JP2007108832A - Individuals confirmation method and program and transaction processor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent the unauthorized use of a portable medium even when a portable medium for individual authentication is altered or forged. <P>SOLUTION: The biometrics information of a user is stored in a first storage part 11 and a second storage part 12 of a user card 10 as a first template 102 and a second template 103, and a hash value 105 of the second template 103 is stored in a third storage part of a senter 40. A transaction processor 30 acquires the biometrics information of the user as a sample, and collates the sample with the first template 102 and the second template 103, and when it is decided that any of them is the same figure as the sample, calculates the hash value of the second template 103, and compares the hash value with the hash value 105, and when those hash values are matched, authenticates the confirmation of the principal. Then, the second template 103 is updated by the sample, and the hash value 105 is updated by the hash value calculated from the sample. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an identity verification method, a program, and a transaction processing device for performing identity verification using a portable medium in which biometric information is recorded as authentication information.

  In transaction processing devices such as ATMs (Automatic Teller Machines) installed at financial institutions and convenience stores, knowledge (such as a PIN) or personal belongings (such as a cash card) to verify that the user is the person. Authentication using is widely performed. However, in recent years, malicious third parties illegally read information recorded from portable media for authentication of others (such as cash cards using magnetic cards) by means of skimming, etc. There are frequent cases in which a similar portable medium is counterfeited and transactions are carried out by impersonating the person with the counterfeit portable medium.

  With respect to the problem that the portable medium is counterfeited, Patent Document 1 records the serial number updated for each transaction in both the portable medium and the center and reads the serial number of the portable medium read by the transaction processing device. And the center serial number are compared, and if they do not match, it is disclosed that there is a forged portable medium and the identity verification method for canceling the transaction is disclosed.

  According to this identity verification method, if the information recorded on the authentication portable medium is illegally read by a third party, the entire information is copied and a separate portable medium is forged. The center is asked for identity verification from two portable media having the same serial number, and if one is given a regular serial number, the other serial number will not match. Accordingly, when the serial number does not match in the confirmation of the serial number at the center, a forged portable medium exists, so the center immediately cancels the transaction.

Further, Patent Document 2 discloses a method for identifying a person using biometric information (information such as fingerprint, vein, voiceprint, iris, handwriting). According to the identity verification method, biometric information serving as a reference for the user is registered in advance on the authentication device side, and the identity verification is performed by comparing with the biometric information of the identity input at the time of use. In addition, according to this identity verification method, by registering biometric information serving as a user's reference in the authentication IC card held by the user, the function of the authentication device can be provided in the authentication IC card. It can be held.
JP 2002-133498 A JP 2003-308302 A

  However, in the identity verification method disclosed in Patent Document 1, a third party forges a portable medium for authentication, and before a legitimate user performs a legitimate transaction using a legitimate portable medium. When a transaction is performed using a forged portable medium, the transaction cannot be prevented. Also, in the method of identity verification using an authentication IC card as disclosed in Patent Document 2, a third party copies the entire information recorded on the authentication IC card, and serves as a reference biometric. When the metric information is falsified and the authentication IC card is forged, it is not possible to prevent transactions using the forged IC card.

  As described above, in the prior art, even when biometric information is used as authentication information, the portable medium is stolen as long as the information used as the reference for authentication is recorded on the portable medium. If tampered with, it could not prevent its unauthorized use.

  Therefore, an object of the present invention is to store biometric information as authentication information on a portable medium for personal authentication, and the portable authentication medium is stolen or recorded on the portable authentication medium. A personal identification method, a program, and a transaction processing apparatus capable of preventing unauthorized use even if the stored information is illegally read and the authentication portable medium is falsified or forged There is.

  The present invention relates to user biometric information, and first authentication information and second authentication information stored in a first storage unit and a second storage unit provided in an authentication portable medium, respectively. And a third party authentication information stored in a third storage means provided in the center, and a transaction processing device for verifying the identity of the user, a method for verifying the identity of the processing device, It is a program. Then, the transaction processing apparatus includes a sample acquisition unit that acquires the user's biometric information from the user as a sample, and the first authentication unit and the first storage unit. An authentication information read / write unit that reads the information and the second authentication information and writes the sample to the second storage unit, and the sample acquired by the sample acquisition unit is stored in the authentication portable medium. Each of the first authentication information and the second authentication information read out from each other is collated, and as a result of the collation, both the first authentication information and the second authentication information are If it is determined that they belong to the same person, a hash value of the second authentication information is further calculated based on a predetermined hash function, and the calculation is performed. When the calculated hash value matches the third authentication information as a result of the comparison, the hash value is compared with the third authentication information read from the third storage unit. The second authentication information is updated by writing the sample in the second storage unit, and the hash value of the updated second authentication information is calculated based on the predetermined hash function, and the calculated The third authentication information is updated by writing a hash value in the third storage unit.

  According to the present invention, one or both of the first authentication information and the second authentication information stored in the first storage means and the second storage means of the authentication portable medium is a malicious third party. Even if it is altered by the above, the third storage unit of the center stores the hash value calculated from the biometric information of the authorized user before the alteration. Therefore, since the hash value is compared with the altered hash value, the alteration can be detected, and unauthorized use of the altered authentication portable medium can be prevented.

  According to the present invention, when a portable medium for personal authentication is stolen, or information recorded on the portable portable medium for authentication is illegally read and the portable portable medium for authentication is falsified or forged. Even if it exists, the unauthorized use can be prevented.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings as appropriate.

