JP2010061318A - User terminal, method to be executed by user terminal, program and data structure - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system for performing settlement even in a state that the substance of a credit card is lost. <P>SOLUTION: A user inputs user ID and sum information about a payment sum to a user device, and a user device generates a one-time password, and sends user ID, sum information and one-time password to an authentication device. The authentication device authenticates the validity of a user by the user ID and the one-time password, and when the user is valid, records the user ID, sum information and one-time password sent from the user device, and sends the notification of authentication success to the user device. The user device generates set data by integrating the user ID, the sum information and the one-time password, and transfers the set data to the other party of payment. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for paying money via a network.

Money is paid on a daily basis via the network. For example, payment by credit card. A user holding a credit card uses a credit card to make a payment at, for example, a real store or a virtual store on the Internet. In any case, the user pays using a credit card owned by the user or using information held by the credit card.
By the way, many people own multiple credit cards. Because credit cards are often carried around by nature, most people cannot escape from the complexity of having to carry around multiple credit cards. Multiple credit cards often occupy a lot of space in the wallet, so their presence is a hindrance. However, since there is a preconception that a credit card is a resin card, both credit card companies and users have to accept the above-mentioned sparseness caused by having multiple credit cards. It is thought not to get.

The applicant of the present application considered that the physical existence of a credit card made of resin should be eliminated in order to eliminate the above-mentioned sparsity.
However, when the physical existence of a credit card is lost, the issue is how the credit card company should confirm the validity of the credit card user and the validity of the credit card usage. .
For example, with credit cards that are currently popular, when a user pays with a credit card, if the user uses a credit card at a real store, the user can read the data read by the card reader at the real store. When the card is used at a virtual store on the web, the computer of the credit card company (or the data received by the user from the actual store or the virtual store via a network such as the Internet (or the like) sent from the virtual store via encrypted communication (or, for example) A computer managed by a credit card company generally determines whether or not credit can be made to the user based on the received data, and if credit can be made, a method is used in which payment is made. It has been. Such credit is intended to mitigate the risks posed by the credit card company, but the credit card company's computer may authenticate the user (eg, a combination of credit card number and credit card holder name) prior to making the credit. The risk is also reduced by performing (authentication by checking the legitimacy). Recently, various technologies such as CVC (Card Verification Code) and CVC2 have been used for such authentication.
Since credit and user authentication are basically based on information recorded on the credit card, how to implement them when the credit card is no longer physically present That is a very difficult problem.
In addition, since traditional payment processing was linked to a credit card number, what would the credit card company computer link to payment information if the physical presence of the credit card was erased? That is also a problem.

  It is an object of the present invention to provide a technique for enabling payment via a network without the presence of a physical credit card.

In order to solve the above-mentioned problems, the present inventor proposes the following invention. The following invention is the most basic form of the present invention, and may be referred to as a “basic invention” for convenience.
The basic invention is an authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and can transmit data to the authentication device via the network. The user terminal for comprising the authentication system comprised including the several user terminal which each user uses.
The user terminal includes an OTP generation unit that generates a one-time password according to a predetermined condition, an amount information input unit for inputting amount information that is information about the amount, and allocation for each user of the user terminal. ID input means for inputting a unique user ID to each user, the one-time password generated by the OTP generation means, the amount information input from the amount information input means, and the ID input means The user transmission that receives the user ID input from the server and transmits the received one-time password, the money amount information, and the user ID to the authentication device via the network in a state where they are associated with each other. And the one-time password, the amount information, and the user ID. The authentication device received from the user terminal corresponds to each other by comparing the one-time password generated as corresponding to the received user ID with the one-time password received from the user terminal. The one-time password received from the attached user terminal, the amount information, and whether or not the user ID is valid can be authenticated.

This user terminal is used in combination with an authentication device capable of communicating via the Internet or other networks. By using this user device, the user can make the same payment as when using a credit card without using a credit card. Although not limited to the basic invention, the user device can be configured by a general personal computer or a portable terminal device (for example, a mobile phone or a notebook personal computer). In particular, when a portable terminal device that is normally carried around is used as the user terminal, it is convenient for the user because it is not necessary to carry a credit card.
Hereinafter, it supplements about the structure of the authentication system containing the user terminal of this invention.
The user terminal is configured to send the one-time password, the money amount information, and the user ID to an authentication device, and the authentication device that has received them authenticates the user terminal that is the source of the data. It has become. Such authentication is performed using a user ID and a one-time password. The technology that uses one-time passwords was developed mainly for the purpose of improving the accuracy of authentication and preventing impersonation, and requires a one-time password that can only be used on the spot. Is generated each time, and authentication is performed using the one-time password. By generating the same one-time password depending on the time when the one-time password is generated and the number of times the one-time password is generated in both the device that performs authentication and the device that performs authentication, One-time password authentication is possible. In the present invention, the same one-time password is generated by the user terminal and the authentication device, thereby authenticating the user.
Here, it is the user ID and money amount information associated with the one-time password that determines whether the authentication device is legitimate using the one-time password. That is, in the authentication apparatus, the validity of information indicating which user has paid for one one-time password is determined. When the authentication is successful, the authentication device stores the one-time password, the user ID, and the money amount information associated with each other on a predetermined recording medium included in the authentication apparatus or an external recording medium. By doing so, the administrator of the authentication device (for example, a traditional credit card company may do this) can record information about the payment made by the user, and the validity of the payment. Can be confirmed.
When there are a plurality of authentication devices and the administrators of the authentication devices are different, the user can pay for each authentication device at the same user terminal. For example, it means that payment can be made with one user terminal to different credit card companies. This is also an advantage of the present invention.
There are other advantages of the present invention. That is, the user ID and amount information are authenticated using a different one-time password for each payment. The one-time password, user ID, and amount information used in this authentication system when the user pays using the user terminal is the credit card number, the name of the credit card, and the use in the conventional credit card. Respectively. In the authentication device including the user terminal according to the present invention, since a one-time password corresponding to a credit card number is generated every time payment is made, it is disposable. The fear is small. This high safety caused by the above-described effects, such as disposing of a credit card, is also an advantage of the present invention.
In addition, according to the present invention, the user ID is irrelevant to the user's name, thereby enabling complete anonymous settlement. Regardless of the credit card company, being able to maintain anonymity with respect to the actual store to which the customer pays or a virtual store on the Internet would be of great benefit to the user. For example, on the Internet virtual space, two users have some data from an avatar imitating the self used by one user in the virtual space to an avatar imitating the other user used in the virtual space. By passing, it will be possible for both users to pay money while maintaining anonymity.

The same effects as those of the user terminal according to the basic invention described above can be obtained by, for example, the following method.
The method includes an authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and can transmit data to the authentication device via the network. , A user terminal for configuring an authentication system including a plurality of user terminals used by each user, and a method executed by the information processing unit, although including an information processing unit that executes information processing .
The method includes an OTP generation process for generating a one-time password according to predetermined conditions, an amount information input process for receiving input of amount information that is information about the amount, An ID input process for receiving an input of a unique user ID for each user allocated for each user of the terminal, the one-time password generated in the OTP generation process, the amount information received in the amount information input process, and Including the user transmission process of transmitting the user ID received in the ID input process to the authentication device via the network in a state in which they are associated with each other, the one-time password, The authentication device that has received the amount information and the user ID from the user terminal has accepted the user. The one-time password received from the user terminals associated with each other by comparing the one-time password generated as corresponding to the ID with the one-time password received from the user terminal. The amount information and whether the user ID is valid can be authenticated.
Effects similar to those of the user terminal according to the basic invention described above can be obtained by, for example, the following program.
The program is configured to be able to connect to a predetermined network and to perform authentication using a one-time password, and to transmit data to the authentication device via the network. A program for causing a computer to function as a user terminal for configuring an authentication system including a plurality of user terminals used by each user.
The program causes the computer to generate OTP generation means for generating a one-time password in accordance with predetermined conditions, money amount information input means for inputting money amount information as money amount information, and a user of the user terminal. ID input means for inputting a unique user ID to each user allocated for each user, the one-time password generated by the OTP generation means, the amount information input from the amount information input means, and the The user ID input from the ID input means is received, and the received one-time password, the money amount information, and the user ID are transmitted to the authentication device via the network in a state where they are linked to each other. The one-time password, the previous The one-time password generated by the authentication device that has received the amount information and the user ID from the user terminal as corresponding to the received user ID is compared with the one-time password received from the user terminal. By seeing the coincidence, it is possible to authenticate whether the one-time password, the amount information, and the user ID received from the user terminals associated with each other are valid.

