JP2012181595A - Authentication system, authentication method for authentication system, positioning device, and positioning program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system capable of rejecting counterfeit positional information in authentication processing based on positional information.SOLUTION: A portable phone 300 is connected to a mobile PC 200. When decrypting encrypted data, the mobile PC 200 acquires first current place data indicating a current place of the portable phone 300 from the portable phone 300, and transmits the acquired first current place data to an authentication station server 400. The authentication station server 400 receives second current place data of the portable phone 300 by communicating with the portable phone 300 which should be connected to the mobile PC 200. Then, when the first current place data and the second current place data match each other, the authentication station server 400 transmits decryption key data to the mobile PC 200. The mobile PC 200 receives the decryption key data from the authentication station server 400, and decrypts the encrypted data by using the received decryption key data.

Description

  The present invention relates to, for example, an authentication system for authenticating access to a file based on position information, an authentication method for an authentication system, an information processing apparatus, an information processing program, an authentication apparatus, an authentication program, a positioning apparatus, and a positioning program. It is.

For example, when new product information before announcement is distributed to overseas bases via the website, the new product information is encrypted so that it cannot be easily referred to even if the new product information leaks outside the company. .
However, if the product information and password are leaked at the same time, it can be easily referenced.

Patent Document 1 discloses a mechanism for returning a decryption key when position information acquired from an information reference destination matches position information registered in a certificate authority.
However, since the position information is simply a value indicating longitude and latitude, there is a possibility that the position information is easily forged.

Japanese Patent Laid-Open No. 2007-241907

  An object of the present invention is to make it possible to deny position information forged in, for example, authentication processing based on position information.

The authentication system of the present invention includes an information processing device and an authentication device.
The information processing device is connected to a specific positioning device that measures the current location.
The information processing apparatus includes:
A processing device storage unit that stores an application program and encrypted data obtained by encrypting application data used in the application program;
An application execution unit for executing the application program;
When the application execution unit uses the application data, the application execution unit acquires first current location data representing the current location from the specific positioning device, and transmits authentication request data including the acquired first current location data to the authentication device. And an authentication requesting unit for receiving decryption key data used for decrypting the encrypted data from the authentication device.
The application execution unit decrypts the encrypted data using the decryption key data received by the authentication request unit, and executes the application program using application data obtained by decryption.
The authentication device
An authentication device storage unit that stores the decryption key data and permission area data representing a permission area that permits the use of the application data;
An authentication request receiver for receiving the authentication request data from the information processing apparatus;
When the authentication request receiving unit receives the authentication request data, the current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. A current location determination unit for determining whether or not the vehicle is located;
When the authentication request receiving unit receives the authentication request data, a permission area determination unit that determines whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
The current location determination unit determines that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and the permitted region determination unit places the first current location in the permitted region. An authentication response unit that transmits authentication response data including decryption key data stored in the authentication device storage unit to the information processing device when it is determined that the current location represented by the data is included.

The information processing apparatus includes:
A positioning password generating unit that generates a positioning password to be output to the specific positioning device, displays the generated positioning password, and outputs the positioning password to the specific positioning device.
The specific positioning device is:
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password matches the regular password, the current location data output unit outputs the current location data generated by the positioning unit to the information processing apparatus as the first current location data With.

The information processing apparatus includes:
A positioning password generating unit for generating a positioning password to be output to the predetermined positioning device when connected to the predetermined positioning device, displaying the generated positioning password and outputting the generated positioning password to the predetermined positioning device; Prepare.
The authentication device communicates with the predetermined positioning device as the current location providing device.
The predetermined positioning device is:
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
A current location data transmission unit for transmitting the current location data generated by the positioning unit to the authentication device as the second current location data when the positioning password determination unit determines that the input password and the regular password match. Is provided.

In the authentication method of the authentication system of the present invention,
The authentication system includes an information processing device and an authentication device.
The information processing device is connected to a specific positioning device that measures the current location.
The information processing apparatus includes:
Storing an application program and encrypted data obtained by encrypting application data used in the application program;
When using the application data, first current location data representing the current location is acquired from the specific positioning device, authentication request data including the acquired first current location data is transmitted to the authentication device, and the authentication device Receiving decryption key data used to decrypt the encrypted data;
The encrypted data is decrypted using the received decryption key data, and the application program is executed using the application data obtained by decryption.
The authentication device
Storing the decryption key data and permission area data representing a permission area permitting use of the application data;
Receiving the authentication request data from the information processing apparatus;
The current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, and is included in the acquired second current location data and the authentication request data Determining whether or not the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data based on the first current location data;
Determining whether or not the current location represented by the first current location data is included in the permitted region represented by the permitted region data;
When it is determined that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and it is determined that the current location represented by the first current location data is included in the permitted area The authentication response data including the decryption key data is transmitted to the information processing apparatus.

The information processing apparatus of the present invention connects a specific positioning device that measures the current location.
The information processing apparatus includes:
A processing device storage unit that stores an application program and encrypted data obtained by encrypting application data used in the application program;
An application execution unit for executing the application program;
When the application execution unit uses the application data, the application execution unit acquires first current location data representing the current location from the specific positioning device, and transmits authentication request data including the acquired first current location data to a predetermined authentication device. And an authentication requesting unit that receives decryption key data used for decrypting the encrypted data from the authentication device.
The application execution unit decrypts the encrypted data using the decryption key data received by the authentication request unit, and executes the application program using application data obtained by decryption.

In the information processing program of the information processing apparatus of the present invention,
The information processing apparatus includes a processing device storage unit that connects a specific positioning device that measures the current location, and stores an application program and encrypted data obtained by encrypting application data used in the application program.
The information processing program includes:
An application execution process for executing the application program;
When the application data is used in the application execution process, first current location data representing the current location is acquired from the specific positioning device, and authentication request data including the acquired first current location data is transmitted to a predetermined authentication device. And causing the information processing apparatus to execute authentication request processing for receiving decryption key data used for decrypting the encrypted data from the authentication apparatus.
The application execution process is a process of executing the application program using application data obtained by decrypting the encrypted data using the decryption key data received by the authentication request unit.

The authentication device of the present invention is
An authentication device storage unit that stores decryption key data used for decryption of application data, and permission area data that represents a permission area permitted to use the application data;
Authentication request reception for receiving authentication request data including first current location data representing the current location of the information processing device, which is authentication request data transmitted from an information processing device storing encrypted data obtained by encrypting the application data And
When the authentication request receiving unit receives the authentication request data, the current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. A current location determination unit for determining whether or not the vehicle is located;
When the authentication request receiving unit receives the authentication request data, a permission area determination unit that determines whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
The current location determination unit determines that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and the permitted region determination unit places the first current location in the permitted region. An authentication response unit that transmits authentication response data including decryption key data stored in the authentication device storage unit to the information processing device when it is determined that the current location represented by the data is included.

In the authentication program of the authentication device of the present invention,
The authentication device includes an authentication device storage unit that stores decryption key data used for decryption of application data and permission area data representing a permission area that permits use of the application data.
The authentication program is:
Authentication request reception for receiving authentication request data including first current location data representing the current location of the information processing device, which is authentication request data transmitted from an information processing device storing encrypted data obtained by encrypting the application data Processing,
When the authentication request data is received in the authentication request reception process, the current location data of the predetermined positioning device is acquired as second current location data from the current location providing device that provides the current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. Current location determination processing for determining whether or not it is located;
When the authentication request data is received in the authentication request reception process, a permission area determination process for determining whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
It is determined that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data in the current location determination processing, and the first current location is placed in the permitted region in the permitted region determination processing. If it is determined that the current location represented by the data is included, the authentication apparatus is caused to execute an authentication response process for transmitting authentication response data including decryption key data stored in the authentication apparatus storage unit to the information processing apparatus.

The positioning device of the present invention is connected to an information processing device that outputs a positioning password.
The positioning device is
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit that displays a password input screen for inputting the positioning password, and inputs the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password matches the regular password, the current location data output unit outputs the current location data generated by the positioning unit to the information processing apparatus as the first current location data With.

The positioning device of the present invention is an information processing device that uses application data and is connected to an information processing device that outputs a positioning password.
The positioning device is
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password and the regular password match, the first current location data indicating the current location of the information processing device and the second current location data indicating the current location of the positioning device are obtained. An authentication device that determines whether to permit use of the application data by comparison includes a current location data transmission unit that transmits the current location data generated by the positioning unit to the authentication device as the second current location data. .

