JP2012008951A - Device and program for biometric authentication - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a biometric authentication device and a biometric authentication program capable of inhibiting reverse engineering.SOLUTION: The biometric authentication device comprises a user data storage which stores registered user data including a biosensor for obtaining biological information of users, legitimate registered biological data to which a legitimate password is added for each user, and illegitimate registered biological data to which an illegitimate password is added and different from the legitimate registered biological data, a verification means which verifies verification biological data based on the biological information obtained by the biosensor and the registered user data, and a communication means which transmits the password added to the registered biological data which succeeded in the verification by the verification means to a security circuit. The security circuit holds a cryptographic key and releases the cryptographic key by input of the legitimate password, and the upper limit is set on the number of failures in password input.

Description

  The present invention relates to a biometric authentication device and a biometric authentication program.

  Biometric authentication systems that perform personal authentication using biometric information (biometric information) such as fingerprints, veins, and iris have been developed. Compared with a system using a password, this system has excellent characteristics without problems such as illegal acquisition by guessing, transfer to another person, unusability due to forgetting, and the like.

  The password can be directly converted into an encryption key by converting with a hash function such as SHA-1. On the other hand, it is difficult to directly convert biometric information into an encryption key. Therefore, biometric information has the property of being vulnerable to reverse engineering in stand-alone authentication. In the stand-alone authentication, both the registered biometric information and the encryption key are placed on the client server. In this case, there is a risk of both being scammed by reverse engineering. As a method for solving this problem, there is a method disclosed in Patent Document 1.

JP 2007-249349 A

  However, biometric information changes according to environmental changes, input states, and the like. Therefore, it is difficult to convert biometric information of all users into uniquely determined encryption keys.

  The present invention has been made in view of the above problems, and an object thereof is to provide a biometric authentication device and a biometric authentication program that can suppress reverse engineering.

  In order to solve the above problems, the biometric authentication device disclosed in the specification includes a biometric sensor that acquires biometric information of a user, positive registered biometric data to which a regular password is added for each user, and a false password A user data storage unit that stores registered user data including false registered biometric data different from the positive registered biometric data, verification biometric data based on biometric information acquired by the biometric sensor, and the registered user data Collating means for performing collation, and communication means for transmitting a password added to registered biometric data successfully collated by the collating means to a security circuit, wherein the security circuit holds an encryption key, and A circuit that releases the encryption key when a password is entered, with an upper limit set for the number of failed password entries A.

  In order to solve the above problems, a biometric authentication program disclosed in the specification includes a biometric information acquisition step for acquiring biometric information of a user, verification biometric data based on the biometric information acquired by the biometric information acquisition step, and registered user data. And a communication step of transmitting a password added to the registered biometric data successfully verified in the verification step to the security circuit, and the registered user data is stored for each user. The registered biometric data to which a regular password is added, and the false registered biometric data to which a fake password is added and different from the registered biometric data, wherein the security circuit holds an encryption key, and Is a circuit for releasing the encryption key by inputting the password of In which the upper limit is set to failure frequency.

  According to the biometric authentication device and the biometric authentication program disclosed in the specification, reverse engineering can be suppressed.

It is a block diagram for demonstrating the whole structure of the terminal device which concerns on the comparative example 1. FIG. It is a block diagram for demonstrating the whole structure of the terminal device which concerns on the comparative example 2. FIG. It is a block diagram for demonstrating the whole structure of the terminal device which concerns on Example 1. FIG. It is a functional block diagram of the biometric authentication apparatus implement | achieved by execution of a fingerprint authentication program. It is a flowchart for demonstrating the preparation procedure of the registration user data for one user. It is a figure for demonstrating the example of the registration user data of each user. It is a figure for demonstrating an example of the flowchart implement | achieved by execution of the fingerprint authentication program by CPU. It is a block diagram for demonstrating the whole structure of the terminal device which concerns on Example 2. FIG. It is a flowchart for demonstrating the creation procedure of the registration user data regarding the palm vein for one user. It is a block diagram for demonstrating the whole structure of the terminal device which concerns on Example 3. FIG. It is a flowchart for demonstrating the preparation procedure of the registration user data regarding the iris for one user. It is a block diagram for demonstrating the whole structure of the terminal device which concerns on Example 4. FIG.

