JP5081696B2 - Information processing system, authentication server, service providing server, authentication method, service providing method, and program - Google Patents

Description

  The present invention provides an information processing system, an authentication server, a service providing server, an authentication method, and a service provision suitable for efficiently executing the entire processing group even when the processing group to be performed includes a process that requires a lot of time. The present invention relates to a method and a program.

In recent years, in order to prevent information leakage and unauthorized use, cards equipped with IC chips have become widespread. Patent Document 1 describes a certifier (server) using an ID issued by an external organization such as a driver's license equipped with an IC chip when performing procedures at a bank ATM (Automated Teller Machine) or a window. ) Authenticates, and a system that provides services while confirming the identity of the person is disclosed.
For example, a system on the service providing side is a group of a plurality of processes such as a user authentication process using an IC card, a process for accepting input of a deposit / withdrawal amount, a process for accepting input of a transfer destination and transfer source, and a process of executing a transfer. (Hereinafter referred to as “processing group”) to provide a service to the user.
JP 2007-241647 A

  By the way, if requests for specific processes such as the process of authenticating users are concentrated, the load of the requested process increases, and not only the requested process but also much time is required until the entire process group is completed. It may be necessary. For example, in the case of executing a series of processing groups including user authentication processing, if a long time is required for user authentication processing, the entire processing group is in a waiting state until the user authentication processing is completed until the authentication result is received, As a result, there is a possibility that the response of the system becomes worse, or the authentication request itself fails due to a timeout. As described above, there is a problem that if there is a process that requires a lot of time in the process group to be performed, the response of the entire process group may be lowered.

  The present invention solves such problems, and an information processing system and an authentication server suitable for efficiently executing the entire processing group even when there are processes that require a lot of time in the processing group to be performed An object is to provide a service providing server, an authentication method, a service providing method, and a program.

In order to achieve the above object, an information processing system according to the first aspect of the present invention provides:
In an information processing system having a user terminal, a service providing server that executes a plurality of processes for providing a service to the user, and an authentication server that authenticates the user,
The user terminal is
An acquisition unit for acquiring authentication data for authenticating the user;
Based on an instruction from the user, a start request transmitting unit that transmits the request for starting the plurality of processes to the service providing server and the acquired authentication data, to the service providing server,
With
The service providing server includes:
For each of the plurality of processes, an authentication necessity information storage unit that stores information indicating whether or not authentication of the user by the authentication server is necessary;
A start request receiving unit that receives the start request and the authentication data from the user terminal;
An authentication request for requesting the authentication server to authenticate the user when the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server; An authentication request transmission unit that transmits the received authentication data to the authentication server;
With
The authentication server is
A user information storage unit that stores user information for authenticating the user in advance;
An authentication request receiver that receives the authentication request and the authentication data from the service providing server;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from receiving the authentication request to ending the authentication of the user;
An estimated time transmitter for transmitting the estimated estimated time to the service providing server;
An authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit when the authentication request receiving unit receives the authentication request;
An authentication result transmission unit that transmits an authentication result by the authentication unit to the service providing server;
With
The service providing server further includes:
An estimated time receiving unit for receiving the estimated time from the authentication server;
An authentication result receiving unit for receiving the authentication result from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server among the processing included in the processing group,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing unit for providing the user with the service;
It is characterized by providing.

The acquisition unit may acquire personal information stored in advance in an IC (Integrated Circuit) card as the authentication data.
The authentication unit may authenticate using the authentication data transmitted from the user terminal via the service providing server.

The authentication request transmission unit may transmit the authentication request including information indicating the type of the IC card to the authentication server.
In addition, the authentication server further includes a processing time storage unit that stores the time taken from the reception of the authentication request in the past to the end of the authentication of the user in association with the type of the IC card. Can do.
The estimation unit may estimate the estimation time based on a time associated with the type of the IC card indicated by the authentication request received by the authentication request reception unit.

  The authentication unit uses a time taken from the start to the end of the process of authenticating the user to calculate a time corresponding to the type of the IC card among the times stored in the processing time storage unit. It may be updated.

The authentication server may further include an authentication result storage unit that stores an authentication result by the authentication unit.
Further, when the estimated time is greater than or equal to a predetermined value, the authentication result receiving unit transmits the authentication result after the estimated time has elapsed since the estimated time receiving unit received the estimated time. A request may be made to the server, and the authentication result may be received from the authentication server.

In order to achieve the above object, an authentication server according to the second aspect of the present invention provides:
A user information storage unit that stores user information for authenticating the user in advance;
An authentication request receiving unit that receives an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides services to the user;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from receiving the authentication request to ending the authentication of the user;
An estimated time transmitter for transmitting the estimated estimated time to the service providing server;
An authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit when the authentication request receiving unit receives the authentication request;
An authentication result transmission unit that transmits an authentication result by the authentication unit to the service providing server;
It is characterized by providing.

In order to achieve the above object, a service providing server according to the third aspect of the present invention provides:
For each of a plurality of processes for providing a service to a user, an authentication necessity information storage unit that stores information indicating whether or not the user needs to be authenticated by an authentication server that authenticates the user;
A start request receiving unit for receiving a start request to start the plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
If the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmitter for transmitting the received authentication data to the authentication server;
An estimated time receiving unit that receives from the authentication server an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving unit for receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing unit for providing the user with the service;
It is characterized by providing.