  FIG. 1 is a diagram showing an overall configuration of an identification system according to an embodiment of the present invention. As shown in FIG. 1, the identity verification system 1 includes a user card 10, a registration processing device 20, a transaction processing device 30, a center 40, and an administrator card 60, and the registration processing device 20 and the transaction processing device 30. Are connected to the center 40 via the network 50. The identity verification system 1 is applied to an online ATM system of a financial institution, for example.

  Here, the user card 10 is a small and lightweight information storage medium distributed to users of an application system (for example, an online ATM system) to which the identification system 1 is applied, and possessed by each of the users. As the information storage medium, an IC (Integrated Circuits) card or a magnetic card is usually used.

  The user card 10 is provided with a first storage unit 11 and a second storage unit 12 as storage areas, and the first storage unit 11 includes a user identifier 101 for uniquely identifying the user, The user's biometric information is held as one template 102. The second storage unit 12 holds a second template 103 that is updated every time transaction processing is performed. The first template 102 and the second template 103 are authentication information for authenticating the user of the user card 10.

  In the present embodiment, when the user card 10 is stolen or skimmed, it is assumed that the authentication information such as the first template 102 and the second template 103 can be falsified or forged.

  The administrator card 60 is a small and lightweight information storage medium that is distributed only to a person (registration manager) who has the authority to operate the registration processing device 20. The information storage medium is the same as the user card 10. Usually, an IC card or a magnetic card is used. The administrator card 60 is provided with a storage unit 61 as a storage area, and the storage unit 61 holds biometric information of a registered administrator as a template 106.

  The registration processing device 20 is a device for registering the user's biometric information as the first template 102 in the first storage unit 11 of the user card 10. For example, the registration processing device 20 is installed at a window of a financial institution, It is a terminal device operated by a staff member (that is, a registration manager).

  Further, the transaction processing apparatus 30 receives the authentication information from the user card 10 and confirms whether or not the user is a registered user in cooperation with the center 40. And when it confirms that it is a user himself / herself, predetermined transaction processing as an application of the identity verification system 1 is performed. The transaction processing device 30 is an ATM terminal device installed in, for example, a financial institution or a convenience store, and provides transaction processing such as cash deposit and withdrawal to the user.

  The center 40 is a computer having at least a CPU (Central Processing Unit) and a storage device (not shown), and a third storage unit 42 is provided in the storage device. The third storage unit 42 calculates the user identifier 104 for uniquely identifying the user and the second template 103 stored in the second storage unit 12 of the user card 10. Information with the hash value 105 is held in pairs. The information of the set of the user identifier 104 and the hash value 105 is held for the number of users registered by the registration processing device 20, and the center 40 is stored in the user card 10 using the hash value 105. The validity of the second template 103 is checked.

  Note that the control unit 41 of the center 40 executes reading or updating processing of the hash value 105 held in the third storage unit 42 in response to a request from the registration processing device 20. Such a function of the control unit 41 is realized by the CPU (not shown) executing a predetermined program stored in the storage device.

  FIG. 2 is a diagram showing a block configuration of the transaction processing apparatus according to the present embodiment. As shown in FIG. 2, the transaction processing device 30 includes a CPU 301, a memory 302, an auxiliary storage device 303, a center communication unit 304, a card read / write unit 305, a display unit 306, an operation unit 307, a cash module unit 308, a security chip 309, and the like. And are connected to each other via a bus 310.

  Here, the memory 302 is constituted by a RAM (Random Access Memory) of a semiconductor memory, and is loaded with a program executed by the CPU 301. The auxiliary storage device 303 is configured by a hard disk or the like in which stored data is saved even when the power is turned off. The center communication unit 304 communicates with the center 40 via a network 50 such as a dedicated line or an ISDN (Integrated Services Digital Network) line using TCP / IP (Transmission Control Protocol / Internet Protocol) or a unique protocol. Configured by a communication device.

  The card read / write unit 305 is a device that reads data held by the user card 10 (or the administrator card 60) and writes data to the user card 10 (or the administrator card 60). Further, the display unit 306 is configured by an LCD (Liquid Crystal Display) or the like, and is a device that displays a result processed by the CPU 301.

  The operation unit 307 includes a keypad for inputting a personal identification number and a transaction amount, various buttons for instructing the type of transaction, a touch panel configured on the display unit 306, and a user's bio It is a device configured by a biometric input device for inputting metrics information. Further, the cash module unit 308 stores banknotes and coins related to deposits and withdrawals, has a deposit port or a withdrawal port, and carries in or dispenses banknotes and coins from the deposit port according to a transaction requested by the user. It is a device that conveys to the mouth.

  The security chip 309 is a tamper-resistant storage device, and a unique identifier is recorded for each security chip 309. It is difficult to forge a chip equivalent to the security chip 309.

  The transaction processing apparatus 30 configured as described above further includes functional blocks such as a sample acquisition unit 31, a collation unit 32, and a template update unit 33. The functions of these functional blocks are realized by the CPU 301 loading a predetermined program from the auxiliary storage device 303 to the memory 302 and executing it. Here, the sample acquisition unit 31 has a function of reading the biometric information (sample) of the user by the biometric input device of the operation unit 307. The collation unit 32 has a function of collating the first template 102 or the second template 103 held in the user card 10 with the sample acquired by the sample acquisition unit 31. Moreover, the template update part 33 is provided with the function etc. which update the 2nd template 103 of the user card 10 by the sample acquired by the sample acquisition part 31 after predetermined | prescribed transaction processing establishment. Note that details of processing executed by the CPU 301 as functions of these functional blocks will be separately described with reference to FIG.

