JP3950025B2 - Mobile device - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a mobile terminal, a coupon processing device, and a coupon management server used when realizing an electronic coupon service.
[0002]
[Prior art]
Coupon services are widely used in stores to acquire new customers, and have become established as service forms such as discounts for customers. In these coupon services, a store prints a coupon on a newspaper advertisement or the like, and the customer can receive the service printed on the coupon by bringing the coupon to the store. In addition, recently, the advertisement of the store was put on the Internet, a coupon was displayed, and when the person who referred to the site printed the coupon and brought it to the store, the service described in the coupon was implemented. There are also stores that offer coupon services.
[0003]
Conventional coupon service is distributed to unspecified number of coupons when distributing coupons, so it is the same for customers who receive services from other companies or customers who receive their services Only the same service can be provided with the coupon. It is also easy to forge coupons.
[0004]
Furthermore, coupon services based on newspaper advertisements cost advertising and have few opportunities to be implemented in small stores. In addition, the coupon distribution over the Internet does not cost much advertising, but there is also a problem that the coupon cannot be distributed unless the advertisement site is accessed.
[0005]
On the other hand, mobile terminals such as mobile phones and electronic notebooks are becoming popular. These portable terminals have both a communication function and a calculation function. In terms of the communication function, not only can a telephone be used, but also an Internet connection service using a telephone line is becoming widespread. In recent years, portable terminals having a short-range wireless function represented by Bluetooth (trademark) and IrDA have also become widespread. When these wireless functions are used, communication with no charge burden can be realized, although it is limited to short-range communication. Since these portable terminals are provided with a calculation function, it is possible to generate and verify a digital signature during communication.
[0006]
In addition to conventional terrestrial broadcasting and satellite broadcasting, satellite broadcasting (mobile broadcasting) is planned that can be viewed in moving objects such as automobiles or on devices that are used while moving like mobile terminals. ing.
[0007]
[Problems to be solved by the invention]
Focusing on the widespread use of mobile terminals as described above and communication means that can be used by the public, such as satellite broadcasting, realizes an electronic coupon that has never existed before and is flexible according to its characteristics It is desired to realize a coupon service. In this case, it is necessary to avoid the illegal use of the coupon service due to the forgery of the coupon or the like as in the past.
[0008]
The present invention has been made in view of such circumstances, and an object thereof is to provide a portable terminal, a coupon processing device, and a coupon management server for realizing a coupon service having both flexibility and safety. .
[0009]
[Means for Solving the Problems]
A portable terminal according to the present invention is a portable terminal that can be connected to a coupon processing apparatus and enjoy a coupon service, and is specific to a means for obtaining coupon data from a supplier of the coupon service and a user of the portable terminal Information that can be used to enjoy the coupon service of the mobile terminal is obtained from the internal profile of the portable terminal according to a predetermined processing procedure, and the coupon data is changed based on the information, and the change is added Means for transmitting the coupon data to the coupon processing device.
[0010]
A coupon processing apparatus according to the present invention includes a means for receiving coupon data issued from a coupon service supplier and transmitted from a user of the coupon service through a mobile terminal, and a coupon service specific to the user of the mobile terminal And means for extracting the additional coupon data added in the portable terminal from the received coupon data and determining the offer content of the coupon service according to the additional coupon data. This is a featured coupon processing apparatus.
[0011]
The coupon management server according to the present invention receives coupon data issued from a coupon service supplier and transmitted from a user of the coupon service through a mobile terminal, and processes the coupon data to provide the coupon service. A coupon management server for managing a coupon processing device, the history data about the coupon data from the portable terminal processed by the coupon processing device in use of the coupon service, and means for recording the profile information of the user A coupon management server comprising: a recording unit; and a unit for checking validity of the coupon data based on the profile information and the history data.
[0012]
The coupon processing method which concerns on this invention is a coupon processing method in the portable terminal which can connect with a coupon processing apparatus and can receive a coupon service, Comprising: The step which acquires coupon data from the supply source of the said coupon service, The said portable terminal Acquiring information that can be used to enjoy a coupon service unique to the user of the user according to a predetermined processing procedure from the internal profile of the mobile terminal, and changing the coupon data based on the information; Transmitting the changed coupon data to the coupon processing device. A coupon processing method comprising:
[0013]
A program according to the present invention is a coupon processing program for connecting a computer to a coupon processing device and enjoying a coupon service, a function of acquiring coupon data from a supplier of the coupon service, and a user of the computer Information that can be used to enjoy a coupon service unique to the computer is obtained from the internal profile of the computer according to a predetermined processing procedure, and the coupon data is changed based on the information, and the change is added And a function of transmitting the coupon data to the coupon processing device.
[0014]
The data structure according to the present invention is applied to a coupon service system in which a mobile terminal modifies coupon data issued from a coupon service supplier and transmits the coupon data to a coupon processing device when using the coupon service. It is a data structure of coupon data, and the coupon data includes additional coupon data, and the additional coupon data includes a change content when the portable terminal enjoys the coupon service, a digital signature of the portable terminal, A coupon data structure, comprising: a public key certificate by a predetermined certificate authority for a public key used for verification of the digital signature.
[0015]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, terms and meanings in the description of the embodiments will be described.
[0016]
The “portable terminal” in the embodiment means a device that has a calculation function and a communication function, such as a mobile phone and an electronic notebook, and is assumed to be used while moving. The “coupon processing device” means a device provided in a store or the like and having a calculation function and a communication function. For example, a POS (point-of-sale) terminal having a coupon processing function is used. It hits.
[0017]
In the embodiment, “user” and “store employee” are assumed to be persons who may cause fraud, while “coupon management server” is trusted in the sense that it does not cause fraud. It is assumed that it is possible. Moreover, the portable terminal and the coupon processing apparatus are positioned between these reliable sites and unreliable sites. For example, even if the portable terminal and the coupon processing apparatus are normal at the shipping stage, the internal structure becomes clear by analysis by a hacker and the like, and the possibility of unauthorized use with weak points of the internal structure cannot be denied. The possibility of such unauthorized use is remarkably increased by a portable terminal that can be used by a user at home. For this reason, the portable terminal needs tamper resistance in the sense that data cannot be read, written, or tampered with in relation to access to the data storage unit or data processing unit (described later). Become.
[0018]
In any of the embodiments, there are several types of portable terminals and coupon processing apparatuses, and it is also true that the ease of analysis differs for each model. For this reason, a mechanism for excluding analyzed devices is introduced. This mechanism is called “revocation” and is realized by distributing a black list called “revocation list” to each portable terminal and coupon processing apparatus.
[0019]
Similarly, if a user or store employee causes fraud, the possibility is unknown. Therefore, in the present embodiment, information on users, employees, or stores who have been cheating in the past is distributed to each mobile terminal and coupon processing device in the form of a revocation list, and the corresponding user, employee Introduces a mechanism that allows employees or stores to be excluded from the coupon system. The removal of unauthorized persons with reference to a revocation list or the like is called “revocation”.
[0020]
In order to realize revocation, it is important to have a mechanism that can reliably identify fraudsters when fraud occurs. The present invention provides a flexible coupon service and improves convenience, while providing a mechanism that can reliably identify a fraudster when fraud occurs. This eliminates fraudsters from the system and prevents fraud itself.
[0021]
The coupon data referred to in the embodiment is composed of basic coupon data and additional coupon data as shown in FIG. 1, and has an internal configuration as shown in FIGS. 2 and 6, respectively. In the present embodiment, for simplicity of explanation, it is assumed that all data attributes have a fixed length unless otherwise specified. This is for simplifying the data extraction method described later, and it is possible to convert fixed-length data into variable-length data by obvious modifications.
[0022]
The basic coupon data is, for example, data broadcast from a broadcasting station, and is coupon information common to all viewers. As shown in FIG. 2, the basic coupon data is composed of an information identifier, keyword information, a basic coupon data body, a public key certificate of the service provider, and a digital signature of the service provider. The information identifier is information indicating that this data is basic coupon data. The digital signature of the service provider is a digital signature on the basic coupon data by the public key encryption of the service provider as will be described later. Note that the range that is the subject of the digital signature is the information identifier and the basic point data body. The keyword information represents what the basic coupon data is about a coupon in the form of a keyword. As shown in FIG. 4, the keyword information is composed of the number n of keywords followed by n keyword data. For example, in the case of a coupon for a hamburger store, a plurality of keyword data such as “restaurant”, “snack”, “hamburger”, and the like are recorded as language data or codes. These keywords are used to select a coupon to be received when the mobile terminal receives coupon data.
[0023]
The basic coupon data body is configured as shown in FIG. 3, for example, and includes a coupon identifier, a service provider ID, a broadcaster ID, a discount amount, an expiration date, and a coupon policy.
[0024]
The service trader ID is an identifier of a trader that provides the coupon service. The coupon identifier is for identifying the coupon data from other coupon data, and this information can prevent duplicate coupon data from being stored in the mobile terminal (as will be described later). The service trader ID is information for specifying a trader that performs a coupon service. The broadcaster ID is an identifier of the broadcaster who transmits this coupon. The discount amount indicates the amount that can be discounted by using this coupon. For coupons that are actually used, in addition to presenting the discount amount uniformly, the discount rate is set, the discount amount (rate) is different for each product, and it is not a discount service. Services such as presentation are also being implemented. In the present embodiment, for simplicity of explanation, a discount service with a uniform discount amount for all products is used. However, this does not prevent the application of the present invention to various coupon services in the actual service. The expiration date indicates the expiration date of the coupon service.