(Comparative Example 1)
First, the terminal device 201 according to Comparative Example 1 will be described. The terminal device 201 is a terminal device that is activated by password authentication, and is a mobile phone, a notebook computer, or the like. FIG. 1 is a hardware configuration diagram for explaining the overall configuration of the terminal device 201. Referring to FIG. 1, a terminal device 201 includes a CPU (Central Processing Unit) 210, a main storage device 220, an auxiliary storage device 230, a keyboard 240, and the like. The auxiliary storage device 230 stores a boot loader 231, an OS (Operating System) 232, a program 233, data 234, and the like.

  The CPU 210 is a processing device for executing the boot loader 231, the OS 232, the program 233, and the like. The main storage device 220 is a memory or the like that loads and temporarily stores an OS 232, a program 233, data 234, and the like used by the CPU 210. The auxiliary storage device 230 is a nonvolatile storage device. The boot loader 231 is a program that is executed first when the terminal device is activated, and performs password authentication. The OS 232 is an operating system that is executed when password authentication is successful. The program 233 is a program for starting various applications. Data 234 is the result of processing of the OS 232, the program 233, and the like. The OS 232, the program 233, and the data 234 are encrypted with an encryption key. The keyboard 240 is an input device for inputting a password or the like.

  Next, an operation procedure of the terminal device 201 will be described. First, when the power of the terminal device 201 is turned on, the boot loader 231 is loaded from the auxiliary storage device 230 to the main storage device 220. Next, the CPU 210 executes the boot loader 231. As a result, the terminal device 201 enters an input waiting state. Next, a password is input from the user using the keyboard 240. The CPU 210 generates a hash from the input password using SHA-256 or the like. The main storage device 220 stores the generated hash as an encryption key. Thereby, the encryption of the OS 232 of the auxiliary storage device 230 is decrypted using the encryption key stored in the main storage device 220. As a result, the OS 232 is loaded into the main storage device 220. Thereby, the execution by the CPU 210 moves to the OS 232 loaded in the main storage device 220. Thereafter, the OS 232 also performs encryption using the hash value for input / output with the auxiliary storage device 230.

  The input / output using the encryption as described above is an important function for a terminal device such as a mobile phone or a notebook personal computer having a high incidence of loss or theft. However, since a character string (for example, 123456) that is easy to guess as a password is often set, password authentication is not reliable.

(Comparative Example 2)
Next, the terminal device 202 according to Comparative Example 2 will be described. The terminal device 202 is activated by fingerprint authentication. FIG. 2 is a hardware configuration diagram for explaining the overall configuration of the terminal device 202. 2, terminal device 202 includes a CPU (Central Processing Unit) 210, a main storage device 220, an auxiliary storage device 230, a keyboard 240, a fingerprint sensor 250, and the like. Unlike the comparative example 1, the auxiliary storage device 230 stores a boot loader 231, an OS (Operating System) 232, a program 233, data 234, a fingerprint authentication program 235, registered fingerprint data 236, and the like. The registered fingerprint data 236 is user fingerprint data registered in advance.

  Next, the operation procedure of the terminal device 202 will be described. First, when the terminal device 202 is powered on, the boot loader 231 is copied from the auxiliary storage device 230 to the main storage device 220. Next, the CPU 210 executes the boot loader 231. By executing the boot loader, the fingerprint authentication program 235 is loaded into the main storage device 220. Thereby, the CPU 210 executes the fingerprint authentication program 235. By executing the fingerprint authentication program 235, the terminal device 202 is in a state of waiting for a fingerprint image input.

  Next, when the user impresses a finger on the fingerprint sensor 250, the fingerprint sensor 250 acquires a fingerprint image of the user. The CPU 210 generates collation fingerprint data from the acquired fingerprint image. The CPU 210 compares the verification fingerprint data and the registered fingerprint data 236, and saves the encryption key in the main storage device 220 if they match. Next, the encryption of the OS 232 of the auxiliary storage device 230 is decrypted using the encryption key stored in the main storage device 220. As a result, the OS 232 is loaded into the main storage device 220. As a result, the execution by the CPU 210 moves to the OS 232 loaded in the main storage device 220.

  As described above, by using a sensor that acquires biometric information, such as a fingerprint sensor, the terminal device can be activated, logged in, and the like with reliable authentication without inputting a password. Thus, in Comparative Example 2, the problem of using a weak password by the user is solved. However, authentication using biometric information is not perfect and causes a problem of encryption key fraud by reverse engineering.