  Although a detailed description is omitted, the registration processing device 20 has the same configuration as the transaction processing device 30 shown in FIG. However, as a difference, the registration processing device 20 does not include the cache module unit 308. The registration processing device 20 includes an administrator confirmation unit 21 that determines whether or not a person who operates the user has authority, a sample acquisition unit 22 that reads biometric information of the user, and a use that is read by the sample acquisition unit 22. A function such as a template initialization unit 23 that stores and initializes the first template 102 and the second template 103 of the user card 10 with the biometric information of the user is provided. These functions are realized by the CPU 301 of the registration processing device 20 loading a predetermined program from the auxiliary storage device 303 into the memory 302 and executing it.

  Next, the flow of the personal identification process in the personal identification system 1 will be described with reference to FIG. 3 and FIG. 4 (see also FIG. 1 and FIG. 2 as appropriate). Here, FIG. 3 is a diagram showing a flow of user card registration processing in the registration processing device according to the present embodiment, and FIG. 4 is a flow of identity verification processing in the transaction processing device according to the present embodiment. FIG.

  In FIG. 3, the registration processing device 20 first displays a message for prompting the administrator card 60 to be inserted into the card read / write unit 305 on the display unit 306 as processing of the administrator confirmation unit 21, and the user (in this case) Requests registration of the administrator card 60 (step S201). When the administrator inserts a card, the registration processing device 20 reads information on the inserted card and determines whether or not the card is a predetermined administrator card 60 (step S202). As a result of the determination, if the inserted card is not the administrator card 60 (No in step S202), the registration processing device 20 returns the inserted card (step S204) and ends the registration process. . If the inserted card is the administrator card 60 (Yes in step S202), the template 106 is read from the storage unit 61 of the administrator card 60 (step S203), and the administrator card 60 is returned (step S203). Step S205).

  Next, the registration processing apparatus 20 displays a message prompting the administrator to input biometric information on the display unit 306 as the processing of the sample acquisition unit 22, and the administrator uses his / her operation unit 307 to display his / her own biometric information. When the metrics information is input, the input biometric information is read as a sample (step S206). Then, the read sample and the template 106 are collated to determine whether or not the administrator himself / herself (step S207). If the result of the determination is that the user is not the administrator (No in step S207), the registration process is terminated. On the other hand, if the user is the administrator (Yes in Step S207), the registration processing device 20 next performs the processing of the template initialization unit 23.

  In step S207, biometric information such as two fingerprints is collated. In the collation, for example, a well-known pattern matching process is performed on the two biometric information, and the pattern matching obtained by the process is matched. If the value such as degree is equal to or greater than a predetermined value, it is regarded as biometric information of the same person.

  The registration processing device 20 displays a message prompting the user to insert the user card 10 into the card read / write unit 305 on the display unit 306 as a process of the template initialization unit 23 and requests the user to insert the user card 10. (Step S208). When the user inserts a card, the registration processing device 20 reads information on the inserted card and determines whether or not the card is a predetermined user card 10 (step S209). As a result of the determination, if the inserted card is not the user card 10 (No in step S209), the registration processing device 20 returns the inserted card (step S217) and ends the registration process. . If the inserted card is the user card 10 (Yes in step S209), the registration processing device 20 displays on the display unit 306 to input the user's biometric information from the operation unit 307. When the user inputs his / her biometric information via the operation unit 307, the input biometric information is read as a sample of the user (step S210).

  Subsequently, the registration processing device 20 creates the first template 102 based on the read sample of the user (step S211), stores it in the first storage unit 11 of the user card 10 (step S212), and further Then, the same data as the first template 102 is stored in the second storage unit 12 of the user card 10 as the second template 103 (step S213). Furthermore, the registration processing device 20 calculates a hash value of the second template 103 based on a predetermined hash function (step S214), and the calculated hash value is stored in the security chip 309 of the registration processing device 20. The identifier information is transmitted to the center 40.

  As a process of the control unit 41, the center 40 determines whether or not the device that transmitted the information is a valid device based on the transmitted identifier information (step S215). If the result of the determination is that the device is not valid (No in step S215), the registration processing device 20 is notified that the device is invalid. If it is a legitimate device (Yes in step S215), the center 40 stores the transmitted hash value in the third storage unit 42 (step S216), indicating that “the hash value has been stored”. Is notified to the registration processing device 20.

  Upon receiving these notifications, the registration processing device 20 returns the user card 10 to the user (step S217), and ends the registration processing. However, when a notification that “the device is not valid” is received, the registration process is not completed, and the returned user card 10 cannot be used as a valid user card 10. On the other hand, when the notification that “the hash value is stored” is received, the registration of the user card 10 is completed, and the returned user card 10 is used as a valid user card 10. Will be able to.

  Note that the registration processing in the registration processing device 20 described above can also be used when the first template 102 of the user card 10 is updated.

  Next, with reference to FIG. 4, the identity verification process which the transaction processing apparatus 30 performs is demonstrated. That is, the transaction processing apparatus 30 confirms that the person who intends to use himself / herself by the user card 10 is not different from the person registered in the user card 10.