In order to achieve the above object, an authentication method according to the fourth aspect of the present invention includes:
An authentication request receiving step of receiving an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides a service to the user;
When the authentication request receiving step receives the authentication request, an estimation step for estimating a time taken from the reception of the authentication request to the end of the authentication of the user;
An estimated time transmitting step of transmitting the estimated estimated time to the service providing server;
When the authentication request receiving step receives the authentication request, an authentication step for authenticating the user based on the authentication data and user information stored in advance in memory for authenticating the user;
An authentication result transmission step of transmitting an authentication result of the authentication step to the service providing server;
It is characterized by providing.

In order to achieve the above object, a service providing method according to the fifth aspect of the present invention includes:
A start request receiving step for receiving a start request for starting a plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
When a plurality of processes indicated by the received start request includes a process that requires authentication of the user by an authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmission step of transmitting the received authentication data to the authentication server;
An estimated time receiving step for receiving, from the authentication server, an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving step of receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing step of providing the user with the service;
It is characterized by providing.

In order to achieve the above object, a program according to a sixth aspect of the present invention provides a computer,
A user information storage unit for storing user information for authenticating the user in advance;
An authentication request receiving unit that receives an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides services to the user;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from the reception of the authentication request to the end of the user authentication,
An estimated time transmitting unit for transmitting the estimated estimated time to the service providing server;
When the authentication request receiving unit receives the authentication request, an authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit,
An authentication result transmission unit for transmitting an authentication result by the authentication unit to the service providing server;
It is made to function as.

In order to achieve the above object, a program according to a seventh aspect of the present invention provides a computer,
For each of a plurality of processes for providing a service to a user, an authentication necessity information storage unit that stores information indicating whether or not the user needs to be authenticated by an authentication server that authenticates the user,
A start request receiving unit that receives a start request to start the plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
If the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmitter for transmitting the received authentication data to the authentication server;
An estimated time receiving unit that receives from the authentication server an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving unit for receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result, execute processing that requires authentication of the user by the authentication server;
A service providing unit that provides the user with the service,
It is made to function as.

  According to the present invention, the entire processing group can be efficiently executed even when the processing group to be performed includes a process that requires a lot of time.

(Embodiment)
An embodiment of the present invention will be described. In the present embodiment, the present invention will be described by taking a bank online system (so-called Internet banking system) via the Internet as an example of the information processing system 100. That is, the service providing server 120 is a server that executes processing for providing an Internet banking service to a user. However, the present invention is not limited to the Internet banking service and can be applied to a system that provides an arbitrary service.

  FIG. 1 is a diagram illustrating a configuration of an information processing system 100 according to the present embodiment. The information processing system 100 includes one or more user terminals 110 (denoted in the figure as 110-1, 110-2, 110-i, etc.) operated by the user and one or more service providing services to the user. A server 120 (described as 120-1, 120-2, 120-j, etc. in this figure) and an authentication server 130 for authenticating a user are provided.

  The service providing server 120 is a server installed by an organization that provides a predetermined service to the user. For example, the service providing server 120 includes various servers such as a server for Internet banking service installed by a bank, a server for administrative service installed by an administrative agency, and a server for medical service installed by a medical institution such as a hospital.

  In the service provided by each service providing server 120, the authentication server 130 performs a user authentication process when there is a process that needs to confirm that the user is indeed the user (hereinafter referred to as "user authentication process"). Can be executed on behalf of each service providing server 120. Therefore, the authentication server 130 may be called an identity verification proxy server. The authentication server 130 receives an authentication request from the service providing server 120, performs user authentication processing, and transmits an authentication result to the service providing server 120 that has made the authentication request.

  The user terminal 110 and the service providing server 120 are connected by a communication network 140 such as the Internet, a LAN (Local Area Network), and a WAN (Wide Area Network). The service providing server 120 and the authentication server 130 are connected by a communication network 150 such as a dedicated line. As with the communication network 140, the Internet, LAN, WAN, or the like can be used as the communication network 150.

  Next, details of each configuration of the user terminal 110, the service providing server 120, and the authentication server 130 will be described with reference to FIG.

  First, the configuration of the user terminal 110 will be described. The user terminal 110 includes a storage unit 111, an input reception unit 112, a communication unit 113, an output unit 114, an interface 115, and a control unit 116.

  The storage unit 111 includes a ROM (Read Only Memory), a RAM (Random Access Memory), a hard disk device, and the like. The storage unit 111 stores in advance a program, an operating system (OS), and the like for executing processing on the user terminal 110 side of the Internet banking system. In addition, intermediate data and result data when executing each process are also stored.

  The input receiving unit 112 includes an input device such as a keyboard and a mouse, and receives various instruction inputs from the user. The instruction input includes, for example, an instruction input for requesting establishment of a new account and an instruction input for requesting transfer.

  The communication unit 113 includes a NIC (Network Interface Card) and a modem for connecting to a communication network 140 such as the Internet or a LAN.

  The output unit 114 includes a display device such as a display and an output device such as a speaker. The user can operate the user terminal 110 while viewing the screen displayed on the display device.

  The interface 115 includes an IC card reader / writer (hereinafter referred to as “IC card R / W”). In the present embodiment, the user terminal 110 uses information stored in various IC cards such as a driver's license, a health insurance card, a social security card, a basic resident register card, a cash card, and a credit card equipped with an IC chip as an IC. It can be read by the card R / W. In order to use the service of the information processing system 100, the user may need to perform identity verification using an IC card in addition to checking the user and password.

  The control unit 116 includes a CPU (Central Processing Unit) and the like. The control unit 116 controls the entire user terminal 110, is connected to each component, and exchanges control signals and data. For example, the control unit 116 executes a program for executing processing on the user terminal 110 side of the Internet banking system.

