JP2011155348A - Biometric authentication system, biometric authentication method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a biometric authentication system which cannot be traced by expanding an authentication protocol having anonymity and untraceability, and generating a key from biological information. <P>SOLUTION: A U reads biological information to generate a secret key x2 from the biological information, and generates a secret key x1 from a random number. The U generates public keys y1, y2 from the secret keys to transmits the public keys to a CA. The CA performs signing by a signature key for the received public keys, and issues an attribute certificate to the U. The U transmits a service provision request to an SP, the SP generates the secret key and the public key of itself to transmit a challenge constituted of a random number and the public key to the U. The U deforms the attribute certificate by a random number f, deforms the secret key, calculates a signature value received from them, and transmits the deformed attribute certificate and the signature value to the SP. The SP verifies the attribute certificate received from the U, and verifies the signature value. The SP confirms lapse to confirm validity of the attribute certificate and the signature value, and provides a service based on attribute information to the U on the condition of completion of the lapse confirmation. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an anonymous and untraceable authentication protocol, and relates to a remote biometric authentication system, biometric authentication method, and program that cannot be traced by generating a key from biometric information.

  In recent years, various services have been provided electronically through the Internet. When providing such a service, it is essential to authenticate the user. Here, a method for authenticating a user is generally classified into authentication for specifying an individual and authentication for not specifying an individual such as attribute authentication (for example, see Patent Document 1).

  On the other hand, there is biometric authentication using biometrics as a specific authentication means. Biometric authentication is characterized in that high security can be realized because the biometric information of the user can be used.

Japanese Patent Publication No. 8-2051

  However, since personal biometric information is fixed information, there is a problem that it is possible to track a user using the information. In addition, in the conventional attribute authentication technology, there is no technology for realizing remote and anonymous biometric authentication.

  Accordingly, the present invention has been made in view of the above-described problems, and extends an authentication protocol having anonymity and untraceability, and generates a key from biometric information, making it impossible to trace and remote biometric authentication system. An object of the present invention is to provide a biometric authentication method and program.

  The present invention proposes the following items in order to solve the above-described problems. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this.

  (1) The present invention includes a user terminal (for example, equivalent to the user terminal 1 in FIG. 1), an attribute certificate issuing server (for example, equivalent to the attribute authentication server 3 in FIG. 1), and a service providing server (for example, FIG. 1 is equivalent to the SP server 2) via a network, and the user terminal reads biometric information reading means (for example, the biometric information reader 11 in FIG. 2). 1), a first secret key generation unit (for example, corresponding to the key generation unit 12 in FIG. 2) that generates a secret key x2 from the read biometric information, and the biometric information reading unit generate a random number, Second secret key generation means (for example, corresponding to the key generation unit 12 in FIG. 2) that generates a secret key x1 from the generated random number, and public keys y1 and y2 are generated from the two secret keys x1 and x2. First public key generator (For example, equivalent to the key generation unit 12 in FIG. 2) and first transmission means for transmitting the generated public keys y1, y2 to the attribute certificate issuing server (for example, equivalent to the transmission unit 14 in FIG. 2) ), Second transmission means for transmitting a service provision request to the service provision server (for example, corresponding to the transmission unit 14 in FIG. 2), a random number f is generated, and the attribute proof is generated using the random number f. 2 for transforming the attribute certificate issued by the certificate issuing server (for example, equivalent to the attribute certificate transforming unit 13 in FIG. 2), and transforming the two secret keys x1 and x2 into fx1 and fx2 by the random number f. , Using the modified fx1 and fx2, processing means for calculating a signature value for the service provider's public key y3 received from the service providing server multiplied by the random number r (for example, in the processing unit 15 of FIG. 2) Equivalent) and the deformed hand And a third transmission unit (e.g., corresponding to the transmission unit 14 in FIG. 2) that transmits the attribute certificate modified in step 1 and the signature value calculated by the processing unit to the service providing server, A signing means (for example, corresponding to the signature unit 31 in FIG. 5) for signing with a signature key z held by the issuing server with respect to the public key generated by the first public key generating means of the user terminal; Issuing means for issuing {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal (for example, corresponding to the attribute certificate issuing unit 32 in FIG. 5), wherein the service providing server includes Information including key generation means (for example, corresponding to the key generation unit 25 in FIG. 4) for generating its own private key x3 and public key y3 (= x3 * P), the generated random number r, and the public key y3 As a challenge to the user end And a first verification means for verifying the attribute certificate received from the user terminal (for example, the attribute certificate verification section in FIG. 4). 21), second verification means for verifying the signature value received from the user terminal (for example, equivalent to the signature value verification section 22 in FIG. 4), and revocation confirmation execution means for executing revocation confirmation (for example, 4), the validity of the attribute certificate is confirmed by the first verification means, the validity of the signature value is confirmed by the second verification means, and the validity is revoked. Service providing means (for example, corresponding to the service providing unit 24 in FIG. 4) for providing a service based on the attribute information to the user terminal when the revocation confirmation is completed by the confirmation executing means. A living body characterized by It has proposed a proof system.

