JP2015028689A - Mutual authentication system and program therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mechanism of mutual authentication in which an authentication request person authenticates an authentication target person and also the authentication target person authenticates the authentication request person.SOLUTION: An authentication target person captures an authentication pattern image of an authentication request person, and the authentication request person captures an authentication pattern image of the authentication target person. Then, the authentication target person and the authentication request person transmit first authentication information and second authentication information which include pattern IDs corresponding to the respective authentication pattern images and identification IDs of their respective terminals. Mutual authentication is to be performed by determining whether the identification information corresponding to the pattern image of the first authentication information corresponds to the identification information of the terminal having transmitted the second authentication information, and also the identification information corresponding to the pattern image of the second authentication information corresponds to the identification information of the terminal having transmitted the first authentication information.

Description

   The present invention relates to an authentication technique for performing authentication by recognizing a pattern image as authentication information, and more particularly to a mutual authentication system and a program therefor that mutually authenticate an authentication requester and an authentication subject.

  In recent years, smartphones and mobile phone terminals (hereinafter referred to as mobile terminals) have become widespread. In many cases, each portable terminal has a personal terminal for each individual. A technique is known that uses such a characteristic of a mobile terminal as an authentication device for identifying an individual of the mobile terminal.

  For example, Patent Document 1 discloses a system that performs authentication processing by displaying image data on a display of a portable terminal, photographing the displayed image data, and determining whether the image data matches authentication information, As an example, there is shown a technique for locking a door key with an image displayed on a portable terminal.

  Moreover, in patent document 2, when a portable terminal is used as a door unlocking key, the same authentication image is not reused and displayed on the portable terminal. A technique for unlocking a door by requesting an image to be a key to the server device, displaying the issued image on a portable terminal, and recognizing the image with an image sensor provided in the door is disclosed. Yes.

JP 2004-13870 A JP 2006-72778 A

  By using the prior art, the pattern image displayed on the mobile terminal can be captured by the camera device, and the mobile terminal can be authenticated. However, in the prior art, the authentication side (authentication requester) unilaterally shoots a pattern image or the like displayed on the mobile terminal of the user (authentication subject) and performs the authentication process.

  For this reason, the authentication requester can authenticate whether or not the person to be authenticated has a legitimate authority. However, for example, when using a pattern image displayed on a portable terminal as a door unlocking key, authentication Even if the subject person tries to unlock the door by mistake, the authentication requester cannot determine which door the subject of authentication has requested to unlock. Therefore, if it is a legitimate subject of authentication, it can authenticate and the subject of authentication will unlock the wrong door.

  In addition, when performing authentication with an application or the like operated on the WEB site by the method disclosed in Patent Document 2, it is possible to authenticate the authentication target person illegally by impersonating the authentication requester. There is a concern about unauthorized use that collects user information after authentication. Even if it is a legitimate WEB site, if the WEB site used by the person to be authenticated is wrong, there is a possibility that the user information is transmitted to the authentication requester not intended by the person to be authenticated.

  The present invention has been made to solve the above-described problem, and provides a mutual authentication mechanism in which not only the authentication requester authenticates the authentication target person but also the authentication target person authenticates the authentication requester. For the purpose.

  In order to solve the above problems, a mutual authentication system in the present invention is a mutual authentication system including one or more terminal devices, a camera device connected to each of the terminal devices, and an information management device, The terminal device includes an authentication image display unit that displays a pattern image corresponding to a pattern ID corresponding to the terminal device, a camera video acquisition unit that acquires video captured by a camera device connected to the terminal device, A pattern image recognition unit that extracts a pattern image from video captured by the camera video acquisition unit, and transmits authentication information including the pattern image extracted by the pattern image recognition unit and identification information of the terminal device to the information management device. Authentication information transmitting unit, and an identification information acquiring unit that acquires identification information from the information management device. Receiving the first authentication information and the second authentication information respectively transmitted from the device, the identification information corresponding to the pattern image of the first authentication information matches the identification information of the terminal that transmitted the second authentication information, and 2 When the identification information determination unit for determining whether the identification information corresponding to the pattern image of the authentication information matches the identification information of the terminal that transmitted the first authentication information, and the identification information determination unit match It is characterized by comprising an identification information transmitting unit for transmitting the identification information to the terminal device when it is determined.

  As a result, the authentication requester's terminal device not only authenticates the authenticity of the authentication target user's terminal device, but also the authentication requester's terminal device can authenticate the authenticity of the authentication requester's terminal device. It becomes possible.

  In the mutual authentication system according to the present invention, the information management device further includes a pattern ID generation unit that generates a pattern ID corresponding to each of the terminal devices, and the terminal device corresponds to the terminal. A pattern ID request unit that requests the information management device to issue a pattern ID is further included, and the authentication image display unit receives the pattern ID generated by the pattern ID generation unit of the information management device. The authentication image display unit displays a corresponding pattern image.

  Accordingly, each time the mutual authentication process is performed, the authentication requester and the authentication target person can use different authentication pattern images, thereby preventing unauthorized use due to imitation of pattern images.

  In the mutual authentication system according to the present invention, the identification information determination unit receives the first authentication information and the second authentication information respectively transmitted from the terminal device, and corresponds to the pattern image of the first authentication information. Whether the identification information matches the identification information of the terminal that transmitted the first authentication information, and whether the identification information corresponding to the pattern image of the second authentication information matches the identification information of the terminal that transmitted the first authentication information It is the identification information determination part to determine, It is characterized by the above-mentioned.

  As a result, the person to be authenticated can authenticate not only his / her validity but also the validity of the authentication requester.

The effects of the present invention are as follows.
(1) By performing mutual authentication, the user can prevent the authentication process for the spoofed certifier.
(2) The user can transmit the user information after automatically confirming whether the system to be used is the system that the user intends to use.
(3) Even without inputting an ID or password, the authentication process can be performed only by photographing the authentication pattern image.