  Specifically, there arises a problem that it is difficult to securely encrypt the registered fingerprint data 236 and the encryption key and store them in the auxiliary storage device 230. The registered fingerprint data 236 and the encryption key can be stored in the auxiliary storage device 230 using some encryption key. However, in order to perform fingerprint verification, the registered fingerprint data 236 needs to be combined. For this purpose, the boot loader 231 needs to include an encryption key for decrypting the registered fingerprint data 236. When the decryption encryption key is reverse engineered, the OS decryption encryption key in the auxiliary storage device 230 is easily deceived. In the method using the password, the encryption key can be generated directly from the password, so that it is not necessary to store the OS combination key in the auxiliary storage device 230.

  As one method for solving this problem, there is a method in which an authentication server is prepared separately and the authentication encryption key and the OS decryption encryption key are stored in the authentication server. This method is effective for a computer such as a desktop computer that is used stationary and communicates via a wired LAN. However, a portable device such as a notebook PC needs wireless communication such as a wireless LAN or a mobile phone. In particular, in the authentication for the purpose of logging in to the OS, a mobile phone with many usable locations is suitable, but the contract cost and the communication cost are high. Therefore, it is difficult to install mobile phones in all notebook PCs.

  Further, there is a method in which the biometric information is directly converted into an encryption key, instead of detecting the similarity between the verification biometric data and the registered biometric data. Further, as a similar method, there is a method in which an approximate part of registered biometric data and verification biometric data is extracted and used as an encryption key. However, biometric information typified by fingerprints changes according to environmental changes, input states, and the like. For example, an unclear fingerprint collected from a rough finger has low reproducibility. Therefore, it is very difficult to convert biometric information of all users into uniquely determined encryption keys.

  In general biometric authentication, the verification is performed by setting the erroneous verification to about 1 / 10,000. This means that if the degree of approximation is allowed and numerical values are obtained by eliminating fluctuations, the approximate portion of the feature information is 16 bits or less. The 16-bit information is insufficient as an encryption key. However, sensors that acquire various biological information such as fingerprints have already been adopted in many terminal devices. As the performance of fingerprint sensors improves and other problems are solved, the reverse engineering problem is relatively large. In the following embodiments, a biometric authentication apparatus and a biometric authentication program that can suppress reverse engineering will be described.

  FIG. 3 is a hardware configuration diagram for explaining the overall configuration of the terminal device 101 in which the authentication device according to the first embodiment is incorporated. The terminal device 101 is a terminal device that is activated by fingerprint authentication, a terminal device that can be logged in by fingerprint authentication, or the like, such as a mobile phone or a notebook computer. Referring to FIG. 3, the terminal device 101 includes a CPU (Central Processing Unit) 110, a main storage device 120, an auxiliary storage device 130, a TPM (Trusted Platform Module) 140, a keyboard 150, a fingerprint sensor 160, and the like. CPU 110, main storage device 120, auxiliary storage device 130, TPM 140, keyboard 150, and fingerprint sensor 160 are connected to each other by a system bus 170. The auxiliary storage device 130 stores a boot loader 131, a fingerprint authentication program (biometric authentication program) 132, a user data group 133, an OS 134, a program 135, general data 136, and the like.

  The CPU 110 is a processing device for executing the boot loader 131, the fingerprint authentication program 132, the OS 134, the program 135, and the like. The main storage device 120 is a memory such as a RAM (Random Access Memory) that loads and temporarily stores programs, data, and the like used by the CPU 110. The auxiliary storage device 130 is a non-volatile memory such as a ROM (Read Only Memory), a HDD (Hard Disk Drive) or the like. The keyboard 150 is an input device for inputting a user ID and the like. The fingerprint sensor 160 is a sensor that collects a fingerprint image of a stamped finger.

  The TPM 140 is a package similar to a surface mounted flash ROM, and is directly mounted on the motherboard. Inside the TPM 140, devices such as a processor, a memory, a nonvolatile memory, a clock, and a timer are incorporated. Information stored in the non-volatile memory inside the TPM 140 can be locked with a password or the like. In order to refer to the stored information, it is necessary to input a password. In addition, the TPM 140 causes self-destruction for illegal reading in decomposition. As a result, the stored information cannot be read. That is, the TPM 140 has a high tamper resistance.

  As a means for accessing the TPM 140, for example, a PHCS # 11 library can be used. An example of TPM access using this PKCS # 11 will be described below.