  As the user terminal 110, a known personal computer can be used.

  The IC card contains a CPU and a nonvolatile memory such as an EEPROM (Electrically Erasable and Programmable ROM) or a flash memory. The non-volatile memory of the IC card stores personal information such as an account number and a secret key. The CPU of the IC card may calculate a hash value from information such as an account number stored in the non-volatile memory, and output the ciphertext obtained by encrypting the calculated hash value with a secret key to the outside. it can. The CPU of the IC card can use an arbitrary hash function.

  Next, the configuration of the service providing server 120 will be described. The service providing server 120 includes a storage unit 121, a control unit 122, and a communication unit 123.

  The storage unit 121 includes a ROM, a RAM, a hard disk device, and the like. The storage unit 121 stores in advance a program, an OS, and the like for executing processing on the service providing server 120 side of the Internet banking system.

  The storage unit 121 stores service list information 125 shown in FIG. The service list information 125 is information in which the service code, the content of the process, and the necessity of identity verification are associated with each process group.

Here, the process group is a group of processes obtained by grouping a plurality of different processes. For example, when opening a bank account for a user,
・ (Process 1) Process to fill in necessary information such as user name and address ・ (Process 2) Process to assign account number ・ (Process 3) License to user ・ Process to explain contract contents ・ (Process 4) It is necessary to execute a plurality of processes such as a process for selecting a card design by the user and a process for determining (application 5) an application. That is, the service of “opening a new account” is completed by executing all the processes 1-5. Processes 1 to 5 are collectively referred to as a process group.

  One process group includes at least one process. The number of processing groups and the number of processes included in each processing group are arbitrary.

  The service code is a code unique to each process, and is typically expressed using letters, numbers, symbols, and the like.

  The service code indicates a desirable execution order when executing each process included in the process group. For example, it is possible to store information indicating that it is desirable to execute processing in ascending order of numbers by using numbers for specific digits of the service code.

  The desirable execution order is a typical order when executing the processes included in the processing group, and the processes are not necessarily executed in this order.

  For example, in FIG. 3, in order to provide the service “open new account”, the control unit 122 executes processing in the order of service codes A1, A2, A3, A4, and A5 as a predetermined order. However, when it takes a long time to process “account numbering (service code A2)” or when it is estimated that it takes a long time, the control unit 122 processes the service code A1. After the processing of, the processing of the service code A2 may be skipped and the processing of the service code A3 may be started, and the processing of the service code A2 may be started after the processing of the service code A3 is completed.

  Alternatively, the control unit 122 may start the processing of the service code A2 after the processing of the service code A1, and start the processing of the service code A3 (for example, by multitasking) before the processing of the service code A2 is completed. Good.

  The necessity of identity verification is information indicating whether each process is a process that requires the authentication server 130 to authenticate the identity of the person using an IC card. For example, in order to execute the processing of “numbering of account number (service code A2)” in FIG. 3, it is necessary to authenticate using an IC card. On the other hand, in order to execute the processing of “entry required information (service code A1)”, it is not necessary to authenticate using an IC card.

  In other words, when the control unit 122 executes a process that requires identity verification, authentication is performed by the authentication server 130 before the process is started or after the process is started and completed, and the user is normally Confirmation needs to be completed (authenticated as user).

  In this embodiment, when providing a service requested by a user, the control unit 122 first includes a process that requires authentication by the authentication server 130 in a group of processes for providing the requested service. It is determined whether or not. When the processing that requires authentication by the authentication server 130 is included, the control unit 122 requests the user to present the IC card, reads information necessary for authentication from the IC card, and authenticates the authentication server 130. Request. As in the two processes of service codes A2 and A5 in FIG. 3, when there are a plurality of processes that require identity verification in one process group, a session or transaction that has been once successfully authenticated as the user. In this case, the authentication server 130 may not be requested to perform authentication processing again.

  In addition, the storage unit 121 stores a simple authentication database 126 that stores a user name and a password in association with each user. For example, the control unit 122 can execute a simple user authentication process without using an IC card by determining whether or not a password input by a user matches a password registered in advance. .

  The control unit 122 includes a CPU and the like. The control unit 122 controls the entire service providing server 120, is connected to each component, and exchanges control signals and data. For example, the control unit 122 receives information read from the IC card presented by the user from the user terminal 110, transmits the received information to the authentication server 130, and requests more detailed user authentication using the IC card. For example, the control unit 122 receives an authentication result from the authentication server 130 and notifies the user terminal 110 of the result.

  The communication unit 123 includes a NIC for connecting to a communication network 140 such as the Internet and a NIC for connecting to a communication network 150 such as a dedicated line. The control unit 122 can transmit and receive data to and from the user terminal 110 via the communication network 140 by the communication unit 123. The control unit 122 can also transmit and receive data to and from the authentication server 130 via the communication network 150 by the communication unit 123.

  Next, the configuration of the authentication server 130 will be described. The authentication server 130 includes a storage unit 131, a control unit 132, and a communication unit 133.

  The storage unit 131 includes a ROM, a RAM, a hard disk device, and the like. The storage unit 131 stores a program for executing user authentication processing, an OS, and the like in advance.

  The storage unit 131 stores an authentication database 135 in advance. As shown in FIG. 4, the authentication database 135 stores information in which the card type and the authentication strength are associated with each other.

  The card type is, for example, a type such as a driver's license, health insurance card, social security card, basic resident register card, or cash card.