Overall view of mutual authentication system Mutual authentication system basic configuration diagram Data structure of pattern information storage Data structure of device information storage Data structure of pattern management information storage Data structure of identification information storage unit Data structure of pattern issue information storage Mutual authentication system configuration diagram in the first embodiment and the second embodiment Processing sequence diagram of mutual authentication system in embodiment 1 Processing sequence diagram of mutual authentication system in embodiment 2 Configuration diagram of mutual authentication system in embodiment 3 Process sequence diagram of mutual authentication system in embodiment 3 Configuration diagram of mutual authentication system in embodiment 4 Processing sequence diagram of mutual authentication system in embodiment 4

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is an overall view of a mutual authentication system according to the present invention. In the mutual authentication system of the present invention, a plurality of terminal devices 200, a camera device 300, a camera-equipped terminal device 400, and an information management device 500 are connected to each other through a network line 100. As the network line 100, an Internet line or an intranet line is used, but any network line can be used as long as the apparatuses can communicate with each other.

  As the terminal device 200, a server device in which an application that needs to be authenticated is configured, a computer device that uses client software that uses the application, a smartphone device, or the like is used. Any computer device capable of operating an application that requires mutual authentication processing may be used. The camera device 300 may be any camera device as long as it has a function of capturing an external image and can transmit the captured image to the terminal device 200. Moreover, it is also possible to use the terminal device with camera device 400 in which the terminal device 200 and the camera device 300 are integrated.

  The terminal device 200, the camera device 300, and the camera-equipped terminal device 400 include a plurality of authentication requesting devices (hereinafter referred to as authentication requesting devices) and authenticated devices (hereinafter referred to as authentication target devices), network lines 100, one of the authentication target devices is connected to one of the authentication requesting devices, and an authentication process is performed.

  The information management device 500 manages authentication pattern images used in the mutual authentication system, manages the association between the terminal device 200 or the terminal device with camera device 400 and the authentication pattern image, and manages the terminal device 200 or the terminal with camera device. It performs issuance management of authentication pattern images that are used only once by the device 400, information management of the terminal device 200 and the terminal device 400 with camera device stored in association with the authentication pattern image, and the like. The above is the outline of the overall view of each device used in the mutual authentication system. Details of the functions of each device will be described later.

  Next, the basic configuration of each device in the mutual authentication system will be described. FIG. 2 is a diagram showing a basic configuration of each device of the mutual authentication system according to the present invention. FIG. 2 shows an example of connection between a plurality of camera-equipped terminal devices 400 in which the camera device 300 and the terminal device 200 are integrated with the information management device 500. As shown in FIG. The terminal device 200 may be configured as another device as long as it can be connected via a network line.

  The camera-equipped terminal device 400 includes a plurality of authentication requesting devices and authentication target devices, and the authentication requesting device and the authentication target device are connected to each other via the network line 100 through a network line. Examples of the terminal device with camera 400 include a mobile phone terminal, a smartphone, and a laptop computer. The camera device 300 and the terminal device 200 are configured as separate devices when a WEB server or an application server is used as the terminal device 200.

  Each processing unit of the camera-equipped terminal device 400 will be described. The terminal device with camera 400 includes a pattern information storage unit 411, a device information storage unit 410, a camera device 300, a camera video acquisition unit 401, a pattern image recognition unit 402, an authentication information transmission unit 403, an authentication image display unit 404, and a pattern ID request. A unit 405 and an identification information acquisition unit 406.

  Next, each processing unit will be described. First, the pattern information storage unit 411 stores a list of pattern IDs corresponding to all authentication pattern images that can be used in the mutual authentication system. FIG. 3 shows an example of the data structure of the pattern storage information stored in the pattern information storage unit.

  In FIG. 3, “pattern image” stores a unique pattern image that can be recognized by a pattern image recognition unit 402 described later, and “pattern ID” stores a unique ID corresponding to the pattern image.

  FIG. 3 shows an example in which “pattern ID” and “pattern image” are stored in association with each other in the pattern information storage unit 411. However, from the viewpoint of resource saving in the storage area of the terminal device with camera 400, the pattern information storage unit 411 may store a list of “pattern IDs” without storing “pattern images”.

  In this case, the camera-equipped terminal device 400 transmits the “pattern ID” to the information management device 500 before displaying the image in the authentication image display unit 404 and receives the “pattern image” corresponding to the “pattern ID” from the information management device 500. To do. The received “pattern image” is displayed on the authentication image display unit 404.

  When there are 100 pattern images that can be used in the mutual authentication system in the pattern information storage unit 411, 100 patterns of combinations of pattern images and pattern IDs are stored in the pattern information storage unit 411. Alternatively, as described above, when the authentication image display unit 404 acquires a “pattern image” corresponding to a “pattern ID” before displaying an image, 100 pattern IDs are stored. The number of pattern images and pattern IDs that can be used in the mutual authentication system is not limited as long as they are identifiable pattern images.

  The pattern image may be any image as long as it can be extracted by the pattern image recognition unit 402. For example, a pattern image in which colored squares are arranged in a grid pattern as shown in the pattern image of FIG. 3 may be used, or characters and figures can be identified as long as the pattern image can be distinguished from other pattern images. It may be a pattern image. There are Chameleon Code (registered trademark) and QR code (registered trademark) that can be used as pattern images, but other patterns may be used as pattern images.

  The device information storage unit 410 stores device information for identifying the camera-equipped terminal device 400. FIG. 4 shows an example of device information stored in the device information storage unit 400. In FIG. 4, the “authentication pattern image” stores the image of the pattern image assigned to the camera-equipped terminal device 400, and the “identification ID” and “IP address” identify the identification assigned to the camera-equipped terminal device 400. An ID and an IP address are stored, respectively, and an identifier held by the camera-equipped terminal device 400, such as a MAC address, is stored in the “terminal identifier”.

  When the authentication image display unit 404 acquires a “pattern image” corresponding to the “pattern ID” before displaying the image, the device information storage unit 400 stores “pattern ID” instead of “authentication pattern image”. It may be done.

  The authentication pattern image is a pattern image that is assigned in advance as a unique authentication pattern image to the camera-equipped terminal device 400, and matches one of the pattern image or the pattern ID stored in the pattern information storage unit 411. is there. Which pattern image is assigned to which camera-equipped terminal device 400 is managed by the pattern management information storage unit 510 of the information management device 500 described later, and the same pattern image is assigned to different camera-equipped terminal devices 400. There is no.