The above-described authentication system including the user terminal of the basic invention can also be configured to include an intermediary device. For example, when a conventional credit card is used in an actual store, it is combined with a data reader that reads data recorded on, for example, a magnetic tape of the credit card so that the data reader reads the data recorded on the credit card. Used. The authentication system including the user terminal of the present invention may include an intermediary device corresponding to a data reader used in combination with a conventional credit card.
In this case, the user terminal can be connected to a predetermined network, can authenticate with a one-time password, and can transmit data to the authentication device via the network. A plurality of user terminals used by each user, and data generated by the user terminal or data for specifying the data that can be connected to the network can be received from the user terminal. And an intermediary device that transmits the received data to the authentication device via the network.
The user terminal includes an OTP generation unit that generates a one-time password according to a predetermined condition, an amount information input unit for inputting amount information that is information about the amount, and an allocation for each user of the user terminal. ID input means for inputting a unique user ID to each user, the one-time password generated by the OTP generation means, the amount information input from the amount information input means, and the ID input means A delivery means for accepting the user ID input from, and delivering the accepted one-time password, the money amount information, and the user ID to the intermediary device in a state where they are associated with each other. Before accepting the one-time password, the money amount information, and the user ID from the intermediary device. By comparing the one-time password generated by the authentication device as corresponding to the received user ID with the one-time password received from the intermediary device, the matching is performed from the user terminals associated with each other. The received one-time password, the amount information, and whether or not the user ID is valid can be authenticated.
In the basic invention, the one-time password, the money amount information, and the user ID do not necessarily have to be so. However, in the present invention, these data are once passed to the mediation device and then authenticated from the mediation device. Sent to the device. In this respect, the present invention is different from the basic invention. Therefore, the user terminal according to the present invention does not necessarily need to be able to communicate via the network, particularly to communicate with the authentication device.
The intermediary device may receive a one-time password, money amount information, and user ID data itself from the user terminal. For example, by connecting the user terminal and the mediation device by wire (for example, USB connection) or wirelessly (for example, Bluetooth connection), the mediation device can receive these data from the user terminal. .
Alternatively, the intermediary device receives data for specifying one-time password, money amount information, and user ID data from the user terminal, and based on the received data, the one-time password, money amount information, and The user ID data may be restored. In addition, the intermediary device sends the received one-time password, money amount information, and data for specifying the data of the user ID to the authentication device, and the authentication device that has received it receives the data based on the received data. The one-time password, money amount information, and user ID data may be restored.
For example, if the user terminal is provided with a display for displaying an image, the data for specifying the one-time password, the amount information, and the data of the user ID from the user terminal to the mediation apparatus is The intermediary device may read the image corresponding to the data for specifying the one-time password, money amount information, and user ID data displayed on the display. If the user terminal is a mobile phone, it is normal to have a display, so there is no shortage of displays for displaying such images. More specifically, the user terminal displays a barcode as such a target image on the display, and the mediation device reads the barcode with a barcode reader, so that the specification data is transferred from the user terminal to the mediation device. Can be done.

The same effects as those of the user terminal constituting the authentication system including the mediation device described above can be obtained by, for example, the following method.
The method includes an authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and can transmit data to the authentication device via the network. A plurality of user terminals used by each user and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal. And a user terminal for configuring an authentication system including an intermediary device that transmits received data to the authentication device via the network, and includes an information processing unit that executes information processing. This is a method executed by the information processing means.
The method includes an OTP generation process for generating a one-time password according to predetermined conditions, an amount information input process for receiving input of amount information that is information about the amount, An ID input process for receiving an input of a unique user ID for each user allocated for each user of the terminal, the one-time password generated in the OTP generation process, the amount information received in the amount information input process, and Including the delivery process of delivering the user ID received in the ID input process to the intermediary device in a state in which the user IDs are associated with each other, so that the one-time password, the amount information, and the user The authentication device that receives the ID from the mediation device generates the ID corresponding to the received user ID. By comparing the one-time password with the one-time password received from the intermediary device, the one-time password received from the user terminals associated with each other, the amount information, and the user ID Authenticate whether or not is legitimate.
Effects similar to those of the user terminal constituting the authentication system including the mediation device described above can be obtained by the following program, for example.
The program is configured to be able to connect to a predetermined network and to perform authentication using a one-time password, and to transmit data to the authentication device via the network. A plurality of user terminals used by each user and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal. A program for causing a computer to function as a user terminal for configuring an authentication system including an intermediary device that transmits received data to the authentication device via the network.
The program causes the computer to generate OTP generation means for generating a one-time password in accordance with predetermined conditions, money amount information input means for inputting money amount information as money amount information, and a user of the user terminal. ID input means for inputting a unique user ID to each user allocated for each user, the one-time password generated by the OTP generation means, the amount information input from the amount information input means, and the A delivery means for accepting the user ID inputted from the ID input means, and delivering the accepted one-time password, the money amount information, and the user ID to the intermediary device in a state where they are associated with each other; The one-time password, the amount information, and the user By comparing the one-time password generated by the authentication device that has received D from the mediation device as corresponding to the accepted user ID with the one-time password received from the mediation device, It is possible to authenticate whether or not the one-time password, the amount information, and the user ID received from the user terminals associated with each other are valid.

The above-described authentication system including the user terminal of the basic invention can be configured to include a token. For example, a conventional authentication device using a one-time password generally uses a token. A token is a small, generally portable device that allows a user to generate the same one-time password that is generated by an authentication device. The tokens that each user has are typically provided with data, commonly referred to as seeds, that is unique to each token that is used to generate a one-time password, and the time when the one-time password is generated, Alternatively, the one-time password is generated using data on the number of times the one-time password has been generated. In the basic invention, the user terminal has a function of generating a one-time password. However, in the present invention, the function is excluded from the user terminal, and instead, the token has a function of generating a one-time password. It is possible to
In this case, the user terminal can be connected to a predetermined network, can authenticate with a one-time password, and can transmit data to the authentication device via the network. User terminal for configuring an authentication system including a plurality of user terminals used by each user and a plurality of tokens used by each user and generating a one-time password according to a predetermined condition It is.
The user terminal includes an OTP input unit for inputting the one-time password generated by the token, a monetary information input unit for inputting monetary information that is information about the monetary amount, and a user of the user terminal ID input means for inputting a unique user ID to each user allocated for each, the one-time password input by the OTP input means, the amount information input from the amount information input means, and the The user ID input from the ID input means is received, and the received one-time password, the money amount information, and the user ID are transmitted to the authentication device via the network in a state where they are linked to each other. User transmission means for performing the one-time password, the amount information, and the By comparing the one-time password generated by the authentication device that has received the ID from the user terminal as that corresponding to the received user ID with the one-time password received from the user terminal. The one-time password received from the user terminals associated with each other, the amount information, and whether or not the user ID is valid can be authenticated.

The same effect as that of the user terminal constituting the authentication system including the token described above can be obtained by the following method, for example.
The method includes an authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and can transmit data to the authentication device via the network. A user terminal for configuring an authentication system including a plurality of user terminals used by each user and a plurality of tokens used by each user to generate a one-time password according to a predetermined condition, This is a method executed by the information processing means although it is provided with information processing means for executing information processing.
The method includes an OTP input process for receiving an input of a one-time password generated by the token, and an amount information input process for receiving an input of amount information that is information about the amount, which is executed by the information processing means; ID input process for receiving an input of a unique user ID for each user allocated for each user of the user terminal, the one-time password received in the OTP input process, and the amount information received in the amount information input process And a user transmission process of transmitting the user IDs received in the ID input process to the authentication device via the network in a state where they are associated with each other, The authentication device that receives the password, the money amount information, and the user ID from the user terminal receives the password. The one-time password received from the user terminals associated with each other by comparing the one-time password generated as corresponding to the digit user ID with the one-time password received from the intermediary device. It is possible to authenticate whether the password, the amount information, and the user ID are valid.
The same operation effect as the user terminal which comprises the authentication system containing the token demonstrated above can be acquired by the following programs, for example.
The program is configured to be able to connect to a predetermined network and to perform authentication using a one-time password, and to transmit data to the authentication device via the network. A computer as a user terminal for configuring an authentication system including a plurality of user terminals used by each user and a plurality of tokens used by each user to generate a one-time password according to a predetermined condition Is a program for making
Then, the program causes the computer to input an OTP input means for inputting the one-time password generated by the token, an amount information input means for inputting amount information which is information about the amount, and the user ID input means for inputting a unique user ID to each user allocated for each user of the terminal, the one-time password input by the OTP input means, and the amount information input from the amount information input means And the user ID input from the ID input means, and the received one-time password, the money amount information, and the user ID are associated with each other, and the authentication is performed via the network. The one-time pass by functioning as user transmission means for transmitting to the device The one-time password generated by the authentication device that has received the password, the amount information, and the user ID from the user terminal as corresponding to the received user ID, and the one-time password received from the user terminal By comparing the match, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To do.

