JP2023079648A - Authentication system of network using blockchain and authentication method using the same - Google Patents

Abstract

To provide an authentication system which secures validity of authentication and access right of a user in accessing an endpoint on the Internet in various services or application systems on a network, and implements mutual authentication for ensuring authenticity of the endpoint.SOLUTION: An authentication system is configured to: implement authentication of a user in accessing an endpoint on the Internet in various services or application systems on a network through fingerprint authentication using an IC card with fingerprint authentication, and sets a blockchain network for managing and storing, as transactions, most recent access histories of the user as background authentication processing; implement an authentication agent at an entrance of the endpoint; and collate the most recent access histories recorded on the IC card with fingerprint authentication and the blockchain on the authentication agent, to control accesses to the services or the application systems.SELECTED DRAWING: Figure 5

Description

The present invention relates to a network authentication system using blockchain and an authentication method using the same.

With the use of cloud services and the expansion of telecommuting, there is no longer a safe place in the corporate IT environment as devices move back and forth between the environmental boundaries inside and outside the corporate firewall.

In fact, it was announced in August 2020 that 900 companies around the world (38 companies in Japan) had their passwords leaked during teleworking listed as crime sites. Information Security Agency) According to "Information Security 10 Major Threats 2021", information leakage due to internal fraud is ranked high as a threat to companies in addition to external cyber attacks.

Therefore, in response to the trend of "compulsory security measures for business partners" that has already started in Europe and the United States, review of internal systems corresponding to "supply chain management" and "general data protection regulations" is limited to large companies. This has become an urgent issue for small and medium-sized enterprises, and strict authentication is required when accessing business systems.

On the other hand, when accessing a company's business site in telework, or a network endpoint (a general term for various Internet access destinations) such as a site for electronic trading via a network, it is a fake site prepared by criminals. Countermeasures are also required for the threat of phishing scams.

In other words, there is a demand for new mutual authentication cybersecurity that also considers the validity authentication of network endpoints.

As shown in FIG. 2, in the conventional authentication process, the user accesses the in-house system 200 via an application S400 for remote access S401, receives an authentication request S402 from the in-house system 200,・Password" is entered in S403 and logged in in S404, and after searching the ID management database 410 of the internal system, the entered ID and password are collated in S407. can start work S409.

JP 2020-190868 JP 2019-8753

Currently, most of the personal authentication means of security solutions prepared for accessing internal business systems or conducting electronic transactions via networks rely on IDs and passwords (Patent Document 1, 2).

However, with the recent increase in computer speed, IDs and passwords are required to be infinitely complex, and the effectiveness of IDs and passwords as security measures is questionable.

Moreover, ID/password authentication is constantly conscious of the threat of "hacking" and "spoofing", such as the hassle of remembering IDs and passwords, the introduction of human error due to forgetting them, and the eavesdropping and misappropriation of IDs and passwords by third parties. must be said to be in a state of bankruptcy.

On the other hand, conventional IC cards, which are used as identification cards, financial cards, and transportation cards, are offline terminals and have high confidentiality and confidentiality for internal data. Although it is a robust information terminal, the IC card with fingerprint authentication, which is adjusted so that it functions as an IC card only by matching with the registered fingerprint information of the owner in the card, is subject to "skimming" and " There is no need to worry about "spoofing", and it is a powerful means for security safety measures.

However, even when accessing network endpoints using the above-mentioned IC card with fingerprint authentication, as long as the same ID and password are required repeatedly, complete security measures are taken against threats such as eavesdropping. not become

Moreover, since the legitimacy and authenticity of network endpoints are completely untouched, it is impossible to prevent crimes such as "phishing scams" in which IDs and passwords are stolen by being redirected to fake endpoints.

Therefore, the present invention has been made in view of the above problems, and does not require the input of an ID or password when accessing a network endpoint, and assures the access destination of the legitimacy of personal authentication. It aims to provide complete cybersecurity measures that enable mutual authentication to ensure the authenticity of the endpoints.

