JP2015225370A - Authentication system, authentication method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system, an authentication method, and a program that are able to appropriately provide a service using plaintext data communicated wirelessly.SOLUTION: An authentication system of the present invention comprises: first acquisition means 51 for acquiring plaintext data via radio communication with a first communication device that wirelessly transmits plaintext data in a prescribed space; second acquisition means 52 for acquiring encrypted data via radio communication with a second communication device that wirelessly transmits encrypted data in a prescribed space; third acquisition means 53 for acquiring authentication data corresponding to the second communication device when the encrypted data is acquired; authentication means 54 for performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired; and permission means 55 for permitting the use of plaintext data if the authentication is a success.

Description

  The present invention relates to an authentication system, an authentication method, and a program.

  In recent years, in order to attract a user to, for example, a real store, a service using the position of a communication terminal possessed by the user has been proposed.

  For example, in Patent Literature 1, when a user's terminal device is present in a communication area of a wireless communication device, information regarding benefits such as points, coupons, or tickets is transmitted from the wireless communication device to the terminal via short-range wireless communication. Techniques for transmitting to a device are disclosed.

JP 2013-223158 A

  However, since the technique described in Patent Document 1 performs short-range wireless communication using plaintext data, for example, after collecting plaintext data transmitted from a wireless communication device within the communication area, In this case, by transmitting the plaintext data to the terminal device using a device other than the wireless communication device, it is possible to transmit information related to the privilege to the terminal device. In other words, once the user has moved into the communication area, the user can acquire information about the privilege without moving again into the communication area. There was a risk that it would be difficult to provide it.

  The present invention has been made in view of the above problems, and an object of the present invention is to provide an authentication system, an authentication method, and a program capable of appropriately providing a service using plaintext data wirelessly communicated.

  In order to solve the above problems, first, the present invention includes a first acquisition unit that acquires the plaintext data via wireless communication with a first communication device that wirelessly transmits the plaintext data within a predetermined space; Second acquisition means for acquiring the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data in the predetermined space; and when the encrypted data is acquired, Authentication means for performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired; and third acquisition means for acquiring authentication data corresponding to the two communication devices An authentication system is provided, comprising: means; and permission means for permitting use of the acquired plaintext data when the authentication is successful (invention 1).

  Here, the authentication data may be, for example, key data used for authentication, encrypted data, or plain text data before encryption.

  Further, permitting use of plaintext data may be, for example, permitting access to plaintext data by predetermined software, or transmitting plaintext data to the software. The plain text data may be stored in a storage device accessible by the software.

  According to this invention (Invention 1), in order to use plaintext data, it is necessary to succeed in authentication using encrypted data and authentication data. Data, encrypted data, and authentication data need to be acquired. For this reason, since the plaintext data cannot be used for the user simply by collecting the plaintext data, for example, information on the privilege is acquired without moving to the communication area after moving to the communication area once. The act of doing can be suppressed. Accordingly, it is possible to appropriately provide a service using plaintext data wirelessly communicated.

  In the above invention (Invention 1), there are a plurality of the first communication devices in the predetermined space, and the first acquisition means is the first communication device capable of wireless communication among the plurality of first communication devices. Each time it is detected, the plaintext data is acquired from the detected first communication device, and when the authentication is successful, the permission means permits the use of the plaintext data acquired within a predetermined period. Preferred (Invention 2).

  Here, the predetermined period may be a period after authentication, may be a period before authentication, or may be a period including before and after authentication.

  According to this invention (invention 2), once authentication is successful, it becomes possible to use all plaintext data acquired within a predetermined period. In this case, the number of times authentication processing is executed can be reduced as compared with the case where authentication relating to permission to use plaintext data is performed for every plaintext data acquired within a predetermined period. Therefore, a plurality of plaintext data can be used more quickly.

  In the above inventions (Inventions 1 and 2), the second communication device generates the encrypted data based on the original data when receiving the original data that is plaintext data that is the source of the encrypted data. Preferably, the apparatus further comprises transmission means for transmitting the original data to the second communication device (invention 3).

  According to this invention (invention 3), since the original data can be encrypted by the second communication device, for example, the content of the encrypted data is changed by changing the original data at every predetermined timing. Can do. For this reason, for example, the security of authentication can be improved as compared with the case where authentication is performed using certain encrypted data.

  In the above inventions (Inventions 1 to 3), there are a plurality of the second communication devices in the predetermined space, and the second acquisition means is the second communication capable of wireless communication among the plurality of second communication devices. Each time a device is detected, the encrypted data is acquired from the detected second communication device, and the authentication means includes the encrypted data and the authentication data corresponding to each of the plurality of second communication devices. Preferably, the authentication is performed for each of the plurality of second communication devices, and the permission unit permits the use of the plaintext data when the result of the authentication satisfies a predetermined condition ( Invention 4).

  Here, the predetermined condition may be, for example, that all the authentication results of the plurality of second communication devices are successful, or the second that has been successfully authenticated among the plurality of second communication devices. The ratio or the number of communication devices may be a predetermined threshold value or more.

  According to this invention (invention 4), in order for plaintext data to be used, the authentication result for each of the plurality of second communication devices needs to satisfy a predetermined condition. Thereby, the security with respect to use of plaintext data can be improved more.

  Secondly, the present invention provides a step in which a computer acquires the plaintext data via wireless communication with a first communication device that wirelessly transmits the plaintext data within a predetermined space, and generates encrypted data; and Obtaining the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data within the predetermined space; and when obtaining the encrypted data, the second Obtaining authentication data corresponding to a communication device; performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are obtained; and the authentication If the authentication is successful, an authentication method is provided that executes the steps of permitting use of the acquired plaintext data (Invention 5).

