JP2008152612A - Authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system and a method performing a plurality of authentications within a short time by simple operation. <P>SOLUTION: An authentication system is provided with an on-line service server, an authentication server and a mobile information terminal provided with a non-contact IC chip and an authentication client to previously store identification information and generate authentication information. When the information terminal determines necessity of terminal user authentication and determines that the it is unnecessary and when the information terminal determines that it is necessary, and that the terminal user authentication succeeds in terminal user authentication by using the previously stored owner identification information, a means in the information terminal generates authentication information based on information read out from the non-contact IC chip, writes the generated authentication information in the non-contact IC chip and ends an authentication client. Then the information terminal reads out the authentication information from the non-contact IC chip through a non-contact IC reader/writer and transmits the authentication information to the on-line service server. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an authentication system and an authentication method in various online service systems.

Conventionally, authentication using an ID and a fixed password has been widely used for online service authentication. However, authentication with a fixed password means that if an ID and password are stolen and used by a third party, it cannot be checked for access by an unauthorized user, and the user can easily be impersonated. There's a problem.
Also, with fixed password authentication, brute force attacks are prevented by periodically changing the password used for authentication, but such frequent password changes place a heavy burden on users. There is.

Therefore, as a method for enhancing the security of authentication and reducing the burden on the user's password management, a technique using a portable information terminal owned by the user has been proposed.
For example, in Patent Document 1, in an arrangement in which an online service server, an information terminal, a portable information terminal, and a portable information terminal company mail server are connected via the Internet, an online service server responds to an authentication request from the information terminal. Generate a one-time password that can be used only once for a specified time in response to an authentication request, create an email with the generated one-time password, and send the email to the user's By sending the one-time password written in the email received by the user to the mobile information terminal and entering the information terminal instead of the conventional fixed password, the information terminal sends the one-time password to the online service server, A technique for performing authentication is disclosed.

  Patent Document 2 discloses an authentication request from an information terminal in a configuration in which an online service server and an information terminal are connected via the Internet, and the online service server is connected to a portable information terminal via a public telephone line. On the other hand, the online service server calls the portable information terminal, and the user receives the call at the portable information terminal and inputs personal identification information such as a personal identification number to the portable information terminal. A technique is disclosed in which authentication is performed by transmitting input identity verification information to an online service server via a public telephone line.

According to these conventional technologies, it is possible to construct a mechanism in which only a user who owns a portable information terminal in which an e-mail address or a telephone number is registered in advance can be authenticated. Security can be strengthened.
Furthermore, the user of the authentication system can use the authentication system without having to remember the password or change it periodically.

JP 2005-209083 A JP 2006-33780 A Sumitomo Mitsui Banking Corporation Help changing Internet banking password (www.smbc.co.jp/kojin/direct/ib/help_anshouhenko.html02)

However, the prior art has the following problems.
First, the authentication system cannot be used depending on the radio wave reception status of the portable information terminal. In the prior art, there is a possibility that the acquisition of authentication information at the portable information terminal may be delayed or failed in places where radio waves of the portable information terminal are difficult to reach, such as underground or in buildings.
Secondly, the operation burden on the user's terminal is large, and it is difficult to execute authentication multiple times in a short time. In the prior art, the user needs to operate the portable information terminal every time authentication is performed. For example, in the prior art described in Patent Document 1, it is necessary to read the received mail by operating the mailer of the portable information terminal every time authentication is performed. In the prior art described in Patent Document 2, a telephone call must be received every time authentication is performed. Furthermore, in the case of Patent Document 1, the user must input the one-time password by operating the information terminal while looking at the portable information terminal, which also increases the user's terminal operation burden.

In recent years, some of the online service sites that require advanced security, such as Internet banking, include the password used to log in to the online service site when providing important services such as account transfer and changing the maximum amount of money to be handled. In addition, there is one that requires password authentication for each transaction (see Non-Patent Document 1).
When strengthening the security of an online service site that requires authentication for each transaction, authentication takes time in the prior art, and the convenience of the online service may be greatly impaired.

  An object of the present invention is to provide an authentication system and an authentication method that can be used regardless of the radio wave reception status of a portable information terminal and that can be authenticated multiple times in a short time with a simple operation. .

In order to achieve the above object, an invention according to claim 1 is provided with an online service server that provides an online service and a non-contact IC chip reader / writer, and provides the online service by transmitting service request contents to the online service server. Service request contents comprising: an information terminal that receives the information; an authentication server that performs processing related to authentication of the service request content in the online service; and a user who receives the online service in the information terminal, and a contactless IC chip and an authentication client An authentication system composed of a portable information terminal that generates authentication information used for authentication of
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Means for generating a non-contact IC chip reader / writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Means for writing information and service request content, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and authentication is performed based on the random number information read from the non-contact IC chip and the service request content Means for generating information, writing the generated authentication information into a contactless IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

The invention described in claim 2 includes an online service server that provides an online service, a non-contact IC chip reader / writer, an information terminal that transmits a service request content to the online service server and receives the online service, An authentication server that performs processing related to authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication system composed of a mobile information terminal that generates authentication information used for content authentication,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Means for generating a non-contact IC chip reader / writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Means for writing information and service request content, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication means is executed using the personal identification information stored in advance. The terminal user authentication is performed, and when the terminal user authentication is determined to be successful, the authentication information is generated based on the random number information read from the non-contact IC chip and the content of the service request. Means for writing information to the contactless IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

According to a third aspect of the present invention, there is provided an online service server for providing an online service, a non-contact IC chip reader / writer, an information terminal for transmitting the service request contents to the online service server and receiving the online service, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication system composed of a mobile information terminal that generates authentication information used for content authentication,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information generated by the authentication server, the authentication client activation code, and the terminal user authentication determination information are received, and the random number information and the authentication client activation code are received. Generating a non-contact IC chip reader / writer control code including service request contents and terminal user authentication determination information, and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal When,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication determination information, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication determination information read from the non-contact IC chip is used. The terminal user authentication necessity determination means is executed to determine the necessity of terminal user authentication, and when it is determined that the necessity determination is unnecessary, and the necessity determination is determined to be necessary, and The terminal user authentication is executed by executing the terminal user authentication means using the personal identification information stored in advance, and when the terminal user authentication is determined to be successful, it is read from the non-contact IC chip. Generating authentication information based on the random number information and the service request content, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

According to a fourth aspect of the present invention, there is provided an online service server for providing an online service, a non-contact IC chip reader / writer, an information terminal for transmitting the service request content to the online service server and receiving the online service, An authentication server that performs processing related to authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication system composed of a mobile information terminal that generates authentication information used for content authentication,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Necessity of terminal user authentication by generating random number information, authentication client activation code and terminal user authentication determination information, and using the terminal user authentication determination information to execute terminal user authentication necessity determination means Performing determination, obtaining the result of the necessity determination as a terminal user authentication request flag, and transmitting random number information, an authentication client activation code, and a terminal user authentication request flag to the online service server;
The online service server is
A contactless IC chip reader that receives random number information, an authentication client activation code, and a terminal user authentication request flag from the authentication server, and includes random number information, an authentication client activation code, service request contents, and a terminal user authentication request flag Means for generating a writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication request flag, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication request flag read from the non-contact IC chip is unnecessary. Terminal user authentication request flag read from a non-contact IC chip is necessary, and terminal user authentication is performed by executing terminal user authentication means using pre-stored personal identification information When the terminal user authentication is determined to be successful, authentication information is generated based on the random number information read from the contactless IC chip and the service request content, and the generated authentication information is stored in the contactless IC chip. Means to write and exit the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

Invention of Claim 5 is an authentication system in any one of Claim 3 and Claim 4,
The terminal user authentication determination information is a time at which the authentication server generates random number information used as an argument when generating authentication information, and the terminal user authentication determination means immediately before the authentication request being processed. When the mobile information terminal generates the authentication information, the time difference between the random number generation time acquired as the terminal user authentication determination information and the random number generation time acquired as the terminal user authentication determination information is calculated, and the calculated time difference is When it is less than the time difference set in advance in the authentication system, the execution result of the terminal user authentication determination means is determined to be unnecessary, and when the calculated time difference is greater than or equal to the time difference set in advance in the authentication system, It is characterized in that the execution result of the terminal user authentication determining means is determined to be necessary.