The present invention uses fingerprint authentication using an IC card with fingerprint authentication (Secure Finger ID card) (SFID) to authenticate users when accessing Internet endpoints such as various services and business systems on networks. At the same time, as a background authentication process, a blockchain network that manages and stores the most recent access history of the user as a transaction (Tx) is installed, and an authentication agent (Authentication Provider Interface) is installed at the entrance of the endpoint. ) (API) and controls access to business systems by checking the latest access history recorded in SFID and blockchain on the API,
Record a common key used for encryption/decryption to enable secure data transmission/reception between the SFID and the API in the memory inside the SFID and in the personal information database connected to the API. , when distributing a transaction (Tx) in which the user's access history is written from the API to multiple nodes of multiple blockchain networks, authentication of the transaction (Tx) source and transmission of data on the transmission path The private key of the public key encryption method necessary for verifying that there was no tampering is recorded in the internal memory of the SFID, and the paired public key is recorded in the personal information database connected to the authentication agent, An authentication system that registers new users, issues an SFID, and verifies mutual authentication between the SFID and the API between the legitimacy of the user's access rights and the authenticity of the endpoint, and an authentication method using this is proposed.

In the present invention, the SFID plays a role of authenticating the user's access right to the business system instead of the ID and password. It is issued to the person with information that is not known even to the person, such as a unique encryption key that is tied to the person, recorded and stored in advance, and then instructed on the operation method necessary for accurate fingerprint registration on the SFID card. Perform fingerprint registration while receiving face-to-face or remote.

After the issuance of an SFID card with unregistered fingerprints, the event that the fingerprint registration of the person in question has been completed is recorded as the "user registration date" in the record of the user in the "personal information database" installed in the internal system. At the same time, the record data (equivalent to one transaction) that is the starting point of the blockchain is generated as the first "access history", and after that, the "access history" recorded in the blockchain and the "authentication history" recorded in the SFID are generated. By matching information. The user's access to the business system will be verified.

That is, in the present invention, an SFID card is assigned to verify the identity of a legitimate user, and the user's access history to network endpoints is recorded and managed as a "transaction (Tx)" block. An API that mediates cooperation between the chain network, the IC card SFID, and the blockchain network is deployed at the endpoint, and the access history information to the endpoint by the user is encrypted, decrypted, collected, distributed, and verified by the API. to authenticate and control access from networks such as remote work of users.

Furthermore, in the present invention, the latest access history information is updated each time the user accesses and is authenticated, is hidden in the SFID and the blockchain network, is collected and distributed by request from the API, and is verified. It will be a new infrastructure for cyber security that realizes mutual authentication of users and endpoints.

In the present invention, an authentication infrastructure (Finger Identity as a Service authentication infrastructure) (hereinafter referred to as FIDaaS authentication infrastructure) using the user's own fingerprint authentication and the access history to the endpoint is formed by SFID, API and blockchain technology. It becomes possible to mutually authenticate the legitimacy of the user and the authenticity of the network access site.

In addition, according to the present invention, since the above authentication is performed without the need to enter a password when accessing a network endpoint, it is troublesome for the user to memorize the ID and password, and human error due to forgetting them can be avoided. Furthermore, it is possible to prevent "hacking" and "spoofing" by eavesdropping, etc., and to protect against information leaks due to internal fraud as well as cyber attacks from the outside.

In the present invention, among a plurality of business systems, a particularly important business system, for example, only a core system that would have a serious impact on the business in the event of a cyber attack, is separated from the other business systems and an independent endpoint is created. It is also possible to provide an API to perform authentication.

In addition, according to the present invention, a plurality of related business systems are grouped in order to improve work efficiency, and an authentication agent is provided for the end point of this group as a single portal, and the plurality of business systems in the group can be grouped. It is also possible to implement a service form called single sign-on, in which collective authentication is performed only once.

According to the present invention, the legitimacy of the user and the authenticity of the endpoint can be mutually authenticated, and a strict authentication infrastructure in cyberspace can be realized.