  According to this invention (invention 5), in order to use plaintext data, it is necessary to succeed in authentication using encrypted data and authentication data, and in order to perform authentication, plaintext data is required. Data, encrypted data, and authentication data need to be acquired. For this reason, since the plaintext data cannot be used for the user simply by collecting the plaintext data, for example, information on the privilege is acquired without moving to the communication area after moving to the communication area once. The act of doing can be suppressed. Accordingly, it is possible to appropriately provide a service using plaintext data wirelessly communicated.

  Third, the present invention generates, in a computer, a function for acquiring the plaintext data via wireless communication with a first communication device that wirelessly transmits the plaintext data within a predetermined space, and generates encrypted data; and A function of acquiring the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data within the predetermined space; and when the encrypted data is acquired, the second communication device. A function to acquire authentication data corresponding to the function, a function to perform authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired, and the authentication was successful In this case, a program for realizing the function of permitting use of the acquired plaintext data is provided (invention 6).

  According to this invention (Invention 6), in order to use plaintext data, it is necessary to succeed in authentication using encrypted data and authentication data, and in order to perform authentication, plaintext data is required. Data, encrypted data, and authentication data need to be acquired. For this reason, since the plaintext data cannot be used for the user simply by collecting the plaintext data, for example, information on the privilege is acquired without moving to the communication area after moving to the communication area once. The act of doing can be suppressed. Accordingly, it is possible to appropriately provide a service using plaintext data wirelessly communicated.

  According to the authentication system, authentication method, and program of the present invention, it is possible to appropriately provide a service that uses plaintext data that is wirelessly communicated.

It is a figure showing roughly the basic composition of the authentication system concerning a 1st embodiment of the present invention. It is a block diagram which shows the structure of a communication terminal. It is a block diagram which shows the structure of an authentication server. It is a figure which shows the structural example of group data. It is a figure which shows the structural example of key data. It is a functional block diagram for demonstrating the function which plays the main roles in an authentication system. It is a sequence diagram which shows an example of the main processes of the authentication system of 1st Embodiment. It is a functional block diagram of the authentication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of the main processes of the authentication system of 2nd Embodiment. It is a figure which shows an example of the relationship between the detection order of a 1st communication apparatus and a 2nd communication apparatus, and a predetermined period in the modification 1. FIG. It is a functional block diagram for demonstrating the function which plays a main role in the authentication system of the modification 2. It is a sequence diagram which shows an example of the main processes of the authentication system of the modification 2.

(First embodiment)
Hereinafter, a first embodiment of the present invention will be described in detail with reference to the accompanying drawings. However, this embodiment is an exemplification, and the present invention is not limited to this.

(1) Basic Configuration of Authentication System FIG. 1 is a diagram schematically showing a basic configuration of an authentication system according to the first embodiment of the present invention. As shown in FIG. 1, for example, in a predetermined indoor space S such as in a store, a first communication device 10 that wirelessly transmits plaintext data (unencrypted data) and a first wireless device that wirelessly transmits encrypted data. 2 communication devices 20 are provided. In this authentication system, the user communication terminal 30 receives (acquires) plaintext data and encrypted data via wireless communication in the space S, receives (acquires) authentication data from the authentication server 40, and encrypts the data. Authentication is performed using data and authentication data, and when the authentication is successful, the use of plain text data is permitted. The communication terminal 30 and the authentication server 40 are connected to a communication network NW (network) such as the Internet or a LAN (Local Area Network). The space S may be an outdoor space.

  In the present embodiment, for a user who visits an actual store, a service that transmits information related to benefits such as points, discount coupons or tickets to the user's communication terminal 30 is a service that uses plaintext data wirelessly communicated. This will be described as an example. That is, the plaintext data in the present embodiment includes information related to benefits.

  The first communication device 10 may be, for example, a beacon with a built-in button-type battery, and is provided in the space S at a position where it can perform near field communication with the communication terminal 30 using Bluetooth (registered trademark). It has been. Further, the first communication device 10 is configured to transmit plaintext data constantly or at predetermined intervals (for example, every several tens to several hundreds of milliseconds). Further, the first communication device 10 may wirelessly transmit a unique device ID together with plain text data. Moreover, plaintext data may be comprised by text data, image data, audio | voice data, or the data which combined these. In addition, although the case where near field communication is performed using Bluetooth (registered trademark) is described as an example here, the present invention is not limited to this case. For example, a wireless communication method such as a wireless LAN (for example, Wi-Fi (registered trademark)), ZigBee (registered trademark), UWB, optical wireless communication (for example, infrared) may be used. Further, the first communication device 10 may be configured to receive data transmitted from the communication terminal 30 via wireless communication.

  The second communication device 20 has substantially the same configuration as the first communication device 20 and is capable of performing short-range wireless communication with the communication terminal 30 using Bluetooth (registered trademark) in the space S. Is provided. The second communication device 20 is configured to transmit the encrypted data constantly or at predetermined intervals (for example, every several tens to several hundreds of milliseconds). Further, the second communication device 20 may wirelessly transmit a unique device ID together with the encrypted data. Here, the second communication device 20 may store an encryption key, and may generate encrypted data using the encryption key. As the encryption method, a well-known one may be adopted. For example, a common key encryption method such as AES (Advanced Encryption Standard), DES (Data Encryption Standard), or TDES (Triple DES) may be used. R. Rivest, A. Shamir, L. Adelman) or a public key cryptosystem such as elliptic curve cryptography. In the present embodiment, a case where a common key encryption method (for example, AES) is used as an encryption method will be described as an example. Further, the second communication device 20 converts the original data, which is plaintext data that is the source of the encrypted data, based on, for example, a predetermined mathematical algorithm or a predetermined rule every time a predetermined time (for example, 1 hour) elapses. May be changed. In this case, it is possible to change the encrypted data every time a predetermined time elapses. Further, the second communication device 10 may be configured to receive data transmitted from the communication terminal 30 via wireless communication.