  First, the transaction processing device 30 displays a message prompting the user to insert the user card 10 into the card read / write unit 305 on the display unit 306 as processing of the sample acquisition unit 31, and prompts the user to insert the user card 10. A request is made (step S501). Furthermore, the transaction processing apparatus 30 displays a message that prompts the user to input biometric information on the display unit 306. When the user inputs his / her biometric information via the operation unit 307, the transaction processing apparatus 30 reads the input biometric information as a sample (step S502).

  Next, the transaction processing device 30 reads the first template 102 from the first storage unit 11 and the second template 103 from the second storage unit 12 of the user card 10 as processing of the verification unit 32 (step S503). Each of the read first template 102 and second template 103 is collated with a sample of user biometric information read in step S502 (step S504).

  In step S504, two pieces of biometric information are collated. In the collation, for example, a well-known pattern matching process is performed on the two pieces of biometric information, and a value such as a pattern matching degree obtained by the process is obtained. Is equal to or greater than a predetermined value, it is regarded as biometric information of the same person.

  Therefore, as a result of the collation, when it is determined that at least one of the first template 102 and the second template 103 is not the same person as the sample (No in step S505), the transaction processing device 30 determines that “user It is determined that the registrant and the user of the card 10 are different ”, the user card 10 is returned (step S518), and the identity verification process is terminated. Further, when it is determined that both the first template 102 and the second template 103 are of the same person as the sample (Yes in step S505), the transaction processing device 30 performs a step based on a predetermined hash function. The hash value of the second template 103 read in S503 is calculated (step S506). The transaction processing apparatus 30 reads the hash value 105 stored in the third storage unit 42 from the center 40 (step S507), and whether or not the hash value 105 matches the hash value calculated in step 506. Is determined (step S508).

  As a result of the determination, if these hash values do not match (No in step S508), the transaction processing device 30 determines that “the registrant and user of the user card 10 are different”, The user card 10 is returned (step S518), and the identity verification process is terminated.

  If the hash values match (Yes in Step S508), the transaction processing apparatus 30 uses the sample of the user's biometric information read in Step S502 as the template update unit 33 to process the second template 103. Update (step S509), and further overwrite the updated second template 103 on the second storage unit 12 of the user card 10 (step S510). Then, it is checked whether or not the update of the overwrite to the second storage unit 12 is successful (step S511). If the update is not successful (No in step S511), the second storage unit 12 is checked. The data of the second template to be saved is restored (step S517).

  If the update has succeeded (Yes in step S511), the hash value of the second template 103 updated based on a predetermined hash function is calculated (step S512), the calculated hash value, and the transaction processing device The identifier information stored in the 30 security chips 309 is transmitted to the center 40.

  The center 40 determines, as processing of the control unit 41, based on the identifier information transmitted from the transaction processing device 30 whether the device that transmitted the information is a valid device (step S513). As a result of the determination, if the device is not a valid device (No in step S513), the transaction processing device 30 is notified that “the device is not valid”. If the device is a legitimate device (Yes in step S513), the hash value transmitted from the transaction processing device 30 is overwritten in the third storage unit 42 (step S514), and the overwriting is updated. It is checked whether or not it is successful (step S515). If the update has not succeeded (No in step S515), the transaction processing apparatus 30 is notified of “update failure”. If the update is successful (Yes in step S515), the transaction processing apparatus 30 is notified of “update successful”.

  When the transaction processing apparatus 30 receives a notification from the center 40 that “the apparatus is not valid” or “update failure”, the data of the second template 103 stored in the second storage unit 12 of the user card 10 Is returned (step S517), the user card 10 is returned (step S518), and the identity verification process is terminated as “confirmation failure”. Further, when the transaction processing device 30 receives a notification of “update success” from the center 40, the transaction processing device 30 starts executing predetermined transaction processing (for example, processing such as depositing cash or withdrawal) (step). At the same time, the user card 10 is returned (step S518), and the identity verification process is terminated.

  Next, the security effect of identity verification in the identity verification system 1 described above will be described with reference to FIGS. 5 and 6. Here, FIG. 5 shows a case where the transaction processing apparatus according to the present embodiment uses the user card to perform transaction processing up to the Nth time after registering the user card, and compares the sample with the template. It is the figure which showed a mode. FIG. 6 shows the state of matching between the sample and the template when a malicious third party falsifies the user card after the Nth transaction in the identity verification in the transaction processing apparatus according to the present embodiment. (A) is a figure explaining the case where the 1st template is falsified, (b) is the figure explaining the case where both the 1st template and the 2nd template are falsified.

  As shown in FIG. 5, in the first identity verification, the identity verification system 1 authenticates the user A of the user card 10 with a sample of biometric information of the user A (hereinafter simply referred to as a sample). ) “S (1)” and the first template “T (1)” are collated, and the hash value of the second template “U (1) (first time is the same as T (1))” and stored in the center 40 The stored hash value “C (1)” is checked, and the sample “S (1)” is checked against the second template “U (1)”. Then, when all these verifications are successful, the user A of the user card 10 is authenticated and the second template “U (1)” is sampled “ S (1) ”is updated to“ U (2) ”, and the hash value“ C (1) ”is updated to the hash value“ C (2) ”calculated from“ U (2) ”. This completes the first identity verification.