  According to this invention, the biometric information reading means of the user terminal reads biometric information. The first secret key generation means generates a secret key x2 from the read biometric information. In the second secret key generation means, the biometric information reading means generates a random number, and generates a secret key x1 from the generated random number. The first public key generation means generates public keys y1 and y2 from the two secret keys x1 and x2. The first transmission means transmits the generated public keys y1 and y2 to the attribute certificate issuing server. The second transmission means transmits a service provision request to the service provision server. The deformation means generates a random number f and uses the random number f to deform the attribute certificate issued by the attribute certificate issuing server. The processing means transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to generate a random number r in the service provider's public key y3 received from the service providing server. The signature value for the product of multiplication is calculated. The third transmitting unit transmits the attribute certificate deformed by the deforming unit and the signature value calculated by the processing unit to the service providing server. The signature means of the attribute certificate issuing server signs the public key generated by the first public key generation means of the user terminal with the signature key z that it holds. The issuing means issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal. The key generation means of the service providing server generates its own private key x3 and public key y3 (= x3 * P). The fourth transmission means transmits information including the generated random number r and the public key y3 as a challenge to the user terminal. The first verification unit verifies the attribute certificate received from the user terminal. The second verification unit verifies the signature value received from the user terminal. The revocation confirmation execution means executes revocation confirmation. When the validity of the attribute certificate is confirmed by the first verification means, the validity of the signature value is confirmed by the second verification means, and the revocation confirmation is completed by the revocation confirmation execution means The service based on the attribute information is provided to the user terminal. Therefore, anonymity is guaranteed at the time of authentication. Moreover, since the key used for authentication is generated from the biometric information, it cannot be transferred or loaned to another person. Further, when authenticating, communication with a third party is not required. Also, any modification of the key used for authentication is possible without communication with a third party. In addition, revocation processing and revocation confirmation processing are possible without inquiring a third party. Furthermore, it is a system which cannot trace a user's action from the communication history before the time when the revocation information is disclosed.

  (2) In the biometric authentication system according to (1), the present invention is characterized in that the first secret key generation means generates a secret key x2 by removing noise from the read biometric information. A biometric authentication system is proposed.

  According to the present invention, the biological information has fluctuations, but the fluctuations can be absorbed by removing noise from the read biological information.

  (3) The present invention provides the biometric authentication system according to (1), wherein the service providing server generates a random number r, calculates r * y3 from the random number r and its own public key y3, and challenges this The biometric authentication system characterized by transmitting as is proposed.

  According to the present invention, the service providing server generates a random number r, calculates r * y3 from the random number r and its own public key y3, and transmits this as a challenge. That is, a public key y3 (= x3 * P) that is different for each service provider is embedded in the challenge, and a signature is returned from the user terminal in response to this challenge. An unknown third party cannot trace the user's behavior from the communication history before the time when the revocation information is disclosed.

  (4) The present invention provides the biometric authentication system according to (3), in which the processing unit of the user terminal uses r * y3 using the secret keys fx1 and fx2 modified by the random number f generated by the deformation unit. Has proposed a biometric authentication system characterized by calculating a signature value for s1 = fx1 * r * y3 and s2 = fx2 * r * y3.

  According to the present invention, the processing means of the user terminal uses the secret keys fx1 and fx2 transformed by the random number f generated by the transformation means to change the signature value for r * y3 to s1 = fx1 * r * y3, s2 = Calculate by fx2 * r * y3. Therefore, since the signature value is calculated using the simple calculation formula as described above, the calculation load can be reduced.

  (5) In the biometric authentication system according to (1), when the first verification unit of the service providing server uses zP as a public key for issuing an attribute, e (f (y1 + y2), A biometric authentication system is proposed in which zP) = e (fz (y1 + y2), P) is calculated, and the validity of the attribute certificate is verified based on whether the calculation formula is satisfied.

  According to the present invention, when the first verification unit of the service providing server uses zP as a public key for attribute issuance, e (f (y1 + y2), zP) = e (fz (y1 + y2), P) The validity of the attribute certificate is verified based on whether or not the calculation formula is satisfied. Therefore, since the attribute certificates transmitted from the user terminal can be collectively verified by the above arithmetic expression, the calculation load can be reduced.

  (6) The present invention provides the biometric authentication system according to (4), wherein the second verification unit of the service providing server is e (s1, P) e (s2, P) = e (f * (y1 + y2) , R * y3), and a biometric authentication system is proposed in which the validity of the signature is verified based on whether the arithmetic expression is satisfied.

  According to this invention, the second verification means of the service providing server calculates e (s1, P) e (s2, P) = e (f * (y1 + y2), r * y3), The validity of the signature is verified depending on whether or not Therefore, since the signature value is calculated using the simple calculation formula as described above, the calculation load can be reduced.

  (7) The present invention provides the biometric authentication system according to (3) or (4), in which the revocation confirmation execution unit of the service providing server performs r * x3 * y1 for all y1s listed in the revocation list. Is calculated, and e (z (y1 + y2), s1) = e (f * z * (y1 + y2), r * x3 * y1) is calculated, and the revocation check is executed depending on whether the arithmetic expression is satisfied. We have proposed a biometric authentication system.