[0025]
As shown in FIG. 9A, the coupon policy data includes the number l of coupon policies and l coupon policies. Each coupon policy indicates a generation method of how to generate additional coupon data described in detail later. As shown in FIG. 9B, the coupon policy in this embodiment includes type information, a policy identifier, application conditions, a discount addition amount, a validity period, and a validity period extension flag.
[0026]
The type information is information indicating whether the coupon policy is an indispensable condition or a permission condition. The indispensable condition here is an indispensable condition when receiving a coupon service that the coupon service is not performed unless this condition is satisfied. The permission condition is a condition indicating that the described coupon service can be received if the condition is satisfied. The policy identifier is an identifier of the coupon policy. The application condition is a condition for issuing additional coupon data having the following discount addition amount, valid period, and valid period extension flag, and is a condition for the profile (internal data) of the mobile terminal in the present embodiment. For the specific description, an application condition ID determined by the service provider is used. For example, “Accumulated purchase record at Company A is less than 10,000 yen” is 0x0001, “Accumulated purchase record at Company A is 10,000 yen or more” is 0x0002, and “Accumulated purchase record at Company A is 100,000 yen or more” Is defined as 0x0003. As other applicable conditions, “input of personal information (address, name, age)” used in the sixth variation later can be considered. Of course, a combination of these, such as “Purchase record at company A is 10,000 yen or more and input of personal information (address, name, age)” is also useful. In addition to the method of defining the application condition ID for each combination, a method of describing the application condition by writing the application condition ID together can be considered, and the latter is more elegant.
[0027]
Note that the description method of the applicable conditions is determined by each service provider for convenience, and no matter what the method is, if it is implemented consistently on the service provider's coupon service application, this There is no problem in the processing of the embodiment. The discount addition amount indicates how much can be added if the applicable conditions are satisfied for the discount amount indicated by the basic coupon data, and the validity period is how much the additional coupon data from when the additional coupon data was created It is shown whether the period is valid. For example, when the application condition relates to position information, the coupon condition changes if the position changes. In other words, if the discount rate is set high for people who are far from the store and the discount rate is set low for nearby people, it is always low if anyone makes the additional coupon data immediately before accounting. It becomes a discount rate. Therefore, it is necessary to determine the coupon data while being far from the store. However, since it is a problem that the coupon can be used indefinitely, it is information for determining a certain valid period.
[0028]
The validity period extension flag indicates whether the validity period calculated from the validity period exceeds the validity period in the basic coupon data and can be extended and applied. In the case of, it is impossible to extend.
[0029]
In addition, when there are a plurality of coupon policies having the above-mentioned essential conditions, coupons cannot be issued unless applied to any one of them. On the other hand, when there are a plurality of permission conditions, the following processing is performed. For basic coupon data with a discount of 100 yen, there are three policies that determine the coupon discount addition amount for purchase results. If each purchase result is 0, the purchase result is -100 yen (ie no discount) and 10,000 yen. Suppose there is a description of +1000 yen for a purchase record of +100 yen and 100,000 yen. In this case, a customer with a purchase record of 30,000 yen has a purchase record of 10,000 yen but no purchase record of 100,000 yen, so a coupon increase of +100 yen is implemented, and the basic coupon data is substantially 200 yen. Can be used as a discount coupon.
[0030]
The public key certificate of the service provider is obtained by certifying that the public key is indeed the public key of the service provider ID by a certificate authority described later. As shown in FIG. 5, the service provider public key certificate includes a service provider ID, a service provider name, an expiration date, a service provider public key, and a digital signature of a certificate authority.
[0031]
Here, the digital signature will be briefly described. The digital signature referred to in this embodiment is a method using public key cryptography, and a secret key K _s Public key K signed with _p It is realized by verifying with. In public key cryptography, it is extremely difficult to derive a private key from a public key, and it is practically difficult for a third party to create a digital signature unless the private key is leaked even if the public key is disclosed. . Moreover, the public key for verifying the signature may be disclosed literally. Therefore, it is possible to verify the signature even with the customer of the first visit, and it is most suitable for a system for an unspecified number of people like a coupon service. Public key cryptosystems such as RSA cryptosystem and elliptic curve cryptosystem have been proposed and put into practical use.
[0032]
However, convenient public key cryptography is not without problems. Because, in order to realize public key cryptography, a public / private key pair must be generated, but this generation does not take much time, and anyone with software can easily implement it. Because. Therefore, even if the communicating party transmits coupon data with a digital signature and a public key for verification, it is not immediately known whether the public key is the public key of the service provider indicated by the service provider ID. . In other words, someone impersonating the employee generates a public / private key pair, signs the coupon data using the created private key, and sends the public key as if it belongs to the service provider. Then, the coupon processing apparatus which received this can confirm the validity of the digital signature of coupon data with the transmitted public key. Therefore, it is misunderstood that the coupon data is certainly issued by a service provider having the service provider ID as an ID. In order to prevent such fraud, it is necessary to prove that the public key received by a third party is indeed for the service. A public key certificate is used for this proof.
[0033]
The additional coupon data is data created based on viewer-specific information (profile) and has a role of correcting the basic coupon data. This data is a characteristic part in the present embodiment. By appropriately changing the coupon data for each viewer, a more effective service is realized and coupon data is distributed to an unspecified number of viewers. However, the coupon service does not fail, and a mechanism that leads to sales promotion can be provided. Here, the viewer-specific information is internal information of the mobile terminal (information stored in the mobile terminal). For example, the product purchase record of the company issuing the coupon, the information of the company issuing the coupon This may be product purchase results of related companies, broadcast contract information being distributed, or location information of mobile terminals. Additional coupon information, for example, to increase the discount (or discount rate) for customers with a lot of product purchases, or to reduce the discount (or discount rate) for customers who have no product purchases Used.
[0034]
In addition to the above-mentioned internal information of mobile terminals, in addition to the above-mentioned information, there are multiple mobile terminals such as telephone numbers, addresses, personal information such as names and email addresses associated with telephone functions, mobile terminal manufacturers, and model numbers. It includes a wide range of information that can be stored inside the mobile terminal, such as common information. Personal information such as an address is used when a service is provided on condition that personal information is added to a coupon, as will be described later in a variation of this embodiment. Also, information on the manufacturer of the mobile terminal is used when discounting related devices released by the manufacturer.
[0035]
FIG. 6 is a diagram showing the configuration of additional coupon data. The information identifier is an identifier indicating that the information is additional coupon data. Further, the public key certificate of the portable terminal is data that is certified by the certificate authority to be the public key of the portable terminal, like the public key certificate of the service provider. The public key certificate of the portable terminal is configured as shown in FIG. 8, like the public key certificate of the service provider shown in FIG. Since the meaning of each component is the same in principle, it is not repeated, but it should be noted that the service provider is a user or a portable terminal. That is, in the case of a public key certificate for a service provider, the target is a service provider, but in the case of a public key certificate for a mobile terminal, the direct target of authentication is a mobile terminal. Thereby, the place which should be a user ID is made into portable terminal ID. Therefore, in a service that issues a user ID other than the mobile terminal ID, the present embodiment can be applied by replacing the mobile terminal ID with the user ID. The digital signature of the mobile terminal is a digital signature for this data by public key encryption of the mobile terminal. Here, the range to be digitally signed is an information identifier and an additional point data body.
[0036]
The additional coupon data body is configured as shown in FIG. 7, and includes a mobile terminal ID, a discount addition amount, and an expiration date. The mobile terminal ID is an identifier of the mobile terminal that issued the additional coupon data. The discount addition amount indicates how much is added to the discount amount indicated in the basic coupon data. Although the addition is described here, the discount amount can be reduced by making this value a negative value. As a result, the discount can be set to 0 and the coupon can be invalidated. The expiration date indicates the expiration date of the additional coupon data. This expiration date is generated when coupon data is created based on internal information from basic coupon data, so when the coupon information is generated and stored in a state where the internal information is advantageous to the coupon discount amount, the expiration date Have decided. Therefore, the relationship between the expiration date in the additional coupon data and the expiration date in the basic point data is mainly interpreted by the service provider. That is, since the service provider A provides the coupon service only within the expiration date indicated in the basic coupon data, it is interpreted that the expiration date in the additional coupon data does not fall within the range of the expiration date in the basic coupon data. On the other hand, since service provider B is carrying out a coupon service other than the expiration date indicated in the basic coupon data, priority is given to the expiration date of the additional coupon data. These conditions are described in the expiration date extension flag in the coupon policy in the basic coupon data.