  The camera device 300 is a camera device that can capture images and moving images. Images and moving images captured by the camera device 300 are acquired by the camera image acquisition unit 401. When the camera device 300 and the terminal device 200 are integrated, the camera image acquisition unit 401 may be included in the camera device 300. When the camera device 300 and the terminal device 200 are configured as separate devices, the camera video acquisition unit 401 of the terminal device 200 acquires images and videos captured by the camera device 300.

  The pattern image recognition unit 402 extracts the recognized pattern image when recognizing the pattern image stored in the pattern information storage unit 411 from the image or video acquired by the camera video acquisition unit 401. When a plurality of pattern images are recognized, a plurality of pattern images can be extracted.

  Here, when only “pattern ID” is recorded in the pattern information storage unit 411, the recognized pattern image is transmitted to the information management apparatus 500 and the pattern ID corresponding to the pattern image is received from the information management apparatus 500. . Then, the pattern image and the pattern ID are extracted by confirming whether or not the received pattern ID is recorded in the pattern information storage unit 411.

  The pattern image recognized by the pattern image recognition unit 402 is transmitted to the identification information determination unit 501 of the information management apparatus 500 by the authentication information transmission unit 403. At this time, the image of the pattern image may be transmitted as it is, or the pattern ID corresponding to the pattern image may be transmitted based on the information in the pattern information storage unit 411. In addition, device information for identifying the camera-equipped terminal device 400 stored in the device information storage unit 410 and input information directly input by the user to the camera-equipped terminal device 400 may be transmitted together.

  Next, the authentication image display unit 404 is a display unit for displaying an image of a pattern image such as a monitor device or a display device. The displayed pattern image may display an authentication pattern image pre-assigned to the camera-equipped terminal device 400 stored in the device information storage unit 410, or may be assigned by the pattern ID generation unit 502 of the information management device 500. The pattern image that can be used only once may be displayed.

  When the authentication image display unit 404 receives a pattern ID instead of a pattern image as a display image, the authentication image display unit 404 transmits a “pattern ID” to the information management apparatus 500 before displaying the image, and the information management apparatus 500 changes the “pattern ID” to “pattern ID”. The corresponding “pattern image” may be received, and the received “pattern image” may be displayed.

  Which pattern image is displayed depends on how mutual authentication is performed. In some cases, an authentication pattern image assigned in advance to the camera-equipped terminal device 400 is printed on paper or the like and displayed. How to display which pattern image will be described later in a specific example.

  The pattern ID request unit 405 is a request unit that requests the pattern ID generation unit 502 of the information management device 500 to issue a pattern image or pattern ID that can be temporarily used by the terminal device with camera 400 for a predetermined period.

  The identification information acquisition unit 406 generates identification information generated based on the processing result performed by the identification information determination unit 501 of the information management device 500 based on the authentication information transmitted from the authentication information transmission unit 403 to the information management device 500. It is an acquisition unit that receives from the identification information transmission unit 503 of the information management device 500. Based on the authentication information acquired here, the terminal device with camera 400 determines whether the authentication is successful.

  The above is the outline of each processing unit of the camera-equipped terminal device 400. Next, each processing unit of the information management apparatus 500 will be described.

  The information management apparatus 500 includes a pattern management information storage unit 510, an identification information storage unit 511, a pattern issue information storage unit 512, an identification information determination unit 501, a pattern ID generation unit 502, and an identification information transmission unit 503.

  Each processing unit will be described. First, the pattern management information storage unit 510 stores a list of pattern IDs and usage statuses corresponding to all pattern images that can be used in the mutual authentication system.

  FIG. 5 shows an example of the data structure of the pattern management information stored in the pattern management information storage unit 510. In FIG. 5, “pattern image” stores a pattern image managed by the information management apparatus 500, “pattern ID” stores a unique ID corresponding to the pattern image, and corresponds to “in-use flag”. The pattern image and the pattern ID to be assigned are assigned to the camera-equipped terminal device 400 and the terminal device 200, and the status of whether the pattern image and the pattern ID are in use is stored.

  The list of combinations of pattern images and pattern IDs stored here is the same as the list of combinations of pattern images and pattern IDs stored in the pattern information storage unit 411. When a list of pattern IDs is recorded in the pattern information storage unit 411, the list of pattern IDs stored in the pattern information storage unit 411 is a list of pattern IDs stored in the pattern management information storage unit 510. Will be the same.

  The identification information storage unit 511 stores a list of the terminal device with camera 400 and the terminal device 200 managed by the information management device 500. FIG. 6 shows an example of the data structure of the identification information recorded in the identification information storage unit 511. In FIG. 6, “Identification ID” records an identification ID for identifying the terminal device with camera 400 and the terminal device 200.

  The identification ID here matches the identification ID stored in the device information storage unit 410. In the “pattern ID”, a pattern ID corresponding to a pattern image assigned in advance to the camera-equipped terminal device 400 or the terminal device 200 is stored. The pattern ID here matches the pattern ID corresponding to the pattern image stored in the device information storage unit 410. Further, the in-use flag of the pattern management information storage unit 510 corresponding to the pattern ID recorded here is recorded as in use.

  In “IP address” and “terminal identifier”, the IP addresses and terminal identification information of the terminal device with camera 400 and the terminal device 200 corresponding to the identification ID are recorded. This information matches the “IP address” and “terminal identifier” corresponding to the identification ID stored in the device information storage unit 410. The device information storage unit 410 may store individual information corresponding to the identification ID even if it is not the item shown in FIG.

  The pattern issuance information storage unit 512 manages issuance information of temporary use pattern images that can be used only for a specified period by the terminal device with camera 400 or the terminal device 200. FIG. 7 shows an example of the data structure of the pattern issue information stored in the pattern issue information storage unit 512.

  The “pattern ID” stores the pattern ID of the pattern image used as the temporary use pattern image. As the pattern ID stored here, a pattern ID whose use flag of the pattern management information storage unit 510 is not used is selected. When a pattern ID is recorded in the pattern issue information storage unit, the pattern ID corresponds to the pattern ID. The use flag of the pattern management information storage unit 510 is in use.