First, when registering a password,
The administrator prepares the encryption key and the correct password. (2) Initialize the TPM 140. (3) Start communication with the TPM 140 using the C_Login function.
(4) The correct password is set in the TPM 140 using the C_SetPIN function. (5) The encryption key is stored in the TPM 140 using the C_SetAttributeValue function. (6) The communication with the TPM 140 is completed using the C_Logout function. The correct password is registered along with.

During password verification,
(1) Prepare a password that is obtained from fingerprint authentication, whether it is correct or incorrect (2) Start communication with the TPM 140 using the password (1) in the C_Login function (3) If the password is incorrect (5 (4) Acquire an encryption key with the C_GetAttributeValue function (5) Complete communication with the TPM 140 with the C_Logout function According to the above procedure, if the password is correct, the encryption key can be acquired and the password is incorrect. If so, the encryption key cannot be acquired.

  The TPM 140 has a function of recording the number of PIN failures in a built-in nonvolatile memory. In the TPM 140, an upper limit (for example, 10 to 20 times) is set for the number of failures. When the number of password input failures exceeds the upper limit, the TPM 140 refuses to accept more passwords and enters a lockout state. In order to release this lockout, a master password held by an administrator or the like is required. Since the upper limit is set for the number of failures in this way, the TPM 140 can prevent a brute force attack.

  The boot loader 131 is a program that is executed first when the terminal device 201 is activated. The boot loader 131 loads the fingerprint authentication program 132 into the main storage device 120 when the terminal device 201 is activated, and loads the OS 134 into the main storage device 120 when the encryption key is successfully acquired from the TPM 140 in fingerprint authentication. The fingerprint authentication program 132 is a program executed by the CPU 110 when the terminal device 201 is activated or logged in, and performs fingerprint authentication. The user data group 133 includes registered user data for each user. The OS 134 is an operating system that is executed when fingerprint authentication is successful. The program 135 is a program for starting various applications and other general office processing programs. The general data 142 is data generated by the execution of the program 135. In order to maintain confidentiality, the OS 134, the program 135, and the general data 136 are encrypted with an encryption key stored in the TPM 140.

  Prior to the operation of the terminal device 101, the TPM 140 is initialized, the encryption key of the TPM 140 is stored, and registered user data is created. Initialization of the TPM 140 and storage of the encryption key of the TPM 140 can be performed by the above-described procedure of PKCS # 11. At the time of this initialization, as an example, a 256-bit value generated by a random number is used as an encryption key. In addition, since the encryption key with the password set is stored in the TPM 140, the password is also generated. This password does not need to be composed of general alphabets, numbers, etc., and may be a large value that cannot be associated. In this embodiment, a 256-bit value is used as the password.

  FIG. 4 is a functional block diagram of the biometric authentication device 100 realized in the terminal device 101 by executing the fingerprint authentication program 132 by the CPU 110. Referring to FIG. 4, biometric authentication device 100 includes biometric sensor 10, verification unit 20, registration data creation unit 30, user data storage unit 40, and communication unit 50. The biometric sensor 10 corresponds to the fingerprint sensor 160 of FIG. 3, and the user data storage unit 40 corresponds to the user data group 133 of FIG.

  Next, a procedure for creating registered user data will be described. FIG. 5 is a flowchart for explaining a procedure for creating registered user data for one user. First, the biosensor 10 collects a user's fingerprint image (step S1). The collected fingerprint image is stored in the main storage device 120. Next, the registration data creation means 30 copies the stored fingerprint image to another location in the main storage device 120 (step S2).

  The registration data creation means 30 performs fingerprint feature point data extraction processing, which is biometric information, on the fingerprint image copied in the main storage device 120 to generate normal registration fingerprint data (step S3). Next, the registration data creation means 30 adds the regular password set in the TPM 140 to the normal registration fingerprint data, and generates regular registration data (step S4). Next, the registration data creation means 30 copies the fingerprint image of step S1 to yet another location in the main storage device 120. The registration data creation means 30 adds dummy feature data to the copied fingerprint image. Specifically, the registration data creation means 30 draws about 10 black squares and white squares each having a ridge thickness of about one side on a copied fingerprint image at random positions ( Step S5).

  Next, the registration data creation means 30 performs fingerprint feature point data extraction processing on the fingerprint image to which the square is added. Due to the added square, the fake registered fingerprint data No. which does not match the original fingerprint image. 1 is generated (step S6). Next, the registration data creating means 30 adds a fake password generated by a random number to the fake registration fingerprint data, and the fake registration data No. 1 is generated (step S7). By repeating steps S5 to S7, for example, 9999 times, 9999 pieces of false registration data are generated (steps S8 to S10).