The authentication device including the user terminal according to the present invention may include both the mediation device and the token described above.
In this case, the user terminal can be connected to a predetermined network, can authenticate with a one-time password, and can transmit data to the authentication device via the network. A plurality of user terminals used by each user, and data generated by the user terminal or data for specifying the data that can be connected to the network can be received from the user terminal. And an intermediary device that transmits received data to the authentication device via the network, and a plurality of tokens that are used by each user and that generate a one-time password according to predetermined conditions. It is a user terminal for comprising an authentication system.
The user terminal includes an OTP input unit for inputting the one-time password generated by the token, a monetary information input unit for inputting monetary information that is information about the monetary amount, and a user of the user terminal ID input means for inputting a unique user ID to each user allocated for each, the one-time password input by the OTP input means, the amount information input from the amount information input means, and the A delivery means for accepting the user ID inputted from the ID input means, and delivering the accepted one-time password, the money amount information, and the user ID to the intermediary device in a state where they are associated with each other; The one-time password, the money amount information, and the user ID are received from the mediation device. The one-time password generated by the attached authentication device as corresponding to the received user ID is compared with the one-time password received from the intermediary device, so that the matching is made. The one-time password received from the user terminal, the money amount information, and whether or not the user ID is valid can be authenticated.

The same effects as those of the user terminal constituting the authentication system including both the mediation device and the token described above can be obtained by the following method, for example.
The method includes an authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and can transmit data to the authentication device via the network. A plurality of user terminals used by each user and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal. And an intermediary device that transmits the received data to the authentication device via the network, and a plurality of tokens that are used by each user and that generate a one-time password according to a predetermined condition. It is a user terminal for configuring the system, and includes information processing means for executing information processing The information processing means of a method of execution.
The method includes an OTP input process for receiving an input of a one-time password generated by the token, and an amount information input process for receiving an input of amount information that is information about the amount, which is executed by the information processing means; ID input process for receiving an input of a unique user ID for each user allocated for each user of the user terminal, the one-time password received in the OTP input process, and the amount information received in the amount information input process And a delivery process of delivering the user ID received in the ID input process to the intermediary device in a state where they are associated with each other, so that the one-time password, the amount information, and The authentication device that has received the user ID from the mediation device corresponds to the received user ID. By comparing the generated one-time password with the one-time password received from the intermediary device, the one-time password received from the user terminals associated with each other, the amount information, and the It is possible to authenticate whether or not the user ID is valid.
The same effects as those of the user terminal constituting the authentication system including both the mediation device and the token described above can be obtained by the following program, for example.
The program is configured to be able to connect to a predetermined network and to perform authentication using a one-time password, and to transmit data to the authentication device via the network. A plurality of user terminals used by each user and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal. And an intermediary device that transmits the received data to the authentication device via the network, and a plurality of tokens that are used by each user and that generate a one-time password according to a predetermined condition. A program for functioning a computer as a user terminal for configuring the system. A gram.
Then, the program causes the computer to input an OTP input means for inputting the one-time password generated by the token, an amount information input means for inputting amount information that is information about the amount, and the user ID input means for inputting a unique user ID to each user allocated for each user of the terminal, the one-time password input by the OTP input means, and the amount information input from the amount information input means And accepting the user ID inputted from the ID input means, and delivering the accepted one-time password, the money amount information, and the user ID to the intermediary device in a state where they are associated with each other. By functioning as a delivery means, the one-time password, the amount information, and The authentication device that has received the user ID from the mediation device looks at the match of the one-time password generated as corresponding to the received user ID in comparison with the one-time password received from the mediation device. Thus, it is possible to authenticate whether or not the one-time password received from the user terminals associated with each other, the amount information, and the user ID are valid.

When any one of the user terminals described above authenticates the one-time password, the amount information, and the user ID, the authenticated one-time password, amount information, and You may provide the set data production | generation means which produces | generates the set data integrated including user ID in the state which can be delivered to a predetermined | prescribed external device.
Authenticated set data (the set data includes, for example, the one-time password, the money amount information, and the user ID, and these are integrated and has such a data structure) is distributed. In this case, there is a possibility that the same handling as that of money or check can be performed. In other words, the set data after being authenticated by the authentication device is that the user specified by the user ID included in the set data has agreed to pay the amount specified by the amount information included in the set data. Is authenticated by the one-time password included in the set data (this is similar to the state “guaranteed” by the authentication device), so the set data is set to the amount specified by the amount information. Handling money like a face value or a check may be a problem to be solved such as counterfeiting or anti-copying, but at least not impossible.
In order to make it possible to use the set data in a predetermined external device other than the user terminal, the user terminal may be provided with output means for outputting the set data to the predetermined external device. For example, the user terminal can transmit set data to an external device by wired or wireless communication. Alternatively, the user terminal includes means for generating specification data that is data for specifying the set data, and second transfer means for transferring the specification data generated by the means to a predetermined external device. May be. The predetermined external device can restore the set data from the received identification data. For example, if the user data is transferred from the user terminal to the external device, for example, if the user terminal has a display for displaying an image, the image displayed on the display and corresponding to the data for specifying This may be executed by the external device reading the identification image. When the user terminal is a mobile phone, it is normal to have a display, so there is no shortage of displays for displaying a specific image. More specifically, the specifying image can be a barcode.

If the authentication system does not include an intermediary device, the user delivery means in the user terminal sends terminal identification information unique to the user terminal to the authentication device in addition to the one-time password, the amount information, and the user ID. You may come to transmit. In this case, the authentication device that has received the one-time password, the money amount information, the user ID, and the terminal identification information from the user terminal can authenticate the user terminal using the received terminal identification information. To be.
If the authentication system includes an intermediary device, the delivery means in the user terminal transmits terminal identification information unique to the user terminal to the intermediary device in addition to the one-time password, the amount information, and the user ID. It does not matter if In this case, the authentication device that has received the one-time password, the money amount information, the user ID, and the terminal identification information from the intermediary device can authenticate the user terminal using the received terminal identification information. To be.

  Hereinafter, first to third embodiments of the present invention will be described. In the description of each embodiment, the same reference numerals are given to the same objects, and redundant descriptions are omitted in some cases.

<< First Embodiment >>
FIG. 1 schematically shows the overall configuration of the authentication system of the first embodiment.
The authentication system includes a plurality of user devices 1-1 to 1-N, an authentication device 2, and a network 3.
The network 3 is the Internet in this embodiment, although not limited to this.

The user device 1 corresponds to a user terminal referred to in the present application, and includes a computer. More specifically, the user device 1 in this embodiment is configured by a general-purpose personal computer. In this embodiment, description will be made assuming that each user owns the user device 1, but the user device 1 may be shared by a plurality of users.
The user device 1 can be connected to the authentication device 2 via the network 3. The user device 1 can also browse a homepage other than that provided by the authentication device 2 via the network 3, and a known web browser is implemented to enable this.

Next, the configuration of the user device 1 will be described. The configurations of the user devices 1-1 to 1-N are the same in relation to the present invention.
The hardware configuration of each user apparatus 1-1 to 1-N is shown in FIG.

In this embodiment, the user device 1 includes a central processing unit (CPU) 21, a read only memory (ROM) 22, a random access memory (RAM) 23, an input device 24, a display device 25, and a communication unit 26. ing. The CPU 21, ROM 22, RAM 23, input device 24, display device 25, and communication unit 26 are connected via a bus 27.
The ROM 22 stores a predetermined program and data necessary for executing the program. This program includes the program of the present invention. This program may be installed in the user device 1 from the time of shipment of the user device 1, or may be installed by the user's hand after the user device 1 is shipped, for example. When a program is installed in the user device 1, the program may be installed in the user device 1 from a predetermined recording medium, or may be installed by distribution via a network. In addition, the program of the present invention may cause the user device 1 to execute the processing described below alone, and the processing described below in the user device 1 in cooperation with the OS and other programs. May be executed.
The CPU 21 controls the entire user device 1 and executes processing to be described later based on programs and data stored in the ROM 22. The RAM 23 is used as a working storage area when the CPU 21 performs processing to be described later. In addition, an initial solution to be described later is recorded in the RAM 23 as necessary.
The user device 1 may include a hard disk drive (HDD) or other recording medium. A part of the above-described program and data may be recorded in the HDD, and the HDD may be allowed to take over some of the functions of the RAM 23.
The input device 24 is for a user to input data, and may be configured in any way as long as it is possible. In this embodiment, the input device 24 is not limited to this. It consists of a mouse. The information input from the input device 24 will be described in detail later. For example, data for generating a user ID and data for generating money amount information are input from the input device 24.
The display device 25 is a device that displays an image, and can be configured by, for example, an LCD (liquid crystal display). The display device 25 is configured to display the content input from the input device 24, the content of processing executed by the user device 1, and the like.
The communication unit 26 performs communication via the network 3. The communication unit 26 according to this embodiment can browse a home page via a Web browser and connect to the authentication device 2. Details of communication performed by the communication unit 26 will be described later.