  According to this invention, the revocation confirmation execution means of the service providing server calculates r * x3 * y1 for all y1s listed in the revocation list and e (z (y1 + y2), s1) = e ( f * z * (y1 + y2), r * x3 * y1) is calculated, and revocation confirmation is executed depending on whether or not the calculation formula is satisfied. Therefore, the revocation list cannot be traced by a third party who does not know the service provider's private key x3 and can easily trace the user's behavior from the communication history before the revocation information was disclosed. Confirmation processing can be realized.

  (8) The biometric authentication system according to (1), wherein the attribute certificate issuing server publishes y1 and z (y1 + y2) of the revoked user in the revocation list. Has proposed.

  According to the present invention, the attribute certificate issuing server publishes y1 and z (y1 + y2) of the revoked user in the revocation list. Thus, since y1 and z (y1 + y2) are not disclosed, but y1 and y2 are disclosed, it is possible to prevent tracing of the past history from the disclosed information, and to secure the forward security.

  (9) The present invention provides a biometric authentication method in a biometric authentication system in which a user terminal, an attribute certificate issuing server, and a service providing server are connected via a network, wherein the user terminal receives biometric information. A first step of reading (e.g., corresponding to step S201 in FIG. 6 and step S301 in FIG. 7), a second step in which the user terminal generates a secret key x2 from the read biometric information, and the user terminal Is a third step of generating a secret key x1 from the generated random number, and a fourth step of the user terminal generating public keys y1 and y2 from the two secret keys x1 and x2 (for example, FIG. Step S202, which corresponds to Steps S302 and S303 in FIG. 7), and the user terminal sends the generated public keys y1 and y2 to the attribute certificate issuing server. And a sixth step in which the attribute certificate issuing server signs the public key generated by the user terminal with the signature key z held (for example, corresponding to step S303 in FIG. 7). ) And the seventh step (for example, steps S204, S205 in FIG. 6) in which the attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal. 7) (equivalent to step S304 in FIG. 7), and an eighth step in which the user terminal transmits a service provision request to the service providing server (for example, corresponding to step S209 in FIG. 6 and step S305 in FIG. 7); A ninth step (for example, corresponding to step S206 in FIG. 6) in which the service providing server generates its own private key x3 and public key y3 (= x3 * P); A tenth step (for example, corresponding to step S210 in FIG. 6 and step S306 in FIG. 7) in which the service providing server transmits information including the generated random number r and the public key y3 to the user terminal as a challenge; The eleventh step in which the user terminal generates a random number f and transforms the attribute certificate issued by the attribute certificate issuing server using the random number f (for example, step S211 in FIG. 6, step S2 in FIG. Equivalent to step S307), and the user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to receive the service received from the service providing server. A twelfth step (for example, corresponding to step S212 in FIG. 6) for calculating a signature value for the provider's public key multiplied by a random number; A thirteenth step (for example, corresponding to step S213 in FIG. 6 and step S308 in FIG. 7) in which the terminal transmits the modified attribute certificate and the calculated signature value to the service providing server; and the service providing server 14th step for verifying the attribute certificate received from the user terminal (e.g., corresponding to step S214 in FIG. 6 and step S309 in FIG. 7) and the signature received by the service providing server from the user terminal A fifteenth step (for example, corresponding to step S215 in FIG. 6 and step S309 in FIG. 7) for verifying the value, and a fifteenth step (for example, step S216 in FIG. 6) in which the service providing server performs revocation confirmation. , Corresponding to step S310 in FIG. 7), the service providing server confirms the validity of the attribute certificate and confirms the signature value. A sixteenth step (for example, step S217 in FIG. 6 and step in FIG. 7) for providing a service based on attribute information to the user terminal when validity is confirmed and revocation confirmation is completed. And a biometric authentication method characterized by comprising:

  According to this invention, the user terminal reads biometric information. The user terminal generates a secret key x2 from the read biometric information. The user terminal generates a secret key x1 from the generated random number. The user terminal generates public keys y1 and y2 from the two secret keys x1 and x2. The user terminal transmits the generated public keys y1 and y2 to the attribute certificate issuing server. The attribute certificate issuing server signs the public key generated by the user terminal with the signature key z that it holds. The attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal. The user terminal transmits a service provision request to the service provision server. The service providing server generates its own secret key x3 and public key y3 (= x3 * P). The service providing server transmits information including the generated random number r and the public key y3 as a challenge to the user terminal. The user terminal generates a random number f and uses the random number f to transform the attribute certificate issued by the attribute certificate issuing server. The user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to multiply the service provider's public key received from the service providing server by the random number. Calculate the signature value for the thing. The user terminal transmits the modified attribute certificate and the calculated signature value to the service providing server. The service providing server verifies the attribute certificate received from the user terminal. The service providing server verifies the signature value received from the user terminal. The service providing server performs revocation confirmation. The service providing server provides the service based on the attribute information to the user terminal when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed. . Therefore, anonymity is guaranteed at the time of authentication. Moreover, since the key used for authentication is generated from the biometric information, it cannot be transferred or loaned to another person. Further, when authenticating, communication with a third party is not required. Also, any modification of the key used for authentication is possible without communication with a third party. In addition, revocation processing and revocation confirmation processing are possible without inquiring a third party. Furthermore, it is a system which cannot trace a user's action from the communication history before the time when the revocation information is disclosed.