  Next, in the second identity verification, similarly, the sample “S (2)” of the user A is collated with the first template “T (1)”, and the second template “U (2)” is checked. The hash value and the hash value “C (2)” stored in the center 40 are collated, and the sample “S (2)” is collated with the second template “U (2)”. Authenticate that person A is the principal. Then, the second template “U (2)” is updated to “U (3)” by the sample “S (2)”, and the hash value “C (2)” is calculated from “U (3)”. Update to the value “C (3)”.

  Further, similarly, in the N-th identity verification, the sample “S (N)” of the user A is collated with the first template “T (1)”, and the hash value of the second template “U (N)” is verified. And the hash value “C (N)” stored in the center 40, and further, by comparing the sample “S (N)” with the second template “U (N)”, the user A Authenticate that is the person. Then, the second template “U (N)” is updated to “U (N + 1)” by the sample “S (N)”, and the hash value “C (N)” is calculated from “U (N + 1)”. Update to the value “C (N + 1)”.

  In the above verification process, when the sample is bimetric information, the sample “S (i)” and the template “T (1)” can hardly coincide with each other. The sample “S (i)” in the second transaction and the sample “S (i + 1)” in the (i + 1) th transaction can hardly coincide with each other. For example, when fingerprint information is used as a sample, even if the user is the same, the angle when the finger is placed on the operation unit 307, the degree of pressing against the contact surface, or the degree of roughness of the fingers may be different. The fingerprint information acquired by the sample acquisition unit 31 is different information each time.

  However, even if the acquired fingerprint information does not completely match, it is necessary to determine that the fingerprint information acquired from the same user matches. Therefore, in this embodiment, when biometric information such as fingerprint information is collated, a known pattern matching process is performed on the image information of biometric information to be collated, and information such as the degree of coincidence of images is obtained. Ask. If the information such as the degree of coincidence is equal to or greater than a predetermined value, it is determined that the two pieces of biometric information match, that is, the information on the two pieces of biometrics belongs to the same person.

  On the other hand, in the case of biometrics information, since the acquired sample “S (i)” is different each time, the i-th second template “U (i)” and the i + 1-th second template “U (i + 1)” Are unlikely to be the same. Accordingly, the hash value “C (i)” calculated from the second template “U (i)” becomes a different value each time. That is, C (i) ≠ C (i + 1). By utilizing this fact, the safety of the user card 10 can be improved as will be described next.

  Next, it is assumed that a malicious third party (user B) obtains the recorded information by stealing or skimming the user A's user card 10. In this case, since the first template 102 recorded on the user card 10 is the biometric information of the user A, the user B cannot naturally use it. Therefore, the user B alters the user card 10 of the user A and replaces the first template 102 with his / her biometric information.

  That is, as shown in FIG. 6A, the user A uses the user card 10 used N times for a predetermined transaction, and the user B changes the contents of the first template from “T (1)” to “T (2) "and use for the N + 1th transaction. In this case, the sample “S (N + 1)” of the user B matches the first template “T (2)”. However, the sample “S (N + 1)” of the user B does not match the second template “U (N + 1)”. Accordingly, since the identity verification of the user B by the altered user card 10 is not successful, the user B cannot perform a predetermined transaction.

  Similarly, when the user B replaces the second template 103 with his / her biometric information and the user card 10 of the user A is altered and used, the user using the altered user card 10 is similarly used. B's identity verification is not successful. Therefore, the user B cannot perform a predetermined transaction.

  Next, the user B falsifies the user card 10 of the user A and replaces both the first template 102 and the second template 103 with his / her biometric information. That is, as shown in FIG. 6B, after N transactions are performed by the user A, the user B changes the content of the first template from “T (1)” to “T (2)”. Also, the contents of the second template are altered from “U (N + 1)” to “U (N + 2)” and used for the N + 1th transaction. In this case, the sample “S (N + 1)” of the user B matches both the first template “T (2)” and the second template “U (N + 2)”.

  However, the hash value calculated from the second template “U (N + 2)” does not match the hash value “C (N + 1)” stored in the third storage unit 42 of the center 40. This is because the hash value “C (N + 1)” is a value calculated based on the biometric information of the user A input at the time of the previous (Nth) transaction. Therefore, also in this case, the identity verification of the user B by the altered user card 10 is not successful, and the user B cannot perform a predetermined transaction.

  As described above, according to the present embodiment, even if one or both of the first template 102 and the second template 103 recorded on the user card 10 are falsified, the user card 10 can be used in the identity verification process. Therefore, it is possible to prevent fraudulent transactions pretending to be the person by falsification or forgery of the user card 10.

  In this embodiment, the information transmitted / received between the transaction processing device 30 and the center 40 via the network 50 is a hash value of biometric information, and a user sample, that is, a user's biometric information is transmitted / received. It will never be done. The biometric information is information having a large amount of information such as image information and personal information related to personal privacy. Therefore, since information with a large amount of information is not transmitted / received via the network 50, it is not necessary to apply a communication load on the network 50. Moreover, since personal information is not transmitted / received via the network 50, it is possible to prevent the personal information from being illegally acquired by a third party by eavesdropping or the like on the network 50.

(Modification of the embodiment)
Next, in the embodiment described above with reference to FIGS. 7 to 10, either the first storage unit 11 or the second storage unit 12 of the user card 10 is not used. A modification will be described. Here, FIG. 7 is a diagram illustrating a method of using the first storage unit, the second storage unit, and the third storage unit in the present embodiment and a modification of the present embodiment, and FIG. It is the figure which showed the mode of collation with the sample and template in the 1st case of a modification. FIG. 9 is a diagram showing the flow of the identity verification process in the transaction processing apparatus according to the first case of the modification of the present embodiment. FIG. 10 is related to the second case of the modification of the present embodiment. It is the figure which showed the flow of the personal identification process in a transaction processing apparatus.