In addition, according to the present invention, transactions on the blockchain protected by authentication of user authenticity and strict access history management satisfy the functional requirements as a fully signed time stamp. Therefore, it becomes possible to provide customization with high added value, such as adding and storing document information such as a contract related to the transaction to the data record of the transaction. For example, if the business application that connects to and controls this FIDaaS authentication platform is a material management system in the company system, by recording the evidence of the contract related to the order in the transaction, falsification or deletion of the order form data safe storage without worrying about

Furthermore, in the present invention, the authenticity of the user is authenticated by the SFID, and the access history written in the SFID is not rewritable and is compared with the contents described in the blockchain transaction that does not cause loss. The authenticity of the business system site is authenticated, the authenticity of the user and the authenticity of the business system site can be mutually authenticated, and strict authentication is possible.

Diagram schematically explaining the configuration of the FIDaaS authentication infrastructure according to this invention FIG. 4 is a diagram for explaining the sequence of a conventional authentication process according to the present invention; Diagram for explaining the authentication process sequence in the FIDaaS authentication infrastructure according to this invention A diagram explaining a mutual authentication method between an SFID card and an API according to SCP01 according to the present invention A diagram schematically explaining the mechanism of the FIDaaS authentication infrastructure according to this invention and the correlation of each data A diagram showing the data structure of the blockchain of the FIDaaS authentication infrastructure according to this invention

In the following, we will use SFID fingerprint authentication to perform personal authentication of users when accessing Internet endpoints such as various web services and business system sites on the network according to the present invention. Business system by deploying a blockchain network that manages and stores history as transactions, implements an authentication agent (API) in front of the endpoint, and compares the most recent access history recorded in SFID and blockchain. A preferred embodiment for implementing cyber-physical security to check access rights to is described.

FIG. 1 schematically shows one configuration example of the FIDaaS authentication infrastructure.

As shown in Figure 1, identity authentication of users when accessing Internet endpoints such as business systems is performed by fingerprint authentication using an IC card with fingerprint authentication (SFID), and at the same time, authentication is performed in the background. As a process, a blockchain network that manages and stores the most recent access history of the user as a transaction is installed, an authentication agent (API) is implemented at the entrance of the endpoint, and a personal information database is installed in the authentication agent (API). In an authentication system characterized by controlling access to a business system by connecting, checking and verifying the latest access history recorded in SFID and blockchain respectively on API, SFID has API Record the first half of the blockchain transaction hash ID and access history, including the common key, the private key of the public key encryption method used in the blockchain network, and the most recent access history of the user, and the individual The information database records the common key, the public key for decrypting the private key, and the last half of the transaction hash ID. (See Figure 5)

Regarding the above authentication system, a user 100 (e.g., some selected employees or employees of business partners) who holds SFID 110 as an identification card (e.g., employee ID card) uses a business system (e.g., , the manufacturing system 204) in the in-house system 200 will be used as an example to describe an embodiment of the FIDaaS authentication infrastructure along the diagram.

The authentication procedure in the FIDaaS authentication platform, which adopts a method different from the conventional authentication process, is performed remotely with the API 220, which is the authentication agent software provided for security against external access, with the manufacturing system 204 in Fig. 1 as the endpoint. FIG. 3 shows the authentication process with the SFID 110 possessed by the user 100 who intends to execute a task.