Invention of Claim 6 is the authentication system in any one of Claim 3 and Claim 4,
The terminal user authentication determination information is a transaction amount included in the service request content transmitted by the information terminal together with the authentication request, and the terminal user authentication determination unit is configured to obtain the transaction amount acquired as the terminal user authentication determination information. If the amount of money is less than the amount previously determined in the authentication system, the execution result of the terminal user authentication determination means is determined to be unnecessary, and the transaction amount acquired as the terminal user authentication determination information is determined in advance in the authentication system. When the amount is more than the specified amount, the execution result of the terminal user authentication determination unit is determined to be necessary.

The invention according to claim 7 is the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information includes transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication determination means is configured such that the transaction amount acquired as the terminal user authentication determination information is higher or lower than an amount determined in advance in the authentication system, and the terminal user authentication determination information The terminal user authentication determination means is executed by a combination of the condition determinations that the customer information acquired as the terminal user authentication determination information is included or not included in the history information of the service request content acquired as The result is determined to be necessary or unnecessary.

The invention according to claim 8 is the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a login determination flag included in the service request content transmitted by the information terminal together with the authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication determination means If the login determination flag acquired as the terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content, the terminal determines that the execution result of the authentication determination means is unnecessary. The execution result of the user authentication determination unit is determined to be necessary.

The invention according to claim 9 is the authentication system according to any one of claims 2 to 8,
The terminal user authentication means executed by the authentication client prompts the user to input identity verification information, and if the entered identity verification information matches the identity verification information stored in advance in the portable information terminal, the terminal use It is characterized in that the person authentication is determined to be successful.

  A tenth aspect of the present invention is the authentication system according to any one of the second to ninth aspects, wherein the personal identification information is a personal identification number.

  The invention according to claim 11 is the authentication system according to any one of claims 2 to 9, wherein the identity verification information is position information.

  According to a twelfth aspect of the present invention, in the authentication system according to any one of the second to ninth aspects, the identification information is biometric information of a user.

  The invention according to claim 13 is the authentication system according to any one of claims 1 to 12, wherein the authentication information is a one-time password.

The invention according to claim 14 is the authentication system according to any one of claims 1 to 12, wherein the authentication information is a digital signature.
The invention according to claim 15 is the authentication system according to any one of claims 1 to 14,
The means for terminating the authentication client writes the generated authentication information into the non-contact IC chip after a predetermined time has elapsed since the service request content confirmation screen was displayed.

According to a sixteenth aspect of the present invention, there is provided an online service server that provides an online service, a non-contact IC chip reader / writer, an information terminal that transmits a service request content to the online service server and receives an online service, Authentication information used for authentication of service request contents, possessed by an authentication server that performs processing related to authentication of service request contents in a service, and a user who receives an online service at the information terminal, and includes a contactless IC chip and an authentication client An authentication method in an authentication system configured with a portable information terminal that generates
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Generating a contactless IC chip reader / writer control code and displaying an authentication client operation screen incorporating the contactless IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information and service request content, and sending an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and authentication is performed based on the random number information read from the non-contact IC chip and the service request content Generating information, writing the generated authentication information to a contactless IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

The invention according to claim 17 is an online service server for providing an online service;
An information terminal comprising a non-contact IC chip reader / writer, transmitting service request contents to the online service server and receiving provision of the online service, an authentication server performing processing related to authentication of the service request contents in the online service, and the information terminal It is composed of a portable information terminal possessed by a user who receives an online service, having a non-contact IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents An authentication method in an authentication system
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Generating a contactless IC chip reader / writer control code and displaying an authentication client operation screen incorporating the contactless IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information and service request content, and sending an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication means is executed using the personal identification information stored in advance. The terminal user authentication is performed, and when the terminal user authentication is determined to be successful, the authentication information is generated based on the random number information read from the non-contact IC chip and the content of the service request. Writing information to the contactless IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

An invention according to claim 18 is provided with an online service server for providing online services, an information terminal comprising a contactless IC chip reader / writer, an information terminal for receiving provision of online services by transmitting service request contents to the online service server, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication method in an authentication system configured with a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information generated by the authentication server, the authentication client activation code, and the terminal user authentication determination information are received, and the random number information and the authentication client activation code are received. Generating a contactless IC chip reader / writer control code including the service request content and terminal user authentication determination information, and causing the information terminal to display an authentication client operation screen incorporating the contactless IC chip reader / writer control code When,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication determination information, and transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication determination information read from the non-contact IC chip is used. The terminal user authentication necessity determination means is executed to determine the necessity of terminal user authentication, and when it is determined that the necessity determination is unnecessary, and the necessity determination is determined to be necessary, and The terminal user authentication is executed by executing the terminal user authentication means using the personal identification information stored in advance, and when the terminal user authentication is determined to be successful, it is read from the non-contact IC chip. Generating authentication information based on the random number information and the contents of the service request, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

The invention according to claim 19 is provided with an online service server that provides online services, an information terminal that includes a non-contact IC chip reader / writer, transmits service request contents to the online service server, and receives provision of online services, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication method in an authentication system configured with a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Necessity of terminal user authentication by generating random number information, authentication client activation code and terminal user authentication determination information, and using the terminal user authentication determination information to execute terminal user authentication necessity determination means Performing determination, obtaining a result of the necessity determination as a terminal user authentication request flag, and transmitting random number information, an authentication client activation code, and a terminal user authentication request flag to the online service server;
The online service server is
A contactless IC chip reader that receives random number information, an authentication client activation code, and a terminal user authentication request flag from the authentication server, and includes random number information, an authentication client activation code, service request contents, and a terminal user authentication request flag Generating a writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication request flag, and transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication request flag read from the non-contact IC chip is unnecessary. Terminal user authentication request flag read from a non-contact IC chip is necessary, and terminal user authentication is performed by executing terminal user authentication means using pre-stored personal identification information When the terminal user authentication is determined to be successful, authentication information is generated based on the random number information read from the contactless IC chip and the service request content, and the generated authentication information is stored in the contactless IC chip. Writing and exiting the authentication client; and
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

The invention according to claim 20 is the authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a time when the authentication server generates random number information to be used as an argument when generating authentication information,
The terminal user authentication determination means includes a random number generation time acquired as the terminal user authentication determination information and the terminal user authentication determination information when the portable information terminal generates the authentication information immediately before the authentication request being processed. Calculate the time difference from the obtained random number generation time, and if the calculated time difference is less than the time difference determined in advance in the authentication system, determine that the execution result of the terminal user authentication determination means is unnecessary, and calculate the time difference However, when the time difference is equal to or greater than a time difference determined in advance in the authentication system, the execution result of the terminal user authentication determination unit is determined to be necessary.

The invention according to claim 21 is the authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a transaction amount included in a service request content transmitted by the information terminal together with an authentication request,
The terminal user authentication determination unit determines that the execution result of the terminal user authentication determination unit is unnecessary when the transaction amount acquired as the terminal user authentication determination information is less than an amount determined in advance in the authentication system. When the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication determination unit is determined to be necessary.