  (10) The present invention is a program for causing a computer to execute a biometric authentication method in a biometric authentication system in which a user terminal, an attribute certificate issuing server, and a service providing server are connected via a network. A first step in which the user terminal reads biometric information (for example, corresponding to step S201 in FIG. 6 and step S301 in FIG. 7), and the user terminal generates a secret key x2 from the read biometric information. The second step, the user terminal generates a secret key x1 from the generated random number, and the user terminal generates a public key y1, y2 from the two secret keys x1, x2. (For example, equivalent to steps S202 of FIG. 6, steps S302 and S303 of FIG. 7), and the user terminal A fifth step of transmitting the generated public keys y1 and y2 to the row server, and the attribute certificate issuing server signs the public key generated by the user terminal with the signature key z held by the user certificate In a sixth step (for example, corresponding to step S303 in FIG. 7), the attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal. 7 (for example, equivalent to steps S204 and S205 in FIG. 6 and step S304 in FIG. 7), and an eighth step in which the user terminal transmits a service provision request to the service providing server (for example, FIG. 6). Step S209, which corresponds to step S305 in FIG. 7), and the service providing server generates its own private key x3 and public key y3 (= x3 * P) in the ninth step ( For example, corresponding to step S206 in FIG. 6, and the service providing server transmits the information including the generated random number r and the public key y3 as a challenge to the user terminal (for example, FIG. 6). Step S210, corresponding to Step S306 in FIG. 7), and the user terminal generates a random number f and uses the random number f to transform the attribute certificate issued by the attribute certificate issuing server (For example, corresponding to step S211 in FIG. 6 and step S307 in FIG. 7), the user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 by a random number f, and the transformed fx1 and fx2 A twelfth step of calculating a signature value for a product obtained by multiplying the service provider's public key received from the service provider server by a random number (for example, , Corresponding to step S212 in FIG. 6), and the user terminal transmits the modified attribute certificate and the calculated signature value to the service providing server (for example, step S213 in FIG. 6, FIG. 7). Step S308), the service providing server verifies the attribute certificate received from the user terminal (for example, step S214 in FIG. 6 and step S309 in FIG. 7), The service providing server executes a fifteenth step (for example, corresponding to step S215 in FIG. 6 and step S309 in FIG. 7) for verifying the signature value received from the user terminal, and the service providing server executes revocation confirmation. A fifteenth step (e.g., equivalent to step S216 in FIG. 6 and step S310 in FIG. 7), and the service providing server However, when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed, a service based on the attribute information is provided to the user terminal. A program for causing a computer to execute these steps (for example, corresponding to step S217 in FIG. 6 and step S311 in FIG. 7) is proposed.

  According to this invention, the user terminal reads biometric information. The user terminal generates a secret key x2 from the read biometric information. The user terminal generates a secret key x1 from the generated random number. The user terminal generates public keys y1 and y2 from the two secret keys x1 and x2. The user terminal transmits the generated public keys y1 and y2 to the attribute certificate issuing server. The attribute certificate issuing server signs the public key generated by the user terminal with the signature key z that it holds. The attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal. The user terminal transmits a service provision request to the service provision server. The service providing server generates its own secret key x3 and public key y3 (= x3 * P). The service providing server transmits information including the generated random number r and the public key y3 as a challenge to the user terminal. The user terminal generates a random number f and uses the random number f to transform the attribute certificate issued by the attribute certificate issuing server. The user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to multiply the service provider's public key received from the service providing server by the random number. Calculate the signature value for the thing. The user terminal transmits the modified attribute certificate and the calculated signature value to the service providing server. The service providing server verifies the attribute certificate received from the user terminal. The service providing server verifies the signature value received from the user terminal. The service providing server performs revocation confirmation. The service providing server provides the service based on the attribute information to the user terminal when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed. . Therefore, anonymity is guaranteed at the time of authentication. Moreover, since the key used for authentication is generated from the biometric information, it cannot be transferred or loaned to another person. Further, when authenticating, communication with a third party is not required. Also, any modification of the key used for authentication is possible without communication with a third party. In addition, revocation processing and revocation confirmation processing are possible without inquiring a third party. Furthermore, it is a system which cannot trace a user's action from the communication history before the time when the revocation information is disclosed.

  According to the present invention, there is an effect that anonymity is guaranteed at the time of authentication. Moreover, since the key used for authentication is generated from the biometric information, there is an effect that it cannot be transferred or lent to another person. Further, there is an effect that communication with a third party is not required at the time of authentication. Further, there is an effect that any modification of the key used for authentication is possible without communication with a third party. Further, there is an effect that the revocation process and the revocation confirmation process can be performed without inquiring a third party. Furthermore, there is an effect that the user's behavior cannot be traced from the communication history before the time when the revocation information is disclosed.