In the positioning program of the positioning device of the present invention,
The positioning device is connected to an information processing device that outputs a positioning password.
The positioning program is
Positioning processing to measure the current location and generate current location data representing the current location,
A regular password input process for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input process for displaying the password input screen for inputting the positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination process for determining whether or not the input password input in the input password input process matches the regular password input in the regular password input process;
A current location data output process for outputting the current location data generated by the positioning process to the information processing device as the first current location data when the positioning password determination processing determines that the input password and the regular password match. The positioning device is executed.

In the positioning program of the positioning device of the present invention,
The positioning device is an information processing device that uses application data and is connected to an information processing device that outputs a positioning password.
The positioning program is
Positioning processing to measure the current location and generate current location data representing the current location,
A regular password input process for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input process for displaying a password input screen for inputting a positioning password and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination process for determining whether or not the input password input in the input password input process matches the regular password input in the regular password input process;
When it is determined in the positioning password determination process that the input password matches the regular password, the first current position data indicating the current position of the information processing apparatus is compared with the second current position data indicating the current position of the positioning apparatus. Then, the positioning device is caused to execute current location data transmission processing for transmitting the current location data generated by the positioning processing as the second current location data to an authentication device that determines whether to permit use of the application data.

  According to the present invention, for example, the authentication device acquires location information (second current location data) from a predetermined positioning device, and compares the location information (first current location data) transmitted from the information processing device. When the position information transmitted from the information processing device is forged, the position information can be denied.

1 is a schematic diagram of a location authentication system 100 according to Embodiment 1. FIG. 2 is a functional configuration diagram of a mobile PC 200 and a mobile phone 300 according to Embodiment 1. FIG. 2 is a functional configuration diagram of a certificate authority server 400 according to Embodiment 1. FIG. 3 is a flowchart showing an information processing method of mobile PC 200 in the first embodiment. 3 is a flowchart showing a positioning determination method of mobile phone 300 in the first embodiment. 4 is a flowchart showing an authentication method of the certificate authority server 400 in the first embodiment. FIG. 5 shows a table stored in a certificate authority storage unit 490 in the first embodiment. FIG. 5 shows a table stored in a certificate authority storage unit 490 in the first embodiment. FIG. 3 is a diagram illustrating an example of hardware resources of the location authentication system 100 according to the first embodiment. 10 is a flowchart showing an information processing method of mobile PC 200 in the second embodiment. 9 is a flowchart showing a positioning determination method of mobile phone 300 in the second embodiment. FIG. 9 is a functional configuration diagram of a registration terminal 500 in a third embodiment. 10 is a flowchart illustrating a file registration method according to the third embodiment.

Embodiment 1 FIG.
A position authentication system that permits the use of specific data by a computer when the computer is located within a predetermined area will be described.

FIG. 1 is a schematic diagram of a location authentication system 100 according to the first embodiment.
An overview of the position authentication system 100 according to the first embodiment will be described with reference to FIG.

  First, the outline of the configuration of the position authentication system 100 will be described.

  The location authentication system 100 (an example of an authentication system) includes a mobile PC 200 (an example of an information processing device), a mobile phone 300 (an example of a positioning device and a current location providing device), a certificate authority server 400 (an example of an authentication device), and a Web server 110. , A registration terminal 500, a base station device 120 (an example of a current location providing device), a carrier server 130 (an example of a current location providing device), and a relay station device 140.

  The mobile phone 300 is connected to a mobile PC 200 (personal computer).

The mobile phone 300 is connected to the mobile phone network 102 (an example of a communication network).
The mobile phone 300 is connected to the mobile phone network 102 from the base station device 120, and is connected to the Internet 101 (an example of a communication network) from the mobile phone network 102 via the relay station device 140.
Base station apparatus 120 is generally called a base station and connects mobile phone 300 to mobile phone network 102. The relay station device 140 is generally called a relay station, and relays communication between the mobile phone network 102 and the Internet 101.
The carrier server 130 is a server device of a mobile phone company (carrier) and provides services such as a location search service that provides the current location of the mobile phone 300.

The mobile PC 200 connects to the Internet 101 using a mobile phone 300 or a wireless LAN card (an example of a communication device) (not shown).
The certificate authority server 400, the Web server 110, and the registration terminal 500 are connected to the Internet 101.

The registration terminal 500 registers encrypted data obtained by encrypting application data (application data) in the Web server 110 via the Internet 101, and uses the Internet 101 for decryption key data used for decrypting the encrypted data. 400 is a device to be registered.
The Web server 110 is an apparatus that provides encrypted data via the Internet 101.
The mobile PC 200 acquires encrypted data from the Web server 110 via the Internet 101.

  Next, an outline of an authentication method in which the mobile PC 200 receives authentication from the certificate authority server 400 in order to use encrypted data will be described.

(1) The mobile PC 200 acquires current location data from the mobile phone 300.
(2) The mobile PC 200 transmits an authentication request including the current location data to the certificate authority server 400 via the Internet 101.
(3) When receiving the authentication request, the certificate authority server 400 communicates with the mobile phone 300 (or carrier server 130) registered in advance via the mobile phone network 102 (or the Internet 101), and the mobile phone 300 (or The present location data is received from the carrier server 130).
(4) The certificate authority server 400 compares the current location data received from the mobile PC 200 with the current location data received from the mobile phone 300 (or the carrier server 130).
(5) The certificate authority server 400 decrypts the decryption key data via the Internet 101 when the compared two current location data match (or approximate) and the current location represented by the current location data is located in the pre-registered permission area. Is sent to the mobile PC 200.
(6) The mobile PC 200 receives the authentication response, decrypts the encrypted data using the decryption key data included in the received authentication response, and executes the application program using the application data obtained by the decryption. .

As described in (3) and (4) above, the current location data notified from the mobile PC 200 to the certificate authority server 400 is compared with the current location data acquired by the certificate authority server 400 from the mobile phone 300 (or the carrier server 130).
For this reason, if the user is not a legitimate user who possesses the mobile phone 300 registered in advance, the certificate authority server 400 cannot receive authentication.
That is, even if an unauthorized user impersonating a legitimate user forges current location data representing the current location in the permitted area and requests authentication from the mobile PC 200 to the certification authority server 400, the certification authority server 400 cannot receive authentication. . This is because the mobile phone 300 does not exist at the current location represented by the forged current location data.

  Details of the position authentication system 100 will be described below.

FIG. 2 is a functional configuration diagram of mobile PC 200 and mobile phone 300 in the first embodiment.
Functional configurations of mobile PC 200 and mobile phone 300 in Embodiment 1 will be described with reference to FIG.

  The mobile PC 200 and the mobile phone 300 are connected using a USB cable 109 (an example of a communication cable).

  The mobile PC 200 (an example of an information processing apparatus) includes a login unit 210, a registration data acquisition unit 220, an application execution unit 230, an authentication request unit 240, a positioning password generation unit 250, and a PC storage unit 290.

The login unit 210 executes the following login process.
The login unit 210 compares the login password input by the user with the user password set in the account data 291 and authenticates the user who uses the mobile PC 200.

The registration data acquisition unit 220 executes the following registration data acquisition process.
The registration data acquisition unit 220 acquires a registration file 292 including encrypted data from the Web server 110.

The application execution unit 230 executes the following application execution process.
The application execution unit 230 decrypts the encrypted data included in the registration file 292 using the decryption key data that the authentication request unit 240 acquires from the certificate authority server 400.
Then, the application execution unit 230 executes the application program (application 293) using the application data obtained by decryption.

The authentication request unit 240 executes the following authentication request process.
When the application execution unit 230 uses application data, the authentication request unit 240 acquires first current location data representing the current location from the mobile phone 300 (an example of a specific positioning device) connected to the mobile PC 200.
Then, the authentication request unit 240 transmits the authentication request data including the acquired first current location data to the certificate authority server 400 and receives the decryption key data used for decrypting the encrypted data from the certificate authority server 400.

The positioning password generation unit 250 executes the following positioning password generation processing.
The positioning password generator 250 generates a positioning password to be output to the mobile phone 300, displays the generated positioning password, and outputs the positioning password to the mobile phone 300.

The PC storage unit 290 (an example of a processing device storage unit) stores data used by the mobile PC 200.
Account data 291, registration file 292, and application 293 are examples of data stored in PC storage unit 290.