  The authentication strength is a so-called security level, and defines what authentication method is used for user authentication.

  In this embodiment, “internal” and “external” are adopted as user authentication methods. The control unit 132 selects the user authentication method based on the card type of the IC card presented by the user and the authentication strength predetermined according to the requested service (or processing group or processing).

Here, “internal” is a method of authenticating by a series of processes of steps A1 to A3 described below.
(A1) The control unit 132 of the authentication server 130 generates a random number, and transmits the generated random number to the IC card via the service providing server 120. The CPU of the IC card receives a random number via the service providing server 120.
(A2) The CPU of the IC card encrypts the received random number with the secret key, and transmits the obtained ciphertext to the authentication server 130 via the service providing server 120. The control unit 132 of the authentication server 130 receives the ciphertext via the service providing server 120.
(A3) The control unit 132 of the authentication server 130 decrypts the received ciphertext using the public key, and collates the data obtained by decryption with the random number transmitted in step A1. As a result of the collation, the control unit 132 determines that the authentication is successful if it matches, and determines that the authentication fails if it does not match.

Or you may authenticate like following step B1-B4 as a modification of said "internal" authentication system.
(B1) The CPU of the IC card hashes the information stored in the nonvolatile memory in the IC card, encrypts the obtained hash value using the secret key, and outputs the obtained ciphertext.
(B2) The control unit 116 of the user terminal 110 reads the ciphertext with the IC card R / W and transmits it to the service providing server 120.
(B3) The control unit 122 of the service providing server 120 receives the ciphertext and transmits it to the authentication server 130. The control unit 132 of the authentication server 130 receives the ciphertext.
(B4) The control unit 132 of the authentication server 130 decrypts the received ciphertext with the public key stored in advance in the storage unit 131, data obtained by decrypting the encrypted text, and information stored in the user information database 136 described later. Is compared with the hash value obtained by hashing. As a result of the collation, the control unit 132 determines that the authentication is successful if it matches, and determines that the authentication fails if it does not match.

“External” is a method of authenticating by a series of processes in steps X1 to X4 described below.
(X1) The control unit 132 of the authentication server 130 transmits a public key for external authentication to the IC card via the service providing server 120. The CPU of the IC card receives the public key via the service providing server 120.
(X2) The CPU of the IC card generates a random number and transmits the generated random number to the authentication server 130 via the service providing server 120. The control unit 132 of the authentication server 130 receives a random number via the service providing server 120.
(X3) The control unit 132 of the authentication server 130 encrypts the received random number with the private key for external authentication stored in the storage unit 132 in advance, and converts the obtained ciphertext to the IC via the service providing server 120. Send to card. The CPU of the IC card receives the ciphertext via the service providing server 120.
(X4) The IC card CPU decrypts the ciphertext received at step X3 using the public key received at step X1, and collates the data obtained by decryption with the random number transmitted at step X2. To do. As a result of the collation, the CPU of the IC card determines that the authentication is successful, and if not, determines that the authentication is unsuccessful.

Or you may authenticate like the following steps Y1-Y4 by applying said "external" authentication system.
(Y1) The control unit 132 of the authentication server 130 hashes the information stored in the user information database 136, encrypts the obtained hash value with the public key stored in advance in the storage unit 131, and encrypts the ciphertext as a service providing server. 120.
(Y2) The control unit 122 of the service providing server 120 receives the ciphertext and transmits it to the user terminal 110. The control unit 116 of the user terminal 110 receives the ciphertext.
(Y3) The control unit 116 of the user terminal 110 transmits the ciphertext to the IC card. The CPU of the IC card receives the ciphertext.
(Y4) The IC card CPU decrypts the received ciphertext with the secret key stored in advance in the non-volatile memory, and obtains the data obtained by decrypting the information and the information stored in the non-volatile memory by hashing. The hash value is checked against. As a result of the collation, the CPU of the IC card determines that the authentication is successful if they match, and determines that the authentication fails if they do not match.

  An authentication method other than the above can also be adopted. It is also possible to freely change the association between the card type and the authentication strength.

  The storage unit 131 further stores a user information database 136. As shown in FIG. 5, the user information database 136 stores information on each item such as a unique user ID, registered card ID, name, and address for each user in association with each other.

  The storage unit 131 stores a processing time table 137. The processing time table 137 is information indicating the time (actual time taken) from the start to the end of one user authentication process for each card type. For example, the control unit 132 calculates an average time within a predetermined time or an average time for a predetermined number of elapsed times from the start to the end of one user authentication process, and stores it in the processing time table 137. To do. The time stored in the processing time table 137 is used to estimate the time taken to complete the user authentication process when the user authentication process is newly started. Details will be described later.

  When the control unit 132 is requested to authenticate a user USR1 and “internal” is designated as the authentication method, the control unit 132 decrypts the ciphertext transmitted from the IC card with the public key of the user USR1 and The hash value obtained by hashing the data (or the random number transmitted to the IC card) of the item used by the IC card to calculate the hash value out of the information stored in the user information database 136 is collated. The authentication result is transmitted to the service providing server 120. The control unit 132 may store the collation result in the user information database 136 as a log.

  In addition, when the control unit 132 is requested to authenticate a certain user USR1 and “external” is designated as the authentication method, the control unit 132 uses information of a predetermined item among information stored in the user information database 136 using a public key. The ciphertext is generated and transmitted to the service providing server 120. Note that the authentication result on the IC card side may be received from the service providing server 120 and the verification result may be stored as a log in the user information database 136.

