JP2010061350A - Time-series authentication device and system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a time-series authentication device preventing phishing and authenticating a person who has performed a past procedure. <P>SOLUTION: This time-series authentication device 11 is communicably connected to user terminals 21, business center terminals 31, and social insurance office terminals 41 or the like via a network 101, performs authentication using past biological information changing with time, and stores the authenticated biological information in an external database 12. The device includes the following means, not shown in Figure: a management means systematically storing in time series the biological information authenticated in association with a procedure; a similarity calculation means calculating similarity between the biological information used for the authentication of a current procedure and that stored by the management means; and an authentication specification means enabling current authentication and specification of the past procedure based on the calculated similarity. The current authentication and the specification of the past procedure are performed by preferentially using the similarity to the biological information close to the present. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a time-series authentication apparatus and system that can authenticate a current principal and also specify a past principal, and particularly relates to a system that uses biometric authentication.

  Traditionally, government agencies such as the Ministry of Health, Labor and Welfare have realized procedures such as application and notification via the network, and are updating the system from time to time. This allows users to apply for pension benefits, for example, from their homes or companies without going out. In such a system (hereinafter referred to as an electronic application / notification system), personal authentication is important. For this reason, the user is required to register authentication information such as the user ID and password of the user or an electronic signature at the time of application. These are used for personal authentication.

Also, in view of the importance of personal authentication, biometric authentication has become widespread (see, for example, Patent Document 1), and its use has been studied for this type of personal authentication. Although it is such biometric authentication, it is known that even biometric information changes over time. This temporal change is not uniform in time and for each individual, and there is a need for a personal authentication technique that can withstand this temporal change. Patent Document 1 describes a technique for dealing with changes in biological information over time.
JP 2007-018436 A

  However, the conventional identity authentication technology has a problem that it is not possible to sufficiently avoid the imitation that has become possible with the advancement of the technology, and in addition, there is a problem that it is not possible to identify the person who has performed past procedures. Specifically, using a user ID and password has a high risk of spoofing. In addition, the use of electronic signatures lacks time proof, so the person who has done the past procedure is not identified, and it is not known whether the right person has done the procedure in the past. As a result, for example, when there is an inquiry about past procedures, it may not be possible to clarify whether the procedure has been performed by the person himself / herself.

  In view of the above situation, an object of the present invention is to provide a time-series authentication apparatus that can avoid spoofing and can authenticate a person who has performed past procedures.

In order to solve the above problems, the present invention provides the following configurations.
The invention according to claim 1 is an apparatus that performs authentication using past biometric information that changes with time, and stores the authenticated biometric information in an external database. A management means for systematically storing data in time series, a similarity calculation means for calculating the similarity between the biometric information used for authentication of the current procedure and the biometric information stored by the management means, and An authentication specifying means for enabling identification of a current authentication and a past procedure based on the degree of similarity, wherein the current authentication and the identification of the past procedure are similar to the current biometric information; Is preferentially used.

  The invention according to claim 2 is the time-series authentication apparatus according to claim 1, wherein the management means includes, in the database, a basic pension number, an applicant's name, an application date, an application content, a biometric information ID, and a biometric authentication. It is characterized by storing data.

  According to the first aspect of the invention, authentication is performed using past biometric information that changes with time, and the authenticated biometric information is stored in an external database, and is authenticated in association with a procedure. Management means for systematically storing information in time series, similarity calculation means for calculating the similarity between the biological information used for authentication of the current procedure and the biological information stored by the management means, and calculation Authentication means for enabling identification of a current authentication and a past procedure based on the similarity, and the identification of the current authentication and the past procedure with respect to biometric information closer to the present. Since the similarity is preferentially used, it is possible to realize a time-series authentication device that can avoid impersonation and can authenticate the person who has performed past procedures.

  According to the invention of claim 2, in addition to the effect of claim 1, the management means stores, in the database, a basic pension number, an applicant's name, an application date, an application content, a biometric information ID, and biometric authentication. Since data is stored, the history of important pension procedures can be specified together with the personal authentication result through the biometric information ID.

Hereinafter, embodiments of the present invention will be described with reference to the drawings showing examples.
FIG. 1 is a block diagram of an authentication system necessary for the first procedure. As shown in FIG. 1, the time-series authentication system 100 includes a host 10 and a user terminal 20 that are communicably connected to each other via a network 101. Hereinafter, the electronic application / notification system will be described as an example in which the host 10 performs processing related to application / notification procedures for pension benefit business (hereinafter simply referred to as application notification procedure processing).