In the user apparatus 1 having the above hardware, the CPU 21 executes the program, thereby generating a functional block as shown in FIG.
Inside the user device 1, an input unit 31, an information processing unit 32, and an output unit 33 are generated. The information processing unit 32 includes a processing unit 32A, an ID information generation unit 32B, an amount information generation unit 32C, an OTP generation unit 32D, an OTP generation data recording unit 32E, and a set data generation unit 32F.

The input unit 31 receives data from the outside. The input unit 31 receives a notification of successful authentication (which will be described later) from the authentication device 2 via the network 3 and receives data necessary for browsing the home page via the network 3. The input unit 31 also receives data such as data for generating a user ID and data for generating money amount information from the input device 24.
The input unit 31 sends these received data to the information processing unit 32.

The information processing unit 32 performs various information processing based on the data received from the input unit 31. A part of the data generated as a result of the information processing performed by the information processing unit 32 is output to the output unit 33.
The processing unit 32 </ b> A is configured to execute information processing other than money payment described later. In this embodiment, the processing unit 32 </ b> A executes a process for allowing a user to browse a homepage that can be browsed via the network 3 on the screen of the display device 25. That is, the function of the Web browser described above is realized as a function of the processing unit 32A. The processing unit 32A generates data for displaying the home page on the display device 25 by using the data for displaying the home page received from the network 3 via the input unit 31 and the function as the Web browser that the processing unit 32A has, This is output to the output unit 33. The display device 25 that has received this data from the output unit 33 displays the homepage image on the screen.

The ID information generation unit 32B, the money amount information generation unit 32C, the OTP generation unit 32D, the OTP generation data recording unit 32E, and the set data generation unit 32F each execute a part of the monetary payment process described later. .
The ID information generation unit 32B receives data for generating a user ID sent from the input device 24 through the input unit 31 by the operation of the input device 24 by the user, and generates data of the user ID based on the data To do. The user ID is information unique to each user for specifying each user assigned to each user. The ID information generation unit 32B sends the generated user ID data to the output unit 33 or the set data generation unit 32F.
The amount information generation unit 32C receives data for generating amount information sent from the input device 24 via the input unit 31 by the operation of the input device 24 by the user, and generates amount information data based on the data To do. The amount information is information for specifying the amount specified by the user, such as 10,000 yen or 2000 dollars. The money amount information generating unit 32C is configured to send the generated money amount information data to the output unit 33 or the set data generating unit 32F.
The OTP generation unit 32D generates a one-time password. The OTP generation unit 32D generates a one-time password with a mechanism similar to that of a token used in a known authentication system that uses a one-time password. The OTP generation unit 32D generates a one-time password using a predetermined initial value (this is often referred to as a seed) shared with the authentication device 2 in the same manner as a known token. The initial value is recorded in the OTP generation data recording unit 32E. When generating the one-time password, the OTP generation unit 32D reads the initial value from the OTP generation data recording unit 32E, and generates the one-time password according to a predetermined rule or algorithm shared with the authentication device 2. The OTP generation unit 32D sends the generated one-time password to the output unit 33 or the set data generation unit 32F.
The set data generation unit 32F integrates data on the user ID received from each of the ID information generation unit 32B, the amount information generation unit 32C, and the OTP generation unit 32D, data on the amount information, and data on the one-time password. It generates set data that is data. The set data generation unit 32F generates set data when it receives later-described data indicating that the authentication has been successful.

The output unit 33 has a function of outputting the data received from the information processing unit 32 to the outside, more specifically, to the network 3 or the display device 25. Data output to the network 3 via the output unit 33 is sent to the authentication device 2, for example. The output unit 33 may send data about the user ID, the amount information, and the one-time password to the authentication device 2. In this case, these data are integrated or at least associated with each other. It will be.
The data output from the output unit 33 to the display device 25 causes the display device 25 to display an image based on the data.

Next, the configuration of the authentication device 2 will be described.
In this embodiment, the authentication device 2 is configured by a general computer device.
The hardware configuration of the authentication device 2 is the same as the hardware configuration of the user device 1 in this embodiment. The authentication device 2 includes a CPU, a ROM, a RAM, an input device, a display device, a communication unit, and a bus that connects them. The authentication device 2 also includes an HDD or other recording medium as necessary. The functions of the CPU, ROM, RAM, input device, display device, communication unit, bus (and HDD or other recording medium) constituting the authentication device 2 are the same as those of the user device 1, and are generally used for computer devices. Is.

In the authentication apparatus 2 having the hardware as described above, a functional block as shown in FIG. 4 is generated when the CPU executes a program.
An input unit 41, an information processing unit 42, and an output unit 43 are generated inside the authentication device 2. The information processing unit 42 includes a user ID specifying unit 42A, an OTP generation unit 42B, an OTP generation data recording unit 42C, an authentication unit 42D, a set data processing unit 42E, and a set data recording unit 42F.

The input unit 41 receives data from the outside. The input unit 41 receives data sent from the user device 1, for example, data on a user ID, money amount information, and a one-time password.
The input unit 41 sends the received data to the information processing unit 42.

  The information processing unit 42 executes various information processing based on the data received from the input unit 41. A part of the data generated as a result of the information processing performed by the information processing unit 42 is output to the output unit 43.

The user ID specifying unit 42A extracts the user ID data from the user ID, money amount information, and one-time password data received from the user device 1 via the network 3 and the input unit 41, and sends the data. The user ID of the user is specified. The user ID identification unit 42A sends information about the identified user ID to the OTP generation unit 42B.
The OTP generator 42B generates a one-time password. When the information about the user ID is received from the user ID specifying unit 42A, the OTP generating unit 42B generates a one-time password that is unique for each user ID specified by the information about the user ID. To make this possible, the OTP generation data recording unit 42C records the user ID assigned to each user and the initial value used to generate a one-time password corresponding to each user ID. (FIG. 5). These initial values are set to be the same as the initial values recorded in the user device 1 where the user ID associated with the initial value is scheduled to be used. When the OTP generation unit 42B receives information about the user ID from the user ID specifying unit 42A, the OTP generation unit 42B reads an initial value associated with the user ID specified by the information from the OTP generation data recording unit 42C, and Using the rules or algorithms shared with the device 1, the user device 1 that sent the user ID, money amount information, and one-time password data that triggered the generation of the one-time password is generated. Generate the same one-time password that you did. The OTP generation unit 42B sends the generated one-time password data to the authentication unit 42D.
The OTP generation unit 42B does not generate a one-time password when the user ID specified by the information about the user ID received from the user ID specification unit 42A does not exist in the OTP generation data recording unit 42C. This is notified to the authentication unit 42D.
The authentication unit 42D has a function of authenticating the validity of the user. The user ID, amount information, and one-time password data sent to the input unit 41 are sent to the information processing unit 42 as described above. Of these data, data about the user ID is sent to the authentication unit 42D. The authentication unit 42D performs OTP based on the initial value associated with the data about the user ID sent from the user device 1 and the data about the user ID sent together with the data about the user ID. The authenticity of the user is authenticated by comparing the data of the one-time password generated by the generation unit 42B. If the data of both one-time passwords match, the authentication unit 42D determines that the user who sent the one-time password is valid, and if they do not match, the authentication unit 42D sends the one-time password. It is determined that the user is not valid.
When the authentication unit 42D receives a notification from the OTP generation unit 42B that the user ID specified by the information about the user ID received from the user ID specification unit 42A does not exist in the data recording unit 42C for OTP generation. In addition, it is determined that the user who sent the one-time password is not valid.
When it is determined that the user is valid, the authentication unit 42D notifies the set data processing unit 42E of the determination.