  In “Issuance destination identification ID”, the identification ID of the terminal device with camera 400 or the terminal device 200 that issued the pattern ID is recorded. The identification ID recorded here is the identification ID stored in the device information storage unit 410 of the issue destination. The “expiration date” records the date and time of the expiration date when the issued pattern ID can be used. When the date and time recorded in the expiration date is exceeded, the corresponding pattern ID data is deleted from the pattern issue information storage unit 512, and the in-use flag of the corresponding pattern ID stored in the pattern management information storage unit 510 is not set. Changed to use.

  The identification information determination unit 501 receives authentication information such as a pattern image, a pattern ID, device information, and input information from the authentication information transmission unit 403, and performs identification processing based on the received information. For example, the camera-equipped terminal that receives the pattern image extracted by the authentication requesting device and the identification ID of the authentication requesting device as the first authentication information from the camera-equipped terminal device 400 that serves as the authentication requesting device The pattern image extracted by the authentication target device and the identification ID of the authentication target device are received from the device 400 as the second authentication information.

  Then, the identification ID of the pattern ID corresponding to the pattern image of the first authentication information matches the identification ID of the second authentication information, and the identification ID of the pattern ID corresponding to the pattern image of the second authentication information is the first ID. It is determined whether or not it matches the identification ID of one authentication information. A specific determination method will be described later based on a specific embodiment.

  When the identification information determination unit 501 determines that the authentication information matches, the identification information transmission unit 503 transmits the authentication target device information to the authentication request device, and the authentication request device information to the authentication target device. Part.

  In response to a request from the pattern ID request unit 405, the pattern ID generation unit 502 issues a pattern ID corresponding to a pattern image that can be temporarily used for a predetermined period. The issued pattern ID is one in which the usage status is unused among the pattern IDs related in the pattern management information storage unit 510. When the pattern ID is issued, the usage status of the corresponding pattern ID is in use.

  The above is the outline of each processing unit of the information management apparatus 500. In the mutual authentication system, the processing units of the terminal device with camera device 400 and the information management device 500 described above operate in cooperation with each other, so that the authentication requester not only authenticates the authentication target person but also the authentication target. Implements a mutual authentication mechanism that authenticates the authentication requester. Next, an embodiment of the mutual authentication system will be described in detail based on specific usage scenes.

  In the first embodiment, an example in which a mutual authentication system is used in the transportation business will be described. In the transportation business, a business is performed in which a transportation company delivers a package to a private house. At this time, the carrier delivers the package to the private house depending on the address, but it is difficult to confirm whether the consignee is really the consignee of the package. The consignee may also receive cash-on-delivery baggage, sales, or fraudulent baggage that is not related to him / her from a fake carrier.

  Therefore, the consignee must confirm that the delivery person who has delivered the package is an authorized delivery company, and the delivery person must confirm that the consignee is the correct recipient. FIG. 8 illustrates a system configuration diagram when such mutual confirmation is performed using a mutual authentication system. FIG. 8 illustrates a case where the consignee has the camera-equipped terminal device 400 as the authentication target device 400a, and the delivery person has the camera-equipped terminal device 400 as the authentication requesting device 400b.

  A unique authentication pattern image associated with each identification ID is issued in advance to each of the authentication target device 400a and the authentication requesting device 400b and stored in each device information storage unit 410. The information of the issued authentication pattern image is managed by the pattern management information storage unit 510 and the identification information storage unit 511 of the information management device 500, and the pattern image associated with the identification ID of the authentication target device 400a and the authentication request device 400b. The pattern ID is recorded as being used in the pattern management information storage unit 510 and becomes a pattern image that cannot be used elsewhere. The identification ID associated with the pattern ID and the terminal device information are stored in the identification information storage unit 511.

  FIG. 9 shows a processing sequence when the consignee and the delivery person mutually authenticate in this embodiment. Processing when the consignee and the delivery person mutually authenticate will be described along the sequence of FIG.

  First, the consignee displays the authentication pattern image stored in the device information storage unit 410a on the authentication image display unit 404a of the authentication target device 400a (S901). Similarly, the delivery person displays the authentication pattern image stored in the device information storage unit 410b on the authentication image display unit 404b of the authentication requesting device 400b (S902).

  Then, the consignee takes a pattern image displayed on the authentication image display unit 404b of the authentication requesting device 400b with the camera device 300a of the authentication target device 400a, and stores the pattern image in the pattern information storage unit 411 from the taken image. A pattern ID corresponding to the existing pattern image is extracted (S903).

  Similarly, the deliverer takes a pattern image displayed on the authentication image display unit 404a of the authentication target device 400a with the camera device 300b of the authentication requesting device 400b, and stores the pattern image in the pattern information storage unit 411 from the taken image. A pattern ID corresponding to the current pattern image is extracted (S904).

  Here, if the pattern image cannot be extracted in S903 or S904, it is determined that the mutual authentication has failed because the authentication process cannot be performed, and the process ends. When the pattern image is extracted in S903 or S904, the authentication target device 400a uses the extracted pattern image or pattern ID and the device information stored in the device information storage unit 410 of the authentication target device 400a as the information management device 500. As the first authentication information (S905).

  Similarly, the authentication requesting device 400b transmits the extracted pattern image or pattern ID and device information stored in the device information storage unit 410 of the authentication requesting device 400b to the information management device 500 as second authentication information (S906). .

  When the identification information determination unit 501 of the information management device 500 receives the first authentication information from the authentication target device 400a and receives the second authentication information from the authentication requesting device 400b, the identification information determination unit 501 determines the identification information based on the received information. (S907).

  Specifically, an identification ID corresponding to the pattern ID of the first authentication information is acquired from the identification information storage unit 511. Then, it is determined whether the acquired identification ID is equal to the identification ID included in the second authentication information. In addition, an identification ID corresponding to the pattern ID of the second authentication information is acquired from the identification information storage unit 510. Then, it is determined whether the acquired identification ID is equal to the identification ID included in the first authentication information. If it is determined that any one of the identification IDs is not equal, the display is terminated because one of the pattern images may be invalid, and the process ends.