It is a figure which shows an example of the system configuration | structure of the biometric authentication system which concerns on embodiment of this invention. It is a block diagram of the attribute authentication client module which concerns on embodiment of this invention. It is a figure explaining the process which produces | generates a secret key from the biometric information which concerns on embodiment of this invention. It is a block diagram of the attribute authentication server module which concerns on embodiment of this invention. It is a block diagram of the attribute certificate issuing module which concerns on embodiment of this invention. It is a figure which shows the operation sequence of the whole biometric authentication system which concerns on embodiment of this invention. It is a flowchart which shows operation | movement of the user terminal in the biometric authentication system which concerns on embodiment of this invention. It is the operation | movement conceptual diagram quoted in order to demonstrate the management method of the effective period of the attribute information of the biometric authentication system concerning embodiment of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

<System configuration of biometric authentication system>
FIG. 1 is a diagram illustrating an example of a system configuration of a biometric authentication system according to an embodiment of the present invention.
As shown in FIG. 1, a biometric authentication system according to the present embodiment includes a user terminal 1 (U), a service providing server (hereinafter simply referred to as an SP server 2) managed and operated by a service provider, and an attribute certificate authority ( CA) and an attribute authentication server 3 managed and operated, and both are connected via a network 4.

  The user terminal 1 includes an attribute authentication client module 10, the SP server 2 includes an attribute authentication server module 20, and the attribute authentication server 3 includes an attribute certificate issuance module 30.

<Configuration of attribute authentication client module>
Further, as shown in FIG. 2, the attribute authentication client module 10 includes a biometric information reading unit 11, a key generation unit 12, an attribute certificate transformation unit 13, a transmission unit 14, and a processing unit 15. Yes.

  The biometric information reading unit 11 reads the biometric information of the user. The key generation unit 12 generates a secret key x2 from the biometric information read by the biometric information reading unit 11. Specifically, as shown in FIG. 3, the biometric information reading unit 11 reads the biometric information and performs a process of removing fluctuations and noise from the discretized biometric information to generate the secret key x2. Further, the secret key x1 is generated from the random number generated by the biometric information reading unit 11. Further, public keys y1 and y2 are generated from these two secret keys x1 and x2.

  The attribute certificate modification unit 13 generates a random number f, and transforms the attribute certificate issued by the attribute certificate authority server (CA) 3 into fzy using the random number f.

  The transmission unit 14 transmits the service provision request, the attribute certificate modified by the attribute certificate modification unit 13, and the signature value calculated by the processing unit 15 to the SP server 2. Further, the generated public keys y1 and y2 are transmitted to the attribute certificate authority server (CA) 3.

  The processing unit 15 transforms the two secret keys x1 and x2 generated by the key generation unit 12 into fx1 and fx2 using a random number f, and calculates a signature value for r * y3 using the modified fx1 and fx2 . Specifically, using the private keys fx1 and fx2 modified by the random number f generated by the attribute certificate modification unit 13, the signature values for the challenge r * y3 are expressed as s1 = f * x1 * r * y3 and s2 = f. * X2 * r * y3 is calculated. Thereby, since the signature value is calculated by a simple calculation formula, the calculation load can be reduced.

<Configuration of attribute authentication server module>
As shown in FIG. 4, the attribute authentication server module 20 includes an attribute certificate verification unit 21, a signature value verification unit 22, a revocation check execution unit 23, a service provision unit 24, a key generation unit 25, The challenge generation unit 26 and the transmission unit 27 are included.

  The attribute certificate verification unit 21 verifies the attribute certificate received from the user terminal 1. Specifically, when zP is used as a public key for issuing an attribute, e (f (y1 + y2), zP) = e (fz (y1 + y2), P) is calculated to determine whether or not this calculation formula is satisfied. Thus, the validity of the attribute certificate is verified. Thereby, since the attribute certificates transmitted from the user terminal can be verified together, the calculation load can be reduced.

  The signature value verification unit 22 verifies the signature value received from the user terminal 1. Specifically, e (s1, P) e (s2, P) = e (f * (y1 + y2), r * y3) is calculated, and the validity of the signature is verified based on whether the arithmetic expression is satisfied. To do. Thereby, since the signature value is calculated by the simple calculation formula as described above, the calculation load can be reduced.

  The revocation confirmation execution unit 23 executes revocation confirmation. Specifically, r * x3 * y1 is calculated for all y1s on the revocation list, and e (z (y1 + y2), s1) = e (f * z * (y1 + y2), r * x3 * Y1) is calculated, and revocation confirmation is executed depending on whether or not the calculation formula is satisfied. Therefore, the revocation list cannot be traced by a third party who does not know the service provider's private key x3 and can easily trace the user's behavior from the communication history before the revocation information was disclosed. Confirmation processing can be realized.

  The service providing unit 24 provides the service based on the attribute information to the user terminal 1 when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed. I do.

  The key generation unit 25 generates its own private key x3 and public key y3 (= x3 * P). At this time, the public key certificate zy3 is issued from the attribute authentication server 3 in advance. The challenge generation unit 26 generates a random number r, calculates r * y3, and generates the calculated value as a challenge. The transmission unit 27 transmits the challenge generated by the challenge generation unit 26 to the user terminal 1.

<Configuration of attribute certificate issuing module>
As shown in FIG. 5, the attribute certificate issuance module 30 includes a signature unit 31, an attribute certificate issuance unit 32, a transmission unit 33, a user information storage unit 34, and a data table generation unit 35. Yes.

  The signature unit 31 calculates y1 + y2 with respect to the public keys y1 and y2 generated by the key generation unit 12 of the user terminal 1, and performs a signature with the signature key held for this y1 + y2. As shown in FIG. 8, the signature key having the longest validity period is used among the existing ones. Specifically, the signature is z (y1 + y2), where z is the signature private key and zP is the public key corresponding thereto (P is the generation source). Thereby, only necessary and sufficient information can be given to the user, and the user's fraud can be prevented. In addition, since the calculation load can be reduced, the calculation speed can be increased.