  The control unit 132 includes a CPU and the like. The control unit 132 controls the entire authentication server 130, is connected to each component, and exchanges control signals and data. For example, when receiving a request for authenticating a user from the service providing server 120, the control unit 132 refers to the authentication database 135 to determine an authentication method, and authenticates the user using the determined authentication method.

  The content of the information transmitted from the service providing server 120 includes, for example, IC card information such as card identification information read by the IC card R / W of the user terminal 110, and the user name input to the user terminal 110 by the user. , Password, PIN, etc.

  The communication unit 133 includes a NIC for connecting to the communication network 150. The control unit 132 can transmit and receive data to and from the service providing server 120 via the communication network 150 by the communication unit 133.

  Next, the flow of service providing processing executed in the information processing system 100 will be described with reference to FIGS. In the following description, a case where the information processing system 100 executes the “new account opening” service in the Internet banking service will be described as an example. The service providing server 120 provides an Internet banking service to the user, and the authentication server 130 performs a process of performing user identity verification (user authentication process).

  First, the control unit 116 of the user terminal 110 determines whether or not an instruction input for starting service provision has been received by the input receiving unit 112. When receiving an instruction input for starting service provision, the control unit 116 requests the service provision server 120 to start the service (step S601). If an instruction input for starting service provision is not accepted, the system waits until an instruction input is received.

  The control unit 122 of the service providing server 120 determines whether or not the processing group for the requested service includes a process that requires the user authentication process, that is, the user authentication (the person himself / herself) to provide the requested service. It is determined whether or not confirmation is necessary (step S602).

  For example, when the processing group and processing are the contents shown in FIG. 3 and the service of “new account opening” is requested, the control unit 122 refers to the necessity of identity verification corresponding to the processing of the service codes A1 to A6. . As a result, since the processing group includes processes that require user authentication (two service codes A2 and A5), it is determined that user authentication is necessary.

  If user authentication is not required (step S602; NO), the process proceeds to step S801 described below. On the other hand, when user authentication is necessary (step S602; YES), the control unit 122 notifies the user terminal 110 that user authentication is necessary for providing the service (step S603).

  When receiving the notification that user authentication is required, the control unit 116 of the user terminal 110 requests the user to present an IC card and input a PIN (Personal Identification Number), a user name, a password, and the like (step S604). ). For example, the control unit 116 displays a screen requesting the user to present an IC card and input a PIN or the like. The control unit 116 sets the IC card R / W to a readable state. Further, the control unit 116 causes the output unit 114 to display a screen having a user interface that accepts an input such as a PIN, and accepts an input such as a PIN.

  The control unit 116 reads card identification information from the IC card using the IC card R / W. In addition, the control unit 116 acquires a PIN or the like (step S605). The control unit 116 authenticates using a PIN (PIN authentication) whether or not the user is the owner of the IC card.

  Here, the card identification information is information (for example, a driver's license registration number or a credit card number) that can uniquely identify a card. It is desirable that the IC card remains fixed so that the IC card R / W can read data until the service (processing group) ends.

  The control unit 116 transmits the acquired card identification information, user name, password, and the like to the service providing server 120 (step S606). It is desirable that the control unit 116 transmits the data after encryption using a predetermined encryption algorithm.

  The control unit 122 of the service providing server 120 receives the card identification information, the PIN, and the like (step S607). The control unit 122 can perform decryption using a decryption algorithm corresponding to the encryption algorithm used in step S606.

  The control unit 122 performs simple user authentication using the received user name, password, and the like (step S608). For example, the control unit 122 performs simple user authentication by comparing the received PIN, user name, and password with the PIN, user name, and password stored in advance in the simple authentication database 126. If they match as a result of the collation, it is determined that the simple authentication is successful, and the service providing process is continued. If they do not match, it is determined that simple authentication has failed, and the service providing process is terminated.

  Further, the control unit 122 requests the authentication server 130 to execute user authentication using the IC card (step S609). The control unit 122 transmits the received card identification information to the authentication server 130.

  The control unit 132 of the authentication server 130 confirms whether or not the received card identification information is recorded as registered in the registered card ID of the user information database 136. If not registered, the control unit 132 stores the received card identification information in the user information database 136 as registered.

  The control unit 132 estimates the time required for user authentication (step S610).

  Specifically, the control unit 133 refers to the processing time table 137 as shown in FIG. 9 and acquires the average processing time of the card type corresponding to the received card identification information. The control unit 132 estimates the product of the acquired average processing time and the number of jobs currently registered in a queue (queue) for executing user authentication processing as the time required for the requested user authentication. In other words, the calculated estimated time is a time estimated to be taken from the time of registration in the queue until the end of the requested user authentication processing and the termination of the user authentication processing.

  For example, data as shown in FIG. 10 is stored in the queue. The number represents the order registered in the queue. The reception time is the time registered in the queue.

  In FIG. 10, there is only one queue, but a queue may be defined for each card type. For example, a user authentication process queue using a driver's license and a user authentication process queue using a basic resident register card are prepared separately, and a user authentication process using a driver's license; The user authentication process using the basic resident register card may be executed in parallel.

  The control unit 132 transmits the estimated time required for the user authentication process to the service providing server 120. In addition, the control unit 132 registers the requested user authentication in a queue for executing the user authentication process (step S611). The queue is held in a FIFO (First In First Out) list structure.

  The user authentication request registered (queued) in the queue is executed as soon as the processing order comes around. The job corresponding to the completed user authentication is deleted from the queue. Therefore, if the number of data registered in the queue is small, the user authentication process for the requested user is started immediately, and if the number of data registered in the queue is large, the request is actually received after receiving the request. There may be a relatively long time lag before starting.