[0037]
FIG. 11 is a block diagram showing a configuration of the entire coupon service system according to an embodiment of the present invention. This embodiment includes a mobile terminal 1, a coupon processing device 2, a coupon server 3, a broadcast satellite 4, an employee card 5, and a certificate authority 6. The certificate authority 6 issues a public key certificate for each portable terminal device and a public key certificate for each coupon processing device device in advance. Also, a public key certificate for each portable terminal 1 and a public key certificate for each employee are issued for each user. The public key certificate for the portable terminal device and the public key certificate for the user are in the portable terminal 1, the public key certificate for the coupon processing device is in the coupon processing device 2, and the public key certificate for the employee is Each employee card 5 is prepared at the time of system construction. In this system, the certificate authority 6 is responsible only for creating such a public key certificate by confirming the principal (or device).
[0038]
In the present invention, as will be described in detail later, a broadcast viewer receives basic coupon data by broadcast distribution, and the mobile terminal 1 adds an additional coupon based on information in the mobile terminal 1 from the basic coupon data according to a user instruction. Information is added to generate coupon data, which is stored inside the portable terminal 1.
[0039]
The overall processing procedure regarding the use of the generated coupon data will be described along the flowchart shown in FIG. 12 with reference to FIG. First, the portable terminal 1 is connected to the coupon processing device 2 by wireless communication, and the portable terminal 1 held by the customer in accordance with the protocol described in detail in the description of the processing of each device by the wireless communication later, the coupon processing device 2, the coupon processing device 2. Authenticates that the mobile terminal 1 owned by the customer is a legitimate device according to the safety standard of the present invention (S120 to S127). If the authentication is successful, the mobile terminal 1 transmits the coupon data to the coupon processing device 2. If the authentication is not successful, the portable terminal 1 or the coupon processing device 2 may not comply with the safety standards required in the present embodiment, so the processing is stopped at that time (S124, S127). .
[0040]
Next, the coupon processing apparatus 2 acquires the portable terminal ID from the portable terminal 1 (S128), searches the portable terminal revocation list held by the coupon processing apparatus 2, and determines whether or not the portable terminal 1 has been revoked. A check is made (S129). If it is revoked, the process is immediately terminated (S1210). When not revoked, the coupon processing device 2 acquires the store ID, the employee ID, and the employee's public key certificate from the employee card 5 in order to make the portable terminal 1 check whether the employee can be trusted. (S1211), of which the store ID and employee ID are transmitted to the portable terminal 1. In response to this, the portable terminal 1 searches the store employee revocation list owned by itself to check whether or not the store ID and employee ID are revoked (S1212 and S1213). If it has been revoked, the processing is immediately terminated (S1214). When it is not revoked, the portable terminal 1 transmits the coupon data body to the coupon processing device 2 (S1215). The coupon processing apparatus 2 receives this (S1216) and verifies the digital signatures of the basic coupon data and the additional coupon data included in the data (S1217). If the verification is successful, it is recognized that the additional coupon data of the coupon data is not falsified, so the coupon processing device 2 discounts the coupon data (S1220), and the coupon log data is processed in the processing procedure described in detail later. Create (S1221). If the verification is unsuccessful in step S1218, an error is output and the process is immediately terminated (S1219). On the other hand, the portable terminal 1 deletes the coupon data and finishes the process (S1222).
[0041]
Below, the structure of each apparatus and the content of a process are demonstrated in detail in order of the portable terminal 1, the coupon processing apparatus 2, and the coupon server 3. FIG. Note that the certificate authority 6 and the employee card 5 in the system configuration diagram of FIG. 11 are very simple in configuration and processing procedure, and therefore will not be described in detail here.
[0042]
FIG. 13 is a block diagram showing the overall configuration of the mobile terminal. In FIG. 13, the limited reception unit 131, the coupon processing unit 132, and the coupon use unit 133 will be described in detail later. In the following, the processing procedure of the portable terminal will be described in detail in the order of broadcast reception processing, received coupon processing, and processing at the time of using a coupon at a store.
[0043]
FIG. 20 is a block diagram illustrating a configuration of the limited reception unit 131. Limited reception refers to a mechanism that allows only viewing subscribers to receive in pay broadcasting. The limited reception is realized by encrypting and transmitting the broadcast content and distributing a key for decrypting the broadcast content only to the viewing contractor.
[0044]
Information describing the contract status for each channel for performing limited reception is called channel contract information. For example, a channel number is assigned to each channel. For example, as shown in FIG. 14A, a bit string representing a channel contract state depending on whether or not a bit corresponding to the channel number is 1 is channel contract information. FIG. 14A shows that the second, fifth, seventh, and eighth channels have been contracted. Further, a format of channel contract information as shown in FIG. That is, a more detailed contract state is expressed by assigning 4 bits to one channel. Here, out of the above 4 bits, the first bit indicates whether viewing is possible (1 is possible, 0 is not possible), and the second bit is whether the coupon discount is increased by 100 yen (from 1 is possible, 0 is not). Similarly, the third bit indicates whether the coupon discount can be increased by 200 yen, and the fourth bit indicates whether the coupon discount can be increased by 500 yen. That is, in the example of FIG. 14B, the first channel represents a viewing contract with no viewing contract, the second channel represents a viewing contract with a coupon discount increase of 200 yen, and the eighth channel represents a viewing contract with a coupon discount increase of 500 yen. Yes. In the present invention, additional coupon data is created for basic coupon data broadcast to the channel using channel contract information as shown in FIG. 14B, and coupon data for each viewer is created.
[0045]
Further, the contract information is configured by adding information that restricts the channel contract information such as the expiration date of the channel contract information to the channel contract information and information that expresses the subscriber contract form in more detail.
[0046]
Further, the limited reception information for individual subscribers such as the contract information is referred to as individual limited reception information, and the limited reception information common to a plurality of subscribers such as channel key information is referred to as common limited reception information. In the context where it is clear that they are limited reception information, they are called individual information and common information for simplicity.
[0047]
In this embodiment, a key configuration as shown in FIG. 15 is adopted for limited reception. That is, the work key K common to all mobile terminals defined for each channel _w Individual master key K _m Encrypt with and send. Furthermore, the work key K _w To use channel key K _ch Is encrypted and sent. Broadcast content is channel key K _ch Since it is encrypted by a conventional encryption method using this, it can be decrypted with this channel key. Here, the channel key must be changed in a short time of about 10 minutes in order to prevent decryption. If an individual master key is used to transmit this, the amount of transmission becomes enormous. Therefore, it is necessary to use a common work key for all portable terminals. Also, since it is dangerous to use the same key in units of months, it is necessary to change the work key, and this is a mechanism that encrypts it with an individual master key. Thus, even if the master key is known, free viewing can be prevented by changing the work key.
[0048]
Now, there are three types of data received by the broadcast portable terminal in the conditional access system of this embodiment: a content packet, a common limited reception information packet, and an individual limited reception packet. The content packet has a packet data structure shown in FIG. 16, and includes an information identifier, a channel identifier, a channel key identifier, and scrambled broadcast content. The information identifier indicates the type of the packet. Here, an identifier indicating a content packet is described. The channel identifier indicates which channel the broadcast content is. The channel key identifier indicates an identifier of a channel key for decoding the broadcast content. The broadcast content in this embodiment is raw program data or a coupon packet, and a channel key K specified by a channel key identifier. _ch It is encrypted with.
[0049]
The common limited reception packet is also called a channel key information packet and has a packet data structure as shown in FIG. This common limited reception packet is composed of an information identifier, a work key identifier, a channel identifier, a channel key identifier 1, a channel key 1, a channel key identifier 2, and a channel key 2. The portion from the channel identifier to the channel key 2 is And encrypted with the work key indicated by the work key identifier. The information identifier indicates the type of the packet. Here, an identifier indicating a common limited reception packet (channel key information packet) is described. The channel identifier indicates which channel the common conditional access information is for. In addition, the work key identifier indicates which work key K is the common limited reception packet. _w It is information indicating whether or not it is encrypted. The channel key identifier is an identifier of a channel key described next. The channel key indicates a channel key used for encrypting broadcast content of the channel specified by the channel identifier. Here, there are two sets of channel key identifier and channel key. Since the channel key is changed in a relatively short time as described above, it is necessary to smoothly switch the channel key. This is because the channel key to be used next time is sent simultaneously. Of course, the transmission of two sets in this manner does not directly affect the present invention, and therefore one set may be used.
[0050]
As shown in FIG. 17, the individual limited reception packet includes an information identifier, a portable terminal ID, a master key identifier, and encrypted contract information. The information identifier indicates the type of the packet, and here, an identifier indicating the individual limited reception packet is described. The mobile terminal ID is an identifier of the mobile terminal that should receive the contract information. The master key identifier is identification information of a master key that can decrypt the individual limited reception packet. If the master key identifier is correctly transmitted and received, the master key identifier of the portable terminal that has received the packet is described here.
[0051]
As shown in FIG. 18, the contract information includes a mobile terminal ID, channel contract information, an expiration date, the number k of work keys, a pair of k work keys and work key identifiers, and a digital signature. The portable terminal ID is an identifier of the portable terminal that should receive the contract-related information, and is an ID that matches the portable terminal ID in the limited receiving unit 131 inside the portable terminal if it is normally transmitted and received. The channel contract information indicates the contract status of the mobile terminal having the mobile terminal ID as described above. The work key identifier i is an identifier of the subsequent work key i. In this embodiment, since the work key is set for each channel, a set of a work key and a work key identifier corresponding to the channel contract information is entered. The digital signature is information for confirming the validity of the contract information, and is mainly used for preventing forgery.