In the authentication process, in step 1, by fingerprint authentication of the IC card with fingerprint authentication in which the access history expressed by the hash value to the business system is written, communication with the outside of the card is permitted to access the authentication agent, In step 2, the authentication agent obtains a common key from the personal information database, mutually authenticates the authenticity of the IC card with fingerprint authentication and the authentication agent based on this common key, generates a temporary session key, and communicates. ensure security on
In step 3, the private key and access history recorded in the IC card with fingerprint authentication are encrypted with the session key and sent to the authentication agent, and the data is delivered by the method of restoring on the authentication agent side,
In step 4, the authentication agent combines the first half (1/2) of the access history hash value received from the IC card with fingerprint authentication and the second half (2/2) of the access history hash value obtained from the personal information database. Using the hash, obtain the transaction record from the blockchain, confirm that the hash value of the access history recorded in this record matches the hash value of the access history in step 3,
In step 5, the transaction is distributed to the blockchain as a new access history that the authentication agent has recognized the validity of the user's access right, and a new transaction hash value is used after consensus is formed with other nodes. Get the access history hash value.
In step 6, the new access history including the first half of the newly acquired transaction hash value is sent to SFID for authentication at the next access, and within SFID, after updating the access history, the API is notified of the completion of storage. Then, after the API confirms it and updates the remaining half of the transaction hash value of the most recent access history in the record of the personal information database, the user is permitted to work remotely, and the following , each step is described in detail.

step one
The user 100 in FIG. 3 activates S150 application software for performing remote work on the manufacturing system 204, and uses the fingerprint sensor mounted on the SFID 110 described in "STEP 1" S10 to By performing authentication, communication with the outside of the card and transmission and reception of data stored inside the SFID 110 are made possible. (included in the personal information 112) to access the API.

step 2
"STEP 2" S11 in FIG. 3 shows mutual authenticity authentication between the SFID 110 and the API 220, and subsequent processing for ensuring security in mutual data communication.

In the SFID 110, together with the personal information of the user 100, a "common key K ₀ (113 recorded in the memory 111 in the SFID 110 in FIG. 5)" is recorded in advance and issued. The SFID 110 and the API 220 that reads the common key K ₀ 265 from the personal information database 260 verify the authenticity of each other based on this common key, are generated each time communication is performed, and are disposable only once. Security in communication is ensured by using the "session key K _S ".

Description of SCP As a mutual authentication method based on a common key, there is an authentication scheme based on SCP (Secure Channel Protocol) 01 specified by "globalplatform.org", a global standardization organization for IC card security management systems. However, the case of using this scheme will be described below as an example.

An example of this authentication method is shown in FIG. SFID 110 and API 220 each have a common key K ₀ S501, and when starting authentication, each generate 16B (byte) random numbers Rapi and Rsfid, for example, encrypt them with the common key K ₀ , and send them to the other party. S502. Both of them divide the received random numbers into 4B units, rearrange them according to the arrangement rule of S503, and calculate the ciphertext CRM for the test. S504 encrypts this CRM with the common key _K0 to obtain a session key _KS . The random numbers Rapi and Rsfid are encrypted using this _KS as an encryption key, the ciphertexts Capi and Csfid are calculated, transmitted to each other, and decrypted to return to the original random numbers. is verified, the SFID 110 and API 220 can safely transmit and receive data using this session key K _S .

step 3
"STEP 3" S12 in FIG. 3 means the access history recorded in the memory ₁₁₁ in the SFID in _{FIG .} Using the key K _S , each communication data is encrypted (represented by X. See 10 in FIG. 5), transmitted to the API 220, and restored on the API side to securely transmit and receive data. Equations (1) and (2) below show an example of the processing of TS _i .
(Example) SFID: X _i = E (TS _i , K _S ) (1)
API: TS _i = E ^-1 (X _i , K _S ) (2)
Here, the subscript “i” means the most recent “i-th” access to the API 220 of the manufacturing system 204 of the user 100 .

In the above formulas (1) and (2), E and the inverse function of E, "plaintext = E ^-1 (ciphertext, encryption key)", are used as symbols to represent the function "ciphertext = E (plaintext, encryption key)". E ⁻¹ was used as a symbol for meaning.

step 4
In "STEP 4" S221 of FIG. 3, transaction hash TxH _i 12 generated by concatenating TxH _i (1/2) 117 received from SFID and TxH _i (2/2) 266 recorded in personal information database 260 is used to obtain the transaction record Tx _i 13 of FIG. H(TS _i ) is taken out and compared with the result of calculating the hash value of the data TS _i received in "STEP 3" S12. That is, if the two match, it is verified that the legitimate owner of the SFID 110 whose identity has been verified by fingerprint authentication is the owner of the access right to the manufacturing system 204 whose authenticity has been authenticated.