The set data processing unit 42E, among the user ID, money amount information, and one-time password data sent to the input unit 41, is determined to be valid by the user who sent the data, It is recorded in the set data recording unit 42F.
For example, as illustrated in FIG. 6, the set data processing unit 42 </ b> E records, for each user ID, money amount information authenticated as valid and a one-time password in association with each other.
The set data recording unit 42F also records user information including the recorded amount information and the one-time password, the amount information, and the one-time after recording the amount information and the one-time password that are authenticated as valid in the set data recording unit 42F. Data relating to a notification that authentication has been successful, which is sent to the user apparatus 1 that has sent the password data, is generated. This data is sent to the output unit 43 and sent to the user device 1 via the network 3.

  Next, the operation of the authentication system according to the first embodiment will be described.

While the user is browsing a desired home page displayed on the display device 25 using the function of the Web browser created by the processing unit 32A of the user device 1, for example, a third party purchases a product. Suppose you have to pay money.
In that case, the user is skipped to a payment processing page as shown in FIG. 8 by, for example, a link in the homepage (S001). Data for displaying the payment processing page on the display device 25 of the user device 1 is generated by, for example, the information processing unit 42 of the authentication device 2 and sent to the user device 1 via the output unit 43 and the network 3.
As shown in FIG. 8, the payment processing page in this embodiment prompts the user to input a user ID and a payment amount. The user operates the input device 24 in response to the request made on the payment processing page, and inputs his / her user ID and the payment amount to be paid for this payment within a predetermined frame prepared on the payment processing page. . The data input in the “user ID” frame is sent from the input unit 31 to the ID information generation unit 32B of the information processing unit 32. On the other hand, the data input in the “payment amount” frame is sent from the input unit 31 to the amount information generation unit 32 </ b> C of the information processing unit 32. Receiving these data, the ID information generating unit 32B and the monetary amount information generating unit 32C respectively generate data on the user ID and data on the monetary amount information (S002). Both the data about the user ID and the data about the amount information are sent to the output unit 33.

In this state, the user operates the input device 24 and clicks a “Send” button on the payment processing page.
In this embodiment, the user ID data and the amount information data are sent to the authentication device 2 by clicking the “Send” button, but a one-time password is generated prior to that. (S003).
When the user operates the input device 24 and clicks the “Send” button, the OTP generation unit 32D reads the initial value from the OTP generation data recording unit 32E and uses it to obtain a one-time password in the manner described above. Generate. The one-time password is sent to the output unit 33.
In this embodiment, what is required of the user to execute the generation of the one-time password and the transmission of the user ID, the amount information, and the data about the one-time password is the click of the “Send” button. There is only one action of the user, but it is natural that another action can be requested from the user in order to execute both processes.

The output unit 33 that has received the data about the user ID, the money amount information, and the one-time password sends the data to the authentication device 2 via the network 3 in a state of being associated with each other (S004).
The authentication device 2 receives this data through the input unit 41 (S005).

Data on the user ID, the money amount information, and the one-time password is sent to the user ID specifying unit 42A in the information processing unit 42. The user ID specifying unit 42A extracts the data about the user ID from the data about the user ID, the amount information, and the one-time password, and specifies the user ID of the user who sent the data. The user ID specifying unit 42A sends information about the specified user ID to the OTP generating unit 42B.
The OTP generation unit 42B that has received the information about the user ID from the user ID specifying unit 42A reads the initial value associated with the user ID specified by the information from the OTP generation data recording unit 42C, and the user device A one-time password is generated using a rule or algorithm shared with 1 (S006). The OTP generation unit 42B sends the generated one-time password data to the authentication unit 42D.
When the user ID specified by the information about the user ID received from the user ID specifying unit 42A does not exist in the OTP generation data recording unit 42C, the OTP generation unit 42B does not generate a one-time password. The notification to the authentication unit 42D is as described above.

Generated by the OTP generation unit 42B based on the data about the user ID sent from the user device 1 and the initial value associated with the data about the user ID sent together with the data about the user ID The authentication unit 42D that has received the one-time password data authenticates the validity of the user by comparing the two (S007).
When it is determined that the user is valid, the authentication unit 42D notifies the set data processing unit 42E of the determination.
When the authentication unit 42D determines that the user who sent the one-time password is not valid, or the user ID specified by the information about the user ID received from the user ID specifying unit 42A is the OTP generation data recording unit When a notification that the message does not exist in 42C is received from the OTP generation unit 42B, the process ends here.

When the authentication unit 42D determines that the user who sent the one-time password is valid and sends a notification to that effect to the set data processing unit 42E, the set data processing unit 42E that has received the notification to that effect The amount information and the one-time password data sent by the recognized user are recorded in the set data recording unit 42F in a state associated with the user ID of the user (S008).
Further, when the set data processing unit 42E records the money amount information and the one-time password that have been authenticated as authentic, the authentication device 2 records the money amount information and the user ID and money amount information including the one-time password. And a notification that the authentication is successful is sent to the user apparatus 1 that has sent the one-time password data (S009).

This data is received by the input unit 31 of the user device 1 (S010).
Data indicating that the authentication is successful is sent from the input unit 31 to the set data generation unit 32F of the information processing unit 32. The set data generation unit 32F that has received this generates set data in which the user ID, the amount information, and the one-time password data that have been received previously are collected together (S011).

This completes the authentication with this authentication system.
The user device 1 is configured to be able to output the set data described above to other external devices. In this embodiment, the user device 1 can transmit set data to an external device via the output unit 33 and the network 3.
In the case of this embodiment, the user device 1 can transmit the set data to a server of a store on the Web where the user browses and purchases a product. The server of the store on the Web can use the received set data for confirmation when receiving payment of money from the administrator of the authentication device 2, for example. The set data recording unit 42F of the authentication device 2 records, for each user ID, information about the one-time password and the amount of money that the user has approved for the authentication, so that the user included in the set data The ID data, the money amount information data, and the one-time password data can be used as the basis when the store on the Web receives payment of money from the administrator of the authentication device 2, so the payer receives it. Convenient for both sides.
In some cases, the set data may be transferred from the device that received it from the user device 1 to another device. In such a case, for example, on the condition that the assigner is obliged to notify the authentication device 2 that such set data has been transferred (notification of clarifying the assignee). The administrator of the authentication device 2 can change the party from whom money is paid from the assignor to the assignee. This means that the set data may be used like a check or bill. The notification to the authentication device 2 that the set data has been transferred will have a meaning close to the endorsement in the bill.

<< Second Embodiment >>
FIG. 9 schematically shows the overall configuration of the authentication system of the second embodiment.
The authentication system according to the second embodiment is almost the same as the authentication system according to the first embodiment.
If there is a difference, the authentication system according to the second embodiment is provided with tokens 4-1 to 4-N. The tokens 4-1 to 4-N are possessed by each user.
In the first embodiment, the one-time password sent from the user device 1 to the authentication device 2 is generated in the user device 1. On the other hand, in the second embodiment, the one-time password sent from the user device 1 to the authentication device 2 is generated in the tokens 4-1 to 4-N.
The tokens 4-1 to 4-N are obtained by extracting the functions of the OTP generation unit 32C and the OTP generation data recording unit 32E in the user device of the authentication system according to the first embodiment. As the configuration of the tokens 4-1 to 4-N, a publicly known one can be adopted. The tokens 4-1 to 4-N are often portable and will be configured in an appropriate shape such as a card type or a stick type. Although not shown in the figure, the token 4 has an operation unit for performing an operation, and a liquid crystal display or the like for displaying a one-time password generated inside the token 4 by operating the operation unit. Is provided.

A configuration of the user device 1 according to the second embodiment will be described. In terms of hardware configuration, the user device 1 of the second embodiment is the same as the user device of the first embodiment.
In the user device 1 of the second embodiment, a function block similar to that generated in the user device 1 of the first embodiment is generated by the CPU 21 in the user device 1 executing a program. (FIG. 10).
In the second embodiment, the functions of the OTP generation unit 32C and the OTP generation data recording unit 32E in the user device of the authentication system of the first embodiment are transferred to the token 4. Therefore, the OTP generation unit 32C and the OTP generation data recording unit 32E do not exist in the user device 1 of the second embodiment.

  The configuration of the authentication device 2 is the same as that of the first embodiment in terms of hardware and functional blocks.

  Next, the operation of the authentication system according to the second embodiment will be described.