[0052]
In the present embodiment, since all of these pieces of information are data expressed in a fixed length, the processing procedure for extracting each piece of information from the received packet will not be described again.
[0053]
Next, the configuration of the limited reception unit 131 and the flow of processing will be described along the processing procedure shown in FIG. 21 with reference to FIG. 20 (or FIG. 13). In FIG. 13, when the portable terminal receives a broadcast wave (S210), it converts it into digital data by A / D conversion (S211). Next, error detection / correction is performed (S212), and only packets that have been correctly received are transmitted to the channel selection unit 134. Here, when the packet is broadcast content information (packet) (S213), the channel currently being viewed is obtained via the channel I / F 135, and only the viewing channel is selected by the channel selection unit and the limited reception unit 131 is selected. To the broadcast filter unit 201. As shown in FIG. 20, the broadcast filter unit 201 sends this to the descrambling unit 202 (S215). On the other hand, if it is a common limited reception packet (common control packet) (S216), it is sent from the broadcast filter unit 201 to the common limited reception information decoding unit 203 via the channel selection unit 134 (S217), and decoding is started. Alternatively, if it is an individual limited reception packet (individual control packet) (S218), it is sent from the broadcast filter unit 201 to the individual limited reception information decoding unit 204 via the channel selection unit 134 (S219).
[0054]
The processing for the content packet will be described in detail with reference to the flowchart of FIG. The content packet sent from the broadcast filter unit 201 to the descrambling unit 202 by the above processing is separated into a channel identifier and a channel key identifier, and these are transmitted to the channel key output unit 205. Request output. The channel key output unit 205 extracts the channel key of the reception channel from the channel key storage unit 207 based on the contract determination for the channel in the contract determination unit 206 (S220). Further, the contract determination unit 206 receives the channel identifier transmitted from the channel key output unit 205 and outputs whether or not the channel is contracted for viewing by referring to the channel contract information. If the determination sent by the channel key output unit 205 is permitted (S221), a channel key holding the channel key identifier of the channel is obtained from the channel key storage unit 207, and is transmitted to the descrambling unit 202. If it is permitted, the processing relating to the content packet is terminated. The descrambling unit 202 decrypts the scrambled content with the corresponding channel key (S222). The decrypted content data is transmitted to the second filter unit 134. If this is coupon data, the second filter unit 134 sends it to the coupon processing unit 132 (S224), otherwise sends it to an output device such as an external display (S225).
[0055]
Next, a processing procedure related to the common limited reception packet will be described with reference to FIG. The common limited reception packet is sent from the broadcast filter unit 201 to the common limited reception information decoding unit 203. Here, the work key is acquired from the work key storage unit 208 based on the work key identifier included in the unencrypted part of the common information (S230). If the work key cannot be acquired (S231), the process ends. If the work key is acquired, the common information is decrypted with the work key (S232). From the decrypted common information, the channel key K _ch Is stored in the channel key storage unit 207 (S233).
[0056]
Next, a processing procedure related to the individual limited reception packet will be described with reference to FIG. The individual limited reception packet is sent from the broadcast filter unit 201 to the individual limited reception information decoding unit 204. Here, the mobile terminal ID included in the unencrypted part of the individual information is read and collated with the mobile terminal ID of its own device (S240). If the portable terminal ID does not match that of the own device, the processing of this packet is terminated. If they match, the master key is acquired from the master key storage unit 209 using the master key identifier included in the unencrypted unit as a key. Further, the individual limited reception information is decrypted using the master key (S241), and the work key obtained by decryption is stored in the work key storage unit 208 (S242). Next, the contract information is sent to the contract information authentication unit 2010. The contract information authentication unit 2010 acquires the digital signature verification key from the digital signature verification key storage unit 2011 and verifies the digital signature (S243). If the verification is successful, the contract information is stored in the contract information storage unit 2012 and the process is terminated (S244). If verification fails, the contract information may be forged or destroyed due to poor reception, and the process ends without storing.
[0057]
This is the end of the description of the limited reception unit 131.
[0058]
Next, the coupon processing unit 132 will be described in detail. FIG. 25 is a block diagram showing a configuration of the coupon processing unit 132. The process of the coupon processing unit 132 includes a process of storing basic coupon data broadcasted and a process of generating additional coupon data from the basic coupon data and generating coupon data.
[0059]
FIG. 26 is a flowchart showing a processing procedure of basic coupon data storage processing. The basic coupon data storage process will be described below with reference to the flowchart of FIG. 26 with reference to the overall configuration diagram of FIG. When basic coupon data is input from the second filter unit 134 to the coupon processing unit 132 (S260), the coupon filter unit 251 extracts keywords for narrowing down the coupons to be stored from the keyword data storage unit 252, and the input basics It is compared with the keyword information of the coupon data (S261). As a result of the comparison, if matching is obtained, the basic coupon DB 253 is searched using a coupon identifier or the like as a key (S263). It is confirmed that the basic coupon data is not registered (S264), and if so, the processing related to the basic coupon data is completed (S265). Here, if the input basic coupon data does not match the keyword information (S262), or if the basic coupon data exists in the basic coupon data DB 253, the processing related to the basic coupon data is terminated at that time (S264). .
[0060]
FIG. 27 is a flowchart showing a processing procedure for generating additional coupon data. The basic coupon data storage process will be described below with reference to the flowchart of FIG. 27 with reference to the overall configuration diagram of FIG. The coupon processing unit 132 starts a process of generating additional coupon data (that is, generating coupon data) in response to a request from the coupon using unit 133 or the interface of the mobile terminal. Here, for the sake of simplicity, it is assumed that basic coupon data for which coupon data is to be created is designated by input (using a coupon identifier or the like as a key) at the stage of starting processing. If not, it is necessary to retrieve the basic coupon data corresponding to the required coupon by searching the basic coupon data DB 253 prior to this processing. This processing is performed from the control unit via the user interface. This can be done by searching the DB 253, so the explanation is omitted here.
[0061]
The basic coupon data DB 253 is searched using the coupon ID of the input basic coupon data as a key (S270), and the corresponding basic coupon data is extracted (S271 to S273). Further, a coupon policy is extracted from the extracted basic coupon data (S274), essential conditions are extracted by referring to the type information in the coupon policy, and they are inspected by means described in detail later (S275). Here, when the essential condition is not satisfied, the processing related to the basic coupon data ends (S276, S277). When the essential condition is satisfied, the permission condition is extracted by referring to the type information, and the most advantageous one is selected by referring to the internal information by means described in detail later (S278). This detailed processing procedure will also be described in detail later.
[0062]
By the above processing, it is checked whether any coupon policy has been selected. That is, even if the essential conditions are cleared, there may be no policy corresponding to the permission conditions for the basic coupon data and the internal information (S279). If there is a coupon policy, additional coupon data is created using the discount amount of the coupon policy as the discount amount of the additional coupon data (S2711). If not, the additional coupon data is created with the discount addition amount set to 0 (S2710). In any case, the created coupon data is transmitted to the coupon using unit 133 via the control unit 254 (S2712), and the coupon using unit 133 stores the coupon data in the coupon data DB by means described in detail later (S2713).
[0063]
Next, a process related to a check of essential conditions in the process of generating additional coupon data from the coupon policy will be described with reference to the flowchart of FIG. First, a coupon policy is extracted from the basic coupon data (S280), and the coupon policy number k at the head of the coupon policy data is extracted and set in a variable k. Next, i> k is checked with i = 0 and i = i + 1 (S281 to S283). If i> k, the essential condition check described in detail below is completed. That is, all the essential conditions are satisfied, and the fact that the essential conditions are met is output and the process ends (S284).
[0064]
When i> k is not satisfied, the coupon policy i is extracted (S285), and it is determined with reference to the type information whether the coupon policy is an essential condition (S286). If it is not an indispensable condition, it is not an inspection target in this processing procedure, so i is incremented by 1 and the next coupon policy is inspected.
[0065]
If it is an indispensable condition, first, it is checked by referring to the policy identifier whether it is a policy relating to the coupon issue frequency (S287). If the policy is related to the coupon issue count, the coupon creation result DB 255 is searched (S288), and it is determined whether or not the application condition is met (S289). Here, the policy based on the coupon issue count is for setting an upper limit of the issue count when the same coupon is issued a plurality of times. That is, since the coupon data according to the present invention is issued many times by broadcasting, it can be used any number of times. For this reason, the purpose of this essential condition is to set the upper limit. That is, in this condition check, the coupon creation result DB 255 is searched using the coupon identifier as a key, and it is confirmed that the number of creation does not exceed the limit number in the coupon policy. If the number of creations has exceeded, a message indicating that the essential condition is not met is output, and the process is terminated (S2810).