Here, the symbol H(X) represents a hash function with data X as an argument, and the value of the calculation result is nothing but a "hash value".

A specific example of "generating TxH _i (1/2) 117 and TxH _i (2/2) 266 recorded in the personal information database 260" is given by the following formulas (3) and (4). , (5) and (6).

TxH _i = TxH _i (1/2) + Tx H _i (2/2) (3)
TxH _i (1/2) = "6b88c87243aa29yfhhtdfh1d4rws2jb1" (4)
TxH _i (2/2) = “2b67gg32hhjrvud3343421987wev4f32” (5)
TxH _i = “6b88c87243aa29yfhhtdfh1d4rws2jb12b67gg32hhjrvud3343421987wev4f32” (6)

For example, it means combining 32B of data in (4) and (5) to make 64B of TxH _i 12 data as in (6).

step 5
In "STEP 5" S222 of Fig. 3, as a result of the verification of "STEP 4" S221 described in [0039] above, it is recognized that the user 100 is a legitimate holder of access rights, and remote work is allowed. Although permitted, this fact must be recorded as an access history required for verification when this user 100 accesses next time. Therefore, the transaction Tx _i+1 (see 15 in FIG. 5) containing the hash value of the access history TS _i+1 corresponding to the current time in the blockchain network 300 shown in FIG. A digital signature obtained by encryption using a secret key K _B according to an encryption method is attached and distributed. Also called “broadcasting” to multiple blockchain nodes (351-353 in Figure 1).

The blockchain node that received the transaction Tx _i+1 15 decrypts the received digital signature with the public key PK _B (employee code 262 of the personal information database 260 in FIG. 5) corresponding to the private key K _B , and converts TxH _i By verifying that the hash value of ₊₁ matches, it is authenticated that the sender of the transaction is a transmission from a person who has a private key that is a public key pair. Verify that the data has not been tampered with.

Description of Blockchain Network As shown in FIG. 1, data in a blockchain network 300 is synchronously recorded in a plurality of nodes 351 to 353 that constitute a distributed network. As shown in FIG. 6, the data structure that makes up the blockchain has the event related to the transmission and reception of data as one unit "transaction Tx13", and the hash value is added as "transaction hash ID, TxH12". , a plurality of transactions Tx13 that occurred in a certain period are collected (in the example of FIG. 6, D1 to ID8 are shown as eight Tx), encrypted according to the blockchain protocol and converted into block units 310 (320, 330 and 340 ), and records are accumulated like a chain while verifying the validity of the block between nodes. In the example of FIG. 6, the reason for the chain structure is that the hash value 311 of the "j+1"th block 310 includes the hash value 312 generated from the "j"th information. This chain structure makes it difficult to falsify or delete transaction data. At the same time, since data is recorded synchronously by a plurality of nodes, it also serves a function of backing up data.

In addition, a value called a nonce is added as a parameter to the calculation of the hash value of each block, and by adjusting this value, a hash value that meets the determined conditions is found. It is assumed that consensus is reached on the validity of the block by repeating the experiment to reproduce the result of the value, and TxH _i+1 is newly determined.

That is, as described above, only when the validity of transaction Tx _i+1 (15 in FIG. 5) is confirmed by another node, it is stored in the blockchain database as one of the eight transactions in block 310 in FIG. TxH _i+1 (see 14 in FIG. 5) can be retrieved again.

