decrypting the authentication password read out by the authentication password read step based on the data obtained by the first decryption step;
A supplying step of supplying the data obtained by the second decoding step to the information storage device;
A data authentication process for authenticating whether the data supplied by the supply process is correct;
A permission step of permitting the external device to access at least a confidential data storage unit in which confidential data necessary for access to the external device is stored in accordance with an authentication result of the biometric information authentication step or the data authentication step; An authentication method comprising: In a program for causing an information storage device having connection means defined by a predetermined format to be connected to an external device, and causing the computer to execute access to the access to the external device by the information storage device,
A biological information detection step for detecting biological information;
A biometric information authentication step for authenticating whether the biometric information supplied from the biometric information detection step matches the registered biometric information;
A serial number reading step of reading the unique serial number from a serial number storage unit storing the unique serial number provided in the information storage device;
A first decryption step of decrypting the fixed serial data obtained by a predetermined method from the center server based on the unique serial number read by the serial number read step and date information;
An authentication password reading means for reading out the authentication password from an authentication password storage unit storing an authentication password provided in the information storage device;
A second decryption step of decrypting the authentication password read out by the authentication password read step based on the data obtained by the first decryption step;
A supplying step of supplying the data obtained by the second decoding step to the information storage device;
A data authentication process for authenticating whether the data supplied by the supply process is correct;
A permission step of permitting the external device to access at least a confidential data storage unit in which confidential data necessary for access to the external device is stored in accordance with an authentication result of the biometric information authentication step or the data authentication step; A program that causes a computer to execute.

Images