  The communication terminal 30 performs wireless communication with the first communication device 10 when present in the communicable region of the first communication device 10, and the second communication device 30 when present within the communicable region of the second communication device 20. 2 is configured to perform wireless communication with the communication device 20. The communication terminal 30 is, for example, a mobile terminal, a smartphone, a PDA (Personal Digital Assistant), a personal computer, a television receiver having a bidirectional communication function (including a so-called multi-function smart TV), or the like. It may be a communication terminal operated by an individual user.

  In the present embodiment, the authentication server 40 is configured to be able to communicate with the communication terminal 30 via the communication network NW, and uses the device ID of the second communication device 20 received from the communication terminal 30 as described later. The encryption key of the second communication device 20 is extracted, and authentication data is generated using the extracted encryption key. Then, the authentication server 40 transmits the generated authentication data to the communication terminal 30.

(2) Configuration of Communication Terminal The communication terminal 30 will be described with reference to FIG. FIG. 2 is a block diagram showing an internal configuration of the communication terminal 30. As illustrated in FIG. 2, the communication terminal 30 includes a CPU (Central Processing Unit) 31, a ROM (Read Only Memory) 32, a RAM (Random Access Memory) 33, a nonvolatile memory 34, a display processing unit 35, and the like. The display unit 36, the input unit 37, and the communication interface unit 38 are provided, and a bus 39 for transmitting control signals or data signals between the units is provided.

  When the power is turned on to the communication terminal 30, the CPU 31 loads various programs stored in the ROM 32 or the nonvolatile memory 34 into the RAM 33 and executes them. The CPU 31 receives data transmitted from the communication devices 10 and 20 via the communication interface unit 38 and interprets the data. In addition, the CPU 31 transmits data stored in the ROM 32, RAM 33, or nonvolatile memory 34 to the authentication server 40 via the communication interface unit 38. Note that the CPU 31 may transmit data stored in the ROM 32, RAM 33, or nonvolatile memory 34 to each of the communication devices 10 and 20 via the communication interface unit 38.

  In the present embodiment, the CPU 31 reads out and executes a program stored in the ROM 32 or the nonvolatile memory 34 to thereby execute a first acquisition unit 51, a second acquisition unit 52, a third acquisition unit 53, and an authentication unit 54, which will be described later. And the function of the permission means 55 (shown in FIG. 6) is implement | achieved.

  The nonvolatile memory 34 is, for example, a flash memory, and stores a program executed by the CPU 31 and data referred to by the CPU 31. The nonvolatile memory 34 may store application software that uses plain text data transmitted from the first communication device 10. For example, the application software may be configured to use plain text data by operating the display unit 36 to display information related to a privilege included in the plain text data. The application software may be configured to automatically start when the CPU 31 receives data from the first communication device 10 or the second communication device 20.

  The display processing unit 35 displays the display data given from the CPU 31 on the display unit 36. The display unit 36 is, for example, an LCD (Liquid Cristal Display) monitor including thin film transistors arranged in pixel units in a matrix, and drives the thin film transistors based on the display data to display the displayed data on the display screen. indicate.

  When the communication terminal 30 is a button input type communication terminal, the input unit 37 includes a button group including a plurality of instruction input buttons such as a direction instruction button and a determination button for accepting a user operation input, a numeric keypad, and the like. A button group including a plurality of instruction input buttons, and includes an interface circuit for recognizing a pressing (operation) input of each button and outputting it to the CPU 31.

  When the communication terminal 30 is a touch panel input type communication terminal, the input unit 37 accepts touch panel type input mainly by touching the display screen with a fingertip or a pen. The touch panel input method may be a known method such as a capacitance method.

  The communication interface unit 38 includes an interface circuit for performing communication using the above-described wireless communication method, and an interface circuit for performing communication via the communication network NW.

(3) Configuration of Authentication Server The configuration of the authentication server 40 will be described with reference to FIG. FIG. 3 is a block diagram showing the internal configuration of the authentication server 40. As shown in FIG. 3, the authentication server 40 includes a CPU 41, a ROM 42, a RAM 43, an HDD (Hard Disk Drive) 44, and a communication interface unit 45, and transmits control signals or data signals between the respective units. A bus 46 is provided. The authentication server 40 may be a general-purpose personal computer, for example.

  When the power is turned on to the authentication server 40, the CPU 41 loads various programs stored in the ROM 42 or the HDD 44 into the RAM 43 and executes them.

  The HDD 44 is a nonvolatile storage device, and stores an operating system (OS) and a program executed on the OS. Further, the HDD 44 may store group data representing the correspondence relationship between the first communication device 10 and the second communication device 20 provided in the same space. An example of the data structure of the group data is shown in FIG. The group data shown in FIG. 4 includes device IDs of the first communication device 10 and the second communication device 20 existing in the space for each space (space ID). As shown in FIG. 4, each of the first communication device 10 and the second communication device 20 may be provided in the same space (in the example of the figure, the space ID is “S-01”). Any one of the first communication device 10 and the second communication device 20 may be provided in the same space (in the example of the figure, the space ID is “S-02”). Or it corresponds to the space of “S-03”). A plurality of first communication devices 10 and a plurality of second communication devices 20 may be provided in the same space (in the example of the figure, the space ID corresponds to the space of “S-04”). ).

  Further, the HDD 44 may store key data corresponding to the encryption key of the second communication device 20. An example of the data structure of the key data is shown in FIG. The key data shown in FIG. 5 includes the contents of the key data corresponding to the second communication device 20 for each of the plurality of second communication devices 20 (device IDs of the second communication device). When the common key cryptosystem is adopted as the encryption scheme, the content of the encryption key stored in the second communication device 20 and the content of the key data corresponding to the second communication device 20 are the same. . When the public key cryptosystem is adopted as the encryption scheme, the public key data may be stored in one of the second communication device 20 and the key data, and the secret key data may be stored in the other.