In addition, in contrast to the conventional method where block accumulation is permitted (for example, in the case of the blockchain of the virtual currency Bitcoin), in the case of a private blockchain, the hash value limit is relaxed, and the parameters that meet the conditions ( It is also possible to adopt a method that can quickly and easily find the nonce.

step 6
In "STEP 6" S13 of Fig. 3, the access history {TS _i+1 , TxH _i+1 (1/2)} 115 including the first half (1/2) of newly determined TxH _i+ 1 is In SFID, the API is notified of the completion of storage after updating the access history 115, the API confirms it, and the most recent access in the record of the personal information database 260 After updating the remaining half 266 of the historical transaction hash value, remote work is permitted and work on the manufacturing system 204 by the user 100 begins S151.

As described above, what should be particularly noted in the present invention is that in the sequence of authentication processing shown in FIG. Subsequent remote work start S151 permission is issued, and the process until work starts is automatically processed between SFID, API, and the blockchain network in the background that the user does not perceive. It is a point. In other words, not only is the user 100 burdened with the trouble of inputting IDs and passwords, but also the burden of memorizing them, forgetfulness, operational errors, and wiretapping can be eliminated.

In Example 1 described along FIG. 204) separately from other business systems and managed by the authentication infrastructure according to the present invention.

In this case, the SFID (IC card with fingerprint authentication) 110 is issued and distributed only to employees who have been selected to access the specific system.

Unlike the above, in order to improve the work efficiency of internal systems, group multiple related business systems into one group, define one unified access point as a portal for that group, and use one API (authentication agent). Implementations can configure and provide single sign-on (SSO) functionality within a group. For example, the personnel system 201, accounting system 202, and materials system 203 in FIG. That is, the user 100 is permitted to use three different services, which are conventionally managed with separate IDs and passwords, by one-time fingerprint authentication using an SFID card.

In summary, according to the present invention, it is possible to provide an endpoint authentication system in which complete security measures are implemented and strict authentication is performed when accessing a network such as a business system.