The account data 291 is data in which a user ID (identifier) of a legitimate user permitted to use the mobile PC 200 is associated with a user password.
The registration file 292 is data acquired from the Web server 110. The registration file 292 includes a registration file ID for identifying the registration file and encrypted data obtained by encrypting the application data.
The application 293 is an application program that uses application data.

  The mobile phone 300 (an example of a positioning device or a current location providing device) includes a mobile communication unit 310, a positioning unit 320, a positioning determination unit 330, and a mobile storage unit 390.

The mobile communication unit 310 (an example of the current location data transmission unit) performs communication via the mobile phone network 102.
For example, the mobile communication unit 310 transmits second current location data representing the current location measured by the positioning unit 320 to the certificate authority server 400 via the mobile phone network 102 (current location data transmission process).

The positioning unit 320 executes the following positioning process.
The positioning unit 320 measures the current location, and generates current location data representing the current location that has been measured.

The positioning determination unit 330 (an example of a regular password input unit, an input password input unit, a positioning password determination unit, and a current location data output unit) inputs a positioning password output from the mobile PC 200 as a regular password (regular password input process).
The positioning determination unit 330 displays a password input screen for inputting a positioning password, and inputs the positioning password designated on the password input screen as an input password (input password input processing).
The positioning determination unit 330 determines whether or not the inputted input password matches the regular password (positioning determination process).
If the positioning determination unit 330 determines that the input password matches the regular password, the positioning determination unit 330 outputs the current location data generated by the positioning unit 320 to the mobile PC 200 as first current location data (positioning determination processing).

Mobile storage unit 390 (an example of a positioning device storage unit) stores data used by mobile phone 300.
The current location data generated by the positioning unit 320 is an example of data stored in the portable storage unit 390.

FIG. 3 is a functional configuration diagram of the certificate authority server 400 according to the first embodiment.
The functional configuration of the certificate authority server 400 in the first embodiment will be described with reference to FIG.

  The certificate authority server 400 (an example of an authentication device) includes an authentication communication unit 410, a user determination unit 420, a current location determination unit 430, a permitted region determination unit 440, an authentication response unit 450, an authentication data registration unit 460, and a certificate authority storage unit 490. Prepare.

An authentication communication unit 410 (an example of an authentication request reception unit) performs communication via the Internet 101 or the mobile phone network 102.
For example, the authentication communication unit 410 receives authentication request data from the mobile PC 200 via the Internet 101 (authentication request receiving process).

The user determination unit 420 performs the following user determination process.
When the authentication communication unit 410 receives the authentication request data, the user determination unit 420 determines whether or not the user ID (identifier) included in the authentication request data matches the user ID preset in the target user table 494. judge.

The current location determination unit 430 performs the following current location determination processing.
When the authentication communication unit 410 receives the authentication request data, the current location determination unit 430 receives the mobile phone 300 (an example of a predetermined positioning device) or the carrier server 130 (an example of the current location providing device) preset in the target mobile table 493. To obtain the second current location data representing the current location of the mobile phone 300.
Then, the current location determination unit 430 determines that the current location represented by the first current location data is the current location represented by the second current location data based on the acquired second current location data and the first current location data included in the authentication request data. To determine whether or not it is within a predetermined allowable range.

The permission area determination unit 440 performs the following permission area determination processing.
When the authentication communication unit 410 receives the authentication request data, the permission area determination unit 440 determines whether or not the permission area represented by the permission area table 496 (an example of permission area data) includes the current position represented by the first current position data. Determine.

The authentication response unit 450 performs the following authentication response processing.
The authentication response unit 450 is determined by the user determination unit 420 that the user IDs match, and the current location determination unit 430 determines that the current location represented by the first current location data is within an allowable range from the current location represented by the second current location data. When the permitted area determination unit 440 determines that the current position represented by the first current position data is included in the permitted area, the authentication response data including the decryption key data is transmitted to the mobile PC 200.

The authentication data registration unit 460 performs the following authentication data registration process.
When the authentication data registration unit 460 receives a registration request from the registration terminal 500, the authentication data registration unit 460 sets each table stored in the certificate authority storage unit 490 based on the registration request.

The certificate authority storage unit 490 (an example of an authentication device storage unit) stores data used by the certificate authority server 400.
The registration file table 491, the authority table 492, the target mobile table 493, the target user table 494, the mobile phone table 495, and the permitted area table 496 are examples of data stored in the certificate authority storage unit 490.

The registered file table 491 is data in which a registered file ID and decryption key data are associated with each other.
The authority table 492 is data in which a registered file ID, an identifier of a permitted area that permits use of application data included in the registered file (permitted area ID), and a method of using application data (reading and writing) are associated with each other. is there.
The target mobile table 493 is data in which the registration file ID is associated with the identifier (mobile phone ID) of the mobile phone 300 to be connected to the mobile PC 200 that uses the application data included in the registration file.
The target user table 494 is data in which a registered file ID and an identifier (user ID) of a user who uses the mobile PC 200 are associated with each other.
The mobile phone table 495 is data in which the mobile phone ID, the phone number, and the address of the carrier server 130 are associated with each other.
The permitted area table 496 is data in which the permitted area ID is associated with coordinate values that specify the permitted area.

FIG. 4 is a flowchart showing an information processing method of mobile PC 200 in the first embodiment.
A processing flow of the information processing method of the mobile PC 200 will be described with reference to FIG.

  First, an outline of an information processing method of the mobile PC 200 will be described.

  The login unit 210 inputs a login password (login PW) (S110), and determines whether the login password is correct (S111).

  If the login password is correct, the registration data acquisition unit 220 acquires the registration file 292 from the Web server 110 (S120), and the application execution unit 230 starts executing the application 293 (S130).

When the encrypted application data is used by the application 293, the authentication request unit 240 requests the current location data from the mobile phone 300 (S140).
At this time, the positioning password generator 250 outputs the positioning password to the mobile phone 300 (S141).

  In the mobile phone 300, the input of the positioning password is requested, and the input positioning password is compared with the positioning password output from the positioning password generation unit 250. When the two positioning passwords match, the current location data is output from the mobile phone 300.

  The authentication request unit 240 inputs the current location data output from the mobile phone 300 (S142), and transmits authentication request data including the input current location data to the certificate authority server 400 (S150).

  The certificate authority server 400 performs an authentication process based on the current location data included in the authentication request data. If the authentication result is “permitted”, authentication response data including decryption key data is transmitted from the certificate authority server 400.

  The authentication request unit 240 receives the authentication response data from the certificate authority server 400 (S151).

  When the authentication result is “permitted”, the application execution unit 230 decrypts the encrypted data included in the registration file 292 using the decryption key data included in the authentication response data, and the application data obtained by decrypting the encrypted data. The application 293 is executed using it (S160).

  Next, details of the information processing method of the mobile PC 200 will be described.

In S110, the login unit 210 displays a login screen on a display (display unit, display device).
The user designates a login ID and a login password on the login screen using an input device such as a keyboard and a mouse.
The login unit 210 inputs the login ID and login password specified on the login screen from the input device.
It progresses to S111 after S110.

In S111, the login unit 210 refers to the account data 291 and searches for a combination of a user ID and a user password that matches the combination of the login ID and the login password.
If there is a combination of the user ID and the user password that matches the combination of the login ID and the login password, that is, if the login password is correct, the process proceeds to S120.
If there is no combination of the user ID and the user password that matches the combination of the login ID and the login password, that is, if the login password is not correct, the processing of the information processing method ends.

  In S120, the registration data acquisition unit 220 downloads the registration file 292 from the Web server 110 (Web site) via the Internet 101 as follows.

The registration data acquisition unit 220 connects communication with the Web server 110 via the Internet 101.
The Web server 110 includes a storage unit (storage device) that stores a plurality of registered files 292 identified by registered file IDs (for example, file names) in advance, and a registered file list (Web page) that lists registered file IDs. Is transmitted to the mobile PC 200.
The registration data acquisition unit 220 displays a registration file selection screen (Web screen) including a registration file list on the display.
The user designates the registration file ID on the registration file selection screen using the input device.
The registration data acquisition unit 220 inputs the registration file ID designated on the registration file selection screen from the input device.
The registration data acquisition unit 220 generates registration file request data including the input registration file ID, and transmits the generated registration file request data to the Web server 110.
The Web server 110 acquires the registration file 292 identified by the registration file ID included in the registration file request data from the storage unit, and transmits the acquired registration file 292 to the registration data acquisition unit 220.
The registration data acquisition unit 220 receives the registration file 292 from the Web server 110 and stores the received registration file 292 in the PC storage unit 290.