  When it is determined that the identification IDs are equal, the authentication target device 400a and the authentication requesting device 400b have confirmed each other's pattern images normally, and thus the information management device 500 identifies the authentication requesting device 400b. Information is acquired from the identification information storage unit 511 based on the identification ID and transmitted to the authentication target device 400a (S908), and identification information relating to the authentication target device 400a is acquired from the identification information storage unit 511 based on the identification ID. It transmits to 400b (S909). When receiving the identification information, the authentication target device 400a and the authentication requesting device 400b perform respective processes based on the received identification information.

  For example, the authentication target device 400a checks whether the authentication requesting device 400b is the intended delivery person authentication requesting device 400b. Similarly, the authentication requesting device 400b checks whether the authentication target device 400a is the intended consignee authentication target device 400a. Based on such check results, it is possible to confirm the validity and accuracy of each other.

  In the example in the case where the mutual authentication system is used in the transportation business in the first embodiment, when the pattern image stored in each device information storage unit 410 is copied and displayed on the authentication image display unit 404, There is a possibility of being impersonated. Therefore, in the second embodiment, a description will be given of an embodiment in which a pattern image is issued as necessary and used in the mutual authentication system.

  FIG. 10 illustrates a case where the consignee and the delivery person mutually authenticate using the temporary use pattern image as the authentication pattern image in each of the authentication target device 400a and the authentication requesting device 400b in the same usage scene as in the first embodiment. This shows the processing sequence. A process in the case where the consignee and the delivery person mutually authenticate using the temporary use pattern image as an authentication pattern image along the processing sequence of FIG. 10 will be described.

  First, the consignee requests the information management apparatus 500 to issue a temporary usage pattern ID from the authentication target apparatus 400a (S1001). The temporary usage pattern ID issuance request is made by transmitting the identification information of the authentication target device 400a together. When the pattern ID generation unit 502 of the information management apparatus 500 receives a request for issuing a temporary use pattern ID, the pattern management information storage unit 511 acquires one unused pattern ID from the pattern management information storage unit 511, and uses the acquired pattern ID. Change the flag while in use.

  Then, the pattern ID acquired in the “pattern ID” of the pattern issuance information storage unit 512, the identification ID transmitted from the authentication target device 400a as the “issue destination identification ID”, and the pattern ID issued as the “expiration date” Each time limit for which the corresponding pattern image can be used as an authentication pattern image is registered. For the expiration date, for example, an arbitrary period such as a date and time one hour after the date and time when the pattern ID is acquired is set.

  If the pattern ID is acquired, the acquired pattern ID is transmitted from the information management apparatus 500 to the authentication target apparatus 400a (S1002). In the authentication target device 400a, when the pattern ID is acquired, a pattern image corresponding to the pattern ID is acquired from the pattern information storage unit 411 and displayed as an authentication pattern image on the authentication image display unit 404a (S1003).

  Here, instead of acquiring the pattern image corresponding to the pattern ID from the pattern information storage unit 411, the pattern ID is passed to the authentication image display unit 404a, and the pattern image corresponding to the pattern ID is received from the authentication image display unit 404a as information. It may be acquired from the management apparatus 500 and displayed as an authentication pattern image.

  Similarly, also in the authentication requesting device 400b, when using the temporary usage pattern ID, the authentication requesting device 400b requests the information management device 500 to issue the temporary usage pattern ID (S1004). The pattern ID is acquired by the same processing as the above and is transmitted to the authentication requesting apparatus 400b (S1005).

  Then, when acquiring the pattern ID, the authentication requesting apparatus 400b acquires a pattern image corresponding to the pattern ID from the pattern information storage unit 411 and displays it as an authentication pattern image on the authentication image display unit 404b (S1003).

  Here, instead of acquiring the pattern image corresponding to the pattern ID from the pattern information storage unit 411, the pattern ID is passed to the authentication image display unit 404b, and the pattern image corresponding to the pattern ID is received from the authentication image display unit 404b as information. It may be acquired from the management apparatus 500 and displayed as an authentication pattern image.

  Then, the consignee takes a pattern image displayed on the authentication image display unit 404b of the authentication requesting device 400b with the camera device 300a of the authentication target device 400a, and stores the pattern image in the pattern information storage unit 411 from the taken image. A pattern ID corresponding to the existing pattern image is extracted (S1007).

  Similarly, the deliverer takes a pattern image displayed on the authentication image display unit 404a of the authentication target device 400a with the camera device 300b of the authentication requesting device 400b, and stores the pattern image in the pattern information storage unit 411 from the taken image. A pattern ID corresponding to the current pattern image is extracted (S1008).

  Here, if the pattern image cannot be extracted in S1007 or S1008, it is assumed that the mutual authentication has failed and the processing ends. When the pattern image is extracted in S1007 or S1008, the authentication target device 400a uses the extracted pattern image or pattern ID and the device information stored in the device information storage unit 410 of the authentication target device 400a as the information management device 500. As the first authentication information (S1009).

  Similarly, the authentication requesting device 400b transmits the extracted pattern image or pattern ID and device information stored in the device information storage unit 410 of the authentication requesting device 400b to the information management device 500 as second authentication information (S1010). .

  When the identification information determination unit 501 of the information management device 500 receives the first authentication information from the authentication target device 400a and receives the second authentication information from the authentication requesting device 400b, the identification information determination unit 501 determines the identification information based on the received information. (S1011). Specifically, first, an identification ID corresponding to the pattern ID of the first authentication information is tried to be acquired from the identification information storage unit 511.

  However, since the identification information corresponding to the temporary use pattern ID is not recorded in the identification information storage unit 511, the issue destination identification ID and the expiration date corresponding to the pattern ID are acquired from the pattern issue information storage unit 512 next. Try. If the issuer identification ID cannot be acquired, the pattern ID is not usable, so that the mutual authentication has failed and the process ends.