100 A user of this FIDaaS authentication infrastructure who is a business application user who remotely accesses a manufacturing system in the company system 110 SFID card (IC card with fingerprint authentication) owned by the user
111 Memory in the SFID card 112 General personal information such as the user's name and contact information recorded in the memory in the SFID 113 Between the SFID card and the API of the business system recorded in the memory in the SFID Common key data 114 for safely communicating data in SFID Private key data necessary for the public key cryptosystem used in the FIDaaS authentication infrastructure of the present invention, recorded in the memory within the SFID. It is paired with the public key used for the employee code.
115 The most recent access history of this SFID holder's access to the business system, recorded in the memory within the SFID 116 The most recent access history of this SFID holder's access to the business system, recorded in the memory of the SFID Access time data 117 Data in the first half of the transaction hash ID of the transaction in which the most recent access history to the business system recorded in the blockchain database is written, recorded in the memory in the SFID 120 Fingerprint verification 200 Overall in-house system including multiple business systems that allow remote access 201 Personnel system that allows remote access in the in-house system 202 Accounting system that allows remote access in the in-house system 203 Material system that allows remote access in the in-house system 204 Manufacturing system allowing remote access among in-house systems 205 R&D system allowing remote access among in-house systems 206 System management work allowing remote access among in-house systems.
210 Authentication agent software (API: Authentication Provider Interface) that treats the personnel system, accounting system, and material system as one joint access point among the internal systems and controls access.
220 Authentication Agent Software (API) that controls access to manufacturing systems among in-house systems. Referenced by way of example 230 in the description of embodiments of the present invention Among in-house systems, an authentication agent software (API) that controls access to the R&D system.
240 Authentication Agent Software (API) that controls access to system administration tasks within in-house systems.
260 A database that records and manages the personal information of all users who access internal systems. 261 General personal data records, such as users' names and contact information, in the "personal information database." 262 "Personal information database." In the record that records the employee code, the public key paired with the secret key hidden in the SFID required for the public key encryption method used in the FIDaaS authentication infrastructure of the present invention is used as the employee code 263, 267 " Spare data record of personal information database 264 In the "personal information database", the data record of the time when the user's fingerprint registration to the SFID card is completed or the time when the user is registered for the access right to the business system. 265 A data record in the "personal information database" that records a common key for securely communicating data between the user's SFID card and the business system's API.
266 In the "personal information database", a data record that records the second half of the transaction hash ID of the transaction that describes the most recent access history to the business system recorded in the blockchain database 300 Blockchain network 310 The “J+1”th block in the blockchain database, which corresponds to one of the nodes. Blocks are accumulated in ascending order from the lowest number.
311 Hash value representing the “J+1”th block in the blockchain database 312 Hash value representing the “J”th block in the blockchain database 313, 314 Hash value representing the “J+1”th block in the blockchain database A hash tree (Merkle tree) consisting of eight pieces of transaction data constituting a block and its root are shown.
320 The “J”th block in the blockchain database.
340 A block that records the access history starting from the “new user registration time” or “fingerprint registration completion time to the SFID card” in the blockchain database.
350 Cloud with blockchain nodes 351, 352, 352
S400-S409 shows each processing step of a flowchart of a conventional authentication process for remote access.
410 Identity management database used for remote access traditional authentication process
S150 As an example of an embodiment of the present invention, application software for remotely accessing an API of a manufacturing system
S151 As an example of an embodiment of the present invention, it means a process of starting and implementing remote work to a manufacturing system after obtaining API authentication.
S10 to S13 As an example of an embodiment of the present invention, each processing step of the process of verifying between SFID and API mutual authentication of user access rights and endpoints required when implementing remote work of a manufacturing system is described below. show.
S221-S222 As an example of an embodiment of the present invention, between an API of data required for mutual authentication of user access rights and endpoints required when implementing remote work of a manufacturing system and a blockchain database Indicates each process of reading and writing of
S500 to S505 Shown are the respective processing steps of the flowchart of the mutual authentication process between the SFID card and the API based on the authentication scheme SCP01 defined by the global standardization organization for IC card security management systems.
10 Based on authentication scheme SCP01, encrypted data sent from SFID to API using session key recalculated for each authentication 11 Based on authentication scheme SCP01, recalculated for each authentication Encrypted data sent from the API to the SFID using a session key12 Transaction hash ID of the transaction containing the most recent access history to the business system recorded in the blockchain database
13 Transaction record in which the latest access history to the business system recorded in the blockchain database is written 122 Employee code indicating the user included in the transaction data in which the latest access history to the business system is written. Public key 123 paired with the private key hidden in the SFID necessary for the public key cryptosystem used in the FIDaaS authentication infrastructure of the present invention Business included in transaction data in which the most recent access history to the business system is written Most recent access time data 124 to the system Spare record 125 included in the transaction data describing the most recent access history to the business system Customization included in the transaction data describing the most recent access history to the business system 14 Transaction hash ID of the transaction record containing the access history data immediately after the access right to the business system has been authenticated
15 A transaction record containing access history data immediately after the access right to the business system has been authenticated

Claims (5)