  Further, the CPU 41 may generate encrypted data using the key data for each of the plurality of second communication devices 20. Here, the plaintext data (hereinafter referred to as pre-encryption data) that is the source of the encrypted data generated by the authentication server 40 has an encryption key corresponding to the key data for generating the encrypted data. 2 may be configured to be the same as the original data in the communication device 20. That is, when the common key encryption method is adopted as the encryption method, the encrypted data generated in the second communication device 20 and the encrypted data generated in the authentication server 40 are always the same.

  The communication interface unit 45 includes an interface circuit for performing communication via the communication network NW.

(4) Overview of Functions in Authentication System Functions realized by the authentication system of this embodiment will be described with reference to FIG. FIG. 6 is a functional block diagram for explaining functions that play a main role in the authentication system of the present embodiment. In the functional block diagram of FIG. 6, the first acquisition unit 51, the second acquisition unit 52, the third acquisition unit 53, the authentication unit 54, and the permission unit 55 correspond to the main configuration of the present invention.

  The first acquisition means 51 has a function of acquiring plaintext data via wireless communication with the first communication device 10 that wirelessly transmits plaintext data within the predetermined space S. The function of the 1st acquisition means 51 is implement | achieved as follows, for example.

  For example, when the communication terminal 30 exists in the communicable area of the first communication device 10, the CPU 31 of the communication terminal 30 receives the device ID and plaintext data of the first communication device 10 transmitted from the first communication device 10. And received (acquired) via the communication interface unit 38. Further, the CPU 31 stores the received device ID and plaintext data of the first communication device 10 in the RAM 33, for example.

  When the CPU 31 stores the device ID and plaintext data of the first communication device 10 in the RAM 33, the CPU 31 reads application software that uses the plaintext data of the first communication device 10 from the nonvolatile memory 34 and loads it into the RAM 33. Later, the application software may be activated.

  Further, when the CPU 31 of the communication terminal 30 receives the device ID of the first communication device 10 and the plain text data, the first communication device 10 searches for the second communication device 10 existing in the same space (space S). May be transmitted to the authentication server 40 via the communication interface unit 38 and the communication network NW.

  In this case, when the CPU 41 of the authentication server 40 receives the device ID of the first communication device 10 via the communication interface unit 45, the CPU 41 accesses the group data in the HDD 44 and receives the received device ID of the first communication device 10. The device ID (for example, “20-001”) of the second communication device 20 associated with the same space ID (for example, “S-01”) as (for example, “10-001”) may be extracted. Then, the CPU 41 of the authentication server 40 may transmit the extracted device ID of the second communication device 20 to the communication terminal 30 via the communication interface unit 45 and the communication network NW.

  Then, when the CPU 31 of the communication terminal 30 receives the device ID of the second communication device 20 from the authentication server 40, the CPU 31 of the second communication device 20 may store the received device ID of the second communication device 20 in the RAM 33.

  The second acquisition unit 52 has a function of acquiring encrypted data via wireless communication with the second communication device 20 that wirelessly transmits the encrypted data within the predetermined space S. The function of the 2nd acquisition means 52 is implement | achieved as follows, for example.

  For example, when the communication terminal 30 exists in the communicable area of the second communication device 20, the CPU 31 of the communication terminal 30 receives the device ID and encrypted data of the second communication device 20 transmitted from the second communication device 20. And received (acquired) via the communication interface unit 38. Further, the CPU 31 stores the received device ID and encrypted data of the second communication device 20 in the RAM 33, for example.

  Further, when the CPU 31 of the communication terminal 30 receives the device ID of the second communication device 20 from the authentication server 40 based on the function of the first acquisition unit 51, the CPU 31 stores the device ID stored in the RAM 33 as a search target. The device ID of the second communication device 20 may be searched. Here, when the device ID of the second communication device 20 is searched, the CPU 31 of the communication terminal 30 may perform processing for realizing the function of the third acquisition unit 53 described later. On the other hand, if the device ID of the second communication device 20 is not stored in the RAM 33, the CPU 31 of the communication terminal 30 performs other processing (for example, until the device ID and the encrypted data are received from the second communication device 20). When there are a plurality of first communication devices 10, the device ID and plaintext data of other first communication devices 10 may be acquired based on the function of the first acquisition means 51.

  The third acquisition unit 53 has a function of acquiring authentication data corresponding to the second communication device 20 when the encrypted data is acquired. Here, the authentication data may be, for example, key data used for authentication, encrypted data, or plain text data before encryption.

  The function of the 3rd acquisition means 53 is implement | achieved as follows, for example. Here, a case where the authentication data is encrypted data will be described as an example. When receiving the device ID and the encrypted data from the second communication device 20, the CPU 31 of the communication terminal 30 transmits the device ID of the second communication device 20 to the authentication server 40, and sends the authentication data to the authentication server 40. Request transmission.

  On the other hand, when receiving the request from the communication terminal 30, the CPU 41 of the authentication server 40 accesses the key data in the HDD 44 and obtains the key data corresponding to the device ID of the second communication device 20 transmitted from the communication terminal 30. Extract. Then, the CPU 41 encrypts the data before encryption (in this embodiment, the content of the data before encryption is the same as the content of the original data in the second communication device 20) using the extracted key data. As a result, authentication data is generated. Next, the CPU 41 transmits the generated authentication data to the communication terminal 30.

  When the CPU 31 of the communication terminal 30 receives (acquires) authentication data from the authentication server 40, the CPU 31 stores the authentication data in the RAM 33, for example.