  The registration file 292 includes a registration file ID and encrypted data obtained by encrypting application data. The application 293 may be included in the registration file 292.

  Further, the registration data acquisition unit 220 may receive the registration file 292 as an email attachment file.

  It progresses to S130 after S120.

In S130, the user designates a registration file ID using the input device, and the application execution unit 230 activates a predetermined application 293 that uses application data of the registration file 292 identified by the designated registration file ID.
For example, the application execution unit 230 activates word processing software (word processor) when a registration file including encrypted data obtained by encrypting word processing data is designated.
However, in order to use application data, it is necessary to decrypt the encrypted data in the registration file 292.
It progresses to S140 after S130.

In S140, the application execution unit 230 calls the authentication request unit 240 to decrypt the encrypted data in the registration file 292.
The authentication request unit 240 connects communication with the mobile phone 300 via the USB cable 109.
Authentication request unit 240 generates current location request data for requesting current location data, and outputs the generated current location request data to mobile phone 300.
It progresses to S141 after S140.

In S141, when the present location request data is input, the mobile phone 300 generates positioning password request data for requesting a positioning password, and outputs the generated positioning password request data to the mobile PC 200.
The authentication request unit 240 calls the positioning password generation unit 250 when the positioning password request data is input.
When called from the authentication requesting unit 240, the positioning password generation unit 250 executes a predetermined password generation program that generates a one-time password, and generates a one-time password as a new positioning password.
Authentication request unit 240 outputs the positioning password generated by positioning password generation unit 250 to mobile phone 300.
The authentication request unit 240 further displays the positioning password on the display.
It progresses to S142 after S141.

In S142, the mobile phone 300 inputs the positioning password output from the mobile PC 200 as a regular password.
The mobile phone 300 displays a positioning password input screen for inputting a positioning password on the display, and compares the input password input on the positioning password input screen with the regular password input from the mobile PC 200.
When the input password matches the regular password, the mobile phone 300 outputs current location response data including current location data representing the current location to the mobile PC 200. If the input password and the regular password do not match, the mobile phone 300 outputs current location response data including error data to the mobile PC 200.
Authentication request unit 240 receives current location response data from mobile phone 300.
If the current position response data includes the current position data, the process proceeds to S150.
If the current location response data includes error data, the application execution unit 230 displays an error message on the display and stops the application 293, and the processing of the information processing method of the mobile PC 200 ends (not shown).

In S150, the authentication request unit 240 generates authentication request data and transmits the generated authentication request data to the certificate authority server 400 via the Internet 101.
The authentication request data is data including a login ID, a login password, a registered file ID, current location data, and a mobile phone ID.
The mobile phone ID is identification data for identifying the mobile phone 300 connected to the mobile PC 200. The mobile PC 200 acquires the mobile phone ID from the mobile phone 300 when the mobile phone 300 is connected or when the authentication request unit 240 connects communication with the mobile phone 300 (S140).
After S150, the process proceeds to S151.

In S151, when the certificate authority server 400 receives the authentication request data, the certificate authority server 400 performs an authentication process based on the authentication request data.
When the authentication result is “permission (authorization)”, the certificate authority server 400 transmits authentication response data including the authentication result “permission”, the decryption key data, and the authority information to the mobile PC 200. When the authentication result is “not permitted (denied)”, the certificate authority server 400 transmits authentication response data including the authentication result “not permitted” to the mobile PC 200.
The authentication request unit 240 receives the authentication response data transmitted from the certificate authority server 400 via the Internet 101.
It progresses to S152 after S151.

In S152, the authentication request unit 240 determines whether the authentication result included in the authentication response data is “permitted” or “not permitted”.
If the authentication result is “permitted”, the process proceeds to S160.
When the authentication result is “not permitted”, the application execution unit 230 displays an error message on the display and stops the application 293, and the processing of the information processing method of the mobile PC 200 ends.

In S160, the authentication request unit 240 outputs the decryption key data and the authority information included in the authentication response data to the application execution unit 230.
The application execution unit 230 decrypts the encrypted file included in the registration file 292 using the decryption key data output from the authentication request unit 240. Application data is obtained by decrypting the encrypted file.
The application execution unit 230 executes the application 293 using application data obtained by decrypting the encrypted file. However, the application execution unit 230 uses the application data according to the authority information output from the authentication request unit 240.
For example, when “write” is not included in the authority information, the application execution unit 230 displays the application data but does not edit the application data.
By S160, the process of the information processing method of the mobile PC 200 ends.

FIG. 5 is a flowchart showing a positioning determination method of mobile phone 300 in the first embodiment.
A processing flow of the positioning determination method of the mobile phone 300 will be described with reference to FIG.

  First, an outline of the positioning determination method of the mobile phone 300 will be described.

  When current location request data for requesting current location data is input from the mobile PC 200, the mobile phone 300 operates as follows.

  The positioning determination unit 330 requests a positioning password from the mobile PC 200 (S210), and inputs the positioning password output from the mobile PC 200 as a regular password (S211).

  The positioning determination unit 330 displays a positioning password input screen for inputting a positioning password (S220), and inputs the positioning password specified on the positioning password input screen as an input password (S221).

  The positioning determination unit 330 compares the input password with the regular password (S222).

If the input password matches the regular password, the positioning unit 320 measures the current location (S230), and the positioning determination unit 330 outputs the current location data representing the current location to the mobile PC 200 (S231).
If the input password and the regular password do not match, the positioning determination unit 330 outputs error data to the mobile PC 200 (S232).

  Next, details of the positioning determination method of the mobile phone 300 will be described.

  When the mobile PC 200 outputs current location request data requesting current location data to the mobile phone 300, the mobile phone 300 operates as follows.

In S210, the positioning determination unit 330 receives the current location request data, generates positioning password request data for requesting a positioning password from the mobile PC 200, and outputs the generated positioning password request data to the mobile PC 200.
It progresses to S211 after S210.

In S211, the mobile PC 200 generates a positioning password and outputs the generated positioning password to the mobile phone 300. Furthermore, the mobile PC 200 displays the positioning password on the display.
The positioning determination unit 330 inputs the positioning password output from the mobile PC 200 as a regular password.
After S211, the process proceeds to S220.

In S220, the positioning determination unit 330 displays a positioning password input screen for inputting a positioning password on a display (display unit, display device).
It progresses to S221 after S220.

In step S <b> 221, the user operates an input device (such as a numeric keypad or a cross key) of the mobile phone 300 and designates the positioning password displayed on the mobile PC 200 on the positioning password input screen of the mobile phone 300.
The positioning determination unit 330 inputs the positioning password specified on the positioning password input screen from the input device as an input password.
It progresses to S222 after S221.

In S222, the positioning determination unit 330 compares the input password with the regular password.
If the input password matches the regular password (YES), the process proceeds to S230.
If the input password does not match the regular password (NO), the process proceeds to S232.

In S230, the positioning unit 320 performs GPS (Global Positioning).
The current location is measured by the (System) function, and current location data representing the measured current location is generated.
It progresses to S231 after S230.

In S231, the positioning determination unit 330 generates current location response data including the current location data generated by the positioning unit 320, and outputs the generated current location response data to the mobile PC 200.
By S231, the processing of the positioning determination method of the mobile phone 300 ends.

In S232, the positioning determination unit 330 generates current location response data including error data, and outputs the generated current location response data to the mobile PC 200.
By S232, the processing of the positioning determination method of the mobile phone 300 ends.

According to the positioning determination method of the mobile phone 300 described above, it is guaranteed that the mobile phone 300 exists near the mobile PC 200.
This is because if the mobile phone 300 is not near the mobile PC 200, the user cannot confirm the positioning password displayed on the mobile PC 200 and cannot input the positioning password to the mobile phone 300.

Furthermore, it is guaranteed that the mobile phone 300 and the mobile PC 200 are connected.
This is because the mobile phone 300 cannot acquire the regular password from the mobile PC 200 unless the mobile phone 300 is connected to the mobile PC 200.

That is, if the mobile phone 300 exists near the mobile PC 200 and the mobile phone 300 and the mobile PC 200 are not connected, the mobile PC 200 cannot acquire current location data from the mobile phone 300.
Thereby, the use of the registration file 292 (application data) by an unauthorized user who does not have the registered mobile phone 300 can be prevented.