Personal authentication of users when accessing Internet endpoints such as various services on the network and business systems is performed by fingerprint authentication using an IC card with fingerprint authentication, and at the same time, as authentication processing in the background , Install a blockchain network that manages and stores the most recent access history of the user as a transaction, implement an authentication agent at the entrance of the endpoint, and the most recent history recorded on the IC card with fingerprint authentication and the blockchain In an authentication system characterized in that access to services and business systems is controlled by collating access history on the authentication agent, secure data transfer between the IC card with fingerprint authentication and the authentication agent. A common key used for encryption/decryption to enable transmission and reception is recorded in the memory inside the IC card with fingerprint authentication and in the personal information database connected to the authentication agent, and the access history of the user is recorded. Necessary for verifying that there was no tampering with data on the transmission path of authentication and distribution of transactions when the written transaction is distributed from the authentication agent to a plurality of nodes of a plurality of blockchain networks. The private key of the public key encryption method is recorded in the memory inside the IC card with fingerprint authentication, and the paired public key is recorded in the personal information database connected to the authentication agent, and new user registration and fingerprint authentication are performed. An authentication system characterized by issuing an IC card and verifying mutual authentication between the validity of a user's access right and the authenticity of an endpoint between an IC card with fingerprint authentication and an authentication agent. Fingerprint authentication using an IC card with fingerprint authentication is used to authenticate users when accessing Internet endpoints such as various services and business systems on the network, and at the same time, as authentication processing in the background, Install a blockchain network that manages and stores the user's most recent access history as a transaction, implement an authentication agent at the entrance of the endpoint, and record the most recent access recorded in the IC card with fingerprint authentication and the blockchain, respectively. Safe transmission and reception of data between an IC card with fingerprint authentication and an authentication agent in an authentication system characterized by controlling access to services and business systems by collating history on the authentication agent. A common key used for encryption/decryption is recorded in the memory inside the IC card with fingerprint authentication and in the personal information database connected to the authentication agent, and the user's access history is written. Disclosure necessary to verify that there was no tampering with data on the transmission path of the transaction and authentication of the source of the transaction when the transaction is distributed from the authentication agent to a plurality of nodes of a plurality of blockchain networks. The private key of the key encryption method is recorded in the memory inside the IC card with fingerprint authentication, and the public key to be paired with it is recorded in the personal information database connected to the authentication agent to register a new user and IC with fingerprint authentication. An authentication system method characterized by issuing a card and verifying mutual authentication between the legitimacy of a user's access right and the authenticity of an endpoint between an IC card with fingerprint authentication and an authentication agent,
In step 1, by fingerprint authentication of the IC card with fingerprint authentication, communication with the outside of the card is permitted, authentication agent is accessed,
In step 2, the authentication agent obtains a common key from the personal information database, mutually authenticates the authenticity of the IC card with fingerprint authentication and the authentication agent based on this common key, generates a temporary session key, and communicates. ensure security on
In step 3, the private key and access history recorded in the IC card with fingerprint authentication are encrypted with the session key and sent to the authentication agent, and the data is delivered by the method of restoring on the authentication agent side,
In step 4, one half (1/2) of the access history hash value received from the IC card with fingerprint authentication is combined with the other half (2/2) of the access history hash value obtained from the personal information database in the authentication agent. Using the obtained transaction hash, obtain a transaction record from the blockchain, confirm that the hash value of the access history recorded in this record matches the hash value of the access history in step 3 above,
In step 5, the transaction is distributed to the blockchain as a new access history that the authentication agent has recognized the validity of the user's access right, and a new transaction hash value is used after consensus is formed with other nodes. Get the access history hash value,
In step 6, a new access history including half of the newly obtained transaction hash value is sent to the fingerprint authentication IC card for authentication at the next access, and the access history is updated in the fingerprint authentication IC card. to the User after notifying the Authentication Agent of the completion of the storage later, confirming it, and updating the other half of the transaction hash value of the most recent access history in the personal information database record An authentication method that permits remote work and allows users to start working on services and business systems. In addition to the user's personal information such as name or employee code in the internal memory, the unique common key, secret key, etc. encryption key assigned to the individual user is recorded and stored in advance. According to claim 1 or claim 2, fingerprints are registered while receiving instructions face-to-face or remotely about the operation method necessary for accurate fingerprint registration to the IC card with fingerprint authentication, and the registered fingerprint data is also written. IC card with fingerprint authentication. Among multiple business systems, only a particularly important business system is isolated from other business systems and used as an endpoint, and an authentication agent is provided at the entrance of that business system to control authentication, or to improve work efficiency Claim 1 is characterized in that it is also possible to implement a system in which a plurality of related business systems are grouped together, an authentication agent is provided with this group as one endpoint, and the business systems in the group are collectively authenticated. 3. The authentication system or authentication method according to claim 2. High security by adding and storing document information such as contracts related to business to blockchain transactions protected by user authenticity authentication and strict access history management. 3. The authentication system or method according to claim 1, wherein a signed timestamp function can be realized.

Images