  The authentication unit 54 has a function of performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired.

  The function of the authentication means 54 is implement | achieved as follows, for example. When acquiring the encrypted data and the authentication data, the CPU 31 of the communication terminal 30 performs authentication using the encrypted data and the authentication data. Here, in this embodiment, authentication is performed by determining whether or not the encrypted data and the authentication data are the same. If the encrypted data and the authentication data are the same, the authentication is performed. The result is a success, and if it is not the same, the authentication result is a failure. Note that the authentication method is not limited to this case, and a known authentication method may be employed as appropriate.

  The permission unit 55 has a function of permitting the use of plaintext data when authentication is successful. Here, permitting the use of plaintext data may be, for example, permitting access to plaintext data by predetermined software, or transmitting plaintext data to the software. Alternatively, the plain text data may be stored in a storage device accessible by the software.

  The function of the permission means 55 is implement | achieved as follows, for example. Here, a case will be described as an example where permission to use plaintext data is to store plaintext data in a storage device accessible by predetermined application software. When the authentication is successful, the CPU 31 of the communication terminal 30 stores the plaintext data acquired from the first communication device 10 in an area in the RAM 33 that is accessible to application software that uses the plaintext data. Thereafter, the application software can use the plain text data acquired from the first communication device 10.

  When the software that uses the plaintext data is executed by another device (for example, an application server), the CPU 31 converts the plaintext data acquired from the first communication device 10 into the communication interface unit 38 and the communication network NW. It may be transmitted to the other device via

(5) Sequence of Main Processes of Authentication System of Present Embodiment Next, an example of a sequence of main processes performed by the authentication system of the present embodiment will be described with reference to the sequence diagram of FIG.

  First, in the space S, the first communication device 10 wirelessly transmits a device ID and plaintext data (step S100), and the second communication device 20 wirelessly transmits a device ID and encrypted data ( Step S102). When the communication terminal 30 exists in the communicable area of the first communication device 10 in the space S, the CPU 31 of the communication terminal 30 displays the device ID and plaintext data transmitted from the first communication device 10 as a communication interface unit. It is received (acquired) via 38 (step S104). Here, the CPU 31 of the communication terminal 30 may read application software using plain text data from the nonvolatile memory 34 and load it into the RAM 33 to start the application software.

  Next, the CPU 31 of the communication terminal 30 transmits the device ID of the first communication device 10 to the authentication server 40 via the communication interface unit 38 and the communication network NW (step S106). On the other hand, when the CPU 41 of the authentication server 40 receives the device ID of the first communication device 10 via the communication interface unit 45, the CPU 41 accesses the group data in the HDD 44 and receives the received device ID of the first communication device 10 ( For example, the device ID (for example, “20-001”) of the second communication device 20 associated with the same space ID (for example, “S-01”) as “10-001”) is extracted (step S108). Then, the CPU 41 of the authentication server 40 transmits the extracted device ID of the second communication device 20 to the communication terminal 30 via the communication interface unit 45 and the communication network NW (step S110).

  Next, the CPU 31 of the communication terminal 30 searches for the device ID of the second communication device 20 using the device ID stored in the RAM 33 as a search target (step S112). Here, when the device ID of the second communication device 20 is searched, the CPU 31 of the communication terminal 30 performs a process of step S116 described later. On the other hand, when the device ID of the second communication device 20 is not stored in the RAM 33, the CPU 31 of the communication terminal 30 receives other device IDs and encrypted data from the second communication device 20 (step S114). Processing may be performed.

  Next, when receiving the device ID and the encrypted data from the second communication device 20, the CPU 31 of the communication terminal 30 transmits the device ID of the second communication device 20 to the authentication server 40 and authenticates the authentication server 40. A request for transmission of data for use is made (step S116). On the other hand, when receiving the request from the communication terminal 30, the CPU 41 of the authentication server 40 accesses the key data in the HDD 44 and obtains the key data corresponding to the device ID of the second communication device 20 transmitted from the communication terminal 30. Extract. Then, the CPU 41 generates authentication data by encrypting the pre-encrypted data using the extracted key data (step S118). Next, the CPU 41 transmits the generated authentication data to the communication terminal 30 (step S120).

  When the CPU 31 of the communication terminal 30 acquires the plaintext data of the first communication device 10, the encrypted data of the second communication device 20, and the authentication data, the CPU 31 performs authentication using the encrypted data and the authentication data ( Step S122). Here, in this embodiment, authentication is performed by determining whether or not the encrypted data and the authentication data are the same. If the encrypted data and the authentication data are the same, the authentication is performed. The result is a success, and if it is not the same, the authentication result is a failure.

  Then, when the authentication is successful, the CPU 31 of the communication terminal 30 permits the use of the plain text data acquired from the first communication device 10 (step S124). For example, the CPU 31 of the communication terminal 30 may store the plain text data in an area in the RAM 33 that can be accessed by application software that uses the plain text data. Thereafter, this application software can use plain text data.

  As described above, according to the authentication system, authentication method, and program of the present embodiment, in order to use plaintext data, it is necessary to successfully perform authentication using encrypted data and authentication data. In order to perform authentication, it is necessary to acquire plaintext data, encrypted data, and authentication data. For this reason, since the plaintext data cannot be used for the user simply by collecting the plaintext data, for example, information on the privilege is acquired without moving to the communication area after moving to the communication area once. The act of doing can be suppressed. Accordingly, it is possible to appropriately provide a service using plaintext data wirelessly communicated.

(Second Embodiment)
Hereinafter, a second embodiment of the present invention will be described. The authentication system according to the present embodiment is different from the first embodiment in that the authentication server 40 performs authentication. Hereinafter, a configuration different from the first embodiment will be described.