Suppose that a user has to pay money to a third party.
In that case, the user is skipped to a payment processing page as shown in FIG. 11, for example, by a link in the homepage. The payment processing page of the second embodiment is not much different from that of the first embodiment, but differs from the case of the first embodiment in that there is a frame for inputting a one-time password.
When the payment processing page is displayed, the user operates the input device 24, and the user ID, the payment amount to be paid for this payment, and the one-time password are within a predetermined frame prepared on the payment processing page. To enter. The data to be entered in the “user ID” frame and the “payment amount” frame is the same as in the first embodiment. On the other hand, the one-time password displayed on the display of the token 4 is input by the user operating the token 4 in the “one-time password” frame.
The one-time password data input in the “one-time password” frame is sent to the information processing unit 32 via the input unit 31. The one-time password data is sent from the information processing unit 32 to the output unit 33. In this embodiment, the one-time password data is also sent from the information processing unit 32 to the set data generation unit 32F.
In this state, the user operates the input device 24 and clicks a “Send” button on the payment processing page. Then, the data of the one-time password is associated with each other together with the data about the user ID and the data about the amount information sent to the output unit 33 as in the case of the first embodiment. And sent to the authentication device 2.

The processing executed by the authentication device 2 is not different from the case of the first embodiment.
When the authentication is successful, the authentication device 2 is said to have succeeded in authenticating the user device 1 that has sent the user ID, money amount information, and one-time password data, as in the case of the first embodiment. Send notifications.
This data is received by the input unit 31 of the user device 1.
The set data generation unit 32F that has received this from the input unit 31 generates set data in which the user ID, the amount information, and the one-time password data that have been received in advance are combined.
The authentication in the authentication system according to the second embodiment is thus completed.

<< Third Embodiment >>
An authentication system according to the third embodiment will be described.
The authentication system of the third embodiment includes mobile phones 5-1 to 5-N that play roles similar to the roles of the user devices 1-1 to 1-N in the first embodiment, the authentication device 2, and the mediation device 6. (FIG. 12). The authentication device 2 and the mediation device 6 can communicate with each other via the same network 3 as in the first embodiment.
In the first embodiment, data transmission from the user device 1 to the authentication device 2 is performed by the user device 1 via the network 3, but in this embodiment, the user devices 1-1 to 1-1 of the first embodiment are performed. The mobile phones 5-1 to 5-N instead of -N pass the data to be sent to the authentication device 2 to the mediation device 6 connected to the network 3, and cause the mediation device 6 to transmit the data to the authentication device 2.

Each user possesses the cellular phones 5-1 to 5-N.
The mobile phones 5-1 to 5-N may be connected to the Internet or other networks, but it does not matter whether the mobile phones can be connected to the network 3 in relation to the authentication system.
The hardware configuration of the mobile phone 5 is basically the same as the hardware configuration of the user device 1 of the first embodiment. However, the mobile phone 5 of this embodiment does not perform communication via the network 3 and therefore does not include the communication unit 26. That is, the mobile phone 5 includes a CPU 21, a ROM 22, a RAM 23, an input device 24, and a display device 25. These functions are not significantly different from those provided in the user device 1 of the first embodiment, but the input device 24 is not a keyboard and a mouse but a numeric keypad, and the display device 25 is integrated with the mobile phone 5. There is a difference. Further, the RAM 23 stores a unique identification number unique to each of the mobile phones 5, which is the same as that of a general mobile phone that is widely used.

A functional block as shown in FIG. 13 is generated in the mobile phone 5 having the above hardware by the CPU 21 executing the program.
The functional blocks generated inside the mobile phone 5 are not so different from the functional blocks generated in the user device 1 of the first embodiment.
An input unit 31, an information processing unit 32, and an output unit 33 are generated inside the mobile phone 5. The functions of the input unit 31 and the output unit 33 are the same as in the first embodiment. However, the input unit 31 has no input from the network 3, and the output unit 33 has no output to the network 3.
As in the case of the first embodiment, the information processing unit 32 generates a processing unit 32A, an ID information generation unit 32B, an amount information generation unit 32C, an OTP generation unit 32D, and an OTP generation data recording unit 32E. However, the information processing unit 32 of the mobile phone 5 does not have the set data generation unit 32F that was in the user device 1 of the first embodiment, and the individual information generation unit 32G that was not in the user device 1 of the first embodiment. And a barcode image generation unit 32H.

The functions of the processing unit 32A, the ID information generation unit 32B, the money amount information generation unit 32C, the OTP generation unit 32D, and the OTP generation data recording unit 32E are basically the same as those in the first embodiment. Note that the processing unit 32 </ b> A generated in the mobile phone 5 has a function of displaying a payment processing image described later on the display device 25 of the mobile phone 5. Data for displaying the payment processing image on the display device 25 is sent from the processing unit 32 </ b> A to the display device 25 via the output unit 33.
The individual information generating unit 32G generates data about individual information that is information unique to the mobile phone 5. In this embodiment, the above-described individual identification number is used as information unique to the mobile phone 5. The individual information generation unit 32G reads the individual identification number from the RAM 23 and generates data on the individual information when the user ID and the amount information are input. The individual information generation unit 32G sends the generated individual information data to the barcode image generation unit 32H.
The barcode image generating unit 32H generates a barcode image that is an image of a barcode displayed on the display device 25 of the mobile phone 5. Although the barcode used for the barcode image in this embodiment is not limited to this, it is a two-dimensional barcode. The barcode image is an image corresponding to these data for transferring user ID data, money amount information data, one-time password data, and individual information data to the intermediary device 6. As will be described later, the intermediary device 6 can reproduce the user ID data, the money amount information data, the one-time password data, and the individual information data by reading the barcode image. . In order to be able to generate a barcode image corresponding to user ID data, money amount information data, one-time password data, and individual information data, the barcode image generation unit 32H includes an individual information generation unit 32G. In addition to the individual information, the user ID data is received from the ID information generation unit 32B, the amount information data is received from the amount information generation unit 32C, and the one-time password data is received from the OTP generation unit 32D. . The barcode image generation unit 32H sends the generated barcode image data to the display device 25 via the output unit 33. The display device 25 that has received this data displays a barcode image.

Next, the configuration of the authentication device 2 of the third embodiment is basically the same as the configuration of the authentication device 2 of the first embodiment.
However, the authentication device 2 according to the third embodiment is configured to receive the user ID data and the like that the authentication device 2 according to the first embodiment has received from the user device 1 from the mediation device 6. Different from the authentication device 2 of the first embodiment.
The function of the user ID specifying unit 42A of the authentication device 2 of the third embodiment and the data recorded in the OTP generation data recording unit 42C are slightly different from those of the authentication device 2 of the first embodiment. Will be described later.

The mediation device 6 is a device that mediates transmission of data from the mobile phone 5 to the authentication device 2 via the network 3.
Although not shown, the intermediary device 6 includes a barcode reader and a computer that can communicate with the authentication device 2 via the network 3. The barcode reader has a function of reading the above-described barcode image displayed on the display device 25 of the mobile phone 5.
The computer included in the mediation device 6 may be a very general computer. Although not shown, the computer included in the mediation device 6 includes a CPU, a ROM, a RAM, an HDD, and an interface. By executing a program recorded in the RAM or the HDD, the computer shown in FIG. The function block shown is generated.
An input unit 61, an information processing unit 62, and an output unit 63 are generated inside the mediation device 6.
The input unit 61 receives data generated by the barcode reader reading the barcode image from the barcode reader. The input unit 61 sends the data received from the barcode reader to the information processing unit 62. The input unit 61 also receives data, which will be described later, from the authentication device 2 via the network 3 for notification that the authentication has been successful. When the input unit 61 receives this data, it sends it to the information processing unit 62.
The information processing unit 62 includes a data reproduction unit 62A, a data management unit 62B, and a data recording unit 62C. From the data received from the barcode reader, the data reproduction unit 62A uses the user ID data, the amount information data, the one-time password data (and not necessarily the data) from which the barcode image is based. Although not limited to this, in this embodiment, individual information data) is generated. The data reproduction unit 62A sends the reproduced user ID data, monetary information data, and one-time password data (and individual information data in this embodiment) to the output unit 63. . The data reproduction unit 62A also sends the reproduced user ID data, amount information data, and one-time password data (and individual information data in this embodiment) to the data management unit 62B. It has become.
The data management unit 62B records the above-described data received from the data reproduction unit 62A in the data recording unit 62C when data to be described later regarding notification of successful authentication is received from the input unit 61.
The output unit 63 is configured to send the above-mentioned data received from the data reproduction unit 62A to the authentication device 2 via the network 3.

  Next, the operation of the authentication system according to the third embodiment will be described.

For example, when the user enters a situation where payment is made at a store, the user operates the input device 24 of the mobile phone 5 to start payment processing.
Information generated by the user operating the input device 24 is sent to the processing unit 32 </ b> A of the information processing unit 32 via the input unit 31. The processing unit 32 generates payment processing image data, sends it to the display device 25 via the output unit 33, and causes the display device 25 to display the payment processing image. An example of the payment processing image is shown in FIG.