  The control unit 122 of the service providing server 120 receives the estimated time required for the user authentication process. The control unit 122 preferentially executes a process that can be executed even if the user authentication process is not completed from the process group corresponding to the requested service (step S612). That is, the control unit 122 refers to the service list information 125 and selects a process that does not require identification. For example, in FIG. 3, the control unit 122 selects and executes three processes of service codes A1, A3, and A4 from the process group for opening a new account.

  At this time, it is desirable that the control unit 122 executes the selected processes in the order as close as possible to the default order. For example, if the selected process is three processes of service codes A1, A3, and A4, A1, A3, and A4, which are the closest to the predetermined order (A1, A2, A3, A4, and A5). Each process is executed in the order of. However, the control unit 122 may execute each process in an arbitrary order.

  If the estimated time is less than the predetermined value, the control unit 122 executes the processing group in a predetermined order. If the estimated time is equal to or greater than the predetermined value, the control unit 122 selects an executable process even if the user authentication process is not finished. Then, it may be preferentially executed.

  Further, when the estimated time is equal to or greater than a predetermined value, the control unit 122 may notify the service providing process so that the user authentication process is requested again after a predetermined waiting time has elapsed. Upon receiving this notification, the service providing process can open the port at an early stage without occupying the port opened with the authentication server 130 for the user authentication process, thereby reducing the load on the service providing server 120. be able to.

  As will be described later, the authentication result by the authentication server 130 is stored in a predetermined storage area of the storage unit 131. Therefore, when the estimated time is equal to or greater than the predetermined value, the control unit 122 ends the first session for obtaining the authentication result by requesting the user authentication process, and after the estimated time has passed, the authentication result is transmitted to the authentication server 130. The second session to be acquired by inquiring may be started, and the authentication result may be acquired. Even when the first session ends, the control unit 132 of the authentication server 130 does not delete the user authentication processing job from the queue, but deletes the user authentication processing after the user authentication processing ends. .

  The control unit 116 of the user terminal 110 executes processing on the user terminal 110 side corresponding to the processing (on the service providing server 120 side) executed by the control unit 122 of the service providing server 120 (step S613).

  For example, in FIG. 3, “input of necessary information (service code A1)” is a process that does not require identity verification. Therefore, the control unit 122 of the service providing server 120 starts processing the service code A1. The control unit 116 of the user terminal 110 reads information such as the name and address from the IC card, encrypts the information using a predetermined encryption algorithm, and transmits the encrypted information to the service providing server 120. The control unit 122 of the service providing server 120 collects information necessary for opening a new account and obtainable from the IC card.

  By the way, user authentication processing is queued in the authentication server 130, and when the processing order comes around, user authentication processing is started in parallel with steps S612 to S613. As described above, there are two types of authentication methods. Here, a case where “internal” is selected as the authentication method will be described as an example.

  The control unit 132 starts a user authentication process (FIG. 7; step S701) and notifies the service providing server 120.

  The control unit 122 of the service providing server 120 requests the user terminal 110 to read the card information (step S702).

  The control unit 116 of the user terminal 110 reads the ciphertext generated by the CPU of the IC card using the IC card R / W (step S703).

  The control unit 116 transmits the read ciphertext to the service providing server 120. The service providing server 120 transmits the received ciphertext to the authentication server 130 (step S704).

  In step S703, the control unit 132 of the authentication server 130 acquires the card identification information together, and checks whether the card identification information acquired in step S605 matches. If they match, the process proceeds to step S705, and if they do not match, the card identification information is newly registered in the registered card ID, and then the process proceeds to step S705.

  The control unit 132 decrypts the received ciphertext using a predetermined decryption algorithm, and obtains the decrypted data and the hash value (or transmitted random number) generated from the information stored in the user information database 136. Collation is performed (step S705). The control unit 132 determines that authentication is successful when the two match, and determines authentication failure when they do not match.

  The control unit 132 stores the authentication result in a predetermined storage area (for example, the user information database 136) of the storage unit 131.

  The control unit 132 transmits the authentication result in step S705 to the service providing server 120. Further, the control unit 132 records the time taken for the user authentication process as log information in the storage unit 131 (step S706). The control unit 132 updates the processing time table 137 using the time taken for the user authentication process. For example, the control unit 132 recalculates the average processing time and stores it in the processing time table 137.

  The control unit 122 of the service providing server 120 receives the authentication result from the authentication server 130 (step S707).

  As described above, the control unit 122 of the service providing server 120 may request the authentication server 130 to transmit the authentication result after the estimated time has elapsed from the time when the estimated time is received in step S612. . When the control unit 132 of the authentication server 130 receives the request, the control unit 132 of the service providing server 120 transmits the authentication result stored in the predetermined storage area of the storage unit 131 to the service providing server 120. The authentication result may be received from 130.

  In the case of authentication failure (step S708; NO), the control unit 122 notifies the user terminal 110 that the authentication has failed and ends the service providing process. The control unit 122 rolls back the processing group that has been executed. The control unit 116 of the user terminal 110 notifies the user that service provision cannot be continued.

  Alternatively, the process returns to step S701, and the user authentication process is retried a predetermined number of times. The user authentication process may be retried after re-registering in the queue.

  When the authentication is successful (step S708; YES), the control unit 122 notifies the user terminal 110 that the authentication is successful. Further, the control unit 122 executes a process that is not selected in step S612, that is, a process that is determined to be executable unless user authentication is successful in the user authentication process (step S709).