The invention according to claim 22 is the authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information includes transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication determination means is configured such that the transaction amount acquired as the terminal user authentication determination information is higher or lower than an amount determined in advance in the authentication system, and the terminal user authentication determination information The terminal user authentication determination means is executed by a combination of the condition determinations that the customer information acquired as the terminal user authentication determination information is included or not included in the history information of the service request content acquired as The result is determined to be necessary or unnecessary.

The invention according to claim 23 is the authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a login determination flag included in the service request content transmitted by the information terminal together with the authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication determination means If the login determination flag acquired as the terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content, the terminal determines that the execution result of the authentication determination means is unnecessary. The execution result of the user authentication determination unit is determined to be necessary.
Invention of Claim 24 in the authentication method in any one of Claims 16-23,
The step of terminating the authentication client is characterized in that the generated authentication information is written into the non-contact IC chip after a predetermined time has elapsed since the service request content confirmation screen was displayed.

According to the present invention, the user can use the authentication system regardless of the radio wave reception status of the portable information terminal.
In addition, an authentication system that can authenticate only by operating the information terminal without operating the portable information terminal, as long as the user places the portable information terminal within a distance range that can be read and written by the non-contact IC reader / writer. Can be provided. Thereby, the user can authenticate a plurality of times in a short time with a simple operation.
In addition, by introducing a mechanism for determining the necessity of terminal user authentication for mobile information terminals, the terminal that minimizes the risk of unauthorized use of the authentication system by a third party who is not an authorized user. This can be prevented simply by requesting an operation burden.

Hereinafter, an authentication system and an authentication method according to embodiments of the present invention will be described with reference to the drawings.
(First embodiment of the present invention)
FIG. 1 is an overall configuration diagram of an authentication system according to the first embodiment of the present invention.
In the first embodiment of the present invention, a mode is described in which information (for example, time) uniquely generated by the authentication system is used as terminal user authentication determination information.
First, the configuration of the authentication system will be described below.
The authentication system of this embodiment has a configuration in which an information terminal 101, an online service server 103, and an authentication server 104 are connected via a communication network 105 such as the Internet.
Further, the information terminal 101 is connected to a non-contact IC chip reader / writer 106 (referred to as “non-contact ICR / W” in the figure and the text below). The non-contact ICR / W 106 is an information device that performs non-contact communication with the portable information terminal 102.
The information terminal 101 includes at least an online service client 107.
The information terminal 101 is, for example, a personal computer (PC) owned by a user of an online service.
The portable information terminal 102 includes at least a non-contact IC chip 108 and an authentication client 109. The mobile information terminal 102 is, for example, a mobile phone owned by a user of an online service.

FIG. 2 is a functional block diagram showing the configuration of the information terminal 101.
Note that the online service client 209 in this figure is the same as the online service client 107 shown in FIG.
The information terminal 101 includes a CPU 201 that executes and executes a program, an input unit 202 that inputs commands and data, an output unit 203 that outputs a system state, a memory 204 that loads programs and data, A non-contact ICR / W connection unit 205 that connects the contact ICR / W, a communication processing unit 206 that establishes a connection with another communication device, an online service client 209, and a non-contact ICR / W control program 210 are stored. A storage unit 207 is connected by a bus 208.

  The non-contact ICR / W connection unit 205 is a connection port for connecting the non-contact ICR / W 106 to the information terminal 101. For example, when the non-contact ICR / W is provided as an external connection device of the information terminal, the USB In the case where the non-contact ICR / W is provided as a function built in the information terminal in advance, the connection port is mounted on an electronic board such as a motherboard.

The online service client 209 has a function of transmitting information input by the user through the input unit 202 to the online service server 103 and a function of presenting information received from the online service server 103 to the user through the output unit 203. Software.
The online service client 209 is, for example, a browser.

The non-contact ICR / W control program 210 is a program that realizes a function of transmitting a read / write request for information to the non-contact IC chip 108 and an authentication client activation code for activating the authentication client 109 to the portable information terminal 102.
Here, the authentication client activation code is information including the address of the authentication client 109 in the storage unit of the portable information terminal 102 and a password required for activation.
The non-contact ICR / W control program 210 is a plug-in that extends the function of the online service client or a program provided as one of the functions of the online service client.

FIG. 3 is a functional block diagram showing a configuration of the portable information terminal 102.
In addition, the non-contact IC chip 305 and the authentication client 310 in this figure are the same as the non-contact IC chip 108 and the authentication client 109 shown in FIG. 1, respectively.
The portable information terminal 102 includes a CPU 301 that executes programs and performs calculations, an input unit 302 that inputs commands and data, an output unit 303 that outputs system statuses, a memory 304 that loads programs and data, A non-contact IC chip 305 storing encrypted information 308 with MAC obtained by encrypting service request contents 313, terminal user authentication determination information 314 and random number information 315 and further adding a MAC (Message Authentication Code), and authentication information 309; The authentication client 310 including the terminal user authentication necessity determination program 316 and the terminal user authentication program 317, the non-contact IC chip control program 311 and the storage unit 306 for storing the identity confirmation information 312 are provided on the bus. The configuration connected at 307 is adopted.

The input unit 302 is a keyboard, camera, microphone, position information acquisition means such as GPS, and a biometric information input device such as a fingerprint, an iris, a retina pattern, and a vein pattern.
The non-contact IC chip 305 is an IC chip corresponding to non-contact communication, and in addition to reading / writing information from an external information device via the non-contact ICR / W 106, reading / writing information from software installed in the portable information terminal 102 It is also possible IC chip.
The non-contact IC chip 305 is, for example, a FeliCa (registered trademark) chip.
The authentication information 309 is information that is generated by the authentication client 310 based on the random number information 315, the service request content 313, and key information described later, and is used for authentication processing in the authentication server 104.
The authentication information 309 is, for example, a one-time password or a digital signature.

The authentication client 310 is portable information terminal software distributed by a provider that provides an online service or a provider that operates an authentication server.
The non-contact IC chip control program 311 receives a read / write request from the non-contact ICR / W 106 to the non-contact IC chip 305 and reads / writes information in the non-contact IC chip, or an authentication client from the non-contact ICR / W 106 A program having a function of receiving an activation code and activating the authentication client 310.
The non-contact IC chip control program 311 is a program that is distributed together with an authentication client by an operator that provides an online service or an operator that operates an authentication server, or is provided as one of the functions of the authentication client.

The identity verification information 312 is information used as an argument of the terminal user authentication program 317.
The personal identification information 312 is, for example, secret information such as a personal identification number and position information that only the owner of the portable information terminal knows, and biometric information of the owner of the portable information terminal such as a fingerprint, an iris, a retina pattern, and a vein pattern. It is.
The service request content 313 is an operation content requested by the user, such as login to an online service, or a transaction content such as merchandise sales or bank transfer. When the authentication by the authentication system is successful, the online service This is information regarding the contents of the service provided by the server 103.
The terminal user authentication determination information 314 is information used as an argument of the terminal user authentication necessity determination program 316.
The random number information 315 is information used as one of arguments when generating the authentication information 309 in the processing of the authentication client 310.
The random number information 315 is, for example, a random byte string generated by a pseudo random number program.