  In the first case of the modification of the embodiment, the first template is stored in the first storage unit 11 and the second template is stored in the third storage unit 42, as shown in the column (b) of FIG. The second storage unit and the hash value are not used. Further, in the second case of the modification of the embodiment, as shown in the column of (c) of FIG. 7, the second template is stored in the second storage unit 12, and the first template and the hash value are stored in the third storage. The data is stored in the unit 42, and the first storage unit is not used. Note that the column (a) in FIG. 7 shows the storage destination of the first template, the second template, and the hash value in the embodiment described so far for reference.

(First Case of Modification of Embodiment)
Next, a first case of a modified example of the embodiment will be described with reference to FIG. 8, indicating that the user card 10 that has been tampered with cannot be verified.

  First, as shown in FIG. 8 (a), when user A performs a transaction up to the Nth time, transaction processing apparatus 30 uses sample “S (i)”, which is biometric information of user A, and the first template. “T (1)” is collated, sample “S (i)” and second template “U (i)” are collated, and when the collation is successful, the user is identified. The predetermined transaction process is started and the second template “U (i)” is updated to “U (i + 1)” by the sample “S (i)” (where i = 1,..., N). .

  In this way, after the N-th transaction is performed by the user A, the user B is tampered with, and the first template “T (1)” is replaced with his / her biometric information, and “T (2) And the altered user card 10 is used. In this case, as shown in FIG. 8B, the sample “S (N + 1)” of the user B matches the first template “T (2)”, but is stored in the third storage unit 42 of the center 40. This does not match the second template “U (N + 1)”. Therefore, the identity verification of the user B by the altered user card 10 is not successful, and the user B cannot perform a predetermined transaction.

  Next, with reference to FIG. 9 (see also FIG. 1 and FIG. 2 as appropriate), the flow of identity verification processing in the first case of the modification of the embodiment will be described. In this case, the second storage unit 12 of the user card 10 in FIG. 1 is not used, and may not be physically provided. The second template 103 is stored in the third storage unit 42, and the hash value 105 is not used.

  First, the transaction processing device 30 displays a message prompting the user to insert the user card 10 into the card read / write unit 305 on the display unit 306 as processing of the sample acquisition unit 31, and prompts the user to insert the user card 10. A request is made (step S901). Furthermore, the transaction processing apparatus 30 displays a message that prompts the user to input biometric information on the display unit 306. When the user inputs his / her biometric information via the operation unit 307, the transaction processing apparatus 30 reads the input biometric information as a sample (step S902).

  Next, the transaction processing device 30 reads out the first template 102 from the first storage unit 11 of the user card 10 (step S903) as processing of the verification unit 32, and on the other hand, inquires of the center 40 (step S904). The second template 103 is read from the third storage unit 42 of the center 40 (step S905). Then, each of the read first template 102 and second template 103 is collated with the sample of the user's biometric information read in step S902, and at least one of the first template 102 and the second template 103 is the same as the sample. When it is determined that it is not a person (No in step S906), transaction processing apparatus 30 determines that “the registrant of user card 10 is different from the user” and returns user card 10. (Step S913), and the identity verification process is terminated.

  If it is determined in the collation that both the first template 102 and the second template 103 belong to the same person as the sample (Yes in step S906), the transaction processing apparatus 30 reads in step S903. A new template is created based on the sample of the user's biometric information, and the center 40 is requested to update the second template with the new template (step S907).

  The center 40 uses the information of the security chip 309 of the transaction processing device 30 transmitted from the transaction processing device 30 as a process of the control unit 41 and attached to the user biometrics information template. It is determined whether or not the device that transmitted the message is a valid device (step S908). If the result of the determination is that the device is not valid (No in step S908), the transaction processing device 30 is notified that “the device is not valid”. If the device is a legitimate device (Yes in step S908), the biometric information of the user transmitted from the transaction processing device 30 is overwritten on the third storage unit 42 (step S909), and further, It is checked whether or not the overwrite update has succeeded (step S910). If the update is successful (Yes in step S910), the transaction processing apparatus 30 is notified of “update successful”. If the update has not succeeded (No in step S910), the data of the second template in the third storage unit 42 is restored (step S912), and the transaction processing device 30 indicates that the update has failed. To notify.

  When the transaction processing apparatus 30 receives a notification from the center 40 that the “apparatus is not valid” or “update failure”, the transaction processing apparatus 30 returns the user card 10 (step S913), and confirms the identity confirmation process. Exit as "failed". Further, when the transaction processing device 30 receives a notification of “update success” from the center 40, the transaction processing device 30 starts executing predetermined transaction processing (for example, processing such as depositing cash or withdrawal) (step). At the same time, the user card 10 is returned (step S913), and the identity verification process is terminated.

(Second case of modification)
In the second case of the modified example, the principle that the tampered user card 10 is detected is the same as described with reference to FIG. However, in this case, the first template 102 is stored in the center 40 instead of the card 10. Accordingly, in FIG. 7C, the first storage unit 11 of the card 10 is not used, and the first template 102 is stored in the third storage unit 42 of the center 40 together with the hash value. If the storage unit 12 is not in the card 10 but in the center 40, the description of FIG. 6 can be applied to this case as it is. That is, even in this case, the identity verification by the altered user card 10 is not successful, and the altered third party cannot perform a predetermined transaction.