FIG. 6 is a flowchart showing an authentication method of certificate authority server 400 in the first embodiment.
The processing flow of the authentication method of the certificate authority server 400 will be described with reference to FIG.

  First, an outline of the authentication method of the certificate authority server 400 will be described.

  The authentication communication unit 410 receives authentication request data including the first current location data from the mobile PC 200 (S310).

  The user determination unit 420 authenticates the user based on the target user table 494 (S320).

  If the user is a valid user (S321), the current location determination unit 430 acquires second current location data from the mobile phone 300 (S330).

  When the current location represented by the first current location data matches the current location represented by the second current location data (S331 “YES”), the permitted region determination unit 440 obtains the permitted region data from the permitted region table 496 (S340). .

When the current location of the first current location data is included in the permitted region of the permitted region data (S341), the authentication response unit 450 transmits authentication response data indicating authentication permission to the mobile PC 200 (S351).
When the current location of the first current location data is not included in the permitted region of the permitted region data (S341), the authentication response unit 450 transmits authentication response data indicating that authentication is not permitted to the mobile PC 200 (S352).

  Next, details of the authentication method for the certificate authority server 400 will be described.

In S310, the authentication communication unit 410 receives the authentication request data transmitted from the mobile PC 200 via the Internet 101.
The authentication request data is data including a mobile phone ID, a login ID, a login password, a registration file ID, and current location data (see S150 in FIG. 4).
Hereinafter, the current location data included in the authentication request data is referred to as “first current location data”.
It progresses to S320 after S310.

  In S320, the user determination unit 420 authenticates the user based on the login ID and the login password included in the authentication request data.

7 and 8 are diagrams illustrating tables stored in the certificate authority storage unit 490 according to the first embodiment.
A table stored in the certificate authority storage unit 490 will be described with reference to FIGS.

  As illustrated in FIG. 7, the certificate authority storage unit 490 stores a registration file table 491, an authority table 492, a target mobile table 493, and a target user table 494.

  The registered file table 491 is data in which a registered file ID, decryption key data, an authority table ID, a target mobile table ID, and a target user table ID are associated with each other.

The registration file ID is identification data for identifying the registration file 292.
The decryption key data is data used for decrypting the encrypted data included in the registration file 292.
The authority table ID is identification data for identifying the authority table 492.
The target mobile table ID is identification data for identifying the target mobile table 493.
The target user table ID is identification data for identifying the target user table 494.

  For example, the encrypted data included in the registration file 292 identified by “FILE_0001” is decrypted using decryption key data having a value of “KEY_0001” (or decryption key data identified by “KEY_0001”).

  The authority table 492 is data in which the permitted area table ID is associated with the authority information.

The permitted area table ID is identification data for identifying the permitted area table 496 (see FIG. 8).
The authority information is data that restricts how to use the application data. “Read” and “write” are examples of authority information.

  For example, the application data of the registration file 292 identified by “FILE — 0001” is used exclusively for “reading” within the permission area defined in the permission area table 496 identified by “POS — 0001”. The application data of the registration file 292 identified by “FILE_0001” is permitted to “read” and “write” within the permitted area defined in the permitted area table 496 identified by “POS_0002”.

  The target mobile table 493 is data indicating a plurality of mobile phone IDs for identifying the mobile phone 300.

  For example, when using the application data of the registration file 292 identified by “FILE_0001”, it is necessary to connect the mobile phone 300 identified by “PHONE_0001”, “PHONE_0002” or other predetermined mobile phone ID to the mobile PC 200. is there.

  The target user table 494 is data in which a user ID and a user password are associated with each other.

  For example, the application data of the registration file 292 identified by “FILE_0001” includes a user identified by “USER_0001” and “PASS_0001”, a user identified by “USER_0002” and “PASS_0002”, or other predetermined user ID and user password. Used by the user identified by

The target mobile table 493 may be data in which a personal computer ID for identifying the mobile PC 200 and a mobile phone ID are associated with each other. The personal computer ID is an ID for uniquely identifying a personal computer registered in the system.
In this case, the authentication request data includes a personal computer ID instead of the mobile phone ID. The mobile PC 200 needs to be connected with a mobile phone 300 identified by a mobile phone ID corresponding to the personal computer ID.

  As shown in FIG. 8, the certificate authority storage unit 490 further stores a mobile phone table 495 and a permitted area table 496.

  The mobile phone table 495 is data in which a mobile phone ID, a phone number, and a carrier server address are associated with each other.

  The carrier server address is data indicating the IP address of the telephone company server device (carrier server 130).

  For example, the telephone number of the mobile phone 300 identified by “PHONE_0001” is “TEL # _0001”, and the IP address of the server device of the telephone company of the mobile phone 300 is “IP_0001”.

  The permitted area table 496 is data in which a type, a name, and a range are associated with each other.

The type is information indicating the type of permitted area, such as “building”, “station”, and “train”.
The name is information indicating the name of the permitted area, such as “xxx square”, “xxx station”, “Nozomi xxx”.
The range is information (coordinate values or longitude, latitude) representing the range of the permitted area, such as the inside of a building, a station, or a train route.

  Returning to FIG. 6, the description of S320 will be continued.

The user determination unit 420 authenticates the user as follows.
The user determination unit 420 acquires the target user table ID corresponding to the registration file ID included in the authentication request data from the registration file table 491 (see FIG. 7).
The authentication request unit 240 refers to the target user table 494 (see FIG. 7) identified by the acquired target user table ID, and matches the login ID and login password included in the authentication request data with the user ID and user password. Search for combinations with.
It progresses to S321 after S320.

In step S321, the user determination unit 420 determines whether there is a combination of a user ID and a user password that matches the combination of the login ID and the login password.
If there is a combination of the user ID and the user password that matches the combination of the login ID and the login password, that is, if the user using the mobile PC 200 is a valid user, the process proceeds to S330.
If the combination of the user ID and the user password that matches the combination of the login ID and the login password does not exist, that is, if the user using the mobile PC 200 is an unauthorized user, the process proceeds to S352.

  In S330, the current location determination unit 430 acquires current location data from the mobile phone 300 as follows.

The current location determination unit 430 acquires the target mobile table ID corresponding to the registration file ID included in the authentication request data from the registration file table 491 (see FIG. 7).
The current location determination unit 430 refers to the target mobile table 493 (see FIG. 7) identified by the acquired target mobile table ID, and searches for the mobile phone ID included in the authentication request data.
If the mobile phone ID included in the authentication request data is not set in the target mobile table 493, the process proceeds to S352 (not shown).
When the mobile phone ID included in the authentication request data is set in the target mobile phone table 493, the current location determination unit 430 acquires the phone number corresponding to the mobile phone ID from the mobile phone table 495 (see FIG. 8).
The current location determination unit 430 dials the acquired telephone number, calls the mobile phone 300 corresponding to the mobile phone ID, and performs voice communication with the mobile phone 300.
The mobile phone 300 or the base station apparatus 120 adds control information including current location data indicating the current location of the mobile phone 300 to the audio data. For example, the base station apparatus 120 acquires current location data from the mobile phone 300 at regular time intervals, stores the acquired current location data, and sets the most recently acquired current location data as control information for audio data.
Then, the current location determination unit 430 receives the audio data of the mobile phone 300, acquires the current location data of the mobile phone 300 from the control information added to the received audio data, and ends the call (communication) with the mobile phone 300 To do.

However, the current location determination unit 430 may acquire the current location data of the mobile phone 300 using a location search service of a mobile phone provided by a telephone company.
In this case, the current location determination unit 430 acquires the carrier server address corresponding to the mobile phone ID from the mobile phone table 495.
The current location determination unit 430 generates current location request data including the mobile phone ID, transmits the generated current location request data to the carrier server 130 using the carrier server address as a transmission destination, and the current location data of the mobile phone 300 from the carrier server 130 To get.
The carrier server 130 receives the current location request data, and detects the current location of the mobile phone 300 identified by the mobile phone ID based on the mobile phone ID included in the received current location request data. For example, the carrier server 130 communicates with the mobile phone 300 when receiving the current location request data, and acquires the current location data from the mobile phone 300. The carrier server 130 may acquire current location data from the mobile phone 300 at regular time intervals and store the acquired current location data. In addition, when the mobile phone 300 cannot perform GPS positioning (when the mobile phone 300 cannot receive a positioning signal from a GPS satellite), the carrier server 130 carries the mobile phone by triangulation using position information of each base station that has received a radio signal from the mobile phone 300. The current location of the telephone 300 is measured.
Then, the telephone company server device generates current location response data including the current location data representing the detected current location, and transmits the generated current location response data to the certificate authority server 400.