  Here, communication terminals of related departments such as the business center terminal 30 and the social insurance office terminal 40 may be connected to the host 10 so that they can communicate with each other. The business center terminals 30 are installed in social insurance business centers scattered in each prefecture, and the social insurance office terminals 40 are installed in social insurance offices. The host 10 can be managed through the business center terminal 30 and the social insurance office terminal 40.

  FIG. 2 is a flowchart for explaining an example of an application notification procedure process performed from the user terminal side to the host. FIG. 2A relates to, for example, an initial application procedure, and FIG. Here, in the electronic application / notification system, predetermined applications and procedures can be performed via the network, and the applicant can view his / her electronic official documents regarding the disposal of the application.

  The user needs to confirm whether or not the planned procedure can be executed through the electronic application / notification system. For this purpose, in the application notification procedure process, first, the user terminal 20 obtains information from the host 10 through which the user terminal 20 can confirm this (S101). If the planned procedure can be executed, it will be executed. However, it is necessary to prepare an environment for using the electronic application / notification system. In the following description, it is assumed that the planned procedure is executable and the environment for that is not ready.

  Next, the user terminal 20 accesses the host 10 according to the user's operation, and receives a program for realizing the above environment (hereinafter referred to as an application program), etc. (S102). Here, the received data includes, in addition to the application program, assignment authentication information assigned for personal authentication when the user first performs a procedure. The user installs the obtained application program in the user terminal 20 and prepares the above environment, but the user terminal 20 performs an operation for preparing the environment in response to the operation of the user ( S103). As a result, the document to be applied can be displayed on the user terminal 20.

  Next, the user terminal 20 displays a document to be applied on the user terminal 20 in accordance with a user operation (S104). As a result, the user can input necessary items. When the input to the target document is completed and a transmission operation is performed by the user, the user terminal 20 displays and inputs the above-mentioned assignment authentication information input screen, and inputs in response to the input completion operation. The document that has been made and the assignment authentication information are transmitted (S105).

  Next, the user terminal 20 waits for and receives reply data from the host 10 (S131). The reply data includes, for example, an arrival number, a processing status confirmation ID, a notification that the procedure cannot be accepted, and the like. Next, the user terminal 20 displays a screen asking whether to perform re-input (S132). When re-input is selected by the user in step S132, the process returns to step S104 and the above process is repeated. If re-input is not performed in step S132, the process ends.

  Next, in the electronic application / notification system, the applicant can view electronic official documents concerning his / her own documents and disposal. In a browsing process that does not use biometric information for authentication, the user terminal 20 first displays a procedure browsing screen and inputs an arrival number, a processing status confirmation ID, and the like (S201). However, allocation authentication information may be used instead of the processing status confirmation ID. Next, the user terminal 20 transmits the input data to the host 10 (S202), and receives reply data that can be browsed according to the user's operation (S231). This reply data includes, for example, information to be browsed and its display screen.

  FIG. 3 is a block diagram of a time-series authentication system according to the present invention, which relates to using biometric authentication. In FIG. 3, a biometric information server 12 that stores biometric information and the like is newly connected to the host 11, and the biometric information is recorded in a biometric information database stored in the biometric information server 12. In FIG. 3, a biometric information reader is connected to the user terminal 21. Similarly, a biometric information reader may be connected to the business center terminal 31 and the social insurance office terminal 41.

  FIG. 4 is an explanatory diagram showing a usage example of the biological information reader. When the user U puts his / her reading portion on the biological information reader 212 and performs a predetermined operation, the biological information VD of the reading portion is read and output to the computer 211 of the user terminal 21. In the following, it is assumed that vein information is read. The read vein information VD is used to authenticate the person, and is transmitted to the host 11 and stored in the biometric information server 12 for that purpose. The vein information authenticated as the person's thing is stored in the biometric information server 12, and is used for performing time-series person authentication described below. Here, time-series identity authentication refers to authentication including past identity authentication in addition to current identity authentication.

  FIG. 5 is an explanatory diagram of changes over time in vein information. The vein information generally changes with the passage of time H, and this change with time is not uniform in terms of time and individual. In FIG. 5, vein information is visualized as vein patterns P1 to P3, and the vein pattern changes from the oldest pattern P1 to the latest pattern P3. In the present invention, vein information that has changed over time but is within a similar range is stored and used for authentication of the past person. The authentication of the person in the past is performed by a method of following a formula based on the vein information of the current person based on the similarity of the vein information.