Hereinafter, the operation of the authentication system according to the present embodiment will be described with reference to FIGS.
The operation of the authentication system according to the present embodiment is roughly divided into three operations: an authentication information generation preparation process, an authentication information generation process, and an authentication process.
FIG. 4 is a diagram showing an operation flow of the authentication information generation preparation process.
The authentication information generation preparation process is executed with the transmission of the authentication request from the online service client 107.
FIG. 5 is a diagram showing an operation flow of the authentication information generation process of the authentication system.
The authentication information generation process is executed when the user presses an authentication information generation button displayed on the online service client 107 by executing the authentication information generation preparation process.
FIG. 6 is a diagram showing an operation flow of the authentication process of the authentication system.
The authentication process includes an authentication information transmission button displayed on the online service client 107 by executing the authentication information generation preparation process after the user confirms the service request content confirmation screen displayed on the authentication client 109 by executing the authentication information generating process. Is executed when the user presses down.

First, the initial state of the authentication system will be described below.
The portable information terminal owned by the user of the online service stores the data listed below in the storage unit 306.
・ Common key K
・ Secret key SK
The authentication server 104 stores data listed below for each online service user.
・ User ID
・ Common key K
・ Public key PK
However, the secret key SK and the public key PK are information necessary only when a digital signature is used as the authentication information 309, and are not necessary when a one-time password is used as the authentication information.
The common key K is key information generated and issued by the authentication server for each user of the online service, and the generation of the encryption information 308 with MAC in the authentication server 104 and the encryption information with MAC in the authentication client 109 Key information used for MAC authentication and decryption.
The secret key SK and the public key PK are a pair of key information based on public key encryption technology generated and issued by the authentication server 104 for each user of the online service. The secret key SK is a digital signature at the authentication client. The public key PK is key information used for verification of the digital signature in the authentication server 104.

As an example of a procedure for configuring the initial state described above, an initial setting procedure of the authentication client 109 will be described below.
A business provider that provides an online service or a business that operates an authentication server distributes a user ID and a fixed password together when distributing the authentication client 109 to a user of the online service.
The user accesses the initial setting site prepared in the authentication server 104 from the online service client 107, logs in with a user ID and a fixed password, and transmits an initial setting request for the authentication client 109 to the authentication server 104. .
In response to the initial setting request, the authentication server 104 generates a common key K, a secret key SK, and a public key PK, and transmits the common key K and the secret key SK to the online service client 107. At this time, the authentication server 104 stores the common key K and the public key PK in association with the user ID.
The online service client 107 transmits the common key K and the secret key SK to the portable information terminal 102 using contactless communication.
The portable information terminal 102 stores the received common key K and secret key SK in the storage unit 306.
When the portable information terminal 102 can be connected to the communication network 105 and can access the initial setting site, an initial setting request is transmitted from the portable information terminal to the initial setting site. The information terminal may receive the common key K and the secret key SK.
In addition, after the above procedure is completed, the user, if necessary, can identify the user, such as personal identification number, location information, and biometric information, the display time of the service request content confirmation screen described later, and the need for terminal user authentication. Information used in the determination program (for example, a terminal user authentication request elapsed time to be described later or an initial value of the previous authentication random number generation time) is input and stored in the storage unit 306.

First, the operation flow of the authentication information generation preparation process of the authentication system will be described with reference to FIG.
In the following description of the first embodiment, it is assumed that the service request content 313 is a login to an online service.
Further, the terminal user authentication determination information 314 will be described as the time when the random number information 315 is generated in the authentication server 104 (hereinafter referred to as the random number generation time). However, the random number generation time is a time based on an internal clock operating on the authentication server 104, and the internal clock is synchronized with an NTP (Network Time Protocol) server (not shown) connected via the communication network 105. It is assumed that the time is always controlled to be accurate.

In FIG. 4, the online service client 107 transmits an authentication request including a user ID and service request content to the online service server 103 in accordance with the operation of the information terminal by the user (step 401).
The online service server 103 transmits the received authentication request to the authentication server 104 (step 402).
Upon receiving the authentication request, the authentication server 104 generates random number information (step 403).
The authentication server 104 acquires a random number generation time that is the time when the random number information was generated in step 403 as the terminal user authentication determination information (step 404).
First, the authentication server 104 refers to the user ID acquired in step 402 and acquires the common key K associated with the user ID and stored in the authentication server.
Then, the service request content, the terminal user authentication determination information, and the random number information are encrypted with the common key K, and further the MAC is added to generate the encryption information with the MAC (step 405).

The authentication server 104 generates an authentication client activation code, and transmits the authentication client activation code, the encryption information with MAC, and the service request content to the online service server 103 (step 406).
When the online service server 103 receives the authentication client activation code, the encryption information with MAC, and the service request content, the authentication service operation screen display incorporating the non-contact IC chip reader / writer control code executed by the non-contact ICR / W control program 210 is displayed. A code is generated and transmitted to the online service client 107 (step 407).
Here, the authentication client operation screen display code is, for example, an HTML code incorporating a non-contact IC chip reader / writer control code.
The non-contact IC chip reader / writer control code includes an authentication client activation code, a request for writing encryption information with MAC to the non-contact IC chip, and a request for reading authentication information 309 from the non-contact IC chip. This is a code for realizing a function to be transmitted to the terminal 102.
When receiving the authentication client operation screen display code, the online service client 107 displays the authentication client operation screen 801 shown in FIG. 8 (step 408).

The authentication client operation screen 801 illustrated in FIG. 8 includes at least a service request content display unit 802, an authentication information generation button 803, and an authentication information transmission button 804.
The service request content display unit 802 is a message box that displays the service request content transmitted by the user in step 401, and in this case, displays a character string “online service login”.
When the authentication information generation button 803 is pressed, the non-contact IC chip reader / writer control code incorporated in step 407 is executed, and the authentication client activation code and the non-contact IC chip 305 write request for encryption information with MAC are written. Is a button for transmitting to the portable information terminal 102.
When the authentication information transmission button 804 is pressed, the non-contact IC chip reader / writer control code incorporated in step 407 is executed, the authentication information 309 is read from the non-contact IC chip 305, and the read authentication information is This is a button for transmitting to the online service server 103.

Next, the operation flow of the authentication information generation process will be described with reference to FIG.
After confirming the authentication client operation screen 801 displayed on the information terminal 101 in the authentication information generation preparation process, the user places the portable information terminal 102 within the communicable range of the contactless ICR / W 106 and presses the authentication information generation button 803. .
When the authentication information generation button is pressed, the online service client 107 writes the encryption information with MAC 308 into the non-contact IC chip 305 and activates the authentication client 310 of the portable information terminal 102 (step 501).
Details of the processing in step 501 are shown below.
When the authentication information generation button 803 is pressed, the online service client transmits a request for writing encryption information with MAC and an authentication client activation code to the non-contact IC chip control program 311 of the portable information terminal.
When the non-contact IC chip control program 311 receives the write request for the encryption information with MAC, the non-contact IC chip control program 311 writes the encryption information with MAC to the non-contact IC chip. Further, when the authentication client activation code is received, the authentication client is activated.
The authentication client 109 reads the encryption information with MAC 308 from the non-contact IC chip and acquires it in the memory (step 502).
The authentication client 109 first reads the common key K stored in the storage unit 306 and acquires it in the memory. Then, using the common key K, MAC authentication and decryption of the encryption information 308 with MAC are performed. If either MAC authentication or decryption fails, a message indicating the failure is displayed and the execution of the authentication client is immediately terminated.
If the MAC authentication and decryption are successful, the service request content 313, terminal user authentication determination information 314, and random number information 315 are acquired in the memory, and the process proceeds to step 504 (step 503).