In addition, when there is an ASP (Application Service Provider) provider that uses the location search service of the telephone company to provide the current location data of the mobile phone 300, the current location determination unit 430 does not use the carrier server 130, You may acquire the present location data of the mobile telephone 300 from a server apparatus (an example of a present location provision apparatus) (illustration omitted).
In this case, the address of the ASP server (the server device of the ASP operator) is set in the mobile phone table 495 in association with the mobile phone ID, and the current location determination unit 430 uses the address to transfer the mobile phone 300 from the ASP server. Get current location data.

Hereinafter, the current location data acquired from the mobile phone 300 (or carrier server 130, ASP server) is referred to as “second current location data”.
It progresses to S331 after S330.

In S331, the current location determination unit 430 compares the first current location data included in the authentication request data with the second current location data acquired from the mobile phone 300, and presents the current location represented by the first current location data (first current location). ) Is located within a predetermined allowable range (for example, a radius of 1 m) from the current location (second current location) represented by the second current location data. However, the allowable range may be “0”, and it may be determined whether or not the first current location matches the second current location.
When the first current location is within the allowable range from the second current location (YES), the process proceeds to S340.
If the first current location is not within the allowable range from the second current location (NO), the process proceeds to S352.

  In S340, the permission area determination unit 440 acquires permission area data from the permission area table 496 as follows.

The permission area determination unit 440 acquires an authority table ID corresponding to the registration file ID included in the authentication request data from the registration file table 491 (see FIG. 7).
The permitted area determination unit 440 acquires the permitted area table ID from the authority table 492 (see FIG. 7) identified by the acquired authority table ID.
The permitted area determination unit 440 acquires a plurality of coordinate values representing the range of the permitted area from the permitted area table 496 (see FIG. 8) identified by the acquired permitted area table ID. Hereinafter, a plurality of coordinate values (or longitude and latitude) representing the range of the permitted area are referred to as permitted area data.

  When a plurality of permitted area table IDs are set in the authority table 492, the permitted area determination unit 440 acquires a plurality of permitted area table IDs from the authority table 492 as described in S341.

  It progresses to S341 after S340.

In S341, the permitted area determination unit 440 uses the first current position data within the permitted area represented by the permitted area data based on the first current position data included in the authentication request data and the permitted area data acquired in S340. It is determined whether or not the first current location represented by is included.
When the first current location is included in the range of the permitted area (within the permitted area), the process proceeds to S351.

When the first current location is not included in the range of the permitted area, the permitted area determination unit 440 determines whether or not the permission area table ID that has not been acquired in S340 remains in the authority table 492.
When the permission area table ID remains, the permission area determination unit 440 acquires a new permission area table ID from the authority table 492, and creates a new permission area from the permission area table 496 identified by the new permission area table ID. Get the data.
Then, the permitted area determination unit 440 determines whether or not the first current location is included in the range of the new permitted area represented by the new permitted area data.
When the first current location is included in the range of the new permitted area (within the permitted area), the process proceeds to S351.

  When the first current location is not included in the range of any permission area based on all permission area table IDs set in the authority table 492 (outside the permission area), the process proceeds to S352.

In step S351, the authentication response unit 450 acquires the decryption key data corresponding to the registration file ID included in the authentication request data from the registration file table 491.
The authentication response unit 450 acquires from the authority table 492 authority information corresponding to the permitted area table ID of the permitted area table 496 that defines the range of the permitted area including the first current location.
Then, the authentication response unit 450 sets the authentication result “permitted”, the decryption key data, and the authority information, generates authentication response data, and transmits the generated authentication response data to the mobile PC 200 via the Internet 101.
By S351, the processing of the authentication method of the certificate authority server 400 ends.

In S <b> 352, the authentication response unit 450 sets the authentication result “not permitted” to generate authentication response data, and transmits the generated authentication response data to the mobile PC 200 via the Internet 101.
By S352, the processing of the authentication method of the certificate authority server 400 ends.

FIG. 9 is a diagram illustrating an example of hardware resources of the location authentication system 100 according to the first embodiment.
In FIG. 9, a mobile PC 200, a certificate authority server 400, a Web server 110, a registration terminal 500, a carrier server 130, and a relay station device 140 include a CPU 901 (Central Processing Unit). The CPU 901 is connected to the ROM 903, the RAM 904, the communication board 905, the display device 911, the keyboard 912, the mouse 913, the drive device 914, and the magnetic disk device 920 via the bus 902, and controls these hardware devices. The drive device 914 is a device that reads and writes a storage medium such as an FD (Flexible Disk Drive), a CD (Compact Disc), and a DVD (Digital Versatile Disc).
Similarly, the cellular phone 300 includes a CPU 901, a ROM 903, a RAM 904, and a display device 911. The mobile phone 300 includes a numeric keypad and a cross key instead of the keyboard 912 and the mouse 913.

  The communication board 905 is wired or wirelessly connected to a communication network such as a LAN (Local Area Network), the Internet, or a telephone line.

  The magnetic disk device 920 (or ROM 903, RAM 904) stores an OS 921 (operating system), a program group 922, and a file group 923.

  The program group 922 includes programs that execute the functions described as “units” in the embodiments. The program is read and executed by the CPU 901. That is, the program causes the computer to function as “to part”, and causes the computer to execute the procedures and methods of “to part”.

  The file group 923 includes various data (input, output, determination result, calculation result, processing result, etc.) used in “˜part” described in the embodiment.

  In the embodiment, arrows included in the configuration diagrams and flowcharts mainly indicate the flow of data and processing.

  In the embodiment, what is described as “to part” may be “to circuit”, “to apparatus”, and “to device”, and “to step”, “to procedure”, and “to processing”. May be. That is, what is described as “to part” may be implemented by any of firmware, software, hardware, or a combination thereof.

  In the first embodiment, for example, the following position authentication system 100 has been described.

The location authentication system 100 authenticates location information of a location where a file is accessed by a certificate authority.
The position authentication system 100 compares the position information acquired via the mobile PC with the position information acquired directly from the mobile phone or mobile phone carrier registered in the certificate authority (the certificate authority server 400). Thereby, forgery of position information can be prevented and strong security can be realized. For this reason, the electronic data (registration file 292) taken outside can be accessed only at the registered location.
In the position authentication system 100, a unique ID (permitted area table ID) for identifying position information is registered in the certificate authority, and the file can be accessed in the position information DB (certificate authority storage unit 490) in association with the position information ID. A valid range (permitted area). This makes it possible to centrally manage location information accessible to files, and flexibly cope with changes in file access locations (office relocation, meeting location changes, etc.). In particular, even when the customer moves to another office, simply changing the certificate authority settings (location information) allows the customer to continue to use electronic data while maintaining security, improving convenience.
Furthermore, by using the position information ID registered in the certificate authority as an ID for uniquely identifying the transportation facility, the customer can access the file on the route of the transportation facility, and convenience is improved.

Embodiment 2. FIG.
A mode in which positioning determination using a one-time password is performed not when mobile PC 200 acquires current location data from mobile phone 300 but when certificate authority server 400 acquires current location data from mobile phone 300 will be described.
Hereinafter, items different from the first embodiment will be mainly described. Matters whose description is omitted are the same as those in the first embodiment.

  The configuration of the position authentication system 100 is the same as that of the first embodiment (see FIGS. 1 to 3).

FIG. 10 is a flowchart showing an information processing method of mobile PC 200 in the second embodiment.
An information processing method of mobile PC 200 in Embodiment 2 will be described with reference to FIG.

  In the information processing method of mobile PC 200 in the second embodiment, S141 described in the first embodiment (see FIG. 4) is not executed.

  That is, when requested by the mobile PC 200 for current location data (S140), the mobile phone 300 generates current location data without performing positioning determination using the positioning password, and outputs the generated current location data to the mobile PC 200 (S142). ).

  Other processes (S110 to S130, S150 to S160) are the same as those in the first embodiment.

  However, in the second embodiment, as in the first embodiment, when the current location data is requested from the mobile PC 200 to the mobile phone 300, the positioning determination using the positioning password (S141) may be performed.

FIG. 11 is a flowchart showing a positioning determination method of mobile phone 300 in the second embodiment.
A positioning determination method for mobile phone 300 according to Embodiment 2 will be described with reference to FIG.