  The attribute certificate issuing unit 32 issues {y1, y2, z (y1 + y2)} to the user terminal 1 as an attribute certificate. The transmitting unit 33 transmits the attribute certificate issued by the attribute certificate issuing unit 32 to the user terminal 1.

  The user information storage unit 34 stores y1 and z (y1 + y2) as long as the issued user's private keys x1 and x2 are within the validity period.

<Operation sequence of biometric authentication system>
FIG. 6 is an operation sequence diagram showing the operation flow of the entire biometric authentication system according to the embodiment of the present invention in time series, and FIG. 7 is a flowchart showing the operation flow of the user terminal. . The operation sequence diagram shown in FIG. 6 also shows the procedure of the attribute information anonymization method in the biometric authentication system of the present invention.
Hereinafter, the operation of the biometric authentication system shown in FIG. 1 will be described in detail with reference to FIGS.

  First, the biometric information reading unit 11 of the user terminal 1 generates a secret key from the biometric information read into the biometric information reading device. This is x2. Moreover, in order to make it possible to change the secret key for each service, the biometric information reading unit 11 generates a random number and creates a secret key from the random number. This is x1. At that time, the biometric information reading unit 11 holds the generated random number. Since biometric information has fluctuations, a logic that absorbs fluctuations and generates the same key is incorporated. For example, the fluctuation is absorbed by using a method in which a certain area is feature information and information of one bit is extracted from the information (step S201 in FIG. 6 and step S301 in FIG. 7).

  The key generation unit 12 of the user terminal 1 generates user secret keys x1 and x2 and public keys y1 = x1 * P and y2 = x2 * P (step S202 in FIG. 6 and steps S302 and S303 in FIG. 7). Here, P is a generation source. Then, the transmission unit 14 of the user terminal 1 transmits an attribute certificate issuance request to the attribute authentication server 3 (step S203 in FIG. 6).

  The attribute authentication server 3 calculates y1 + y2, and signs the y1 + y2 with a signature key for attributes held by the attribute authentication server 3 (step S303 in FIG. 7). In addition, the signature key with the longest expiration date is used among the existing ones (see FIG. 8). The signature is z (y1 + y2) where z is the private key for signature and zP is the corresponding public key.

  Then, {y1, y2, z (y1 + y2)} is issued to the user terminal 1 as a certificate. Further, as long as the issued user's private keys x1 and x2 are within the validity period, y1 and z (y1 + y2) are stored (steps S204 and S205 in FIG. 6 and step S304 in FIG. 7).

  FIG. 8 conceptually shows how to manage the effective period. In FIG. 8, t on the horizontal axis indicates the flow of time. According to the present invention, since the attribute information is only key information, it is necessary to manage a new effective period. For this reason, as shown in FIG. 6, the attribute certificate issuing module 30 of the attribute authentication server 3 manages a validity period by assigning a plurality of signature keys for each attribute and periodically updating the combination. I have to. At that time, a plurality of title keys assigned for each attribute are managed in parallel so that a user who can enjoy the service only for a very short period does not occur.

  In order to assign the signature key having the longest valid period, for example, as shown in FIG. 8, if the key is to be assigned in the latter half of the usage period of the key A, the attribute authentication server 3 The attribute certificate issuing module 30 assigns a signature key D or a signature key E to the attribute authentication client module 10 of the user terminal 1. Thereby, the inconvenience that the user can receive the service for a very short period can be prevented.

  Next, the transmission unit 14 of the user terminal 1 transmits a service provision request to the SP server 2 (step S209 in FIG. 6 and step S305 in FIG. 7). The key generation unit 25 of the SP server 2 generates its own secret key x3 and public key y3 = x3 * P (step S206 in FIG. 6). Similarly, the public key certificate zy3 is issued from the attribute authentication server 3. The SP server 2 transmits a certificate issuance request to the attribute authentication server 3 (step S207 in FIG. 6). In response to this issuance request, the attribute authentication server 3 A certificate is issued (step S208 in FIG. 6).

  The challenge generation unit 26 of the SP server 2 generates a random number r, calculates r * y3, and transmits the calculated value as a challenge from the transmission unit 27 to the user terminal 1 (step S210 in FIG. 6). Step S306 in FIG. 7).

  The attribute certificate modification unit 13 of the user terminal 1 transforms the received attribute certificate (step S211 in FIG. 6 and step S307 in FIG. 7). Specifically, a random number f is generated and transformed to fz (y1 + y2).

  At this time, the secret key is also transformed into fx1 and fx2. Then, the processing unit 15 of the user terminal 1 calculates a signature value for r * y3 using fx1 and fx2. Specifically, s1 = f * x1 * r * y3 and s2 = f * x2 * r * y3 are calculated. (Step S212 in FIG. 6).

  The transmission unit 14 of the user terminal 1 returns the modified attribute certificate and the calculated signature value to the SP server 2 (step S213 in FIG. 6 and step S308 in FIG. 7).