[0066]
If the number of creations is less than or equal to the upper limit, or if the coupon policy is not related to the coupon issuance number, it is checked using the policy identifier whether the coupon policy is related to the purchase record (S2811). . The coupon policy for purchase results is, for example, “issue coupons only for customers with a certain amount of purchases”, such as issuing coupons only to customers with a purchase amount of 1000 yen or more. The coupon policy is “issue coupon”. By defining the coupon policy in this way, unlimited coupon usage can be prevented and the coupon can be used as an effective sales promotion means. In order to realize this, the purchase record DB 257 is searched from the coupon creation unit 256 (S2812), and it is investigated how much the corresponding purchase has been made. It is determined whether the required condition is satisfied by comparing the purchase amount obtained therewith with the coupon policy (S2813). If so, i is incremented by 1 and the next coupon policy is inspected (S282). If not, the fact that the essential condition is not met is output and the process ends (S2814).
[0067]
In this embodiment, since the coupon issue results and the product purchase results are shown as indispensable conditions, even if a coupon policy other than that is entered, it is ignored, but in general, points of a certain amount or more are accumulated. There may be indispensable conditions determined by other performance elements and identification information such as being a member of a coupon issuing organization. In order to realize these essential conditions, the processing procedure described so far is possible except that a DB or memory corresponding to the conditions is required.
[0068]
Further, the process related to checking the permission condition is the same as the process related to the indispensable condition described above, and is omitted here.
[0069]
Next, a process for searching for the most advantageous permission condition from among the permission conditions will be described with reference to the flowchart of FIG. First, the coupon policy is extracted from the basic coupon data, the coupon policy number k at the head of the coupon policy data is extracted (S290), and the counter i for the variable k is set to zero. Next, the memory for storing the additional coupon condition (the most advantageous condition for creating the additional coupon) is initialized (S292). Here, initialization is to set the discount addition amount, the valid period, and the valid period extension flag to 0. Subsequently, i> k is checked with i = i + 1 (S293, S294). If i> k, the permission condition check described in detail below is terminated, and the condition described in the additional coupon condition is output as the most advantageous permission condition (S2910).
[0070]
If i> k is not satisfied, the coupon policy i is extracted (S295), and it is determined with reference to the type information whether the coupon policy is a permission condition (S297). If it is not a permission condition, it is not an inspection target in this processing procedure, so i is incremented by 1 and the next coupon policy is inspected.
[0071]
If it is a permission condition, the application condition written in the coupon policy is inspected by referring to the internal information. If this is the case, the information on the discount addition amount, the validity period, and the extension of the expiration date is compared with the current additional coupon condition (S298), and if the additional coupon condition is more advantageous than the condition presented in the coupon policy. For example, i is incremented by 1 and the next security policy is checked. If the condition presented in the coupon policy is more advantageous, the additional coupon condition is replaced with the coupon policy (S299).
[0072]
Here, there are various implementation modes for comparing the additional coupon data and the coupon policy. For example, in the present embodiment, the comparison is realized as follows. That is, the importance is determined in the order of the discount addition amount, the valid period, and the expiration date extension flag, and it is advantageous that the discount addition amount is large in comparison. If the discount is the same, the longer validity period is advantageous. If the validity period is the same, the one with the validity period extension flag of 1 is prioritized. Of course, more complex coupon policies are actually conceivable, and such a comparison may not be valid. In general cases, in order to improve usability, not only a more complicated comparison has to be performed, but also in some cases it is necessary for the user to select advantageous conditions through the user I / F.
[0073]
Such a process is repeated for all coupon policies while incrementing i, and finally the additional coupon condition is output and the process ends. The coupon policy includes purchase information, contract information for limited reception, position information by GPS, and the like. In particular, with regard to location information, if the location where the mobile terminal is located is far from the store, the discount addition amount is increased, and if the location is close, the discount addition amount is suppressed, thereby making it possible to attract customers effectively. These implementations require data outside the coupon processing unit 132, which is collected through the control unit.
[0074]
This is the end of the description of the two types of processing in the coupon processing unit 132.
[0075]
Next, the coupon use unit 133 will be described in detail. FIG. 30 is a block diagram showing the configuration of the coupon usage unit 133. The coupon use unit 133 performs a process of transmitting the coupon data stored in the coupon data DB 301 to an external coupon processing device using a communication unit. However, the transmission / reception process is a process performed to receive a coupon service here, and it is necessary to prove that the mutually trusted people use the reliable equipment to send / receive the correct data. Authentication processing is included.
[0076]
Below, the process at the time of coupon use is demonstrated along the flowchart shown in FIG. If coupon data to be transmitted does not exist in the coupon data DB 301, a coupon creation instruction is sent to the coupon processing unit 132 at that time, and coupon data is created and used according to the above-described procedure.
[0077]
When using a coupon, the coupon processing device is first called by communication from the customer's mobile terminal (S310). The communication considered here is not communication via a telephone station but short-range wireless communication represented by Bluetooth (trademark), IrDA, or the like. This is not only free of telephone charges, but also has advantages such as high-speed communication, so it is easy to use for coupon services. However, the following embodiments can be similarly applied to public line type communication via a telephone office.
[0078]
When the coupon processing apparatus responds in response to the call from the portable terminal, connection is made by a predetermined protocol (S311). After the connection is made, the portable terminal performs device authentication of the coupon processing device by the device authentication unit 301 (S312). Here, the authentication process will be described in detail. The authentication performed by the device according to the present invention is authentication for confirming whether the communication partner is a correct device. As described at the beginning of the embodiment, in the present embodiment, the portable terminal and the coupon processing apparatus itself are considered to be reliable if tamper resistance can be assumed. In other words, a device that can be easily hacked by a special method and can rewrite or read data inside the device without any tamper resistance can no longer be considered a reliable device. Device authentication is performed in order to eliminate such untrusted devices and devices that are not approved for use as a coupon service system because they do not have the level of security that coupon services can be implemented.
[0079]
FIG. 33 is a flowchart showing a device authentication processing procedure. First, a challenge for inquiring about the device ID of the coupon processing apparatus is created (S330), and output to the coupon processing apparatus via the control unit 305 and the transmission / reception unit 304 (S331). Next, it waits for the response of the coupon processing apparatus to the challenge (S332). When receiving the response, the device authentication unit 301 extracts the coupon processing device ID from the response from the device data storage unit 302, and searches the device revocation list 303 with the coupon processing device ID (S333). When the coupon processing apparatus device ID is described in this list (S334), it is determined that the coupon processing apparatus is a device that has already collapsed the security system or a device that does not have a predetermined security system, An error message indicating that the authentication is terminated due to insufficient creditworthiness of the device is output and the process is terminated (S335).
[0080]
Here, when the device ID of the coupon processing device does not exist in the revocation list 303, at least the creditworthiness of the device that has responded is recognized, so that the coupon processing device really does not have the coupon processing device ID. Proceed to verification of the device. For this purpose, as described above, authentication using information that only the coupon processing apparatus can know may be performed. That is, a challenge for inquiring about the device public key certificate of the coupon processing apparatus is created (S336), this is sent to the coupon processing apparatus in the same procedure as above (S337), and a response is received (S338). The public key certificate here is a public key certificate for device authentication, and has a configuration as shown in FIG. When the response is received, a public key certificate is acquired from the response, a device ID is acquired from the public key certificate, and is compared with the device ID that has been previously responded. If they do not match as a result of the comparison, an error message indicating that the public key certificate or device ID is false is output and the authentication is terminated. If they match, the public key certificate is further authenticated with the public key of the certificate authority (S339). If the authentication is successful, the public key certificate is proved to be correct, so the next step is to challenge. If the authentication fails, an error message indicating that the authentication of the public key certificate has failed is output, and the authentication process is terminated.
[0081]
If the authentication of the device public key certificate is successful, i = 0 is set (S3311), and the message M _i A challenge requesting the creation of a digital signature that can be verified with the public key is created (S3312) and output (S3313). When a response is received, message M _i Is verified (S3315). If the verification fails, an error output indicating that the signature verification failed is output (S3317). If successful, i is incremented by 1 and the same challenge response is repeated N times while changing the plaintext (S3312 to S3316). If all N times are successful, the coupon processing apparatus is recognized as signing the message using a secret key known only to the device ID, so that it can be confirmed that the device has the device ID. As a result, a notification to the effect that authentication has been completed and transmitted is sent to the portable terminal (S3318). The above is the apparatus authentication process of the coupon processing apparatus.
[0082]
When the coupon processing apparatus is successfully authenticated by the above processing procedure, the mobile terminal is authenticated by the coupon processing apparatus performed by the same processing procedure. This authentication processing procedure is shown in FIG. First, the mobile terminal receives a challenge from the coupon processing apparatus by the transmission / reception unit 304 (S320). The received challenge is sent to the device authentication unit via the control unit 305. There are two types of “questions” here: a question that simply asks for a coupon processing device ID, and a question that cannot be answered unless information that is known only to a mobile terminal is used. In the case of the former inquiry, the device authentication unit acquires the device ID from the device data storage unit and transmits it to the portable terminal via the control unit 305 and the transmission / reception unit 304.
[0083]
In the case of the latter question, similarly, the device authentication unit 301 extracts secret data from the device data storage unit 302 and performs the process in the challenge. Specifically, the latter question is to generate a digital signature on a plaintext (message) transmitted using a secret key of public key cryptography held secretly by the device. The device authentication here is not basically performed for each device, but for example for the device type name. That is, devices having the same model name have the same device ID, the same (authentication) secret key, and are authenticated by the same standard.