  At this time, it is desirable for the control unit 122 to execute processing in the order as close as possible to the default order. For example, the processes selected in step S612 are the three service codes A1, A3, and A4. The process group is in this order, and the process of the service code A3 is executed when notified that the authentication is successful. If it is in the middle, after the processing of the service code A3 is completed, the processing of the service code A2 is executed first, not the processing of the service code A4. That is, as a result, the control part 122 performs a process in order of A1, A3, A2, A4, A5. However, the control unit 122 may execute each process in an arbitrary order.

  The control unit 116 of the user terminal 110 executes processing on the user terminal 110 side corresponding to the processing (on the service providing server 120 side) executed by the control unit 122 of the service providing server 120 (step S710).

  The control unit 122 of the service providing server 120 determines whether all the processes included in the process group corresponding to the service requested by the user have been completed (step S711).

  If there is a process that has not been completed yet (step S711; NO), the control unit 122 continues the process. When all the processes are completed (step S711; YES), the service provision is terminated.

  As described above, the information processing system 100 estimates the time required for the user authentication process and efficiently executes the entire process group by preferentially executing the process that can be provided even if the user authentication process is not completed. become able to. For example, in a time zone that requires a relatively long time for user authentication processing (a time zone in which access is concentrated and crowded), processing that does not require user authentication processing proceeds first, while user authentication processing is It is done in parallel in the background so that the rest of the processing can be performed after identity verification. Further, in a time zone in which the user authentication process can be completed immediately (a time zone in which access is low and free), the process proceeds in a predetermined order. In either case, the user can perform the procedure to be performed as a result in an efficient order, so that a user-friendly system design is possible. Also, from the user's standpoint, it is not easy to know that the user authentication process is taking a long time, and the procedure seems to be proceeding slowly, so there is an effect of not feeling stress.

  In the present embodiment, an Internet banking service is assumed as a service provided by the information processing system 100. However, it can also be applied to systems that provide other services. For example, there are various cases, such as a case where identity verification is performed at the time of processing such as issuance of a resident's card in an administrative service provided by an administrative organization, or a case where identity verification is performed at the time of medical reception in a medical service provided by a medical organization such as a hospital. The present invention can be used in the field.

  In the present embodiment, the user authentication process in the Internet banking service has been described as being executed by the authentication server 130 different from the service providing server 120. That is, the user authentication process is assumed as a process that may take a lot of time (a process that may become a bottleneck) in the information processing system 100 as a whole. However, an embodiment in which the authentication server 130 is replaced with an operation server that executes other arbitrary processing may be employed.

  For example, in a shopping site on the Internet where earned points can be used for settlement, the information processing system 100 provides a service that allows a user to purchase a product. It is assumed that the process of acquiring user acquisition points, purchase history, and the like and displaying it on the monitor of the user terminal 110 is a process that may take a relatively long time. At this time, in the above description, the present invention can be applied by adopting an embodiment in which the authentication server 130 is replaced with an operation server that manages user acquisition points, purchase history, and the like.

  In other words, in a time zone where access is low and free, as the default processing order, (Processing A) processing for acquiring and displaying the current number of acquired points, (Processing B) processing for selecting a product, and (Processing C) shipping A process for specifying a method, (process D) a process for specifying a settlement method, and (process E) an order confirmation process are executed in order.

  On the other hand, when the process A is heavy in a time zone where access is concentrated and crowded, the service providing server 120 preferentially executes the processes B and C, and acquires the current number of points acquired from the process A The processing server executes the processing part in the background. After acquiring the acquired points, the service providing server 120 executes process A, process D, and process E.

  As described above, the present invention can be used to efficiently execute the entire processing group when there is a processing that may take a lot of time in the processing group to be performed.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible.

  As described above, according to the present invention, an information processing system, an authentication server, and a service suitable for efficiently executing the entire processing group even when there are processes that require a lot of time in the processing group to be performed. A providing server, an authentication method, a service providing method, and a program can be provided.

It is a figure for demonstrating the structure of an information processing system. It is a figure for demonstrating each structure of a user terminal, a service provision server, and an authentication server. It is a structural example of the data stored in service list information. It is a structural example of the data stored in an authentication database. It is a structural example of the data stored in a user information database. It is a figure for demonstrating the flow of a service provision process. It is a figure for demonstrating the flow of a service provision process (continuation). It is a figure for demonstrating the flow of a service provision process (continuation). It is an example of a structure of the data stored in a processing time table. It is a structural example of the data stored in a queue.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Information processing system 110 User terminal 111 Storage part 112 Input reception part 113 Communication part 114 Output part 115 Interface 116 Control part 120 Service provision server 121 Storage part 122 Control part 123 Communication part 125 Service list information 126 Simple authentication database 130 Authentication server 131 Storage Unit 132 Control Unit 133 Communication Unit 135 Authentication Database 136 User Information Database 137 Processing Time Table 140, 150 Communication Network

Claims (11)