  The registration data creation means 30 shuffles one regular registration data and 9999 false registration data. The shuffled registration data group is set as a set of registered user data, and a user ID is added to the registered user data (step S11). That is, the registered user data managed by one ID includes one correct registration data to which a correct password is added and 9999 false registration data to which a fake password is added. The registered user data is stored in the user data storage unit 40.

  FIG. 6 is a diagram for explaining an example of registered user data of each user. Referring to FIG. 6, “yamada” of user ID 1 includes registered finger data to which an attached password is added. It cannot be determined which of the registered finger data is the correct registered finger data.

  According to the above procedure, it is not possible to know what number of registered finger data the correct registered finger data is. Therefore, even if this registered user data is reverse-engineered, it is difficult to fraud the password added to the correct registration finger data because it is not known which registered finger data is the correct registration finger data. It should be noted that fraud due to a brute force attack is avoided by the function of the TPM 140. Hereinafter, fingerprint authentication will be described.

  FIG. 7 is a diagram for explaining an example of a flowchart realized by execution of the fingerprint authentication program 132 by the CPU 110. The fingerprint authentication program 132 is executed in a state where registered user data of all users is stored in the user data storage unit 40.

  With reference to FIG. 7, the collation means 20 acquires the user ID input into the keyboard 150 by the user (step S21). Next, the collation unit 20 acquires a fingerprint image collected by the biometric sensor 10 (step S22). Next, the collation means 20 produces | generates collation fingerprint data from the fingerprint image acquired by step S21 (step S23). The collation fingerprint data is data obtained by extracting feature points of a fingerprint image, and is used in a collation process with registered fingerprint data. Next, the collation means 20 searches for registered user data that matches the user ID acquired in step S21 (step S24).

  Next, the collation unit 20 determines whether each registered user data includes registered user data that matches the user ID (step S25). When it determines with "No" in step S25, the collation means 20 determines with collation having failed (step S29). Thereafter, the execution of the flowchart ends. If “Yes” is determined in step S25, the collation unit 20 reads all the registered fingerprint data in order to target all the registered fingerprint data included in the registered user data having the same user ID (step S26). . Thereby, one-to-N collation is performed in which one collation fingerprint data is collated with a plurality of registered fingerprint data.

  Next, the collation means 20 calculates the degree of approximation between the collation fingerprint data and all registered fingerprint data, and performs collation processing (step S27). The collation means 20 determines whether there is registered fingerprint data that approximates the collation fingerprint data in the registered fingerprint data (step S28). If it is determined as “No” in step S28, the collation unit 20 determines that the collation has failed (step S29). Thereafter, the execution of the flowchart ends.

  If “Yes” is determined in step S28, the communication unit 50 transmits the password added to the registered fingerprint data approximate to the verification fingerprint data to the TPM 140 and tries to acquire the encryption key (step S30). The collation means 20 determines whether or not the encryption key has been successfully acquired as a result of step S30 (step S31). When it determines with "No" in step S31, the communication means 50 acquires the frequency | count of continuous failure from TPM140 (step S32). In the initial state, the number of consecutive failures is zero.

  Next, the collation unit 20 determines whether or not the number of failures acquired in step S33 has reached a predetermined value (for example, 5 times) (step S33). If “No” is determined in step S33, the collation unit 20 excludes the registered fingerprint data that has failed this time from the one-to-N collation target (step S34). Then, the collation means 20 repeats the process from step S27. In this case, accidental coincidence due to finger distortion or the like during fingerprint image collection can be avoided.

  If it is determined as “Yes” in step S31, the collation unit 20 resets the counter of the number of consecutive failures in the TPM 140 and resets it to zero (step S35). Next, the CPU 110 starts to decompress the encrypted files (OS 134, program 135, etc.) (step S36). Thereby, start-up of the terminal device 101 starts or login to the terminal device 101 is completed. Thereafter, the execution of the flowchart ends.

  If “Yes” is determined in step S33, the TPM 140 has shifted to the locked state because the number of failures exceeds the upper limit. Therefore, the collation unit 20 determines that the collation has failed (step S29). Thereafter, the execution of the flowchart ends.