The authentication client 109 executes the terminal user authentication necessity determination program 316 using the terminal user authentication determination information 314 as an argument, and acquires a terminal user authentication request flag as an execution result (step 504).
If the value of the terminal user authentication request flag is “unnecessary”, the authentication client 109 stores the random number generation time acquired as the terminal user authentication determination information 314 in the storage unit 306 and proceeds to step 507. If the value of the terminal user authentication request flag is “necessary”, the terminal user authentication program 317 is executed, the terminal user authentication result is acquired as the execution result, and the process proceeds to step 506 (step 505).
Here, when the value of the terminal user authentication request flag is “unnecessary”, the random number generation time stored in the storage unit 306 is the previous authentication in the operation of the terminal user authentication necessity determination program 316 described later. Time used as hour random number generation time.

Here, the operation of the terminal user authentication program 317 will be described with reference to FIG.
The terminal user authentication program 317 displays a terminal user authentication screen 901 illustrated in FIG. 9, requests input of identification information from the input unit 302 of the portable information terminal 102, and the input identification information is stored in advance. This is a program for determining whether or not it matches the personal identification information 312 stored in the storage unit 306.
If the identity verification information matches, the terminal user authentication is determined to be successful, and “success” is determined as the terminal user authentication result. If the identity verification information does not match, the terminal user authentication is determined to be unsuccessful. Return “No” as the terminal user authentication result.
Here, FIG. 9 shows an example in which the personal identification information is a personal identification number, but when the portable information terminal 102 has an input unit for position information and biological information in the input unit 302, the personal identification information is used instead of the personal identification number. Position information or biometric information may be used as confirmation information, and input of position information or biometric information may be requested when the terminal user authentication program is executed.

If the terminal user authentication result is “No”, the authentication client 109 interrupts the authentication process and immediately ends the execution of the authentication client 109.
When the terminal user authentication result is “success”, the random number generation time acquired as the terminal user authentication determination information is stored in the storage unit 306, and the process proceeds to step 507 (step 506).
Here, when the terminal user authentication result is “success”, the random number generation time stored in the storage unit 306 is the previous authentication random number generation in the operation of the terminal user authentication necessity determination program 316 described later. This is the time used as the time.
The authentication client 109 generates authentication information based on the service request content 313, random number information 315, and key information, and writes the generated authentication information 309 to the non-contact IC chip 309 (step 507).

Details of processing for generating authentication information in step 507 will be described below.
When a one-time password is used as authentication information, the authentication client 109 first reads the common key K stored in the storage unit 306 and acquires it in the memory.
Next, a secure hash function is executed using a byte string obtained by concatenating the common key K, service request contents, and random number information as an argument, and a hash value is acquired as an execution result.
Then, a part or all of the hash value is set as a one-time password.

When using a digital signature as the authentication information, the authentication client 109 first reads the secret key SK stored in the storage unit 306 and acquires it in the memory.
Next, a secure hash function is executed using a byte string obtained by concatenating service request contents and random number information as an argument, and a hash value is acquired as an execution result.
Then, the hash value is encrypted with the secret key SK, and the acquired byte string is used as a digital signature.

The authentication client 109 displays the service request content confirmation screen 1001 shown in FIG. 10 (step 508).
Here, the service request content confirmation screen 1001 will be described with reference to FIG.
The service request content confirmation screen 1001 includes at least an authentication client service request content display unit 1002 for displaying the service request content.
In this case, a character string “online service login” is displayed in the authentication client service request content display section.
Furthermore, in the service request content confirmation screen shown in FIG. 10, taking into account the convenience of the user, a message notifying the user that the generation of the authentication information has been completed, or until the authentication client 109 is terminated in the subsequent step 509. A message is displayed to notify the user of the remaining time of the user at regular intervals.
The authentication client 109 terminates execution after a predetermined time has elapsed from the display of the service request content confirmation screen 1001. As a result, the authentication client 109 makes a transition to an authentication client activation code standby state for preparing the next authentication information without requesting the user to operate the portable information terminal (step 509).

Details of the processing in step 509 will be described below.
As a method for realizing a function in which the authentication client ends after a lapse of a certain time from the display of the service request content confirmation screen, for example, the method described below can be cited.
In step 508, the authentication client 109 displays a service request content confirmation screen and starts a timer at the same time. When the timer reaches the display time of the service request content confirmation screen, the authentication client 109 executes a termination process.
Here, it is assumed that the display time of the service request content confirmation screen is stored in advance in the storage unit 306 of the portable information terminal by a method such as a user inputting at the time of initial setting of the authentication client 109.
Note that the display time of the service request content confirmation screen should be the same as the content displayed on the service request content confirmation screen. It is desirable that it be long enough to be confirmed and as short as possible.

Next, the operation flow of the authentication process will be described with reference to FIG.
After confirming the display of the service request content confirmation screen displayed on the portable information terminal 102 in the authentication information generation process, the user places the portable information terminal 102 within the communicable range of the non-contact ICR / W 106 and transmits the authentication information. A button 804 is pressed.
When the authentication information transmission button 804 is pressed, the online service client 107 reads the authentication information 309 from the non-contact IC chip 305 and acquires it in the memory, and further transmits the acquired authentication information to the online service server 103 (step) 601).
The online service server 103 transmits the received authentication information to the authentication server 104 (step 602).
Upon receiving the authentication information, the authentication server 104 executes an authentication process and acquires an authentication result (step 603).

Details of the authentication processing in step 603 will be described below.
When a one-time password is used as authentication information, the authentication server 104 first refers to the user ID acquired in step 402 and uses the common key K stored in the authentication server in association with the user ID. get.
Next, the secure hash function is executed with the byte string obtained by concatenating the common key K, the service request content acquired in step 402 and the random number information acquired in step 403 as an argument, and a hash value is acquired as an execution result. .
Then, the hash value is compared with the one-time password received from the online service server 103.
If they match, it is determined that the authentication has succeeded and “success” is returned as the authentication result. If they do not match, it is determined that the authentication has failed and “no” is returned as the authentication result.

When using a digital signature as authentication information, the authentication server 104 first refers to the user ID acquired in step 402 and acquires the public key PK associated with the user ID and stored in the authentication server. To do.
Next, the secure hash function is executed using the byte string obtained by concatenating the service request content acquired in step 402 and the random number information acquired in step 403 as an argument, and a hash value is acquired as an execution result.
Then, the hash value is compared with a value obtained by decrypting the digital signature received from the online service server 103 with the public key PK.
If they match, it is determined that the authentication has succeeded and “success” is returned as the authentication result. If they do not match, it is determined that the authentication has failed and “no” is returned as the authentication result.

The authentication server 104 transmits the authentication result to the online service server 103 (step 604).
If the received authentication result is “success”, the online service server 103 provides the user with an online service according to the service request content requested by the user.
If the received authentication result is “No”, the online service is not provided, and a message is sent to the online service client 107 to inform the user that the authentication has failed (step 605).

Next, the operation flow of the terminal user authentication necessity determination program 316 in the first embodiment will be described with reference to FIG.
Note that the operation of the terminal user authentication necessity determination program described below is about the elapsed time of terminal user authentication request after the authentication client 310 generates authentication information in the operation of the authentication information generation process of the authentication system. This is a program that implements a mechanism for generating authentication information without requesting terminal user authentication again at the next generation of authentication information.
Here, it is assumed that the terminal user authentication request elapsed time is stored in advance in the storage unit 306 of the portable information terminal by a method such as a user inputting when the authentication client 310 is initially set.
First, a random number generation time is obtained as terminal user authentication determination information from an argument (step 701).
Next, the terminal user authentication request elapsed time and the previous authentication random number generation time are read from the storage unit and acquired in the memory (step 702).
Here, the previous authentication random number generation time is the latest random number generation time stored in the storage unit 306 in step 505 and step 506.
However, the initial value of the previous authentication random number generation time that is referred to when the authentication client 310 is activated for the first time, the difference between the random number generation time and the previous authentication random number generation time is always equal to or greater than the terminal user authentication elapsed time. It is assumed that a sufficiently old time is set.
The difference between the random number generation time and the previous authentication random number generation time is calculated and acquired in the memory as the terminal user authentication elapsed time (step 703).
If the terminal user authentication elapsed time is less than the terminal user authentication request elapsed time, the process proceeds to step 705. If the terminal user authentication elapsed time is equal to or longer than the terminal user authentication request elapsed time, the process proceeds to step 706 (step 704).
“Unnecessary” is returned as the value of the terminal user authentication request flag, and the process ends (step 705).
“Necessary” is returned as the value of the terminal user authentication request flag, and the process ends (step 706).
The first embodiment of the authentication system of the present invention has been described above.