  A functional block diagram of the authentication system of this embodiment is shown in FIG. As shown in FIG. 8, this functional block diagram is different from that shown in FIG. 6 in that the third acquisition unit 53 and the authentication unit 54 are provided in the authentication server 40.

  The function of the 3rd acquisition means 53 in this embodiment is implement | achieved as follows, for example. Here, a case where the authentication data is key data used for authentication will be described as an example. First, when receiving the device ID and encrypted data from the second communication device 20, the CPU 31 of the communication terminal 30 transmits the device ID and encrypted data of the second communication device 20 to the authentication server 40. On the other hand, when the CPU 41 of the authentication server 40 receives the device ID and encrypted data of the second communication device 20 from the communication terminal 30, the CPU 41 accesses the key data in the HDD 44 and transmits the second communication device transmitted from the communication terminal 30. Key data (authentication data) corresponding to the device ID of 20 is extracted (acquired).

  Moreover, the function of the authentication means 54 in this embodiment is implement | achieved as follows, for example. When acquiring the key data (authentication data), the CPU 41 of the authentication server 40 encrypts the pre-encrypted data using the key data. Here, this encrypted data is referred to as generated data. Next, the CPU 41 performs authentication by determining whether or not the encrypted data and the generated data of the second communication device 20 are the same, and the encrypted data and the generated data of the second communication device 20 are the same. If it is, it is determined that the authentication has succeeded, and if it is not the same, it is determined that the authentication has failed.

  Note that the CPU 41 decrypts the encrypted data of the second communication device 20 using the key data corresponding to the second communication device 20, and whether the decrypted data and the data before encryption are the same. Authentication may be performed by determining whether or not. In this case, when the decrypted data and the pre-encryption data are the same, it may be determined that the authentication has succeeded, and when they are not the same, it may be determined that the authentication has failed. Then, the CPU 41 of the authentication server 40 transmits the authentication result to the communication terminal 30.

  An example of a sequence of main processes performed by the authentication system of this embodiment will be described with reference to the sequence diagram of FIG. The processing contents of steps S200 to S214 shown in FIG. 9 are the same as the processing contents of steps S100 to S114 shown in FIG.

  First, when receiving the device ID and the encrypted data from the second communication device 20, the CPU 31 of the communication terminal 30 transmits the device ID and the encrypted data of the second communication device 20 to the authentication server 40 (step S216). On the other hand, when the CPU 41 of the authentication server 40 receives the device ID and encrypted data of the second communication device 20 from the communication terminal 30, the CPU 41 accesses the key data in the HDD 44 and transmits the second communication device transmitted from the communication terminal 30. Key data (authentication data) corresponding to the device ID 20 is extracted (acquired) (step S218).

  Next, when acquiring the key data (authentication data), the CPU 41 of the authentication server 40 encrypts the pre-encrypted data using the key data. Here, this encrypted data is referred to as generated data. The CPU 41 performs authentication by determining whether or not the encrypted data and the generated data of the second communication device 20 are the same (step S220), and the encrypted data and the generated data of the second communication device 20 are If they are the same, it is determined that the authentication has succeeded, and if they are not the same, it is determined that the authentication has failed. Then, the CPU 41 of the authentication server 40 transmits the authentication result to the communication terminal 30 (step S222).

  If the authentication result is successful, the CPU 31 of the communication terminal 30 permits the use of the plain text data acquired from the first communication device 10 (step S224). For example, the CPU 31 of the communication terminal 30 may store the plain text data in an area in the RAM 33 that can be accessed by application software that uses the plain text data. Thereafter, this application software can use plain text data.

  As described above, according to the authentication system, authentication method, and program of this embodiment, a service that uses plaintext data that is wirelessly communicated can be appropriately provided, as in the first embodiment.

  Hereinafter, modified examples of the above-described embodiments will be described.

(Modification 1)
In each embodiment mentioned above, although the case where one 1st communication apparatus 10 was provided in the space S was demonstrated as an example, it is not restricted to this case. For example, a plurality of first communication devices 10 may be provided in the space S. In this case, the first acquisition unit 51 acquires plaintext data from the detected first communication device 10 every time it detects the first communication device 10 capable of wireless communication among the plurality of first communication devices 10. Good. Further, the permission unit 55 may permit the use of the plain text data acquired within a predetermined period when the authentication is successful. Here, the predetermined period may be a period after the authentication, a period before the authentication, or a period including before and after the authentication.

  The function of the 1st acquisition means 51 in this modification is implement | achieved as follows, for example. The CPU 31 of the communication terminal 30 transmits the device ID and plaintext transmitted from each first communication device 10 each time the communication terminal 30 exists in each communicable area of the plurality of first communication devices 10 in the space S. By receiving the data, each first communication device 10 is detected, and the device ID and plaintext data of each first communication device 10 are acquired. Further, the CPU 31 may store the received device ID and plaintext data of the first communication device 10 in, for example, the RAM 33 according to the detection order of the first communication device 10.

  The function of the permission means 55 in this modification is implement | achieved as follows, for example. When the authentication is successful, the CPU 31 of the communication terminal 30 refers to, for example, the RAM 33 and corresponds to the device ID acquired within a predetermined period among the device IDs of the plurality of first communication devices 10 stored in the RAM 33. Allow use of plain text data.