  According to the biometric authentication device 100 according to the present embodiment, by including fake registered fingerprint data in each user's registered user data, a correct password can be mixed into the fake password. Further, since the fake feature points are added to the fake registered fingerprint data, the correct registered fingerprint data matches only the collation fingerprint data of the user himself / herself. For the above reasons, password fraud can be suppressed. Furthermore, since an upper limit can be set for the number of failures using the TPM 140, password fraud due to a brute force attack can be suppressed. Therefore, reverse engineering can be suppressed.

  In rare cases, the fake registered fingerprint data and the collation fingerprint data may coincide with each other due to finger distortion or the like. However, in this case, the registered fingerprint data that has been erroneously collated is excluded from the collation target and collation is performed. Thereby, in the next collation, the collation fingerprint data and the correct registered fingerprint data coincide with each other with high probability. Therefore, inconvenience for the user can be avoided. Furthermore, in reverse engineering, it is possible to fraud registered fingerprint data, but it is difficult to determine which is correct registered fingerprint data. In particular, when performing minutiae authentication, it is very difficult to determine correct registered fingerprint data by reverse engineering.

  FIG. 8 is a hardware configuration diagram for explaining the overall configuration of the terminal apparatus 102 according to the second embodiment. The terminal device 102 differs from the terminal device 101 according to the first embodiment in that a palm vein sensor 160a is provided instead of the fingerprint sensor 160, and a vein authentication program 132a is provided instead of the fingerprint authentication program 132. The palm vein sensor 160a is a sensor that reads the position of a vein in the palm of the user by collecting a vein image of the palm of the user. If the palm vein sensor 160a is used, a vein that is not in contact with the outside world is detected, so that there are few users who are inconvenient to use. Therefore, stable authentication can be realized. In the present embodiment, a biometric authentication device similar to that in FIG. 4 is realized by executing the vein authentication program 132a.

  Next, a procedure for creating registered user data related to the palm vein will be described. FIG. 9 is a flowchart for explaining a procedure for creating registered user data related to a palm vein for one user. First, the biosensor 10 collects a vein image of the user's palm (step S41). The registration data creation unit 30 stores the collected vein image in the main storage device 120. Next, the registration data creation means 30 copies the stored vein image to another location in the main storage device 120 (step S42).

  The registered data creation means 30 performs a vein feature extraction process, which is biometric information, on the vein image copied in the main storage device 120 to generate normal registered vein data (step S43). As vein authentication, various collation methods such as a feature point method and a pattern matching method can be adopted as in fingerprint authentication. In this embodiment, as an example, a pattern matching verification method will be described. Therefore, the biological information according to the present embodiment is obtained by binarizing (black and white) a captured vein image.

  Next, the registration data creation means 30 adds the regular password set in the TPM 140 to the normal registration vein data to generate normal registration vein data (step S44). Next, the registration data creation means 30 copies the vein image in step S41 to a further location in the main storage device 120. The registration data creation means 30 adds dummy feature data to the copied vein image. Specifically, the registration data creation means 30 arranges white scratch lines and black scratch lines having a thickness of about 1 mm to 2 mm and a length of about 3 cm at random positions on the copied vein image at a time of about 5 lines. (Step S45). Thereby, the connection of veins can be modified.

  Next, the registration data creation means 30 performs vein feature extraction processing on the vein image to which the white wound line and the black wound line are added. Due to the added line, a false registered vein data No. that does not match the original vein image. 1 is generated (step S46). Next, the registration data creation means 30 adds a fake password generated by a random number to the fake registration vein data, and the fake registration data No. 1 is generated (step S47). By repeating steps S45 to S47, for example, 9999 times, 9999 pieces of false registration data are generated (steps S48 to S50).

  The registration data creation means 30 shuffles one regular registration data and 9999 false registration data. The shuffled registration data group is set as a set of registered user data, and a user ID is added to the registered user data (step S51). That is, the registered user data managed by one ID includes one correct registration data to which a correct password is added and 9999 false registration data to which a fake password is added. The registered user data is stored in the user data storage unit 40.

  By the above procedure, it is not possible to know what number the registered data is. Therefore, even if this registered user data is reverse-engineered, it is difficult to deceive the password added to the main registration data because it is not known which registration data is the main registration data. It should be noted that fraud due to a brute force attack is avoided by the function of the TPM 140. Palm vein authentication is performed according to the vein authentication program 132a. Palm vein authentication can be performed by a procedure similar to the procedure described in FIG.