(Second embodiment of the present invention)
Next, a second embodiment of the present invention will be described.
In the second embodiment of the present invention, a mode is described in which information included in a service request content transmitted by the information terminal 101 together with an authentication request is used as terminal user authentication determination information.
The configuration of the system according to the second embodiment of the present invention is the same as that of the first embodiment described with reference to FIGS.
In the following, the operation of the system will be described.
The initial state of the authentication system is the same as in the first embodiment.
However, at the time of initial setting, it is assumed that the user inputs a terminal user authentication request amount as information used in the terminal user authentication necessity determination program 316.
In the following description of the second embodiment, it is assumed that the service request content 313 is a transfer procedure in online banking. However, it is assumed that the contents of the service request include the transfer amount and the transfer destination account information necessary for executing the transfer procedure in online banking.
The terminal user authentication determination information 314 is assumed to be the transfer amount and transfer destination account information included in the service request content, and transfer history information stored in the authentication server in association with the user ID.
Here, the transfer history information is information related to the account transfer performed by the user before the authentication request being processed, and is information including the transfer amount and the transfer destination account information on which the transfer was performed.
Of the operation of the system according to the second embodiment of the present invention, the description of the part that executes the same process as the first embodiment is omitted, and the part that executes the process different from the first embodiment. Is described below.

In the operation of the authentication information generation preparation process, in step 404, the authentication server 104, as the terminal user authentication determination information 314, includes the transfer amount and the transfer destination account information included in the service request content acquired in step 402, and the user. Transfer history information associated with the ID and stored in the authentication server is acquired.
In step 408, when receiving the authentication client operation screen display code, the online service client 107 displays the authentication client operation screen 1201 shown in FIG.
The authentication client operation screen 1201 will be described with reference to FIG.
Regarding the components of the authentication client operation screen 1201, the elements indicated by reference numerals 1202, 1203, and 1204 are the service request content display unit 802, the authentication information generation button 803, and the authentication information transmission button described in the first embodiment, respectively. This element has the same function as 804.
However, in this case, the service request content display unit 1202 displays the transfer destination account information and the transfer amount that the user has input and transmitted to the online service client as the service request content.

In the operation of the authentication information generation process shown in FIG. 5, in step 505, if the value of the terminal user authentication request flag is “unnecessary”, the authentication client 109 immediately proceeds to step 507. If the value of the terminal user authentication request flag is “necessary”, the terminal user authentication program 317 is executed, the terminal user authentication result is acquired as the execution result, and the process proceeds to step 506.
In step 506, if the terminal user authentication result is “NO”, the authentication client 109 interrupts the authentication process and immediately ends the execution of the authentication client. If the terminal user authentication result is “successful”, the process immediately proceeds to step 507.
In step 508, the authentication client 109 displays a service request content confirmation screen 1301 shown in FIG.

Here, the service request content confirmation screen 1301 will be described with reference to FIG.
Regarding the constituent elements of the service request content confirmation screen 1301, the element denoted by reference numeral 1302 is an element having the same function as the authentication client service request content display unit 1002 described in the first embodiment.
However, in this case, the authentication client service request content display unit 1302 displays the transfer destination account information and the transfer amount that the user has input and transmitted to the online service client as the service request content.
The operation of the authentication process shown in FIG. 6 is the same as that of the first embodiment.

Next, the operation flow of the terminal user authentication necessity determination program 316 in the second embodiment will be described with reference to FIG.
The operation of the terminal user authentication necessity determination program described below is based on whether the transfer amount included in the service request content is less than the terminal user authentication request amount in the operation of the authentication information generation process of the authentication system. Or, even if the transfer amount is equal to or greater than the terminal user authentication request amount, if the transfer destination account information is an account that has been transferred by the user in the past, the user is requested to perform terminal user authentication. It is a program that realizes a mechanism for generating authentication information without any problem.
First, the transfer amount, transfer destination account information, and transfer history information are acquired from the argument as terminal user authentication determination information (step 1101).
Next, the terminal user authentication request amount is read from the storage unit 306 and acquired in the memory (step 1102).
If the transfer amount is less than the terminal user authentication request amount, the process proceeds to step 1104. If the transfer amount is equal to or greater than the terminal user authentication request amount, the process proceeds to step 1105 (step 1103). Then, “unnecessary” is returned as the value of the terminal user authentication request flag, and the process is terminated (step 1104).
If the transfer account information exists in the transfer history information, the process proceeds to step 1104. If the transfer account information does not exist in the transfer history information, the process proceeds to step 1106 (step 1105). Then, “required” is returned as the value of the terminal user authentication request flag, and the process is terminated (step 1106).
Heretofore, the second embodiment of the authentication system of the present invention has been described.

In the above description of the second embodiment, a transfer procedure in online banking is taken as an example, and the transfer amount and transfer account information included in the service request contents are used as terminal user authentication necessity determination information. Explained the method.
However, in view of the fact that procedures such as online banking transfer are usually executed after successful login to the online service site, the following embodiment may be adopted.
That is, in step 401, the service request content transmitted by the online service client newly includes the requested transaction being login to the online service site, or after successful login to the online service site, the user. Add a login determination flag to determine whether the transaction is provided for.
The login determination flag is a flag that is set by the online service client as “success” when the operation requested by the user is login, or “not” when the operation requested by the user is a transaction other than login. It is.
In step 404, the authentication server 104 acquires the login determination flag as the terminal user authentication determination information 314 in addition to the transfer amount, the transfer destination account information, and the transfer history information.
Then, in the terminal user authentication necessity determination program 316 described with reference to FIG. 11, prior to execution of step 1101, condition determination using a login determination flag described below is performed.
If the login determination flag is “successful”, the value of the terminal user authentication request flag is set to “necessary” and the process is immediately terminated. If the login determination flag is “NO”, the processing after step 1101 is executed.
By executing the above process, terminal user authentication is always performed when logging in to the online service, and the service request content is used when authenticating transactions other than login, such as the transfer procedure of the online service. Accordingly, it is possible to provide an authentication system that omits terminal user authentication.
Alternatively, in the terminal user authentication necessity determination program 316, if the login determination flag is “successful”, the value of the terminal user authentication request flag is set to “necessary” and the process is immediately terminated. If the login determination flag is “No”, the value of the terminal user authentication request flag is set to “unnecessary” and the process is immediately terminated.
By executing the above processing, terminal user authentication is always performed when authenticating login to the online service, and terminal authentication is always used when authenticating transactions other than login, such as transfer procedures for online services. An authentication system that omits person authentication can be provided.