  Even if the issuer ID can be acquired, if the expiration date has passed, the pattern ID cannot be used anymore, so that the mutual authentication has failed and the process ends. If the issue destination identification ID can be acquired without completing the process, it is determined whether the acquired identification ID is equal to the identification ID included in the second authentication information. In addition, the identification ID corresponding to the pattern ID of the second authentication information is also acquired from the pattern issuance information storage unit 512 by the same process, and if the identification ID can be acquired without completing the process, the acquired identification can be obtained. It is determined whether the ID is equal to the identification ID included in the first authentication information.

  When it is determined that the identification IDs are equal, the authentication target device 400a and the authentication requesting device 400b have confirmed each other's pattern images normally, and thus the information management device 500 identifies the authentication requesting device 400b. The identification information storage unit 511 acquires the identification information from the identification information storage unit 511 based on the identification ID from which the information has been acquired (S1012). And is transmitted to the authentication requesting device 400b (S1013). When receiving the identification information, the authentication target device 400a and the authentication requesting device 400b perform respective processes based on the received identification information.

  Through the above processing, the consignee authentication target device 400a and the delivery person authentication requesting device 400b can perform mutual authentication by displaying the authentication pattern image using the temporary use pattern ID. Since the temporary use pattern ID cannot be used in the mutual authentication system when the expiration date has passed, it is possible to prevent impersonation in another terminal device even if the pattern image is copied.

  In the third embodiment, an example in which a mutual authentication system is used as a mechanism for unlocking a door will be described. When the pattern image is used as the door unlocking key, the unlocking requester displays the pattern image as the unlocking key on the portable terminal or the like. Then, the unlocking device side captures the pattern image with the camera device installed on the door to be unlocked, and if the captured pattern image is a pattern image registered as an unlocking key, Perform unlocking process. However, when the unlocking requester has a pattern image for unlocking a plurality of doors, a different door may be unlocked by mistake. For example, it is a case where a plurality of unlocking doors are adjacent to each other like a rental locker.

  In order to prevent the wrong door from being unlocked, the unlocking device not only checks whether the pattern image of the unlocking requester is properly registered as the unlocking key, but also unlocks the door. The lock requester also needs to confirm whether the door to be unlocked is the door to be unlocked.

  FIG. 11 illustrates a system configuration diagram in the case of performing door unlocking processing by displaying and authenticating a pattern image on a terminal device as a door unlocking key. The unlock requester possesses the camera-equipped terminal device 400 as the authentication target device 400c, and the unlocking device side represents a case where the terminal device 400d and the camera device 300d process the authentication request.

  FIG. 12 shows a processing sequence in the case where a mechanism for mutually confirming the unlocking requester and the unlocking device side is realized by using the mutual authentication system. A process when the unlocking requester and the unlocking device side mutually confirm will be described along the processing sequence of FIG.

  In the sequence of FIG. 12, the authentication pattern image serving as the unlocking key on the unlocking requester side uses the temporary use pattern ID by the method shown in the second embodiment in order to prevent the authentication pattern image from being duplicated. In this case, the authentication pattern image assigned in advance by the method shown in the first embodiment may be used as the unlocking key.

  First, the unlocking device displays the authentication pattern image assigned to itself on the authentication image display unit 404d in advance (S1201). The authentication image display unit 404d is not a display device or the like integrated with the terminal device 400d, but may be a plate with a pattern image printed thereon as shown in FIG.

  Next, the unlock requester requests the information management apparatus 500 to issue a temporary use pattern ID from the authentication target apparatus 400c (S1202), and the information management apparatus transmits the temporary use pattern ID to the authentication target apparatus 400c (S1203). . In the authentication target device 400c, when the pattern ID is acquired, a pattern image corresponding to the pattern ID is acquired from the pattern information storage unit 411 and displayed as an authentication pattern image on the authentication image display unit 404c (S1204). Processing from S1202 to S1204 for obtaining the temporary use pattern ID and displaying the authentication pattern image is the same as S1001 to S1003 in FIG.

  When the unlock requester displays the authentication pattern image on the authentication target device 400c, the unlocking requester captures the pattern image of the unlocking device and extracts the pattern image (S1205). At the same time, the pattern image displayed on the authentication target device 400c is captured by the camera device 300d on the unlocking device side (S1206), and the pattern image is extracted from the pattern image captured by the camera device 300d (S1207). Here, if the pattern image cannot be extracted in S1205 or S1207, it is determined that the mutual authentication has failed because the authentication process could not be performed, and the process ends.

  If the pattern images can be extracted from each other, next, the authentication target device 400c acquires the pattern ID corresponding to the extracted pattern image from the pattern information storage unit 411, and stores the device information stored in the device information storage unit 410. Is transmitted to the information management apparatus 500 as the first authentication information (S1208). Similarly, the terminal device 300d acquires a pattern ID corresponding to the extracted pattern image from the pattern information storage unit 411, and uses the device information stored in the device information storage unit 410 as second authentication information in the information management device 500. Transmit (S1208).

  When the information management apparatus 500 receives the first authentication information from the authentication target apparatus 400c and acquires the second authentication information from the terminal apparatus 300d, the information management apparatus 500 determines the identification information based on the received information (S1210). Specifically, first, an attempt is made to acquire an issue destination identification ID and an expiration date corresponding to the pattern ID of the second authentication information from the pattern issue information storage unit 512. If the issuer ID cannot be acquired, the pattern ID is not usable, so that the process ends with the authentication failure.

  Even if the issuer identification ID can be acquired, if the expiration date has passed, the pattern ID cannot be used anymore, so that the process ends as a result of authentication failure. If the issuer identification ID can be acquired without completing the process, it is determined whether the acquired identification ID is equal to the identification ID included in the first authentication information.

  When it is determined that the identification ID corresponding to the pattern ID of the second authentication information is the same as the identification ID of the first authentication information, the unlocking request from the unlocking requester to the unlocking device is valid. Since the determination can be made, the information management device 500 acquires the identification information related to the terminal device 300d from the identification information storage unit 511 based on the identification ID of the first authentication information, and transmits the identification information to the authentication target device 400c (S1211). Is acquired from the identification information storage unit 511 on the basis of the identification ID for which the identification information for which it was able to be acquired and transmitted to the terminal device 300d (S1212).