[0084]
The response created by the above procedure is transmitted from the transmission / reception unit 304 to the coupon processing apparatus via the control unit 305 (S322). In response to the response, the end of authentication or continuation is received from the coupon processing apparatus, and if the end of authentication is received (S323), the control unit 305 determines whether the authentication is successful (S324). ) If the authentication fails, output the reason and exit. Here, the determination as to whether or not the authentication is successful can be made based on, for example, whether or not an error code is added to the end notification from the coupon processing apparatus. If an error code is added, authentication has failed, and authentication has failed for the reason indicated by the error code. If the authentication fails, an error is output based on the error code (S325). On the other hand, when the authentication is not completed, it waits for the next challenge to be transmitted from the coupon processing device, and when the challenge is received, the same processing as described above is performed.
[0085]
Here, it returns to description of FIG.
[0086]
If the device authentication is passed, the mobile terminal continues to receive an inquiry about the mobile terminal ID from the coupon processing device 2. Therefore, the mobile terminal extracts the mobile terminal ID in the limited receiving unit 131 and transmits the mobile terminal ID to the coupon processing apparatus 2 (S318). On the coupon processing device 2 side, as shown in FIG. 34, this is sent from the control unit 341 to the mobile terminal ID verification unit 342, and it is checked whether the mobile terminal ID has been revoked by referring to the mobile terminal revocation list 343 ( S319). If it is revoked, an output indicating that it is a customer requiring attention is output and the process ends (S3110). Here, the mobile terminal revocation list 343 is a list of mobile terminal IDs that are customers who have made illegal transactions of coupon data in the past and are within the transaction suspension period. For this reason, if the mobile terminal ID is registered in this list, the transaction must be terminated at that time.
[0087]
If it is not revoked, the control unit 341 of the coupon processing apparatus 2 obtains the store ID, employee ID, and employee public key certificate written on the employee card 5 from the employee card reading unit 344. (S3111). Here, the employee card 5 is an electronic identification of the employee and is usually mounted in the form of an IC card. When an employee operates the coupon processing apparatus 2, the employee must insert his / her employee card 5 into the insertion slot of the coupon processing apparatus 2. This aims to clarify employee responsibilities for coupon services and to eliminate fraudsters. The store ID and employee ID acquired from the employee card are transmitted to the mobile terminal via the transmission / reception unit 342 (S3112), and it is checked on the mobile terminal side whether the store or the employee has been revoked. . Here, when it is found that the revocation has been made, the mobile terminal immediately transmits information indicating that the transaction has been canceled to the coupon processing apparatus, so that the coupon processing apparatus outputs an error and ends (S3114).
[0088]
If not revoked, the mobile terminal transmits coupon data to the coupon processing device (S3115). The coupon processing device receives the coupon data (S3116), and verifies the coupon data by a method described in detail in the description of the processing procedure of the later coupon processing device (S3117). Here, when the verification is successful, the coupon processing apparatus performs a discount by using the coupon (S3120). After the discount is implemented, the coupon data is deleted from the coupon data DB 301 and the process is terminated (S3121). If the verification is not successful, an output indicating that there is an error in the coupon data is output from the coupon processing apparatus, and based on this, an error is output on the portable terminal side and the process is terminated.
[0089]
Above, the description regarding the process by the side of a portable terminal is complete | finished.
[0090]
Next, the coupon processing device will be described in detail. Since the processing procedure of the coupon processing apparatus has many portions that overlap with those of the mobile terminal, the description will focus on the different portions.
[0091]
FIG. 34 is a block diagram showing the overall configuration of the coupon processing apparatus, and FIG. 35 is a flowchart showing a processing procedure until coupon data is received and a discount is implemented. Hereinafter, processing of the received coupon will be described along the flowchart of FIG. 35 with reference to the overall configuration diagram of FIG.
[0092]
First, a coupon processing apparatus is called and connected by communication from a customer's mobile terminal (S350). If the connection is made, the mutual device authentication with the coupon processing apparatus is performed in the same manner as the processing procedure on the portable terminal side described above, and if the authentication fails, an error output or the like is performed and the process ends (S351 to S356). If the device authentication is successful, the control unit 341 requests the portable terminal to output the portable terminal ID, and the portable terminal acquires the portable terminal ID from the portable terminal ID storage unit of the limited receiving unit 131 in the portable terminal, and the control unit (S357). The acquired mobile terminal ID is transmitted to the coupon processing apparatus via the transmission / reception unit, and the coupon processing apparatus performs authentication using the revocation list of the mobile terminal ID (S358). If the authentication fails, an error is output and the process ends (S359). If the authentication is successful, the control unit 341 sends the employee ID, store ID, and employee public key certificate to the employee card reading unit 344. Is read (S3510, S2511), and the read employee ID, store ID, and employee public key certificate are transmitted to the portable terminal (S3512). In response to this, the portable terminal searches the store / employee revocation list 306 and confirms whether the store with the store ID or the employee with the employee ID at the store with the store ID has been revoked. If it has been revoked, an error output indicating that the employee is a watchful employee is made, and the process ends here (S3514). If it has not been revoked, verification has succeeded, and the process moves to the control unit 305.
[0093]
The control unit 341 receives coupon data from the mobile terminal (S3516), transmits the coupon data to the coupon data verification unit 345, and verifies the coupon data. Verification of coupon data first extracts the service provider ID and coupon identifier from the basic coupon data portion of the coupon data, and also extracts the expiration date from the additional coupon data to determine the validity of the coupon data. First of all, the service provider ID is matched to confirm the validity of the service provider ID (or partner), and whether the coupon identifier is a currently available service is checked. It is performed by confirming that it is within the expiration date (S3517). If it is not available, an error is output to that effect and the process is terminated (S3518). If it is available, the basic coupon data is continuously authenticated (S3519). The basic point data is authenticated by obtaining a public key certificate of the service provider from the basic point data and authenticating it with the public key of the certificate authority in the certificate authority public key storage unit 346. If the authentication fails, the process ends there and an error is output (S3521). When the authentication is successful, the digital signature of the service provider included in the basic point data is verified using the public key of the public key certificate. If the verification fails, an error is output and the process ends. If the verification is successful, the additional point data is subsequently authenticated (S3522). The verification of the additional point data is the same as the verification of the basic point data, and will be omitted.
[0094]
When the verification of the additional point data is completed, the control unit 341 calculates the discount amount by correcting the discount amount of the basic coupon data with the additional coupon data (S3526), performs the discount using the coupon (S3527), and discounts from the purchase amount. Reduce the amount and charge. Further, the fact that the coupon service has been implemented is transmitted to the portable terminal (S3528), and the portable terminal receives this and erases the coupon data. Next, the control unit 341 moves the processing to the coupon log creation unit 347, and adds the service execution time, the digital signature with the employee's private key, and the employee's public key certificate to the coupon data as shown in FIG. The file is completed (S3529). This log file is transmitted to the coupon server 3 (S3530), stored in a database on the coupon server 3, and used for fraud detection processing as will be described in detail below.
[0095]
Next, the processing of the coupon server will be described in detail. FIG. 37 is a block diagram showing the overall configuration of the coupon server, and FIG. 38 is a flowchart showing a processing procedure for inspecting a coupon. The coupon inspection process will be described below with reference to the flowchart of FIG. 38 with reference to the overall configuration diagram of FIG.
[0096]
The coupon server 3 receives the coupon log data transmitted from the coupon processing device 2 via the transmission / reception unit 371 and stores the coupon log data in the coupon log data DB 373 via the coupon log data management unit 372. Here, the basic coupon data distributed by broadcast is in the basic coupon data DB 374, the purchase results of the user are in the purchase result DB 375, the viewing contract information is in the viewing contract DB 376, the basic coupon data input / output unit 376, the purchase result input / output 377 and viewing contract input / output unit 378 are input and managed.
[0097]
In the following, if a fraudulent transaction occurs by inspecting the cupologon data for each mobile terminal, the fact is detected, and the unauthorized person is identified from the mobile terminal ID, store ID, employee ID, etc. of the coupon log data. The processing procedure is shown. This processing procedure is started by the control unit 379 when the collection of coupon log data from each coupon processing apparatus is completed. The control unit 379 instructs the coupon log inspection unit 3710 to inspect coupon log data. In response to this, the coupon log data inspection unit 3710 sets i = 0 and starts the inspection (S382).
[0098]
The inspection is performed according to the following procedure. It is assumed that all portable terminal IDs are set between 0 and MAXID. First, the coupon log data DB 373 is searched for the presence of coupon data that includes i as the mobile terminal ID (S383). If there is no coupon data including such a portable terminal ID, it is confirmed that i <MAXID, i is incremented by 1, and the presence of coupon log data is searched again. Here, if i <MAXID is not satisfied, it means that the process has been completed, and the process ends (S381).
[0099]
If coupon log data having i as the mobile terminal ID exists in the coupon log DB 373, all coupon log data is searched and all such coupon log data is extracted (S384). These are sorted based on the use time information in the coupon log data, and are arranged in order from the earliest time (S385).