In the first and second embodiments of the authentication system of the present invention, the terminal user authentication necessity determination program 316 is one of the functions of the authentication client 310 and is executed by the portable information terminal 102. It was.
However, the present invention can also be implemented in a form in which the terminal user authentication necessity determination program is one of the functions of the authentication server 104 and is executed by the authentication server.
Regarding the flow of operations when the terminal user authentication necessity determination program is executed by the authentication server, the operation changes will be described below based on the operations of the second embodiment.
However, it is assumed that the terminal user authentication request amount used in the terminal user authentication necessity determination program is stored in advance by the authentication server.
First, after step 404 and before step 405, the authentication server 104 executes a terminal user authentication necessity determination program using the terminal user authentication determination information as an argument, and requests a terminal user authentication request as an execution result. Get the flag.
In step 405, the authentication server 104 uses the terminal user authentication request flag instead of the terminal user authentication determination information to generate cryptographic information with MAC.
In step 503, the authentication client 109 acquires the terminal user authentication request flag in the memory instead of the terminal user authentication determination information, and after the acquisition, skips step 504 and proceeds to step 505.
In step 506, the authentication client 109 performs processing based on the terminal user authentication request flag acquired in step 503.

In the first and second embodiments of the present invention, the terminal user authentication program 317 is used to input the identity verification information from the input unit 302 of the portable information terminal. However, even if the identity verification information is input from the input unit 202 of the information terminal, the present invention can be implemented.
Regarding the flow of operation when the identity verification information is input from the input unit 202 of the information terminal, changes from the operations of the first and second embodiments will be described below.
In step 407, a description for transmitting a request for writing personal identification information to the non-contact IC chip 305 is newly added to the non-contact IC chip reader / writer control code generated by the online service server.
In step 408, a new entry field for identification information (for example, a text box for accepting input of a personal identification number) is added to the authentication client operation screen. Further, a function for transmitting a request for writing the personal identification information to the non-contact IC chip 305 to the portable information terminal 102 is newly added to the function of the authentication information generation button 803.
In step 501, when the authentication information generation button is pressed, the online service client 107 writes the personal identification information to the non-contact IC chip 305 in addition to the encryption information with MAC.
This change is realized by adding a description to the non-contact IC chip reader / writer control code in step 407.
In step 502, it is assumed that the online service client 107 reads the personal identification information from the non-contact IC chip in addition to the encryption information 308 with MAC and acquires it in the memory.
In step 505, the terminal user authentication program 317 executes processing using the personal identification information acquired in step 502, and acquires a terminal user authentication result as an execution result.

In the first and second embodiments of the present invention, when the terminal user authentication result is “No” in step 506, the authentication process is interrupted and the execution of the authentication client is immediately terminated. It was. However, this process may be replaced with the process described below.
The authentication client 109 records the number of authentication failures in which the terminal user authentication result is “No” in the storage unit 306 before ending the processing.
When the number of authentication failures exceeds a certain number, the authentication client 109 deletes the common key K and the secret key SK stored in the storage unit and executes the authentication client initial setting procedure again. To the user.
The number of authentication failures that require the user to make initial settings again is determined according to the security strength required by the provider providing the online service for this authentication system, and is incorporated in the authentication client program in advance, or the user Shall be entered in the initial setting of the authentication client.
If such a mechanism is introduced, the security strength of the authentication system can be further improved as necessary.
In the first and second embodiments of the present invention, the authentication client generates authentication information in step 507 and writes it in the contactless IC, and then displays a service request content confirmation screen in step 508. did. However, the execution order of step 507 and step 508 may be reversed. That is, the authentication client may first display the service request content confirmation screen, and then write the generated authentication information to the non-contact IC chip after a certain period of time has elapsed.
When such a mechanism is introduced, a user can be tampered with an information terminal by, for example, a service request transmitted from an information terminal being tampered with on a communication network by a third party, or a malicious program called spyware being installed. Even in such a case, by confirming the display of the service request content confirmation screen, it is possible to notice the occurrence of these illegal acts. And before the authentication information is written to the non-contact IC, by placing the portable information terminal outside the non-contact communication range of the non-contact ICR / W, it is possible to prevent unauthorized online services from being executed in advance. The security of the authentication system can be further improved.
In FIG. 1, the online service server 103 and the authentication server 104 may be configured to be integrated in the same server.

1 is an overall configuration diagram showing an embodiment of an authentication system according to the present invention. It is a functional block diagram which shows the structure of an information terminal. It is a functional block diagram which shows the structure of a portable information terminal. It is a flowchart which shows the flow of operation | movement of an authentication information generation preparation process. It is a flowchart which shows the flow of operation | movement of an authentication information generation process. It is a flowchart which shows the flow of operation | movement of an authentication process. It is a flowchart which shows the flow of a process of the terminal user authentication necessity determination program in 1st Embodiment. It is a figure which shows the example of the authentication client operation screen in 1st Embodiment. It is a figure which shows the example of the terminal user authentication screen in 1st Embodiment. It is a figure which shows the example of the service request content confirmation screen in 1st Embodiment. It is a flowchart which shows the flow of a process of the terminal user authentication necessity determination program in 2nd Embodiment. It is a figure which shows the example of the authentication client operation screen in 2nd Embodiment. It is a figure which shows the example of the service request content confirmation screen in 2nd Embodiment.

Explanation of symbols

101 information terminal 102 portable information terminal 103 online service server 104 authentication server 105 communication network 106 contactless ICR / W
107 Online service client 108 Non-contact IC chip 109 Authentication client

Claims (24)