In an information processing system having a user terminal, a service providing server that executes a plurality of processes for providing a service to the user, and an authentication server that authenticates the user,
The user terminal is
An acquisition unit for acquiring authentication data for authenticating the user;
Based on an instruction from the user, a start request transmitting unit that transmits the request for starting the plurality of processes to the service providing server and the acquired authentication data, to the service providing server,
With
The service providing server includes:
For each of the plurality of processes, an authentication necessity information storage unit that stores information indicating whether or not authentication of the user by the authentication server is necessary;
A start request receiving unit that receives the start request and the authentication data from the user terminal;
An authentication request for requesting the authentication server to authenticate the user when the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server; An authentication request transmission unit that transmits the received authentication data to the authentication server;
With
The authentication server is
A user information storage unit that stores user information for authenticating the user in advance;
An authentication request receiver that receives the authentication request and the authentication data from the service providing server;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from receiving the authentication request to ending the authentication of the user;
An estimated time transmitter for transmitting the estimated estimated time to the service providing server;
An authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit when the authentication request receiving unit receives the authentication request;
An authentication result transmission unit that transmits an authentication result by the authentication unit to the service providing server;
With
The service providing server further includes:
An estimated time receiving unit for receiving the estimated time from the authentication server;
An authentication result receiving unit for receiving the authentication result from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server among the processing included in the processing group,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing unit for providing the user with the service;
An information processing system comprising: The acquisition unit acquires personal information stored in advance in an IC (Integrated Circuit) card as the authentication data,
The authentication unit authenticates using the authentication data transmitted from the user terminal via the service providing server,
The information processing system according to claim 1, wherein: The authentication request transmission unit transmits the authentication request including information indicating the type of the IC card to the authentication server,
The authentication server further includes a processing time storage unit that stores the time taken from the reception of the authentication request in the past to the end of the authentication of the user in association with the type of the IC card.
The estimating unit estimates the estimated time based on a time associated with the type of the IC card indicated by the authentication request received by the authentication request receiving unit.
The information processing system according to claim 2, wherein: The authentication unit uses a time taken from the start to the end of the process of authenticating the user to calculate a time corresponding to the type of the IC card among the times stored in the processing time storage unit. Update,
The information processing system according to claim 3, wherein: The authentication server further includes an authentication result storage unit that stores an authentication result by the authentication unit,
When the estimated time is greater than or equal to a predetermined value, the authentication result receiving unit transmits the authentication result to the authentication server after the estimated time has elapsed since the estimated time receiving unit received the estimated time. Requesting and receiving the authentication result from the authentication server,
The information processing system according to any one of claims 1 to 4, wherein the information processing system is characterized in that: A user information storage unit that stores user information for authenticating the user in advance;
An authentication request receiving unit that receives an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides services to the user;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from receiving the authentication request to ending the authentication of the user;
An estimated time transmitter for transmitting the estimated estimated time to the service providing server;
An authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit when the authentication request receiving unit receives the authentication request;
An authentication result transmission unit that transmits an authentication result by the authentication unit to the service providing server;
An authentication server comprising: For each of a plurality of processes for providing a service to a user, an authentication necessity information storage unit that stores information indicating whether or not the user needs to be authenticated by an authentication server that authenticates the user;
A start request receiving unit for receiving a start request to start the plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
If the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmitter for transmitting the received authentication data to the authentication server;
An estimated time receiving unit that receives from the authentication server an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving unit for receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing unit for providing the user with the service;
A service providing server comprising: An authentication request receiving step of receiving an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides a service to the user;
When the authentication request receiving step receives the authentication request, an estimation step for estimating a time taken from the reception of the authentication request to the end of the authentication of the user;
An estimated time transmitting step of transmitting the estimated estimated time to the service providing server;
When the authentication request receiving step receives the authentication request, an authentication step for authenticating the user based on the authentication data and user information stored in advance in memory for authenticating the user;
An authentication result transmission step of transmitting an authentication result of the authentication step to the service providing server;
An authentication method comprising: A start request receiving step for receiving a start request for starting a plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
When a plurality of processes indicated by the received start request includes a process that requires authentication of the user by an authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmission step of transmitting the received authentication data to the authentication server;
An estimated time receiving step for receiving, from the authentication server, an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving step of receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result indicating that the user has been successfully authenticated, a process that requires authentication of the user by the authentication server is executed.
A service providing step of providing the user with the service;
A service providing method comprising the steps of: Computer
A user information storage unit for storing user information for authenticating the user in advance;
An authentication request receiving unit that receives an authentication request for authenticating the user and authentication data for authenticating the user from a service providing server that provides services to the user;
When the authentication request receiving unit receives the authentication request, an estimation unit that estimates the time taken from the reception of the authentication request to the end of the user authentication,
An estimated time transmitting unit for transmitting the estimated estimated time to the service providing server;
When the authentication request receiving unit receives the authentication request, an authentication unit that authenticates the user based on the authentication data and the user information stored in the user information storage unit,
An authentication result transmission unit for transmitting an authentication result by the authentication unit to the service providing server;
A program characterized by functioning as Computer
For each of a plurality of processes for providing a service to a user, an authentication necessity information storage unit that stores information indicating whether or not the user needs to be authenticated by an authentication server that authenticates the user,
A start request receiving unit that receives a start request to start the plurality of processes and authentication data for authenticating the user from a user terminal used by the user;
If the plurality of processes indicated by the received start request includes a process that requires authentication of the user by the authentication server, an authentication request for requesting the authentication server to authenticate the user; An authentication request transmitter for transmitting the received authentication data to the authentication server;
An estimated time receiving unit that receives from the authentication server an estimated time taken from the authentication server receiving the authentication request to ending the user authentication;
An authentication result receiving unit for receiving the authentication result of the user from the authentication server;
When the estimated time receiving unit receives the estimated time,
(A) From the reception of the start request to the reception of the authentication result, priority is given to processing that does not require authentication of the user by the authentication server,
(B) After receiving the authentication result, execute processing that requires authentication of the user by the authentication server;
A service providing unit that provides the user with the service,
A program characterized by functioning as

Images