  FIG. 10 is a hardware configuration diagram for explaining the overall configuration of the terminal device 103 according to the third embodiment. The terminal device 103 is different from the terminal device 101 according to the first embodiment in that an iris sensor 160 b is provided instead of the fingerprint sensor 160 and an iris authentication program 132 b is provided instead of the fingerprint authentication program 132. The iris sensor 160b is a sensor that collects an iris image of the user's eyes. In the present embodiment, a biometric authentication device similar to that in FIG. 4 is realized by executing the iris authentication program 132b.

  Next, a procedure for creating registered user data related to the iris will be described. FIG. 11 is a flowchart for explaining a procedure for creating registered user data related to irises for one user. First, the biosensor 10 collects an iris image of the user's eyes (step S61). The registration data creation means 30 stores the collected iris image in the main storage device 120. Next, the registration data creation means 30 copies the stored iris image to another location in the main storage device 120 (step S62).

  The registration data creation means 30 performs an iris feature extraction process, which is biometric information, on the iris image copied in the main storage device 120 to generate normal registration iris data (step S63). Note that various types of collation methods such as a feature point method and a pattern matching method can be adopted as the iris authentication as in the fingerprint authentication. In this embodiment, a pattern matching collation method will be described as an example. Therefore, the biological information according to the present embodiment is obtained by binarizing (black and white) a photographed iris image.

  Next, the registration data creation means 30 adds the regular password set in the TPM 140 to the normal registration iris data, and generates regular registration data (step S64). Next, the registration data creation means 30 copies the iris image of step S61 to yet another location in the main storage device 120. CPU 110 adds dummy feature data to the copied iris image. Specifically, the registration data creation means 30 arranges white scratch lines and black scratch lines having a thickness of about 1 mm to 2 mm and a length of about 3 cm at random positions in the copied iris image. (Step S65). Thereby, a fake iris can be created. In addition, it is preferable to arrange the black scratch line so as not to overlap with the black eye.

  Next, the registration data creation means 30 performs an iris feature extraction process on the iris image to which the white line and the black line are added. The fake registered iris data No. that does not match the original iris image due to the effect of the added line. 1 is generated (step S66). A fake password generated by a random number is added to fake registration iris data, and fake registration data No. 1 is generated (step S67). By repeating step S65 to step S67, for example, 9999 times, 9999 pieces of false registration data are generated (step S68 to step S70).

  The registration data creation means 30 shuffles one regular registration data and 9999 false registration data. The shuffled registration data group is set as a set of registered user data, and a user ID is added to the registered user data (step S71). That is, the registered user data managed by one ID includes one correct registration data to which a correct password is added and 9999 false registration data to which a fake password is added. The registered user data is stored in the user data storage unit 40.

  By the above procedure, it is not possible to know what number the registered data is. Therefore, even if this registered user data is reverse-engineered, it is difficult to deceive the password added to the main registration data because it is not known which registration data is the main registration data. It should be noted that fraud due to a brute force attack is avoided by the function of the TPM 140. The iris authentication is performed according to the iris authentication program 132b. The iris authentication can be performed by the same procedure as that described with reference to FIG. It should be noted that the false verification rate is low in iris authentication, so that false verification is not performed even if false registration data is prepared. Therefore, even if an unauthorized accessor discovers a password by accident, the probability that information is fraudulently fraudulent can be reduced.

  FIG. 12 is a hardware configuration diagram for explaining the overall configuration of the terminal device 104 according to the fourth embodiment. Referring to FIG. 12, the terminal device 104 is different from the terminal device 101 according to the first embodiment in that an IC card reader / writer 140 a is provided instead of the TPM 140. The IC card reader / writer 140a is a device for reading and writing information on the IC card 140b. In this embodiment, the IC card reader / writer 140a corresponds to the communication unit 50 in FIG.

  A normal IC card has a storage capacity of hundreds to thousands of bytes, and can set a password for reading and writing information. The IC card for which a password is set requires password authentication before reading / writing information, and prohibits reading / writing information until the authentication is successful. This IC card can also measure the number of password input failures, and is locked when the number of failures exceeds the upper limit. Also, PKCS # 11 similar to the TPM module can be used as the IC card control library.

  From the above, the IC card reader / writer 140a and the IC card 140b realize functions equivalent to those of the TPM 140 according to the first embodiment. Further, the IC card 140b can be removed from the terminal device 104 and stored / managed. Therefore, authentication by two elements, biometric authentication and physical token, can be performed.