  Here, an example of plaintext data permitted to be used will be described with reference to FIG. FIG. 10 is a diagram illustrating an example of the relationship between the detection order of the first communication device and the second communication device and a predetermined period. As illustrated in FIG. 10, for example, the RAM 33 stores the device ID of the first communication device 10 and the device ID of the second communication device 20 in the order of detection of each communication device. Here, it is assumed that authentication is performed when the device ID of the second communication device 20 (“20-001” in the example in the figure) is detected. In this case, if the predetermined period is the post-authentication period T1, the CPU 31 may permit the use of the plaintext data of the first communication device 10 that is detected seventh to eleventh in FIG. Further, when the predetermined period is the period T2 before authentication, the CPU 31 may permit the use of the plaintext data of the first communication device 10 detected first to fifth in FIG. Further, when the predetermined period is a period T3 including before and after the authentication, the CPU 31 may permit the use of the plaintext data of the first communication device 10 detected in the fourth to ninth positions in FIG. Thereby, when the authentication is successful once, it becomes possible to use all the plaintext data acquired within a predetermined period (period T1, T2 or T3).

  According to the authentication system, authentication method, and program of this modification, the number of times authentication processing is executed is reduced as compared with the case where authentication relating to the use of plaintext data is performed for every plaintext data acquired within a predetermined period. be able to. Therefore, a plurality of plaintext data can be used more quickly.

(Modification 2)
FIG. 11 shows a functional block diagram of Modification 2 of the authentication system, authentication method, and program of each of the above embodiments. As shown in FIG. 11, this functional block diagram is different from that shown in FIGS. 6 and 11 in that a transmission means 56 is added.

  In the present modification, the second communication device 20 is configured to generate encrypted data based on the original data when receiving the original data that is plaintext data that is the source of the encrypted data. More specifically, when receiving the original data, the second communication device 20 generates encrypted data by encrypting the original data using an encryption key.

  In the present modification, the transmission unit 56 has a function of transmitting original data to the second communication device 20. The function of the transmission means 56 is implement | achieved as follows, for example. The CPU 31 of the communication terminal 30 transmits the device ID of the first communication device 10 to the authentication server 40 when receiving the device ID and plain text data of the first communication device 10 based on the function of the first acquisition means 51, for example.

  On the other hand, when receiving the device ID of the first communication device 10, the CPU 41 of the authentication server 40 accesses the group data in the HDD 44, and receives the received device ID (for example, “10-001”) of the first communication device 10. The device ID (for example, “20-001”) of the second communication device 20 associated with the same space ID (for example, “S-01”) is extracted. In addition, the CPU 41 of the authentication server 40 accesses the key data in the HDD 44 and acquires key data corresponding to the extracted device ID of the second communication device 20. Then, the CPU 41 generates authentication data by encrypting the original data (pre-encryption data) using the acquired key data. Next, the CPU 41 transmits the device ID, original data, and authentication data of the second communication device 20 to the communication terminal 30. The CPU 41 may change the content of the original data based on, for example, a predetermined mathematical algorithm or a predetermined rule every time a predetermined time (for example, 1 hour) elapses.

  When the CPU 31 of the communication terminal 30 receives the device ID, original data, and authentication data of the second communication device 20, the CPU 31 transmits the original data to the second communication device 20 via the communication interface unit 38. In this way, the function of the transmission means 56 is realized.

  Further, when receiving the original data, the second communication device 20 generates encrypted data using the original data and the encryption key, and wirelessly transmits the encrypted data.

  An example of a sequence of main processes performed by the authentication system of this modification will be described with reference to the sequence diagram of FIG. The processing contents of steps S300 to S308 shown in FIG. 12 are the same as the processing contents of steps S100 to S108 shown in FIG.

  When the CPU 41 of the authentication server 40 extracts the device ID of the second communication device 20 in the process of step S308, the CPU 41 accesses the key data in the HDD 44 and obtains the key data corresponding to the extracted device ID of the second communication device 20. get. And CPU41 produces | generates the data for authentication by encrypting original data (data before encryption) using the acquired key data (step S310). Next, the CPU 41 transmits the device ID, original data, and authentication data of the second communication device 20 to the communication terminal 30 (step S312).

  When receiving the device ID, original data, and authentication data of the second communication device 20, the CPU 31 of the communication terminal 30 transmits the original data to the second communication device 20 via the communication interface unit 38 (step S314). On the other hand, when receiving the original data, the second communication device 20 generates encrypted data using the original data and the encryption key (step S316), and wirelessly transmits the encrypted data (step S318).

  When acquiring the encrypted data, the CPU 31 of the communication terminal 30 performs authentication using the encrypted data and the authentication data (step S320). If the authentication is successful, the plaintext data acquired from the first communication device 10 is obtained. Use is permitted (step S320).

  According to the authentication system, authentication method, and program of this modification, the second communication device 20 can encrypt the original data. For example, the encrypted data can be changed by changing the original data at predetermined timings. The contents of can be changed. For this reason, for example, the security of authentication can be improved as compared with the case where authentication is performed using certain encrypted data.

(Modification 3)
In each of the above-described embodiments, the case where one second communication device 20 is provided in the space S has been described as an example. However, the present invention is not limited to this case. For example, a plurality of second communication devices 10 may be provided in the space S. In this case, the second acquisition unit 52 acquires encrypted data from the detected second communication device 10 every time it detects the second communication device 20 capable of wireless communication among the plurality of second communication devices 20. Also good. Further, the authentication unit 54 may perform authentication for each of the plurality of second communication devices 20 when acquiring the encrypted data and the authentication data corresponding to each of the plurality of second communication devices 20. Further, the permission unit 55 may permit the use of plaintext data when the result of the authentication satisfies a predetermined condition. Here, the predetermined condition may be, for example, that all the authentication results of the plurality of second communication devices are successful, or the second that has been successfully authenticated among the plurality of second communication devices. The ratio or the number of communication devices may be a predetermined threshold value or more (for example, 50% or more or 10 or more).