Similar to the payment processing page in the first embodiment, the payment processing image in the third embodiment prompts the user to input a user ID and a payment amount. As in the case of the first embodiment, the user operates the input device 24 to input the user ID and the payment amount to be paid. The data input in the “user ID” frame is sent to the ID information generation unit 32B, and the data input in the “payment amount” frame is sent to the amount information generation unit 32C. The unit 32B and the amount information generating unit 32C generate data about the user ID and data about the amount information, respectively.
On the other hand, when the user clicks the “Generate” button, a one-time password is generated. The one-time password is generated by the OTP generation unit 32D in the same manner as in the first embodiment. The generated one-time password is displayed in the “one-time password” frame of the payment processing image.
Further, in this embodiment, when the user clicks the “Generate” button, the individual information generation unit 32G that has received the information via the input unit 31 reads the individual identification number from the RAM 23 and stores the individual information data. Generate.

User ID data, monetary information data, one-time password data, and individual information data are obtained from the ID information generating unit 32B, the monetary information generating unit 32C, the OTP generating unit 32D, and the individual information generating unit 32G. It is sent to the code image generation unit 32H.
The barcode image generation unit 32H generates barcode image data based on the data. The barcode image data is sent from the output unit 33 to the display device 25. The barcode image is displayed on the display device 25 that has received the barcode image data.
This is not necessarily the case, but in this embodiment, when the user presses the “Generate button”, the one-time password is displayed in the “One-time password” frame immediately after that, and about one second later, the display device A bar code image is displayed at 25.

The user causes the barcode reader of the mediation device 6 to read the display device 25 of the mobile phone 5 on which the barcode image is displayed on the display device 25.
Data generated by the barcode reader reading the barcode image is sent to the computer of the intermediary device 6. This data is sent to the data reproduction unit 62A of the information processing unit 62 via the input unit 61. The data reproduction unit 62A generates data on the user ID, data on the amount information, one-time password data, and individual information data from the data generated by reading the barcode image. This data is sent to the data management unit 62B and the output unit 63.
The output unit 63 sends these data to the authentication device 2 via the network 3.

  These data are received by the input unit 41 of the authentication device 2. These data are sent from the input unit 41 to the information processing unit 42. The subsequent processing executed in the authentication device 2 is basically the same as that in the first embodiment, but there is one difference.

In the first embodiment, the user ID specifying unit 42A that has received the user ID, money amount information, and one-time password data specifies the user ID data from the data and sends it to the OTP generating unit 42B. It was like that.
In the third embodiment, the user ID specifying unit 42A that has received the user ID, money amount information, one-time password, and individual information data specifies the user ID data and the individual information data from the data, This is sent to the OTP generator 42B.
The OTP generation unit 42B that has received the data about the user ID and the individual information from the user ID specifying unit 42A records the initial value associated with the data about the user ID and the individual information specified by the data as an OTP generation data record. The one-time password is generated by reading from the unit 42 </ b> C and using the initial value and a rule or algorithm shared between the mobile phone 5. That is, in the third embodiment, one-time unless the user ID and the individual information of the data sent from the mobile phone 5 match those recorded in the data recording unit 42C for OTP generation. Do not generate a password. In order to make this possible, in the third embodiment, in addition to the user ID and the initial value, individual information is recorded in the OTP generation data recording unit 42C (FIG. 16).
In the third embodiment, authentication is performed using three different types of data: a user ID unique to the user, individual information unique to the mobile phone 5, and a one-time password that is temporarily generated and discarded. Can improve the accuracy.

The one-time password generated by the OTP data generation unit 42B is sent to the authentication unit 42D, where authentication processing is executed. When it is determined that the user is valid, the authentication unit 42D notifies the set data processing unit 42E of the determination. Receiving this notification, the set data processing unit 42E records the same data as in the first embodiment in the set data recording unit 42F. In the case of the third embodiment, the data recorded in association with the user ID of each user includes not only the amount information and the one-time password data, but also the individual information sent with them. You can.
Thereafter, the authentication device 2 sends a notification that the authentication has been successful to the intermediary device 6 that has sent data and the like of money amount information that has been authenticated as valid.

This notification is received by the input unit 61 of the computer of the mediation apparatus 6 and sent from the input unit 61 to the data management unit 62B. The data management unit 62B that has received the data records the data of the user ID, the amount information, the one-time password, and the individual information that have been received in the data recording unit 62C.
The administrator of the mediation apparatus 6 having this data is in the same state as when receiving payment from the user. Note that the set data recorded in the data recording unit 62C is transferable, and the like is the same as in the first embodiment. Even in the case of the third embodiment, at least the user ID, the money amount information, and the one-time password among the set data recorded in the data recording unit 62C need to be integrated. It is united with. In the case of the third embodiment, the processing may be performed by, for example, the data management unit 62B of the mediation device 6, or by the output unit 33 of the mobile phone 5 before sending these data to the mediation device 6. May be.
In the case of the first embodiment, the user apparatus 1 generates the set data after successful authentication and transfers it to the external apparatus. In the case of the third embodiment, the user apparatus 1 transmits to the authentication apparatus 2. Since the data corresponding to the set data is transferred to the intermediary device 6 in advance in order to perform this, it is not necessary for the mobile phone 5 to generate the set data again after successful authentication.
This completes the authentication with this authentication system.

  In the third embodiment, the barcode image is used for the transfer of the user ID, the money amount information, the one-time password, and the individual information data from the mobile phone 5 to the intermediary device 6. If the intermediary device 6 can perform wired or wireless communication, the mediator device directly uses the user ID, amount information, one-time password, and individual information data generated in the mobile phone 5 without using a barcode image. 6 can also be transmitted. Many mobile phones in recent years are equipped with means for performing communication, such as a USB terminal, an infrared communication device, a Bluetooth communication device, and a non-contact IC chip. If the mobile phone 5 is equipped with a means for performing these communications, the user ID, money amount information, one-time password, and individual information data are not changed to a bar code image in the mediating device 6 once. Both could be transmitted as is.

The figure which shows the whole structure of the authentication system of 1st Embodiment. The figure which shows the hardware constitutions of the user apparatus contained in the authentication system shown in FIG. The block diagram which shows the functional block produced | generated in the user apparatus contained in the authentication system shown in FIG. The block diagram which shows the functional block produced | generated in the authentication apparatus contained in the authentication system shown in FIG. The figure which shows an example of the data currently recorded on the data recording part for OTP production | generation shown in FIG. The figure which shows an example of the data recorded on the set data recording part shown in FIG. The flowchart which shows the flow of the process performed with the authentication system shown in FIG. The figure which shows an example of the payment process page displayed on the display apparatus of the user apparatus of the authentication system shown in FIG. The figure which shows the whole structure of the authentication system of 2nd Embodiment. The block diagram which shows the functional block produced | generated in the user apparatus contained in the authentication system shown in FIG. The figure which shows an example of the payment process page displayed on the display apparatus of the user apparatus of the authentication system shown in FIG. The figure which shows the whole structure of the authentication system of 3rd Embodiment. The block diagram which shows the functional block produced | generated in the mobile telephone contained in the authentication system shown in FIG. The block diagram which shows the functional block produced | generated in the computer with which the mediation apparatus contained in the authentication system shown in FIG. 12 is provided. The figure which shows an example of the payment process image displayed on the display apparatus of the mobile telephone of the authentication system shown in FIG. The figure which shows an example of the data currently recorded on the data recording part for OTP production | generation shown in FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 User apparatus 2 Authentication apparatus 3 Network 4 Token 5 Cellular phone 6 Mediation apparatus 31 Input part 32 Information processing part 32A Processing part 32B ID information generation part 32C Amount information generation part 32D OTP generation part 32E OTP generation data recording part 32F Set data Generation unit 32H Barcode image generation unit 33 Output unit 41 Input unit 42 Information processing unit 42A User ID identification unit 42B OTP generation unit 42C OP generation data recording unit 42D Authentication unit 42E Set data processing unit 42F Set data recording unit 43 Output unit 61 Input unit 62 Information processing unit 62A Data reproduction unit 62B Data management unit 62C Data recording unit 63 Output unit

Claims (21)