  FIG. 6 is an explanatory diagram of the biometric information database stored in the biometric information server. In the biometric information database, as shown in FIG. 6, for example, for each basic pension number T11, data T1 such as an applicant name T12, an application date T13, an application content T14, a biometric information ID (T15), and vein information T16 are recorded. These data can be used for authentication and management. Thus, the biometric information ID (T15) and vein information T16 corresponding to the application date T13 are assigned to the recorded procedure data T1.

  In data recording, T1s having the same basic pension number T11 but different application dates T13 can be distinguished from each other. In an extreme case, the application content T14, the biometric information ID (T15), and the vein information T16 are recorded independently for each different application even if the application is made multiple times on the same day. By configuring in this way, it is possible to authenticate a person with respect to past application contents.

  FIG. 7 is a flowchart for explaining processing performed by the host in the application notification procedure processing, and relates to the processing after at least one procedure has been performed. Below, it demonstrates based on the structure shown in FIG. Here, in the procedure on the user terminal side, step S105 shown in FIG. 2 is executed. When the user terminal 11 transmits input data or the like in step S105, the host 11 receives them (S311).

  Here, the input data or the like includes an arrival number, a processing status confirmation ID, and the like for basic authentication, and vein information acquired via the biometric information reader 212 for time-series personal authentication. The arrival number can identify the procedure that has already been performed, and the processing status confirmation ID also has a function serving as a password or the like. Basic authentication is performed before time-series authentication.

  Next, the host 11 performs basic authentication using the arrival number and the processing status confirmation ID, and sets a counter i for the number of times allowed for authentication or the like to 0 (S312). Next, the host 11 determines whether or not the user is authenticated by the basic authentication in step S312 (S313). When the host 11 is authenticated, the host's past vein information (VD in FIG. 7) is determined. Is retrieved from the biological information database (S314).

  Next, the host 11 determines whether or not past vein information has been detected (S315). When it is determined in step S315 that no vein information is detected, the host 11 records the received vein information in the biological information database (S316). When determining in step S315 that vein information has been detected, the host 11 calculates the similarity between the received vein information and the latest detected vein information (S317). Here, the similarity of vein information may be expressed using, for example, a correlation value between feature portions of vein information.

  Next, the host 11 determines whether or not the similarity calculated in step S317 is greater than or equal to a predetermined threshold (S318). This reinforces the current identity authentication and further associates with the past identity. When the received vein information is recorded in the biometric information database in step S316 and when it is determined that the received vein information is equal to or greater than the threshold value in step S318, the host 11 records the received data and creates procedure data T1 (S319). Thereafter, the host 11 returns a completion notification to the user terminal 21 (S320). The completion notification may include data such as the arrival number, processing status confirmation ID, and recorded contents of the electronic official document related to the procedure in addition to indicating that the procedure has been properly completed.

  When the user is not authenticated in step S313 and when it is determined in step S318 that it is not equal to or greater than the threshold value, the host 11 increments the error allowable counter i by 1 (S321). Next, the host 11 determines whether or not the counter i is greater than or equal to a preset threshold I of allowable errors (S322). When it is determined that the counter i is less than the threshold I, the host 11 returns to step S313 to Repeat the process.

  When it is determined in step S322 that the counter i is equal to or greater than the preset threshold value I of the allowable number of errors, the host 11 notifies the user terminal 21 of an error (S323), and ends the process. As a result, not only the case where the authentication is not performed by the basic authentication but also the access when the temporal continuity of the vein information is not ensured can be excluded. The completion notification in step S320 and the error notification in step S323 are received by the user terminal 21 in step S131.

  FIG. 8 is a flowchart for explaining the outline of processing performed by the host when there is an inquiry about the authenticity of past procedures. In response to an access from the user terminal 21, the host 11 displays an inquiry reception screen on the user terminal 21 to specify the inquiry content (S401), and searches for target data (hereinafter referred to as personal data) (S410). ).

  FIG. 9 is a flowchart illustrating the personal data search process performed in step S410. In the personal data search process, first, the host 11 sets a counter j for the permitted number of accesses to 0 (S411). Next, the host 11 requests and obtains the latest vein information from the user terminal 21 (S412). In response to this, for example, the user reads his / her vein information via the biological information reader 212 and transmits it. However, when the latest vein information is stored, it may be replaced with the read vein information.