  The attribute certificate verification unit 21 of the SP server 2 verifies the sent attribute certificate (step S214 in FIG. 6 and step S309 in FIG. 7). Here, Pairing calculation is used for verification. Specifically, it is verified whether or not e (f (y1 + y2), zP) = e (fz (y1 + y2), P) is satisfied when the pairing calculation is represented by e (*, *). Here, zP is a public key for issuing attributes.

  Next, the signature value verification unit 22 of the SP server 2 verifies the sent signature (step S215 in FIG. 6 and step S309 in FIG. 7). Specifically, it is verified whether or not e (s1, P) e (s2, P) = e (f * (y1 + y2), r * y3) holds.

  Further, the revocation confirmation execution unit 23 of the SP server 2 performs revocation confirmation (step S216 in FIG. 6 and step S310 in FIG. 7). Here, when revocation confirmation is performed, a revocation list is acquired from the attribute authentication server 3 in advance or on the spot. The revocation list is generated by the attribute authentication server 3, and the public keys y1 and z (y1 + y2) of the revoked user are made public. The revocation list is signed by the attribute authentication server 3, and its validity can be confirmed.

  The revocation check calculates r * x3 * y1 for all y1s on the revocation list, and e (z (y1 + y2), s1) = e (f * z * (y1 + y2), r * x3 * y1) It is verified whether or not holds. When this equation is established, it is determined that the key is invalid (has expired).

  The SP server 2 determines that the authentication is successful when the certificate validity check, the signature validity check, and the revocation check are completed, and the service providing unit 24 of the SP server 2 sets the attribute to the user terminal 1. Service provision based on information is performed (step S217 in FIG. 6 and step S311 in FIG. 7).

  In addition, specific uses of the biometric authentication system described above include the confirmation of whether or not you have medical qualifications in the disclosure of medical information, or a qualification such as a Silver Pass issued publicly in public transportation. Applications such as confirmation are conceivable.

  As described above, in the present embodiment, anonymity is guaranteed at the time of authentication. Moreover, since the key used for authentication is generated from the biometric information, it cannot be transferred or loaned to another person. Further, when authenticating, communication with a third party is not required. Also, any modification of the key used for authentication is possible without communication with a third party. In addition, revocation processing and revocation confirmation processing are possible without inquiring a third party. Furthermore, it is a system which cannot trace a user's action from the communication history before the time when the revocation information is disclosed.

  The attribute authentication client module 10, the attribute authentication server module 20, and the attribute certificate issuance module 30 shown in FIG. 1 are programs executed by the user terminal 1, the SP server 2, and the attribute authentication server 3, respectively. The program is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by the user terminal 1, the SP server 2, and the attribute authentication server 3 (all computer systems) and executed. The biometric authentication system of the invention can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention. For example, in the present embodiment, the form in which the attribute authentication server 3 executes the revocation check process has been described. However, a server that performs the revocation check process may be provided separately from the attribute authentication server 3.

1 User terminal (U)
2. Service providing server (SP server)
3 ... Attribute authentication server (CA server)
DESCRIPTION OF SYMBOLS 4 ... Network 10 ... Attribute authentication client module 11 ... Biometric information reading part 12 ... Key generation part 13 ... Attribute certificate transformation part 14 ... Transmission part 15 ... Processing part 20 ... Attribute authentication server module 21 ... Attribute certificate verification unit 22 ... Signature value verification unit 23 ... Revocation check execution unit 24 ... Service provision unit 25 ... Key generation unit 26 ... Random number generation unit 27 ... transmission unit 30 ... attribute certificate issuing module 31 ... signature unit 32 ... attribute certificate issuing unit 33 ... transmission unit

Claims (10)