[0100]
And about each coupon log data in it, the employee's digital signature added to coupon log data is first verified (S386). In this authentication, first, the employee's public key certificate attached to the coupon log data is authenticated with the public key of the certificate authority, and if the authentication is successful, a digital signature is signed with the public key embedded in the public key certificate. Validate. Here, when authentication fails in either public key certificate authentication or digital signature authentication, an abnormal output (S389) is performed, the verification process of the portable terminal is interrupted, and i is incremented by 1 (S380). ), The process proceeds to the next coupon log data processing (S383-).
[0101]
If the digital signature is successfully authenticated (S387), then the basic coupon data is authenticated (S388). Since the authentication method is the same as the same processing in the coupon processing apparatus, it is omitted here. If there is coupon log data that fails authentication (S3810), an abnormal output is performed (S3811), the verification process of the mobile terminal is interrupted, and i is incremented by 1, and the next coupon log data Transition to processing. If no abnormality has occurred in the basic coupon data in all coupon log data, the additional coupon log data is next authenticated (S3812). This process is the same as that in the coupon processing apparatus, and the process when the authentication fails is the same as in the case of basic coupon data.
[0102]
If there is no abnormality in the additional coupon data in all coupon log data, then the coupon usage history, purchase record, and broadcast contract status up to the previous point will be displayed. The validity of the additional point data is verified with reference to the log DB 373, the purchase record DB 375, and the viewing contract DB 376 (S3815). That is, it is inspected whether the additional coupon data having such conditions can be created when the additional coupon data is created. Accordingly, even if the security function of a specific mobile terminal or coupon processing device is broken, fraud can be detected. If the additional coupon data is valid for all coupon log data, it is determined that the coupon log data of the portable terminal is normal (S3816), i is incremented by 1, and the coupon of the portable terminal of the next portable terminal ID is determined. Validate log data. However, if any contradiction occurs, an abnormal output is made (S3817), the verification process of the mobile terminal is interrupted, i is incremented by 1, and the coupon log data of the mobile terminal with the next mobile terminal ID is verified.
[0103]
Now, for the mobile terminal ID determined to be abnormal as a result of the inspection, the interface of the revocation list input / output unit 3711 is used to search the plurality of DBs including the coupon log data DB 373 to find the cause of the abnormality, Identify fraudsters. It should be noted here that an unauthorized person is not necessarily a holder of a portable terminal. This is because there is a possibility that the employee is illegally using the user's data by copying it. In the latter case, the criminal can be specified because the employee ID of the coupon log data is always the same person. For these reasons, it is difficult to automate the process of identifying unauthorized persons without error.
[0104]
If an unauthorized person is specified, in this embodiment, if the store or employee is illegal using the revocation list input / output unit 3711, the store / employee revocation list management unit 3712 may be used. If there is a mobile device revocation list management unit 3713, and if a device hacking is detected, the device is registered in each revocation list DB (3715, 3716, 3717) via the device revocation list management unit 3714.
[0105]
Further, in order to reflect these revocation lists on the actual portable terminal and coupon processing device, the following processing may be performed. First, to the coupon processing device, for example, by the start of every business day, a new device revocation list and a mobile terminal revocation list or a difference between them yesterday is transmitted from the coupon server to each coupon processing device. For the portable terminal, the device revocation list and the store / employee revocation list may be changed about once a month through a public line, or the portable terminal itself may be downloaded from a homepage on the Internet.
[0106]
This is the end of the description of the basic configuration and processing of the embodiment. Next, some variations are described.
[0107]
The first variation is a method in which coupon distribution in the present embodiment is performed by two-way communication such as a telephone using a public line instead of broadcasting. Coupon data is reliably transmitted to the viewer by using the two-way communication. This eliminates the need for repeated distribution because the viewing time varies depending on the viewer in broadcasting. However, it takes a communication cost to distribute to a relatively large area. Therefore, a method of downloading a coupon only to a viewer who accesses using the Internet can be considered. This method solves the problem of communication costs described above. However, the coupon is distributed only to a specific viewer who happens to access. As described above, when coupon distribution is performed by two-way communication, there is a problem that recipients are actually biased. However, in the case of coupons for sales promotion of shops to small local residents and sales of specialized goods that only some people use, this variation method is superior to broadcasting in terms of cost. Yes.
[0108]
In the second variation, pay broadcasting has been considered as broadcasting in the present embodiment, but the present invention can be implemented without pay broadcasting. For example, a variation is considered in which the basic coupon data is transmitted by a free broadcast broadcasted by the shopping street in the shopping street. In this case, if the broadcast content is not encrypted, the limited receiving unit of the portable terminal is not necessary. However, even in this case, the portable terminal ID included in the limited receiving unit must be provided separately from the limited receiving unit. With this configuration, not only a smaller configuration can be achieved, but also complicated operations are eliminated, eliminating troublesome operations.
[0109]
The third variation is a variation in which a user ID is added to the additional coupon data instead of the mobile terminal ID. In this way, even if an unauthorized person changes the mobile terminal, it can be revoked reliably. However, in order to configure in this way, the user side must have an IC card having user-specific information. For this reason, it may be costly and difficult to spread. Further, when considering introducing this into a mobile phone, an IC card such as a SIM card is used instead of a normal IC card. This variation can also be realized without changing the configuration and processing procedure of each device.
[0110]
The fourth variation is a configuration method that does not perform revocation. In this way, it seems that even if an unauthorized person can be identified, it cannot be caught, but if the user, the store, and the employee register in advance and start the service, they can directly contact the unauthorized person from the address etc. Compensation for fraud can be sought. In addition, since the processing related to revocation that appears in various places in this embodiment can be omitted, a high-speed service can be provided. Actually, some services using the wireless communication function of the current portable terminal have a problem of processing time for the service, and this variation is effective in such a case.
[0111]
In the fifth embodiment, the fifth variation is configured by a mobile terminal. However, since it is essential that the mobile terminal is mobile, it can also be used by a receiving terminal mounted on a car as described in the prior art. In this case, since the receiving terminal cannot be taken out of the car, the connection process between the receiving terminal and the coupon processing apparatus becomes a problem, but when using the communication by Bluetooth (trademark) described in the prior art, 10 m arrives without directivity. Therefore, it can be connected sufficiently.
[0112]
The sixth variation is a configuration method in which personal information such as name, address, age, and mail address is input to the additional point data. So far, in the present embodiment, the data added to the additional points is only the discount addition rate information obtained from the information such as the purchase history, and is not necessarily information for identifying the individual customer. However, since coupon services have been used for new customer development, personal information such as address and name is extremely useful (for service providers). For this reason, it is necessary to add personal information as well as the discount addition amount as in this variation.
[0113]
In order to satisfy this request, "addition of personal information (address, name, email address)" is included in the permission conditions in the coupon policy, and the addition of personal information is a condition for issuing a coupon. As shown, the user name, user address, and user email address may be added to the additional point data body.
[0114]
The seventh variation is a configuration method that does not place importance on security. In the service form that is directly linked to money like the discount amount addition of this embodiment, it must be configured with an emphasis on security, but even if fraud occurs, such as offering a crude product to the coupon service Some are less affected. In such a coupon service, the configuration as in the present embodiment in which security is emphasized has a problem that it takes a considerable amount of processing time for the authentication process and is rather difficult to use. In such a case, it is desirable to adopt a method in which security processing is omitted.
[0115]
The basic coupon data and the additional coupon data in the coupon data of this variation are configured as shown in FIGS. 40 and 41, and the public key certificate and the digital signature are excluded from each of the basic coupon data and the additional coupon data in the embodiment described above. It has a form. Actually, in order to satisfy sufficient safety, these data are larger in size than other data, and a secondary effect of reducing the amount of communication by deleting this portion can be expected.
[0116]
A variation in which only one of the basic coupon data and the additional coupon data is configured as described above is also conceivable. Such a configuration is generally valuable when the value of information is considerably different between basic coupon data and additional coupon data. For example, if the discount amount is set at 1000 yen in the basic coupon data and the discount addition amount is ± 100 yen in the additional coupon data, there is a concept that it is sufficient to protect the safety of only the basic coupon data. Conversely, when the discount amount in the basic coupon data is 100 yen and the discount addition amount in the additional coupon data is ± 1000 yen, there is also an idea that it is sufficient to keep the safety of only the additional coupon data contrary to the above.
[0117]
The eighth variation relates to a combination of the sixth variation and the seventh variation. In other words, the permission condition is “presentation of personal information (address, name, e-mail address)”, and when considering a service with a low risk of fraud as a coupon service, the service provider is advanced in the sense of authentication. There is no need to consider security. In such a case, it is preferable to realize this by adding the additional coupon data as shown in FIG. 42 to the basic coupon data as shown in FIG. 40 in the seventh variation. It is also possible to proceed by changing the basic coupon data according to the information of the additional coupon data as shown in FIG. In this configuration method, not only the amount of data can be reduced but also data processing is facilitated by linking associated data. In the example of FIG. 43, the expiration date of the coupon ID, the coupon policy data, and the basic coupon data is less than when the basic coupon data and the additional coupon data are configured separately.
[0118]
Actually, most coupon services using current coupons are implemented in the form of presenting crude information by presenting personal information in this way, and this variation is an application of the present invention to the current service. Is shown.