The certificate authority server 400 generates current location request data for requesting current location data, and transmits the generated current location request data to the mobile phone 300.
When the mobile phone 300 receives the current location request data from the certificate authority server 400, the mobile phone 300 performs positioning determination using the positioning password by the positioning determination method shown in FIG.

  In the positioning determination method for mobile phone 300 in the second embodiment, S233 and S234 are executed instead of S231 and S232 described in the first embodiment (see FIG. 5).

  In S233, the positioning determination unit 330 generates current location response data including the current location data generated by the positioning unit 320, and transmits the generated current location response data to the certificate authority server 400.

  In S <b> 234, the positioning determination unit 330 generates current location response data including error data, and transmits the generated current location response data to the certificate authority server 400.

The authentication method of the certificate authority server 400 is the same as that in the first embodiment (see FIG. 6).
However, if the current location response data received from the mobile phone 300 includes error data instead of the current location data in S330, the process proceeds to S352 instead of S331.

In the second embodiment, the mobile phone 300 has a positioning password both when there is a request for current location data from the mobile PC 200 to the mobile phone 300 and when there is a request for current location data from the certificate authority server 400 to the mobile phone 300. Positioning determination using may be executed.
When there is a request for current location data from the mobile PC 200, the mobile phone 300 executes the positioning determination method (see FIG. 5) described in the first embodiment.

  As in the first embodiment, the location authentication system 100 according to the second embodiment can ensure that the mobile phone 300 and the mobile PC 200 are connected, and can enhance security.

Embodiment 3 FIG.
Details of the registration terminal 500 provided in the position authentication system 100 will be described.
Other configurations are the same as those in the first and second embodiments.

FIG. 12 is a functional configuration diagram of registration terminal 500 in the third embodiment.
A functional configuration of registration terminal 500 in the third embodiment will be described with reference to FIG.

  The registration terminal 500 includes an application data generation unit 510, an authentication data generation unit 520, a key generation unit 530, an authentication registration request unit 540, a file registration unit 550, and a registration terminal storage unit 590.

Registered terminal storage unit 590 stores data used by registered terminal 500.
Application data, encrypted data, registration file 292, encryption key data, and decryption key data are examples of data stored in registration terminal storage unit 590.

  Other functional configurations will be described based on the following flowchart.

FIG. 13 is a flowchart showing a file registration method according to the third embodiment.
A file registration method according to the third embodiment will be described with reference to FIG.

In S410, the user inputs application information used for generating application data to the registration terminal 500 using an input device such as a keyboard or a mouse.
The application data generation unit 510 inputs application information from the input device, and generates application data based on the input application information.
For example, the user requests the registration terminal 500 to start word processing software, the application data generation unit 510 starts up the word processing software, the user specifies a character string in the word processing software, and the application data generation unit 510 specifies the specified character string. To generate a word profile.
It progresses to S420 after S410.

  In S420, the authentication data generation unit 520 inputs various data to be registered in the certificate authority server 400 as “authentication data” as follows.

The user inputs the mobile phone ID of the mobile phone 300 to the registration terminal 500 using the input device. The authentication data generation unit 520 inputs the mobile phone ID from the input device and stores the input mobile phone ID.
However, the user may connect the mobile phone 300 to the registration terminal 500 with a USB cable. In this case, the authentication data generation unit 520 inputs the mobile phone ID from the mobile phone 300.

  The user inputs the user ID and the user password to the registration terminal 500 using the input device. The authentication data generation unit 520 inputs a user ID and a user password from the input device, and stores the input user ID and user password.

The authentication data generation unit 520 acquires a plurality of permitted area tables 496 from the certificate authority server 400 and displays the acquired plurality of permitted area tables 496 on the display.
The user selects at least one of the permitted area tables 496 from the displayed plurality of permitted area tables 496, and the authentication data generation unit 520 stores the permitted area table ID of the selected permitted area table 496.
However, the user may define a new permitted area table 496, and the authentication data generation unit 520 may store the newly defined permitted area table 496.

  The user inputs authority information to the registration terminal 500 using an input device. The authentication data generation unit 520 inputs authority information from the input device and stores the input authority information.

  Hereinafter, the mobile phone ID, user ID, user password, permission area table ID (or new permission area table 496), and authority information are referred to as “authentication data”.

  It progresses to S430 after S420.

In S430, the key generation unit 530 executes a predetermined key generation program to generate encryption key data and decryption key data.
It progresses to S440 after S430.

In S440, the authentication registration request unit 540 includes the mobile phone ID, user ID, user password, permission area table ID (or new permission area table 496), and authority information stored in S420, and is generated in S430. Authentication registration request data including decryption key data is generated.
The authentication registration request unit 540 transmits the generated authentication registration request data to the certificate authority server 400.
It progresses to S510 after S440.

In S510, the authentication data registration unit 460 of the certificate authority server 400 receives the authentication registration request data from the registration terminal 500.
It progresses to S520 after S510.

In S520, the authentication data registration unit 460 generates a new registration file ID.
It progresses to S530 after S520.

  In S530, the authentication data registration unit 460 registers the authentication data as follows.

The authentication data registration unit 460 generates the authority table 492 by associating the permission area table ID (or the permission area table ID of the new permission area table 496) included in the authentication registration request data with the authority information.
The authentication data registration unit 460 sets the mobile phone ID included in the authentication registration request data and generates the target mobile table 493.
The authentication data registration unit 460 generates the target user table 494 by associating the user ID and the user password included in the authentication registration request data.
The authentication data registration unit 460 stores the generated authority table 492, target mobile table 493, and target user table 494 in the certificate authority storage unit 490.

  Further, the authentication data registration unit 460 sets the registration file ID generated in S520, the decryption key data included in the authentication registration request data, and the table ID of each generated table in the registration file table 491 in association with each other.

  It progresses to S540 after S530.

In S540, the authentication data registration unit 460 generates authentication registration response data including the registration file ID generated in S520, and transmits the generated authentication registration response data to the registration terminal 500.
It progresses to S450 after S540.

In S450, the authentication registration request unit 540 of the registration terminal 500 receives the authentication registration response data from the certificate authority server 400.
It progresses to S460 after S450.

In S460, the file registration unit 550 encrypts the application data generated in S410 using the encryption key data generated in S430.
The file registration unit 550 generates a registration file 292 including encrypted data obtained by encrypting application data and a registration file ID included in the authentication registration response data.
It progresses to S470 after S460.

In S470, the file registration unit 550 transmits the registration file 292 generated in S460 to the Web server 110.
The Web server 110 receives the registration file 292 from the registration terminal 500 and stores the received registration file 292.
By S470, the file registration method process ends.

  According to the third embodiment, the table (authentication data) of the certificate authority server 400 can be set.

  100 location authentication system, 101 Internet, 102 mobile phone network, 109 USB cable, 110 Web server, 120 base station device, 130 carrier server, 140 relay station device, 200 mobile PC, 210 login unit, 220 registered data acquisition unit, 230 Application execution unit, 240 authentication request unit, 250 positioning password generation unit, 290 PC storage unit, 291 account data, 292 registration file, 293 application, 300 mobile phone, 310 mobile communication unit, 320 positioning unit, 330 positioning determination unit, 390 Portable storage unit, 400 Certificate authority server, 410 Authentication communication unit, 420 User determination unit, 430 Current location determination unit, 440 Permitted area determination unit, 450 Authentication response unit, 460 Authentication data registration unit, 490 Authentication station storage unit, 491 Record file table, 492 authority table, 493 target mobile table, 494 target user table, 495 mobile phone table, 496 permitted area table, 500 registration terminal, 510 application data generation unit, 520 authentication data generation unit, 530 key generation unit, 540 Authentication registration request unit, 550 file registration unit, 590 registration terminal storage unit, 901 CPU, 902 bus, 903 ROM, 904 RAM, 905 communication board, 911 display device, 912 keyboard, 913 mouse, 914 drive device, 920 magnetic disk device , 921 OS, 922 program group, 923 file group.

The present invention is, for example, relates to an authentication system, an authentication method of the authentication system, measuring position device and positioning program for authenticating based access to files on the position information.