An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
An authentication system comprising a portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, and generating authentication information used for authenticating the content of the service request. And
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Means for generating a non-contact IC chip reader / writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Means for writing information and service request content, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and authentication is performed based on the random number information read from the non-contact IC chip and the service request content Means for generating information, writing the generated authentication information into a contactless IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Means for generating a non-contact IC chip reader / writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Means for writing information and service request content, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication means is executed using the personal identification information stored in advance. The terminal user authentication is performed, and when the terminal user authentication is determined to be successful, the authentication information is generated based on the random number information read from the non-contact IC chip and the content of the service request. Means for writing information to the contactless IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information generated by the authentication server, the authentication client activation code, and the terminal user authentication determination information are received, and the random number information and the authentication client activation code are received. Generating a non-contact IC chip reader / writer control code including service request contents and terminal user authentication determination information, and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal When,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication determination information, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication determination information read from the non-contact IC chip is used. The terminal user authentication necessity determination means is executed to determine the necessity of terminal user authentication, and when it is determined that the necessity determination is unnecessary, and the necessity determination is determined to be necessary, and The terminal user authentication is executed by executing the terminal user authentication means using the personal identification information stored in advance, and when the terminal user authentication is determined to be successful, it is read from the non-contact IC chip. Generating authentication information based on the random number information and the service request content, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Necessity of terminal user authentication by generating random number information, authentication client activation code and terminal user authentication determination information, and using the terminal user authentication determination information to execute terminal user authentication necessity determination means Performing determination, obtaining the result of the necessity determination as a terminal user authentication request flag, and transmitting random number information, an authentication client activation code, and a terminal user authentication request flag to the online service server;
The online service server is
A contactless IC chip reader that receives random number information, an authentication client activation code, and a terminal user authentication request flag from the authentication server, and includes random number information, an authentication client activation code, service request contents, and a terminal user authentication request flag Means for generating a writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication request flag, and means for transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication request flag read from the non-contact IC chip is unnecessary. Terminal user authentication request flag read from a non-contact IC chip is necessary, and terminal user authentication is performed by executing terminal user authentication means using pre-stored personal identification information When the terminal user authentication is determined to be successful, authentication information is generated based on the random number information read from the contactless IC chip and the service request content, and the generated authentication information is stored in the contactless IC chip. Means to write and exit the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and sending authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a time when the authentication server generates random number information to be used as an argument when generating authentication information,
The terminal user authentication determination means includes a random number generation time acquired as the terminal user authentication determination information and the terminal user authentication determination information when the portable information terminal generates the authentication information immediately before the authentication request being processed. Calculate the time difference from the obtained random number generation time, and if the calculated time difference is less than the time difference determined in advance in the authentication system, determine that the execution result of the terminal user authentication determination means is unnecessary, and calculate the time difference Is an authentication system characterized by determining that the execution result of the terminal user authentication determination means is necessary when the time difference is equal to or greater than a time difference determined in advance in the authentication system. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a transaction amount included in a service request content transmitted by the information terminal together with an authentication request,
The terminal user authentication determination unit determines that the execution result of the terminal user authentication determination unit is unnecessary when the transaction amount acquired as the terminal user authentication determination information is less than an amount determined in advance in the authentication system. And, when the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication determination means is determined to be necessary. system. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information includes transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication determination means is configured such that the transaction amount acquired as the terminal user authentication determination information is higher or lower than an amount determined in advance in the authentication system, and the terminal user authentication determination information The terminal user authentication determination means is executed by a combination of the condition determinations that the customer information acquired as the terminal user authentication determination information is included or not included in the history information of the service request content acquired as An authentication system characterized by determining whether a result is necessary or unnecessary. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a login determination flag included in the service request content transmitted by the information terminal together with the authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication determination means If the login determination flag acquired as the terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content, the terminal determines that the execution result of the authentication determination means is unnecessary. An authentication system characterized in that an execution result of a user authentication determination unit is determined to be important. In the authentication system according to any one of claims 2 to 8,
The terminal user authentication means executed by the authentication client prompts the user to input personal identification information. If the input personal identification information matches the personal identification information stored in the portable information terminal in advance, the terminal user authentication means Authentication system characterized in that person authentication is determined to be successful. The authentication system according to any one of claims 2 to 9,
The authentication system, wherein the personal identification information is a personal identification number. The authentication system according to any one of claims 2 to 9,
The authentication system characterized in that the identity verification information is position information. The authentication system according to any one of claims 2 to 9,
The authentication system characterized in that the identity verification information is biometric information of a user. In the authentication system according to any one of claims 1 to 12,
The authentication system, wherein the authentication information is a one-time password. In the authentication system according to any one of claims 1 to 12,
The authentication system, wherein the authentication information is a digital signature. The authentication system according to any one of claims 1 to 14,
The authentication system characterized in that the means for terminating the authentication client writes the generated authentication information into the non-contact IC chip after a predetermined time has elapsed since the service request content confirmation screen was displayed. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
Authentication in an authentication system comprised of a portable information terminal possessed by a user who receives an online service at the information terminal and comprising a non-contact IC chip and an authentication client, and generating authentication information used for authentication of service request contents A method,
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Generating a contactless IC chip reader / writer control code and displaying an authentication client operation screen incorporating the contactless IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information and service request content, and sending an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and authentication is performed based on the random number information read from the non-contact IC chip and the service request content Generating information, writing the generated authentication information to a contactless IC chip, and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information and the authentication client activation code generated by the authentication server are received, and the random number information, the authentication client activation code, and the service request content are included. Generating a contactless IC chip reader / writer control code and displaying an authentication client operation screen incorporating the contactless IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information and service request content, and sending an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication means is executed using the personal identification information stored in advance. The terminal user authentication is performed, and when the terminal user authentication is determined to be successful, the authentication information is generated based on the random number information read from the non-contact IC chip and the content of the service request. Writing information to the contactless IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
The service request content received from the information terminal is transmitted to the authentication server, the random number information generated by the authentication server, the authentication client activation code, and the terminal user authentication determination information are received, and the random number information and the authentication client activation code are received. Generating a contactless IC chip reader / writer control code including the service request content and terminal user authentication determination information, and causing the information terminal to display an authentication client operation screen incorporating the contactless IC chip reader / writer control code When,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication determination information, and transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication determination information read from the non-contact IC chip is used. The terminal user authentication necessity determination means is executed to determine the necessity of terminal user authentication, and when it is determined that the necessity determination is unnecessary, and the necessity determination is determined to be necessary, and The terminal user authentication is executed by executing the terminal user authentication means using the personal identification information stored in advance, and when the terminal user authentication is determined to be successful, it is read from the non-contact IC chip. Generating authentication information based on the random number information and the contents of the service request, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting a service request content together with an authentication request to the online service server;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Necessity of terminal user authentication by generating random number information, authentication client activation code and terminal user authentication determination information, and using the terminal user authentication determination information to execute terminal user authentication necessity determination means Performing determination, obtaining a result of the necessity determination as a terminal user authentication request flag, and transmitting random number information, an authentication client activation code, and a terminal user authentication request flag to the online service server;
The online service server is
A contactless IC chip reader that receives random number information, an authentication client activation code, and a terminal user authentication request flag from the authentication server, and includes random number information, an authentication client activation code, service request contents, and a terminal user authentication request flag Generating a writer control code and displaying an authentication client operation screen incorporating the non-contact IC chip reader / writer control code on the information terminal;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code incorporated in the authentication client operation screen is executed, and a random number is applied to the non-contact IC chip via the non-contact IC chip reader / writer. Writing information, service request content and terminal user authentication request flag, and transmitting an authentication client activation code to the portable information terminal;
The portable information terminal is
The authentication client activation code is received from the information terminal, the authentication client is activated, a service request content confirmation screen including the service request content is displayed, and the terminal user authentication request flag read from the non-contact IC chip is unnecessary. Terminal user authentication request flag read from a non-contact IC chip is necessary, and terminal user authentication is performed by executing terminal user authentication means using pre-stored personal identification information When the terminal user authentication is determined to be successful, authentication information is generated based on the random number information read from the contactless IC chip and the service request content, and the generated authentication information is stored in the contactless IC chip. Writing and exiting the authentication client; and
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: The authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a time when the authentication server generates random number information to be used as an argument when generating authentication information,
The terminal user authentication determination means includes a random number generation time acquired as the terminal user authentication determination information and the terminal user authentication determination information when the portable information terminal generates the authentication information immediately before the authentication request being processed. Calculate the time difference from the acquired random number generation time, and if the calculated time difference is less than the time difference determined in advance in the authentication system, the execution result of the terminal user authentication determination means is determined to be unnecessary, and the calculated time difference Is an authentication method characterized by determining that the execution result of the terminal user authentication determination means is necessary when the time difference is greater than or equal to a predetermined time in the authentication system. The authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a transaction amount included in a service request content transmitted by the information terminal together with an authentication request,
The terminal user authentication determination unit determines that the execution result of the terminal user authentication determination unit is unnecessary when the transaction amount acquired as the terminal user authentication determination information is less than an amount determined in advance in the authentication system. And, when the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication determination means is determined to be necessary. Method. The authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information includes transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication determination means is configured such that the transaction amount acquired as the terminal user authentication determination information is higher or lower than an amount determined in advance in the authentication system, and the terminal user authentication determination information The terminal user authentication determination means is executed by a combination of condition determinations such that the customer information acquired as is included in the history information of the service request content acquired as terminal user authentication determination information. An authentication method characterized by determining whether a result is necessary or unnecessary. The authentication method according to any one of claims 18 and 19,
The terminal user authentication determination information is a login determination flag included in the service request content transmitted by the information terminal together with the authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication determination means If the login determination flag acquired as the terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content, the terminal determines that the execution result of the authentication determination means is unnecessary. An authentication method characterized in that the execution result of the user authentication determination means is determined to be necessary. The authentication method according to any one of claims 16 to 23,
The step of ending the authentication client includes writing the generated authentication information into the non-contact IC chip after a predetermined time has elapsed after displaying the service request content confirmation screen.

Images