  The authentication target device 400c compares the identification ID of the door that was going to be unlocked with the identification ID included in the identification information based on the acquired identification information about the terminal device 300d, so that the door of the captured pattern image is displayed. Determine if it is the door you were trying to unlock.

  If it is determined that the door is to be unlocked, an unlock request is sent to the terminal device 300d (S1213). If it cannot be determined that the door is to be unlocked, no unlock request is made to prevent the wrong door from being unlocked.

  In the terminal device 300d, when an unlocking request is made, the unlocking requester who owns the unlocking target device 400c grants the unlocking authority for the door based on the identification information regarding the unlocking target device 400c acquired from the information management device 500. Determine if you have. If the user has the unlocking authority, the door is unlocked. If the user has no unlocking authority, the door is not unlocked.

  Through the processing described above, the authentication pattern image can be used as a door unlocking key, and it is possible to prevent an unlocking requester from unlocking the wrong door.

  In the fourth embodiment, an example in which a mutual authentication system is used to verify the validity of a WEB site will be described. For example, in the online WEB shopping site on the Internet, if the purchaser sends information such as a credit card number to the seller's WEB site, check whether the destination WEB site is really a genuine seller's WEB site There is a need to. This is because in the case of a spoofed WEB site, personal information may be transmitted by mistake.

  Accordingly, an embodiment in which a mechanism for confirming whether the WEB site displayed by the purchaser is a genuine WEB site and transmitting the purchaser's information to the seller side is realized using the mutual authentication system. Will be described.

  FIG. 13 is a system configuration diagram in a case where a mechanism for confirming whether a WEB site is a genuine WEB site and transmitting purchaser information to the seller side is realized using a mutual authentication system. In FIG. 13, the purchaser possesses the camera-equipped terminal device 400 as the authentication target device 400e, and the seller uses the terminal device 400f as the authentication requesting device. The seller uses the display of a display device such as a personal computer device for displaying the WEB site owned by the purchaser as the authentication image display unit 404f for displaying the authentication pattern image.

  Similarly, the camera device 300 of the seller also uses a camera device 300f such as a personal computer device 600 for displaying a WEB site owned by the purchaser. The authentication target device 400e, the personal computer device 600 that displays the WEB site, the terminal device 400f, and the information management device 500 are connected by a network line 100, respectively.

  A unique authentication pattern image associated with the identification ID of the authentication target device 400e is issued in advance to the authentication target device 400e and stored in the device information storage unit 410. Information of the issued authentication pattern image is managed by the pattern management information storage unit 510 and the identification information storage unit 511 of the information management device 500, and the pattern image and pattern ID associated with the identification ID of the authentication target device 400e are pattern management. A pattern image is recorded as being used in the information storage unit 510 and cannot be used elsewhere. The identification ID associated with the pattern ID and the terminal device information are stored in the identification information storage unit 511.

  FIG. 13 shows a processing sequence in the case where the purchaser confirms whether or not the WEB site of the seller is a regular WEB site and transmits the purchaser information in this embodiment. Processing in the case where the WEB site displayed on the purchaser side along the sequence shown in FIG. 13 is confirmed to be a legitimate seller's WEB site and the purchaser's information is transmitted will be described. First, the purchaser displays the authentication pattern image stored in the device information storage unit 410 on the authentication image display unit 404e of the authentication target device 400e (S1401).

  Next, the purchaser requests the information management apparatus 500 to issue a temporary usage pattern ID from the authentication target apparatus 400e (S1402). The issuance request for the temporary usage pattern ID is made by transmitting the identification information of the authentication target device 400e together. When the pattern ID generation unit 502 of the information management apparatus 500 receives the temporary use pattern ID issuance request, the pattern management information storage unit 510 acquires one unused pattern ID from the pattern management information storage unit 510 and uses the acquired pattern ID. Change the flag while in use.

  Then, the pattern ID acquired in the “pattern ID” of the pattern issue information storage unit 512, the identification ID transmitted from the authentication target device 400e as the “issue destination identification ID”, and the pattern ID issued as the “expiration date” Each time limit for which the corresponding pattern image can be used as an authentication pattern image is registered. For the expiration date, for example, an arbitrary period such as a date and time one hour after the date and time when the pattern ID is acquired is set.

  When the pattern ID is acquired, the acquired pattern ID is transmitted from the information management device 500 to the seller's terminal device 300f (S1403). In the terminal 300f, when the pattern ID is acquired, a pattern image corresponding to the pattern ID is acquired from the pattern information storage unit 411 and displayed as an authentication pattern image on the authentication image display unit 404f of the purchaser's personal computer device 600 (S1404). .

  In the second and third embodiments, the authentication pattern image corresponding to the temporary usage pattern ID is displayed on the authentication image display unit 404 of the terminal device 300 or the like that has transmitted the temporary usage pattern ID issuance request. The present embodiment is characterized in that the temporary use pattern image is displayed on the authentication image display unit 404 of the counterpart terminal device 300 or the like.

  When the authentication pattern image is displayed on the authentication image display unit 404e of the purchaser's authentication target device 400e and the authentication image display unit 404f of the personal computer device 600 controlled by the seller's terminal device 300f, respectively, The camera device 300e of the authentication target device 400e captures the pattern image displayed on the authentication image display unit 404f of the personal computer device 600 and extracts the pattern image (S1405).

  At the same time, the camera device 300d of the personal computer device 600 captures the pattern image displayed on the authentication image display unit 404e of the authentication target device 400e (S1406), and extracts the pattern image from the pattern image captured by the terminal device 300f. (S1407). Here, if the pattern image cannot be extracted in S1405 or S1407, it is determined that the mutual authentication has failed because the authentication process could not be performed, and the process ends.

  If each pattern image can be extracted, then the authentication target device 400e acquires the pattern ID corresponding to the extracted pattern image from the pattern information storage unit 411, and acquires the device information stored in the device information storage unit 410. It transmits to the information management apparatus 500 as 1st authentication information (S1408). Similarly, the terminal device 300f acquires a pattern ID corresponding to the extracted pattern image from the pattern information storage unit 411, and uses the device information stored in the device information storage unit 410 as second authentication information in the information management device 500. Transmit (S1409).