A biometric authentication system in which a user terminal, an attribute certificate issuing server, and a service providing server are connected via a network,
The user terminal is
Biometric information reading means for reading biometric information;
First secret key generation means for generating a secret key x2 from the read biometric information;
The biometric information reading means generates a random number and generates a secret key x1 from the generated random number;
First public key generation means for generating public keys y1 and y2 from the two secret keys x1 and x2,
First transmitting means for transmitting the generated public keys y1 and y2 to the attribute certificate issuing server;
Second transmission means for transmitting a service provision request to the service provision server;
Deforming means for generating a random number f and transforming the attribute certificate issued by the attribute certificate issuing server using the random number f;
The two secret keys x1 and x2 are transformed into fx1 and fx2 by a random number f, and the service provider's public key y3 received from the service providing server is multiplied by a random number r using the transformed fx1 and fx2. Processing means for calculating a signature value for the object;
Third transmitting means for transmitting the attribute certificate modified by the modifying means and the signature value calculated by the processing means to the service providing server;
With
The attribute certificate issuing server is
Signing means for signing with the signature key z possessed with respect to the public key generated by the first public key generating means of the user terminal;
Issuing means for issuing {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal;
With
The service providing server is
Key generation means for generating its own private key x3 and public key y3 (= x3 * P);
A fourth transmission means for transmitting information including the generated random number r and the public key y3 to the user terminal as a challenge;
First verification means for verifying the attribute certificate received from the user terminal;
Second verification means for verifying a signature value received from the user terminal;
Revocation check execution means for executing revocation check;
When the validity of the attribute certificate is confirmed by the first verification means, the validity of the signature value is confirmed by the second verification means, and when the revocation confirmation is completed by the revocation confirmation execution means, Service providing means for providing a service based on attribute information to the user terminal;
A biometric authentication system comprising:   The biometric authentication system according to claim 1, wherein the first secret key generation unit generates a secret key x2 by removing noise from the read biometric information.   The biometric authentication system according to claim 1, wherein the service providing server generates a random number r, calculates r * y3 from the random number r and its own public key y3, and transmits it as a challenge.   The processing means of the user terminal uses the secret keys fx1 and fx2 transformed by the random number f generated by the transformation means to change the signature value for r * y3 to s1 = fx1 * r * y3, s2 = fx2 * r * The biometric authentication system according to claim 3, wherein the biometric authentication system is calculated by y3.   The first verification means of the service providing server calculates e (f (y1 + y2), zP) = e (fz (y1 + y2), P) when zP is a public key for attribute issuance, The biometric authentication system according to claim 1, wherein the validity of the attribute certificate is verified depending on whether the arithmetic expression is established.   Whether or not the second verification means of the service providing server calculates e (s1, P) e (s2, P) = e (f * (y1 + y2), r * y3) The biometric authentication system according to claim 4, wherein the validity of the signature is verified.   The revocation confirmation execution means of the service providing server calculates r * x3 * y1 for all y1s on the revocation list and e (z (y1 + y2), s1) = e (f * z * ( The biometric authentication system according to claim 3 or 4, wherein y1 + y2) and r * x3 * y1) are calculated, and revocation confirmation is executed depending on whether or not the calculation formula is satisfied.   The biometric authentication system according to claim 1, wherein the attribute certificate issuing server publishes y1 and z (y1 + y2) of the revoked user in the revocation list. A biometric authentication method in a biometric authentication system in which a user terminal, an attribute certificate issuing server, and a service providing server are connected via a network,
A first step in which the user terminal reads biometric information;
A second step in which the user terminal generates a secret key x2 from the read biometric information;
A third step in which the user terminal generates a secret key x1 from the generated random number;
A fourth step in which the user terminal generates public keys y1, y2 from the two secret keys x1, x2;
A fifth step in which the user terminal transmits the generated public keys y1 and y2 to the attribute certificate issuing server;
A sixth step in which the attribute certificate issuing server signs a public key generated by the user terminal with a signature key z held;
A seventh step in which the attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal;
An eighth step in which the user terminal transmits a service provision request to the service provision server;
A ninth step in which the service providing server generates its own private key x3 and public key y3 (= x3 * P);
A tenth step in which the service providing server transmits information including the generated random number r and the public key y3 to the user terminal as a challenge;
An eleventh step in which the user terminal generates a random number f and uses the random number f to transform the attribute certificate issued by the attribute certificate issuing server;
The user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to generate a random number for the public key of the service provider received from the service providing server. A twelfth step of calculating a signature value for the product of
A thirteenth step in which the user terminal transmits the deformed attribute certificate and the calculated signature value to the service providing server;
A fourteenth step in which the service providing server verifies the attribute certificate received from the user terminal;
A fifteenth step in which the service providing server verifies a signature value received from the user terminal;
A fifteenth step in which the service providing server executes a revocation check;
The service providing server provides the service based on the attribute information to the user terminal when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed. A sixteenth step of performing
A biometric authentication method comprising: A program for causing a computer to execute a biometric authentication method in a biometric authentication system in which a user terminal, an attribute certificate issuing server, a service providing server, and a reliable server are connected via a network,
A first step in which the user terminal reads biometric information;
A second step in which the user terminal generates a secret key x2 from the read biometric information;
The user terminal generates a secret key x1 from the generated random number;
A fourth step in which the user terminal generates public keys y1, y2 from the two secret keys x1, x2;
A fifth step in which the user terminal transmits the generated public keys y1 and y2 to the attribute certificate issuing server;
A sixth step in which the attribute certificate issuing server signs a public key generated by the user terminal with a signature key z held;
A seventh step in which the attribute certificate issuing server issues {y1, y2, z (y1 + y2)} as attribute certificates to the user terminal;
An eighth step in which the user terminal transmits a service provision request to the service provision server;
A ninth step in which the service providing server generates its own private key x3 and public key y3 (= x3 * P);
A tenth step in which the service providing server transmits information including the generated random number r and the public key y3 to the user terminal as a challenge;
An eleventh step in which the user terminal generates a random number f and uses the random number f to transform the attribute certificate issued by the attribute certificate issuing server;
The user terminal transforms the two secret keys x1 and x2 into fx1 and fx2 using a random number f, and uses the modified fx1 and fx2 to generate a random number for the public key of the service provider received from the service providing server. A twelfth step of calculating a signature value for the product of
A thirteenth step in which the user terminal transmits the deformed attribute certificate and the calculated signature value to the service providing server;
A fourteenth step in which the service providing server verifies the attribute certificate received from the user terminal;
A fifteenth step in which the service providing server verifies a signature value received from the user terminal;
A fifteenth step in which the service providing server executes a revocation check;
The service providing server provides the service based on the attribute information to the user terminal when the validity of the attribute certificate is confirmed, the validity of the signature value is confirmed, and the revocation confirmation is completed. A sixteenth step of performing
A program that causes a computer to execute.

Images