  Next, the host 11 searches the vein data recorded in the past for the procedure data T1 of the user who is inquiring (hereinafter referred to as the inquiry procedure person) (S413), and the vein recorded in the past is searched. It is determined whether information is detected (S414). When vein information is not detected in step S414, the host 11 sets “NO DATA” indicating that there is no data useful for the inquiry, that is, data that can authenticate the past person (S415).

  When determining that vein information has been detected in step S414, the host 11 calculates the similarity between the latest vein information of these and the vein information acquired in step S412 (S416). Next, the host 11 determines whether or not the degree of similarity is greater than or equal to a predetermined threshold, for example, greater than or equal to the threshold used in step S318 (S417).

  When it is determined in step S417 that the value is equal to or greater than the threshold value, the host 11 sets “OK” in the answer indicating that there is data useful for the inquiry, that is, past data that has been authenticated (S418). In step S418, information specifying past data that has been authenticated may be added to the answer.

  FIG. 10 is an explanatory diagram showing a time-series authentication result of the principal data. As shown in FIG. 10, the biometric information database also records time-series authentication results (T21) for each of the biometric information IDs (T15). Here, since the biometric information ID (T15) can identify the procedure, it is clarified whether each procedure has been authenticated in the past. This biometric information ID (T15) can be used as the information to be added.

  If it is not greater than or equal to the threshold value in step S417, the host 11 increments the counter j for the permitted number of accesses by 1 (S419). Next, the host 11 determines whether or not the counter j is greater than or equal to a preset threshold value J of the allowable number of errors (S420). When determining that the counter j is less than the threshold value J, the host 11 returns to step S412 and returns to step S412. Repeat the process.

  When it is determined in step S420 that the counter j is equal to or larger than the preset threshold J of the permitted number of accesses, the host 11 sets “access error” as an answer (S421). The host 11 returns the answers set in steps S415, S418, and S421 to the user terminal 21 as shown in FIG. 8 (S430).

  The time-series authentication device according to the present invention can be used in the electronic component manufacturing industry, the information communication equipment manufacturing industry, the communication service industry, etc., and is also applied as an electronic application / notification system, and can also be used in online shopping. Enhance the usefulness of such products.

It is a block block diagram of the authentication system required for the first procedure. It is a flowchart explaining an example of the application report procedure process performed to a host from the user terminal side, (a) is related to the first application procedure, for example, and (b) is related to browsing of documents and the like. It is a block block diagram of the time series authentication system by this invention, and relates to what uses biometrics authentication. It is explanatory drawing which shows the usage example of a biometric information reader. It is explanatory drawing of the time-dependent change of vein information. It is explanatory drawing about the biometric information database which a biometric information server stores. It is a flowchart explaining the process which a host performs in an application notification procedure process, and relates to the thing after a procedure is performed at least once. It is a flowchart explaining the outline | summary of the process which a host performs when there is an inquiry about the authenticity of the past procedure. It is a flowchart explaining the principal data search process performed by step S410. It is explanatory drawing which shows the time-sequential authentication result of principal data.

Explanation of symbols

10, 11 Host 12 Biometric information server 20, 21 User terminal 30, 31 Business center terminal 40, 41 Social insurance office terminal 100 Authentication system 101 Network 200 Time series authentication system 211 Computer 212 Biometric information reader H Time course P1 P3 Vein pattern T1 Procedure data T11 Basic pension number T12 Applicant name T13 Application date T14 Application details T15 Biometric ID
T16 Vein information T21 Authentication result VD Vein information U User

Claims (2)

A device that performs authentication using past biological information that changes over time, and stores the authenticated biological information in an external database,
Management means for storing biometric information authenticated in association with a procedure in a time-series manner,
Similarity calculation means for calculating the similarity between the biological information used for authentication of the current procedure and the biological information stored by the management means;
Based on the calculated similarity, authentication specifying means for enabling identification of current authentication and past procedures;
The time-series authentication apparatus characterized in that the current authentication and the identification of the past procedure are performed preferentially using the similarity to the current biological information.   2. The time-series authentication device according to claim 1, wherein the management means stores a basic pension number, an applicant's name, an application date, an application content, a biometric information ID, and biometric authentication data in the database. .

Images