Claims (12)

In an authentication system comprising an information processing device and an authentication device,
The information processing apparatus connects a specific positioning device for positioning the current location,
The information processing apparatus includes:
A processing device storage unit that stores an application program and encrypted data obtained by encrypting application data used in the application program;
An application execution unit for executing the application program;
When the application execution unit uses the application data, the application execution unit acquires first current location data representing the current location from the specific positioning device, and transmits authentication request data including the acquired first current location data to the authentication device. An authentication request unit that receives decryption key data used for decrypting the encrypted data from the authentication device,
The application execution unit decrypts the encrypted data using the decryption key data received by the authentication request unit, executes the application program using application data obtained by decryption,
The authentication device
An authentication device storage unit that stores the decryption key data and permission area data representing a permission area that permits the use of the application data;
An authentication request receiver for receiving the authentication request data from the information processing apparatus;
When the authentication request receiving unit receives the authentication request data, the current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. A current location determination unit for determining whether or not the vehicle is located;
When the authentication request receiving unit receives the authentication request data, a permission area determination unit that determines whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
The current location determination unit determines that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and the permitted region determination unit places the first current location in the permitted region. An authentication response unit configured to transmit authentication response data including decryption key data stored in the authentication device storage unit to the information processing device when it is determined that the current location represented by the data is included system. The information processing apparatus includes:
A positioning password generating unit that generates a positioning password to be output to the specific positioning device, displays the generated positioning password, and outputs the positioning password to the specific positioning device,
The specific positioning device is:
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password matches the regular password, the current location data output unit outputs the current location data generated by the positioning unit to the information processing apparatus as the first current location data The authentication system according to claim 1, further comprising: The information processing apparatus includes:
A positioning password generating unit for generating a positioning password to be output to the predetermined positioning device when connected to the predetermined positioning device, displaying the generated positioning password and outputting the generated positioning password to the predetermined positioning device; Prepared,
The authentication device communicates with the predetermined positioning device as the current location providing device,
The predetermined positioning device is:
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
A current location data transmission unit for transmitting the current location data generated by the positioning unit to the authentication device as the second current location data when the positioning password determination unit determines that the input password and the regular password match. The authentication system according to claim 1, further comprising: In an authentication method of an authentication system comprising an information processing device and an authentication device,
The information processing apparatus connects a specific positioning device for positioning the current location,
The information processing apparatus includes:
Storing an application program and encrypted data obtained by encrypting application data used in the application program;
When using the application data, first current location data representing the current location is acquired from the specific positioning device, authentication request data including the acquired first current location data is transmitted to the authentication device, and the authentication device Receiving decryption key data used to decrypt the encrypted data;
Decrypt the encrypted data using the received decryption key data, execute the application program using application data obtained by decryption,
The authentication device
Storing the decryption key data and permission area data representing a permission area permitting use of the application data;
Receiving the authentication request data from the information processing apparatus;
The current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, and is included in the acquired second current location data and the authentication request data Determining whether or not the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data based on the first current location data;
Determining whether or not the current location represented by the first current location data is included in the permitted region represented by the permitted region data;
When it is determined that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and it is determined that the current location represented by the first current location data is included in the permitted area An authentication method for an authentication system, wherein authentication response data including the decryption key data is transmitted to the information processing apparatus. In an information processing device that connects a specific positioning device that measures the current location,
A processing device storage unit that stores an application program and encrypted data obtained by encrypting application data used in the application program;
An application execution unit for executing the application program;
When the application execution unit uses the application data, the application execution unit acquires first current location data representing the current location from the specific positioning device, and transmits authentication request data including the acquired first current location data to a predetermined authentication device. And an authentication request unit that receives decryption key data used for decrypting the encrypted data from the authentication device,
The application execution unit decrypts the encrypted data using the decryption key data received by the authentication request unit, and executes the application program using application data obtained by decryption apparatus. An information processing apparatus connected to a specific positioning apparatus for positioning a current location, the information processing apparatus comprising a processing device storage unit for storing an application program and encrypted data obtained by encrypting application data used in the application program In the information processing program of the device,
An application execution process for executing the application program;
When the application data is used in the application execution process, first current location data representing the current location is acquired from the specific positioning device, and authentication request data including the acquired first current location data is transmitted to a predetermined authentication device. And causing the information processing apparatus to execute authentication request processing for receiving decryption key data used for decrypting the encrypted data from the authentication apparatus,
The application execution process is a process of executing the application program using application data obtained by decrypting the encrypted data using the decryption key data received by the authentication request unit. Information processing program. An authentication device storage unit that stores decryption key data used for decryption of application data, and permission area data that represents a permission area permitted to use the application data;
Authentication request reception for receiving authentication request data including first current location data representing the current location of the information processing device, which is authentication request data transmitted from an information processing device storing encrypted data obtained by encrypting the application data And
When the authentication request receiving unit receives the authentication request data, the current location data of the predetermined positioning device is acquired as second current location data from a current location providing device that provides current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. A current location determination unit for determining whether or not the vehicle is located;
When the authentication request receiving unit receives the authentication request data, a permission area determination unit that determines whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
The current location determination unit determines that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data, and the permitted region determination unit places the first current location in the permitted region. An authentication response unit configured to transmit authentication response data including decryption key data stored in the authentication device storage unit to the information processing device when it is determined that the current location represented by the data is included apparatus. In an authentication program of an authentication device including an authentication device storage unit that stores decryption key data used for decryption of application data and permission area data representing a permission area that permits use of the application data,
Authentication request reception for receiving authentication request data including first current location data representing the current location of the information processing device, which is authentication request data transmitted from an information processing device storing encrypted data obtained by encrypting the application data Processing,
When the authentication request data is received in the authentication request reception process, the current location data of the predetermined positioning device is acquired as second current location data from the current location providing device that provides the current location data representing the current location of the predetermined positioning device, Based on the acquired second current location data and the first current location data included in the authentication request data, the current location represented by the first current location data is within a predetermined allowable range from the current location represented by the second current location data. Current location determination processing for determining whether or not it is located;
When the authentication request data is received in the authentication request reception process, a permission area determination process for determining whether or not a current area represented by the first current position data is included in a permission area represented by the permission area data;
It is determined that the current location represented by the first current location data is located within the allowable range from the current location represented by the second current location data in the current location determination processing, and the first current location is placed in the permitted region in the permitted region determination processing. If it is determined that the current location represented by the data is included, the authentication device is caused to execute an authentication response process of transmitting authentication response data including decryption key data stored in the authentication device storage unit to the information processing device. A featured authentication program. In a positioning device connected to an information processing device that outputs a positioning password,
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit that displays a password input screen for inputting the positioning password, and inputs the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password matches the regular password, the current location data output unit outputs the current location data generated by the positioning unit to the information processing apparatus as the first current location data And a positioning device. In a positioning device connected to an information processing device that uses application data and outputs a positioning password,
A positioning unit that measures the current location and generates current location data representing the current location,
A regular password input unit for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input unit for displaying a password input screen for inputting a positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination unit that determines whether or not the input password input by the input password input unit and the regular password input by the regular password input unit match;
When the positioning password determination unit determines that the input password and the regular password match, the first current location data indicating the current location of the information processing device and the second current location data indicating the current location of the positioning device are obtained. An authentication device that determines whether to permit use of the application data by comparison includes a current location data transmission unit that transmits the current location data generated by the positioning unit to the authentication device as the second current location data. A positioning device characterized by that. In the positioning program of the positioning device connected to the information processing device that outputs the positioning password,
Positioning processing to measure the current location and generate current location data representing the current location,
A regular password input process for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input process for displaying the password input screen for inputting the positioning password, and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination process for determining whether or not the input password input in the input password input process matches the regular password input in the regular password input process;
A current location data output process for outputting the current location data generated by the positioning process to the information processing device as the first current location data when the positioning password determination processing determines that the input password and the regular password match. A positioning program executed by the positioning device. In a positioning program of a positioning device connected to an information processing device that uses application data and outputs a positioning password,
Positioning processing to measure the current location and generate current location data representing the current location,
A regular password input process for inputting a positioning password output from the information processing apparatus as a regular password;
An input password input process for displaying a password input screen for inputting a positioning password and inputting the positioning password specified on the password input screen as an input password;
A positioning password determination process for determining whether or not the input password input in the input password input process matches the regular password input in the regular password input process;
When it is determined in the positioning password determination process that the input password matches the regular password, the first current position data indicating the current position of the information processing apparatus is compared with the second current position data indicating the current position of the positioning apparatus. And causing the positioning device to execute current location data transmission processing for transmitting the current location data generated by the positioning processing as the second current location data to an authentication device that determines whether to permit use of the application data. A positioning program characterized by

Images