  Next, with reference to FIG. 10 (see also FIG. 1 and FIG. 2 as appropriate), the flow of identity verification processing in the second case of the modification of the embodiment will be described. Here, the first storage unit 11 will be described as being in the center 40 instead of the card 10.

  First, the transaction processing device 30 displays a message prompting the user to insert the user card 10 into the card read / write unit 305 on the display unit 306 as processing of the sample acquisition unit 31, and prompts the user to insert the user card 10. A request is made (step S101). Furthermore, the transaction processing apparatus 30 displays a message that prompts the user to input biometric information on the display unit 306. When the user inputs his / her biometric information via the operation unit 307, the transaction processing apparatus 30 reads the input biometric information as a sample (step S102).

  Next, the transaction processing device 30 reads out the second template 103 from the second storage unit 12 of the user card 10 (step S103) as a process of the verification unit 32, and on the other hand, inquires of the center 40 (step S104). ), The first template 102 is read from the third storage unit 42 of the center 40 (step S105). Then, each of the read first template 102 and second template 103 is collated with the sample of the user's biometric information read in step S102, and at least one of the first template 102 and the second template 103 is the same as the sample. If it is determined that it is not a person (No in step S106), the transaction processing device 30 determines that “the registrant and user of the user card 10 are different” and returns the user card 10. (Step S119), and the identity verification process is terminated.

  If it is determined in the collation that both the first template 102 and the second template belong to the same person as the sample (Yes in step S106), the transaction processing device 30 uses a predetermined hash function. Based on this, the hash value of the second template 103 read in step S103 is calculated (step S107). The transaction processing device 30 reads the hash value 105 stored in the third storage unit 42 from the center 40 (step S108), and whether or not the hash value 105 matches the hash value calculated in step S107. Is determined (step S109).

  Hereinafter, the processing from step S109 to step S119 is the same as the processing from step S508 to step S518 in FIG.

  In addition to this, the embodiment can be variously modified. For example, in the above-described embodiment, the registration processing device 20 is connected to the center 40 via the network 50, but the function of the center 40 may be included in the registration processing device 20. Absent. In the above embodiment, the hash value 105 is calculated based on the second template 103, and the calculated hash value 105 is stored in the third storage unit 42 of the center 40. However, the hash value 105 is calculated based on the second template 103. Instead of the hash value 105, the value may be a remainder code or a checksum used in fields such as data communication.

It is a figure showing the whole personal identification system composition concerning an embodiment of the present invention. It is the figure which showed the block configuration of the transaction processing apparatus which concerns on embodiment of this invention. It is the figure which showed the flow of the registration process of the user card in the registration processing apparatus which concerns on embodiment of this invention. It is the figure which showed the flow of the personal identification process in the transaction processing apparatus which concerns on embodiment of this invention. It is the figure which showed the mode of the collation of a template about the case where a user himself / herself uses a user card and performs the transaction process to N times after user card registration by the transaction processing apparatus which concerns on embodiment of this invention. In the identity verification which concerns on the transaction processing apparatus which concerns on embodiment of this invention, it is the figure which showed the mode of collation with a sample and a template about the case where the malicious third party altered the user card after the Nth transaction. (A) is a figure explaining the case where the 1st template is tampered, (b) is the figure explaining the case where both the 1st template and the 2nd template are tampered. It is the figure which showed the usage method of the 1st preservation | save part, the 2nd preservation | save part, and the 3rd preservation | save part in the modification of embodiment of this invention and embodiment. It is the figure which showed the mode of collation with the sample and template in the 1st case of the modification of embodiment of this invention. FIG. 10 is a diagram showing a flow of identity verification processing in a transaction processing apparatus according to a first case of a modified example of the present embodiment. It is the figure which showed the flow of the personal identification process in the transaction processing apparatus which concerns on the 2nd case of the modification of this embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Identity verification system 10 User card 11 1st preservation | save part 12 2nd preservation | save part 20 Registration processing apparatus 21 Administrator confirmation part 22 Sample acquisition part 23 Template initialization part 30 Transaction processing apparatus 31 Sample acquisition part 32 Collation part 33 Template update Unit 40 center 41 control unit 42 third storage unit 50 network 60 administrator card 61 storage unit 101 user identifier 102 first template 103 second template 104 user identifier 105 hash value 106 template 301 CPU
302 Memory 303 Auxiliary storage device 304 Center communication unit 305 Card read / write unit 306 Display unit 307 Operation unit 308 Cache module unit 309 Security chip 310 Bus

Claims (9)