  In each of the above examples, the TPM module and the IC card have been described as the security circuit, but are not limited thereto. Any other security circuit can be used as long as it releases the encryption key by entering a regular password and sets an upper limit on the number of failed password inputs. In each of the above examples, terminal devices such as mobile phones and notebook PCs have been described as targets to which the authentication device and the authentication program are applied, but are not limited thereto. For example, the present invention may be applied to a non-portable device such as a desktop personal computer. Also, registered user data may be stored in a server that can communicate with the terminal device.

  Although the embodiments of the present invention have been described in detail above, the present invention is not limited to such specific embodiments, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. It can be changed.

101-104 terminal device 110 CPU
120 Main storage device 130 Auxiliary storage device 131 Boot loader 132 Fingerprint authentication program 132a Vein authentication program 132b Iris authentication program 133 User data group 140 TPM
150 Keyboard 160 Fingerprint sensor 160a Palm vein sensor 160b Iris sensor

Claims (12)

A biosensor for acquiring user biometric information;
A user data storage unit that stores registered user data including, for each user, positive registration biometric data to which a regular password is added; and false registration biometric data to which a fake password is added and different from the normal registration biometric data; ,
Collation means for collating collation biometric data based on biometric information acquired by the biometric sensor and the registered user data;
Communication means for transmitting a password added to registered biometric data that has been successfully verified by the verification means to a security circuit,
The biometric authentication apparatus, wherein the security circuit is a circuit that holds an encryption key and releases the encryption key by inputting the regular password, and an upper limit is set for the number of failed password inputs.   The said collation means excludes the said registration biometric data from a collation object, when the password added to the registration biometric data at the time of collation does not correspond with the said regular password. Biometric authentication device.   The apparatus further comprises registered biometric data creation means for generating biometric data from the biometric information acquired by the biometric sensor, adding a password to the biometric data, and storing the biometric data in the user data storage unit as registered biometric data. The biometric authentication device according to claim 1 or 2. The registered biometric data creation means includes:
The regular password is added to the biometric data generated from the biometric information acquired by the biometric sensor, and stored in the user data storage unit as the positive registration biometric data,
4. The biometric authentication apparatus according to claim 3, wherein dummy feature data is added to the generated biometric data, a fake password is added, and the false biometric data is stored in the user data storage unit.   5. The biometric authentication device according to claim 4, wherein the registered biometric data creation unit creates the false registered biometric data by randomly arranging white and black graphics in the generated biometric data. The security circuit is an IC card,
The biometric authentication device according to claim 1, wherein the transmission unit is an IC card reader / writer capable of reading and writing information of the IC card. A biometric information acquisition step of acquiring biometric information of the user;
A collation step of collating collation biometric data based on the biometric information acquired by the biometric information acquisition step and registered user data;
Causing the computer to execute a communication step of transmitting the password added to the registered biometric data successfully verified in the verification step to the security circuit,
The registered user data includes, for each user, positive registration biometric data to which a regular password is added, and false registration biometric data to which a fake password is added and different from the normal registration biometric data,
The biometric authentication program, wherein the security circuit is a circuit that holds an encryption key and releases the encryption key by inputting the regular password, and an upper limit is set for the number of failed password inputs.   8. The registered biometric data is excluded from the verification target when the password added to the registered biometric data when the verification is successful does not match the regular password in the verification step. Biometric authentication program.   A registered biometric data creating step for generating biometric data from the biometric information acquired in the biometric information acquiring step, adding a password to the biometric data, and storing the biometric data in the user data storage unit as registered biometric data; The biometric authentication program according to claim 7 or 8, wherein the biometric authentication program is executed. In the registration biometric data creation step,
Adding the regular password to the biometric data generated from the biometric information acquired in the biometric information acquisition step, and storing it in the user data storage unit as the correct registered biometric data;
The biometric authentication program according to claim 9, wherein dummy feature data is added to the generated biometric data, a fake password is added, and the user data storage unit stores the fake registered biometric data.   11. The biometric authentication program according to claim 10, wherein, in the registered biometric data creation step, the false registered biometric data is created by randomly arranging white and black graphics in the generated biometric data. The security circuit is an IC card,
The biometric authentication program according to any one of claims 7 to 11, wherein the transmitting step is an IC card reader / writer capable of reading and writing information of the IC card.

Images