An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A user terminal for configuring an authentication system including a plurality of user terminals to be used,
OTP generating means for generating a one-time password according to predetermined conditions;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password generated by the OTP generation unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit, and the received one-time password, the amount User transmission means for transmitting the information and the user ID to the authentication device via the network in a state where they are associated with each other
With
The one-time password received from the user terminal generated by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. Have been like,
User terminal. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. A mediation device that transmits data to the authentication device via the network, and a user terminal for configuring an authentication system comprising:
OTP generating means for generating a one-time password according to predetermined conditions;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password generated by the OTP generation unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit, and the received one-time password, the amount Delivery means for delivering the information and the user ID to the intermediary device in a state where they are associated with each other;
With
The one-time password received from the mediation device by the authentication device that has received the one-time password, the money amount information, and the user ID from the mediation device, and generated as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. Have been like,
User terminal. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A user terminal for configuring an authentication system including a plurality of user terminals to be used and a plurality of tokens that are used by each user to generate a one-time password according to a predetermined condition,
OTP input means for inputting the one-time password generated by the token;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password input by the OTP input unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit are received, and the received one-time password, the amount User transmission means for transmitting the information and the user ID to the authentication device via the network in a state in which they are associated with each other;
With
The one-time password received from the user terminal generated by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. Have been like,
User terminal. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. An authentication system including an intermediary device that transmits data to the authentication device via the network and a plurality of tokens that are used by each user and generate a one-time password according to a predetermined condition is configured. A user terminal for
OTP input means for inputting the one-time password generated by the token;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password input by the OTP input unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit are received, and the received one-time password, the amount Delivery means for delivering the information and the user ID to the intermediary device in a state where they are associated with each other;
With
The one-time password received from the mediation device by the authentication device that has received the one-time password, the money amount information, and the user ID from the mediation device, and generated as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. Have been like,
User terminal. When the authentication device authenticates that the one-time password, the amount information, and the user ID are valid,
A set data generating unit configured to generate a set data including the authenticated one-time password, amount information, and user ID in a state in which the set data can be delivered to a predetermined external device;
The user terminal in any one of Claims 1-4. An output means for outputting the set data to a predetermined external device;
The user terminal according to claim 5. A means for generating specification data that is data for specifying the set data, and a second transfer means for transferring the specification data generated by the means to a predetermined external device;
The user terminal according to claim 5. A display for displaying an image, wherein the specifying data is included in the specifying image associated with the specifying data displayed on the display;
The user terminal according to claim 7. The specifying image is a barcode.
The user terminal according to claim 8. The user terminal is configured by a mobile phone.
The user terminal in any one of Claims 1-4. In addition to the one-time password, the amount information, and the user ID, the user delivery means is configured to transmit terminal identification information unique to the user terminal to the authentication device,
The authentication device that has received the one-time password, the money amount information, the user ID, and the terminal identification information from the user terminal can perform authentication of the user terminal using the received terminal identification information. Yes,
The user terminal according to claim 1 or 3. In addition to the one-time password, the amount information, and the user ID, the user delivery means is configured to transmit terminal identification information unique to the user terminal to the mediation device,
The authentication device that has received the one-time password, the money amount information, the user ID, and the terminal identification information from the intermediary device can authenticate the user terminal using the received terminal identification information. Yes,
The user terminal according to claim 2 or 4. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A user terminal for configuring an authentication system including a plurality of user terminals to be used, the information processing means including the information processing means for executing information processing,
Executed by the information processing means;
OTP generation process for generating a one-time password according to predetermined conditions;
Amount information input process that accepts input of amount information that is information about the amount of money,
An ID input process for receiving an input of a unique user ID for each user assigned to each user of the user terminal;
In the state where the one-time password generated in the OTP generation process, the money information received in the money information input process, and the user ID received in the ID input process are associated with each other, Via the user transmission process to transmit to the authentication device,
By including
The one-time password received from the user terminal generated by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
Method. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. An information processing apparatus that includes an information processing unit that executes information processing, and is a user terminal for configuring an authentication system including an intermediary device that transmits data to the authentication device via the network A method performed by the means,
Executed by the information processing means;
OTP generation process for generating a one-time password according to predetermined conditions;
Amount information input process that accepts input of amount information that is information about the amount of money,
An ID input process for receiving an input of a unique user ID for each user assigned to each user of the user terminal;
In the state where the one-time password generated in the OTP generation process, the amount information received in the amount information input process, and the user ID received in the ID input step are associated with each other, the intermediary device The delivery process of delivering to
Contains
The one-time password received from the intermediary device by the authentication device that has received the one-time password, the amount information, and the user ID from the intermediary device as generated by the authentication device. By comparing the password with the user terminal, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
Method. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A user terminal for configuring an authentication system including a plurality of user terminals to be used and a plurality of tokens that are used by each user and generate a one-time password according to a predetermined condition, and executes information processing A method that is executed by the information processing means.
Executed by the information processing means;
An OTP input process for receiving an input of a one-time password generated by the token;
Amount information input process that accepts input of amount information that is information about the amount of money,
An ID input process for receiving an input of a unique user ID for each user assigned to each user of the user terminal;
The one-time password received in the OTP input process, the money information received in the money information input process, and the user ID received in the ID input process are linked to each other in the network. Via the user transmission process to transmit to the authentication device,
Contains
The one-time password received from the intermediary device received by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID By comparing the password with the user terminal, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
Method. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. An authentication system including an intermediary device that transmits data to the authentication device via the network and a plurality of tokens that are used by each user and generate a one-time password according to a predetermined condition is configured. A user terminal for providing information processing means for executing information processing. A method of processing means executes,
Executed by the information processing means;
An OTP input process for receiving an input of a one-time password generated by the token;
Amount information input process that accepts input of amount information that is information about the amount of money,
An ID input process for receiving an input of a unique user ID for each user assigned to each user of the user terminal;
The intermediary device in a state in which the one-time password accepted in the OTP input process, the money information accepted in the money information input process, and the user ID accepted in the ID input process are associated with each other. The delivery process of delivering to
Contains
The one-time password received from the intermediary device by the authentication device that has received the one-time password, the amount information, and the user ID from the intermediary device as generated by the authentication device. By comparing the password with the user terminal, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
Method. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A program for causing a computer to function as a user terminal for configuring an authentication system including a plurality of user terminals to be used,
The computer,
OTP generating means for generating a one-time password according to predetermined conditions;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password generated by the OTP generation unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit, and the received one-time password, the amount User transmission means for transmitting the information and the user ID to the authentication device via the network in a state where they are associated with each other
By making it function,
The one-time password received from the user terminal generated by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
program. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. A program for causing a computer to function as a user terminal for configuring an authentication system including an intermediary device that transmits data to the authentication device via the network,
The computer,
OTP generating means for generating a one-time password according to predetermined conditions;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password generated by the OTP generation unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit, and the received one-time password, the amount Delivery means for delivering the information and the user ID to the intermediary device in a state where they are associated with each other;
By making it function,
The one-time password received from the intermediary device by the authentication device that has received the one-time password, the amount information, and the user ID from the intermediary device as generated by the authentication device. By comparing the password with the user terminal, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
program. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network To make a computer function as a user terminal for configuring an authentication system including a plurality of user terminals to be used and a plurality of tokens that are used by each user and generate a one-time password according to predetermined conditions The program of
The computer,
OTP input means for inputting the one-time password generated by the token;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password input by the OTP input unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit are received, and the received one-time password, the amount User transmission means for transmitting the information and the user ID to the authentication device via the network in a state in which they are associated with each other;
By making it function,
The one-time password received from the user terminal generated by the authentication device that has received the one-time password, the money amount information, and the user ID from the user terminal as corresponding to the received user ID. By seeing the match in comparison with the password, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
program. An authentication device that can be connected to a predetermined network and can authenticate with a one-time password, and each user that is capable of transmitting data to the authentication device via the network A plurality of user terminals to be used, and data generated by the user terminal or data for specifying the data, which can be connected to the network, can be received from the user terminal and received. An authentication system including an intermediary device that transmits data to the authentication device via the network and a plurality of tokens that are used by each user and generate a one-time password according to a predetermined condition is configured. A program for causing a computer to function as a user terminal for
The computer,
OTP input means for inputting the one-time password generated by the token;
Amount information input means for inputting amount information that is information about the amount,
ID input means for inputting a unique user ID to each user allocated for each user of the user terminal;
The one-time password input by the OTP input unit, the amount information input from the amount information input unit, and the user ID input from the ID input unit are received, and the received one-time password, the amount Delivery means for delivering the information and the user ID to the intermediary device in a state where they are associated with each other;
By making it function,
The one-time password received from the intermediary device by the authentication device that has received the one-time password, the amount information, and the user ID from the intermediary device as generated by the authentication device. By comparing the password with the user terminal, it is possible to authenticate whether the one-time password received from the user terminals associated with each other, the money amount information, and the user ID are valid. To
program.   A data structure of set data including the one-time password, the money amount information, and the user ID, which are generated by the user terminal according to claim 5, and uniting them.

Images