[0119]
In this variation, the purpose is to simplify the data by changing the basic coupon data. In this sense, the digital signature and public key certificate of the mobile terminal or user are added to the changed coupon data. It does not prevent you from doing. In fact, such a configuration can prevent fraud of a mobile terminal user (whose fraud probability is high).
[0120]
The present invention is not limited to the above-described embodiment, and can be implemented with various modifications.
[0121]
【The invention's effect】
As described above, according to the present invention, it is possible to provide a mobile terminal, a coupon processing device, and a coupon management server for realizing a coupon service having both flexibility and safety.
[Brief description of the drawings]
FIG. 1 is a diagram showing a data structure of coupon data according to an embodiment of the present invention.
FIG. 2 is a diagram showing a data structure of basic coupon data according to the embodiment of the present invention.
FIG. 3 is a diagram showing a data structure of a basic coupon data body according to the embodiment of the present invention.
FIG. 4 is a view showing a data structure of keyword information according to the embodiment of the present invention.
FIG. 5 is a view showing a data structure of a public key certificate of a service provider according to the embodiment of the present invention.
FIG. 6 is a diagram showing a data structure of additional coupon data according to the embodiment of the present invention.
FIG. 7 is a view showing a data structure of an additional coupon data body according to the embodiment of the present invention.
FIG. 8 is a diagram showing a data structure of a public key certificate of the mobile terminal according to the embodiment of the present invention.
FIG. 9 is a view showing a data structure of coupon policy data according to the embodiment of the present invention.
FIG. 10 is a view showing a data structure of a public key certificate for device authentication according to the embodiment of the present invention.
FIG. 11 is a block diagram showing the overall configuration of a coupon service system according to an embodiment of the present invention.
FIG. 12 is a flowchart showing an overall processing procedure regarding use of coupon data according to the embodiment of the present invention.
FIG. 13 is a block diagram showing the overall configuration of the mobile terminal according to the embodiment of the present invention.
FIG. 14 is a view showing a bit string corresponding to channel contract information according to the embodiment of the present invention.
FIG. 15 is a diagram showing a key configuration in conditional access according to the embodiment of the present invention.
FIG. 16 is a diagram showing a data structure of a content packet according to the embodiment of the present invention.
FIG. 17 is a diagram showing a data structure of an individual limited reception packet according to the embodiment of the present invention.
FIG. 18 is a diagram showing a data structure of contract information according to the embodiment of the present invention.
FIG. 19 is a view showing a data structure of a common limited reception packet according to the embodiment of the present invention.
FIG. 20 is a block diagram showing a configuration of a conditional access unit according to the embodiment of the present invention.
FIG. 21 is a flowchart showing a processing procedure of a conditional access unit according to the embodiment of the present invention.
FIG. 22 is a flowchart showing a processing procedure for a content packet according to the embodiment of the present invention.
FIG. 23 is a flowchart showing a processing procedure regarding a common limited reception packet according to the embodiment of the present invention.
FIG. 24 is a flowchart showing a processing procedure related to an individual limited reception packet according to the embodiment of the present invention.
FIG. 25 is a block diagram showing a configuration of a coupon processing unit according to the embodiment of the present invention.
FIG. 26 is a flowchart showing a processing procedure of basic coupon data storage processing according to the embodiment of the present invention.
FIG. 27 is a flowchart showing a processing procedure for generating additional coupon data according to the embodiment of the present invention.
FIG. 28 is a flowchart showing a procedure for checking essential conditions in the process of generating additional coupon data from the coupon policy according to the embodiment of the present invention.
FIG. 29 is a flowchart showing a processing procedure when searching for the most advantageous permission condition from the permission conditions according to the embodiment of the present invention.
FIG. 30 is a block diagram showing a configuration of a coupon using unit according to the embodiment of the present invention.
FIG. 31 is a flowchart showing a processing procedure when using a coupon according to the embodiment of the present invention.
FIG. 32 is a flowchart showing the authentication processing procedure of the portable terminal by the coupon processing apparatus according to the embodiment of the present invention.
FIG. 33 is a flowchart showing a device authentication processing procedure according to the embodiment of the present invention.
FIG. 34 is a block diagram showing the overall configuration of the coupon processing apparatus according to the embodiment of the present invention.
FIG. 35 is a flowchart showing a processing procedure from receipt of coupon data according to an embodiment of the present invention until execution of a discount.
FIG. 36 is a view showing the data structure of a coupon log file according to the embodiment of the present invention.
FIG. 37 is a block diagram showing the overall configuration of the coupon server according to the embodiment of the present invention.
FIG. 38 is a flowchart showing a processing procedure for inspecting a coupon according to the embodiment of the present invention.
FIG. 39 is a view showing a data structure of an additional point data body according to a modification of the embodiment of the present invention.
FIG. 40 is a diagram showing a data structure of basic coupon data according to a modification of the embodiment of the present invention.
FIG. 41 is a view showing the data structure of additional coupon data according to a modification of the embodiment of the present invention.
FIG. 42 is a diagram showing a data structure of additional coupon data according to a modification of the embodiment of the present invention.
FIG. 43 is a diagram showing the connection of basic coupon data and additional coupon data according to a modification of the embodiment of the present invention.
[Explanation of symbols]
1 ... Mobile terminal
2 ... Coupon processing device
3. Coupon server
4. Broadcast satellite
5 ... Employee card
6 ... Certificate Authority

Claims (7)

A portable terminal that can be connected to a coupon processing device and enjoy a coupon service,
Means for acquiring basic coupon data including a plurality of coupon policies each describing additional coupon data and an application condition that is a condition for issuing the additional coupon data from a coupon service supplier;
A first database for storing the basic coupon data;
A second database storing an internal profile representing information unique to the user of the mobile terminal;
In response to an instruction from the user interface, means for searching the first database using a coupon identifier as a key and extracting basic coupon data;
By extracting one coupon policy from the extracted basic coupon data and comparing the application condition described in the extracted coupon policy with the information indicated by the internal profile, the information indicated by the internal profile is obtained. It is determined whether or not the application condition is satisfied. If the application condition is satisfied, the additional coupon data of the coupon policy is stored in the memory as the additional coupon condition, and another coupon policy is extracted from the basic coupon data. In addition, by comparing the application condition described in the extracted coupon policy with the information indicated by the internal profile, the internal profile determines whether the information indicated by the internal profile satisfies the application condition. To satisfy the application condition and The whether the coupon policy is more advantageous than adding coupon conditions stored in Lee, determined along a predetermined criteria, including the discount amount, of the coupons policy if it is determined to be advantageous Means for updating additional coupon conditions stored in the memory with additional coupon data;
Means for transmitting coupon data obtained by adding additional coupon data stored as additional coupon conditions in the memory to the basic coupon data to the coupon processing device;
A portable terminal comprising:   The internal profile of the mobile terminal includes the geographical location information of the mobile terminal, purchase history information of products related to the coupon service supplier, viewing contract information related to the coupon data broadcast, and the coupon service supplier. 2. The mobile terminal according to claim 1, comprising any of member registration information of the mobile terminal user.   3. The portable terminal according to claim 1, further comprising means for attaching at least a digital signature by the portable terminal to the coupon data transmitted to the coupon processing apparatus.   4. The portable terminal according to claim 3, further comprising means for attaching a public key certificate certified by a predetermined certificate authority for the public key for the digital signature.   The mobile terminal according to any one of claims 1 to 4, wherein the basic coupon data is received from a supplier of the coupon service based on one-way communication by satellite broadcasting.   The mobile terminal according to any one of claims 1 to 4, wherein the basic coupon data is received from a supply source of the coupon service based on bidirectional communication including request transmission from the mobile terminal. A coupon processing method in a portable terminal that can be connected to a coupon processing device and enjoy a coupon service,
A coupon processing means for acquiring basic coupon data including a plurality of coupon policies each describing additional coupon data and an application condition that is a condition for issuing the additional coupon data, from a coupon service supplier;
Allowing the control means to store the basic coupon data in a first database;
A step of said control unit an internal profile representing information specific to the user of the mobile terminal causes storage in the second database,
In response to an instruction from the user interface, the control means searches the first database using a coupon identifier as a key, and extracts basic coupon data;
The control unit extracts one coupon policy from the extracted basic coupon data, and compares the application condition described in the extracted coupon policy with information indicated by the internal profile, thereby information indicating the profile is determined based on whether or not to satisfy the 該適for conditions in the internal profile, a step of causing the storage in the memory as an additional coupon conditions additional coupon data of the coupon policy if satisfying該適for conditions ,
The control unit extracts another coupon policy from the basic coupon data, and compares the application condition described in the extracted coupon policy with information indicated by the internal profile, thereby indicating the internal profile. Whether the information satisfies the application condition is determined based on the internal profile, and whether the coupon policy is advantageous over the additional coupon condition that satisfies the application condition and stored in the memory Determining according to a predetermined criterion including a discount amount, and updating the additional coupon condition stored in the memory with the additional coupon data of the coupon policy if determined to be advantageous;
A coupon using means for sending coupon data obtained by adding the additional coupon data stored as an additional coupon condition in the memory to the basic coupon data to the coupon processing device. Processing method.

Images