The user's biometric information, the first authentication information and the second authentication information respectively stored in the first storage means and the second storage means provided in the authentication portable medium, and the center A method for verifying the identity of a transaction processing apparatus for verifying the identity of a user using the third authentication information stored in a third storing means provided,
The transaction processing apparatus is
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Authentication information read / write means for reading the first authentication information and the second authentication information from the first storage means and the second storage means, respectively, and writing the sample into the second storage means And
The sample acquired by the sample acquisition means is collated with the first authentication information and the second authentication information read from the authentication portable medium,
As a result of the collation, when it is determined that both the first authentication information and the second authentication information are the same person as the sample, the second authentication information is further based on a predetermined hash function. The hash value of the authentication information is calculated, and the calculated hash value is compared with the third authentication information read from the third storage unit.
As a result of the comparison, when the calculated hash value and the third authentication information match, the second authentication information is updated by writing the sample into the second storage unit, A hash value of the updated second authentication information is calculated based on the predetermined hash function, and the third authentication information is updated by writing the calculated hash value in the third storage unit. Identification method characterized by User biometric information, first authentication information based on user biometric information stored in a first storage means provided in the authentication portable medium, and second information provided in the center Using the second authentication information stored in the storage means, an identity verification method in a transaction processing apparatus for performing user identity verification,
The transaction processing apparatus is
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Authentication information reading means for reading the first authentication information from the first storage means,
Collating the sample acquired by the sample acquisition means with the first authentication information read from the authentication portable medium;
As a result of the collation, when it is determined that the first authentication information is the same person as the sample, the second authentication is performed by reading the sample from the second storage unit of the center. Check with the information for
As a result of the collation, when it is determined that the second authentication information is the same person as the sample, the second authentication information is updated by writing the sample to the second storage unit. An identity verification method characterized by: User biometrics information, first authentication information stored in first storage means provided in the authentication portable medium, second storage means and third storage means provided in the center Each of the second authentication information and the third authentication information stored respectively in the transaction processing apparatus for verifying the identity of the user,
The transaction processing apparatus is
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Reading out the first authentication information from the first storage means, and comprising an authentication information read / write means for writing the sample into the first storage means,
Collating the sample acquired by the sample acquisition means with the first authentication information read from the authentication portable medium;
As a result of the collation, when it is determined that the first authentication information is the same person as the sample, the second authentication is performed by reading the sample from the second storage unit of the center. Check with the information for
As a result of the collation, when it is determined that the second authentication information is the same person as the sample, a hash value of the first authentication information is further calculated based on a predetermined hash function, The calculated hash value is compared with the third authentication information read from the third storage means,
As a result of the comparison, when the calculated hash value and the third authentication information match, the first authentication information is updated by writing the sample into the first storage unit, Calculating a hash value of the updated first authentication information by the predetermined hash function, and updating the third authentication information by writing the calculated hash value in the third storage unit. The identity verification method that is characteristic.   The program for making a computer perform the identity verification method of any one of Claim 1 thru | or 3. The user's biometric information, the first authentication information and the second authentication information respectively stored in the first storage means and the second storage means provided in the authentication portable medium, and the center A transaction processing apparatus that performs identity verification of a user using third authentication information stored in a third storage means provided,
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Authentication information read / write means for reading the first authentication information and the second authentication information from the first storage means and the second storage means, respectively, and writing the sample into the second storage means And
The sample acquired by the sample acquisition means is collated with the first authentication information and the second authentication information read from the authentication portable medium,
As a result of the collation, when it is determined that both the first authentication information and the second authentication information are the same person as the sample, the second authentication information is further based on a predetermined hash function. The hash value of the authentication information is calculated, and the calculated hash value is compared with the third authentication information read from the third storage unit.
As a result of the comparison, when the calculated hash value and the third authentication information match, the second authentication information is updated by writing the sample into the second storage unit, A hash value of the updated second authentication information is calculated based on the predetermined hash function, and the third authentication information is updated by writing the calculated hash value in the third storage unit. A transaction processing apparatus. User biometric information, first authentication information based on user biometric information stored in a first storage means provided in the authentication portable medium, and second information provided in the center A transaction processing apparatus that performs identity verification of a user using the second authentication information stored in the storage means,
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Authentication information reading means for reading the first authentication information from the first storage means,
Collating the sample acquired by the sample acquisition means with the first authentication information read from the authentication portable medium;
As a result of the collation, when it is determined that the first authentication information is the same person as the sample, the second authentication is performed by reading the sample from the second storage unit of the center. Check with the information for
As a result of the collation, when it is determined that the second authentication information is the same person as the sample, the second authentication information is updated by writing the sample to the second storage unit. A transaction processing apparatus characterized by: User biometrics information, first authentication information stored in first storage means provided in the authentication portable medium, second storage means and third storage means provided in the center A transaction processing apparatus for verifying the identity of the user using the second authentication information and the third authentication information stored respectively in
Sample acquisition means for acquiring the user's biometric information as a sample from the user;
Reading out the first authentication information from the first storage means, and comprising an authentication information read / write means for writing the sample into the first storage means,
Collating the sample acquired by the sample acquisition means with the first authentication information read from the authentication portable medium;
As a result of the collation, when it is determined that the first authentication information is the same person as the sample, the second authentication is performed by reading the sample from the second storage unit of the center. Check with the information for
As a result of the collation, when it is determined that the second authentication information is the same person as the sample, a hash value of the first authentication information is further calculated based on a predetermined hash function, The calculated hash value is compared with the third authentication information read from the third storage means,
As a result of the comparison, when the calculated hash value and the third authentication information match, the first authentication information is updated by writing the sample into the first storage unit, Calculating a hash value of the updated first authentication information by the predetermined hash function, and updating the third authentication information by writing the calculated hash value in the third storage unit. A characteristic transaction processing apparatus. The transaction processing apparatus according to any one of claims 5 to 7, wherein the transaction processing apparatus is connected to the center via a network. The transaction processing apparatus according to any one of claims 5 to 7, wherein the transaction processing apparatus includes the center.

Images