  When the information management apparatus 500 receives the first authentication information from the authentication target apparatus 400e and acquires the second authentication information from the terminal apparatus 300f, the information management apparatus 500 determines the identification information based on the received information (S1410). Specifically, first, an attempt is made to obtain an issue destination identification ID and an expiration date corresponding to the pattern ID of the first authentication information from the pattern issue information storage unit 512.

  If the issuer ID cannot be acquired, the pattern ID is not usable, so that the process ends with the authentication failure. Even if the issuer identification ID can be acquired, if the expiration date has passed, the pattern ID cannot be used anymore, so that the process ends as a result of authentication failure. If the issuer identification ID can be acquired without completing the process, it is determined whether the acquired identification ID is equal to the identification ID included in the first authentication information.

  In the first to third embodiments, the comparison determination between the identification ID acquired from the authentication information and the identification ID acquired from the pattern ID is a comparison between the first authentication information and the second authentication information. However, in this embodiment, in S1404, the temporary usage pattern image displayed on the authentication image display unit 404 is a pattern corresponding to the pattern ID acquired by making a temporary usage pattern ID issue request from the authentication target device 400e. Since it is an image, it is a comparison determination between the identification ID acquired from the first authentication information and the identification ID acquired from the pattern ID of the first authentication information.

  As for the verification of the pattern ID of the second authentication information, as in the first to third embodiments, the identification ID corresponding to the pattern ID of the second authentication information is acquired from the identification information storage unit 511 and the acquired identification ID is the first ID. This is performed by determining whether or not it is equal to the identification ID included in one authentication information.

  When it is determined that the respective identification IDs are equal, it is mutually confirmed that the purchaser's authentication target device 400e is an authorized user and that the seller's terminal device 400f is a WEB site intended by the authorized purchaser. Since the information can be confirmed, the information management apparatus 500 acquires the identification information regarding the terminal apparatus 400f from the identification information management unit 511 based on the identification ID that can be acquired, and transmits the identification information to the authentication target apparatus 400e (S1411). Is acquired from the identification information management unit 511 on the basis of the identification ID for which the identification information related to can be acquired, and transmitted to the terminal device 300f (S1412).

  Upon receiving the identification information, the authentication target device 400e verifies the seller's WEB site information based on the received identification information, and if there is no problem, transmits the seller's information to the WEB site. Further, when receiving the identification information, the terminal device 300f acquires the purchaser information based on the received identification information, sends the information to the WEB site, and performs processing on the WEB site.

  Here, the personal information of the purchaser is registered and managed in advance in the identification information storage unit 511 of the information management apparatus 500 as identification information, so that the necessary personal information is transmitted from the information management apparatus 500 to the terminal device 300f. May be.

  The specific examples of the mutual authentication system according to the present invention have been described above using the first to fourth examples. As shown in the embodiment, by using the mechanism of the mutual authentication system of the present invention, the authentication requester not only authenticates the authentication target person, but also the authentication target person authenticates the authentication requester. An authentication mechanism can be realized.

  In the above-described embodiment, the description has been given based on each processing unit of the mutual authentication system. However, in the above-described embodiment, a computer in which various processes are executed by hardware logic or a program is executed. It may be a method, or may be a program that is executed by causing a computer to read and execute a program prepared in advance in the above embodiment.

  Further, the technical scope of the present invention is not affected by the above-described embodiment, and modifications that are apparent to those skilled in the art within the scope of the technical idea described in the claims. Naturally, it belongs to the technical scope of the present invention.

DESCRIPTION OF SYMBOLS 100 Network line 200 Terminal apparatus 300 Camera apparatus 400 Terminal apparatus with a camera apparatus 401 Camera image | video acquisition part 402 Pattern image recognition part 403 Authentication information transmission part 404 Authentication image display part 405 Pattern ID request | requirement part 406 Identification information acquisition part 410 Equipment information storage part 411 Pattern information storage unit 500 Information management device 501 Identification information determination unit 502 Pattern ID generation unit 503 Identification information transmission unit 510 Pattern management information storage unit 511 Identification information storage unit 512 Pattern issue information storage unit 600 Personal computer device

Claims (4)

A mutual authentication system including one or more terminal devices, a camera device connected to each of the terminal devices, and an information management device,
The terminal device
An authentication image display unit for displaying a pattern image corresponding to the pattern ID corresponding to the terminal device;
A camera video acquisition unit that acquires video captured by a camera device connected to the terminal device;
A pattern image recognition unit for extracting a pattern image from the video imaged by the camera video acquisition unit;
An authentication information transmission unit for transmitting authentication information including the pattern image extracted by the pattern image recognition unit and identification information of the terminal device to the information management device;
An identification information acquisition unit that acquires identification information from the information management device;
The information management device includes:
Receiving the first authentication information and the second authentication information respectively transmitted from the terminal device, the identification information corresponding to the pattern image of the first authentication information matches the identification information of the terminal that transmitted the second authentication information, and An identification information determination unit that determines whether the identification information corresponding to the pattern image of the second authentication information matches the identification information of the terminal that transmitted the first authentication information;
A mutual authentication system, comprising: an identification information transmitting unit that transmits the identification information to the terminal device when the identification information determining unit determines that the identification information matches. The mutual authentication system according to claim 1,
The information management device includes:
A pattern ID generating unit that generates a pattern ID corresponding to each of the terminal devices;
The terminal device
A pattern ID requesting unit that requests the information management apparatus to issue a pattern ID corresponding to the terminal;
The authentication image display unit is an authentication image display unit that receives the pattern ID generated by the pattern ID generation unit of the information management apparatus and displays a pattern image corresponding to the received pattern ID. system. The mutual authentication system according to claim 2,
The identification information determination unit receives the first authentication information and the second authentication information respectively transmitted from the terminal device, and the identification information corresponding to the pattern image of the first authentication information identifies the terminal that has transmitted the first authentication information. An identification information determination unit that determines whether or not the identification information corresponding to the pattern image of the second authentication information matches the identification information of the terminal that transmitted the first authentication information. Mutual authentication system. A mutual authentication program for operating a computer as the mutual authentication system according to claim 1.