  The function of the 2nd acquisition means 52 in this modification is implement | achieved as follows, for example. The CPU 31 of the communication terminal 30 transmits the device ID and the encryption transmitted from each second communication device 20 every time the communication terminal 30 exists in each communicable area of the plurality of second communication devices 20 in the space S. By receiving the encrypted data, each second communication device 20 is detected, and the device ID and encrypted data of each second communication device 20 are acquired. Further, the CPU 31 may store the received device ID and encrypted data of the second communication device 20 in the RAM 33, for example.

  The function of the authentication means 54 in this modification is implement | achieved as follows, for example. The CPU 31 of the communication terminal 30 uses the encrypted data of the plurality of second communication devices 20 in the space S and the authentication data of each second communication device 20 acquired based on the function of the third acquisition means 53. Thus, authentication is performed for each of the plurality of second communication devices 20. Note that the CPU 31 may perform authentication for every second communication device 20 in the space S, or may perform authentication for each part of the second communication devices 20 in the space S.

  The function of the permission means 55 in this modification is implement | achieved as follows, for example. Here, a case where the predetermined condition is that all the authentication results of the plurality of second communication devices are successful will be described as an example. The CPU 31 of the communication terminal 30 permits the use of plain text data acquired from the first communication device 10 when all the authentication results of the plurality of second communication devices are successful.

  According to the authentication system, authentication method, and program of this modification, in order for plaintext data to be used, the authentication result for each of the plurality of second communication devices 20 needs to satisfy a predetermined condition. Thereby, the security with respect to use of plaintext data can be improved more.

  The program of the present invention may be stored in a computer-readable storage medium. The storage medium storing this program may be the ROM 32 or the nonvolatile memory 34 of the communication terminal 30 shown in FIG. 2, or the ROM 42 or the HDD 44 of the authentication server 40 shown in FIG. . Further, it may be a CD-ROM that can be read by being inserted into a program reading device such as a CD-ROM drive. Further, the storage medium may be a magnetic tape, a cassette tape, a flexible disk, an MO / MD / DVD, or a semiconductor memory.

  The embodiment described above is described for facilitating understanding of the present invention, and is not described for limiting the present invention. Therefore, each element disclosed in the above embodiment is intended to include all design changes and equivalents belonging to the technical scope of the present invention.

  For example, in each of the embodiments described above, the case where the encrypted data is acquired from the second communication device 20 after the plain text data is acquired from the first communication device 10 has been described as an example. After obtaining the data, the plain text data may be obtained from the first communication device 10. Even in this case, in order to use the plaintext data, it is necessary to succeed in the authentication using the encrypted data and the authentication data. Further, in order to perform the authentication, the plaintext data and the encrypted data are required. In addition, since it is necessary to acquire authentication data, it is possible to appropriately provide a service using the plaintext data wirelessly communicated.

  In the first embodiment described above, each function of the first acquisition unit 51, the second acquisition unit 52, the third acquisition unit 53, the authentication unit 54, and the permission unit 54 is realized by the communication terminal 30. It is not limited to the configuration. For example, it is good also as a structure which implement | achieves at least one part means by the authentication server 40 like 2nd Embodiment.

  The authentication system, the authentication method, and the program of the present invention as described above can appropriately provide a service using plaintext data communicated wirelessly, and the industrial applicability is extremely large.

DESCRIPTION OF SYMBOLS 10 ... 1st communication apparatus 20 ... 2nd communication apparatus 30 ... Communication terminal 40 ... Authentication server 51 ... 1st acquisition means 52 ... 2nd acquisition means 53 ... 3rd acquisition means 54 ... Authentication means 55 ... Authorization means 56 ... Transmission means S ... space

Claims (6)

First acquisition means for acquiring the plaintext data via wireless communication with a first communication device that wirelessly transmits the plaintext data within a predetermined space;
Second acquisition means for acquiring the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data in the predetermined space;
Third acquisition means for acquiring authentication data corresponding to the second communication device when the encrypted data is acquired;
Authentication means for performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired;
Permission means for permitting use of the acquired plaintext data when the authentication is successful;
An authentication system comprising: A plurality of the first communication devices exist in the predetermined space,
The first acquisition means acquires the plaintext data from the detected first communication device each time the first communication device capable of wireless communication among the plurality of first communication devices is detected.
The authentication system according to claim 1, wherein when the authentication is successful, the permission unit permits use of the plaintext data acquired within a predetermined period. The second communication device is configured to generate the encrypted data based on the original data when receiving the original data that is plaintext data that is the source of the encrypted data;
The authentication system according to claim 1, further comprising transmission means for transmitting the original data to the second communication device. A plurality of the second communication devices exist in the predetermined space,
The second acquisition means acquires the encrypted data from the detected second communication device each time the second communication device capable of wireless communication among the plurality of second communication devices is detected,
The authentication unit performs the authentication for each of the plurality of second communication devices when acquiring the encrypted data and the authentication data corresponding to each of the plurality of second communication devices,
The authentication system according to any one of claims 1 to 3, wherein the permission unit permits the use of the plaintext data when the result of the authentication satisfies a predetermined condition. Computer
Obtaining the plaintext data via wireless communication with a first communication device that wirelessly transmits plaintext data within a predetermined space;
Obtaining the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data in the predetermined space;
Obtaining authentication data corresponding to the second communication device when the encrypted data is obtained;
Performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired;
Permitting use of the acquired plaintext data if the authentication is successful;
An authentication method that executes each of the steps. On the computer,
A function of acquiring the plaintext data through wireless communication with a first communication device that wirelessly transmits the plaintext data within a predetermined space;
A function of acquiring the encrypted data via wireless communication with a second communication device that wirelessly transmits the encrypted data in the predetermined space;
A function of acquiring authentication data corresponding to the second communication device when the encrypted data is acquired;
A function of performing authentication using the encrypted data and the authentication data when the encrypted data and the authentication data are acquired, and use of the acquired plaintext data when the authentication is successful. Allowed functions,
A program to realize

Images