JP5363134B2 - Portable wireless communication terminal, authentication system, portable wireless communication terminal authentication method, portable wireless communication terminal authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a portable radio communication terminal, an authentication system, an authentication method of the portable radio communication terminal, and an authentication program of the portable radio communication terminal for facilitating high-security authentication. <P>SOLUTION: A first unique information acquisition means acquires first unique information x from a UIM card 30 by communicating with the UIM card 30 mounted on a portable radio communication terminal 100. A reader/writer 140 acquires second unique information Y of a non-contact IC card 40 by communicating with the non-contact IC card 40 in a non-contact state. An authentication processing part 134 performs authentication with a server via a communication service by combining the first unique information x with the second unique information y. <P>COPYRIGHT: (C)2010,JPO&amp;INPIT

Description

  The present invention relates to a mobile radio communication terminal such as a mobile phone that performs net banking, an authentication system, an authentication method for a mobile radio communication terminal, and an authentication program for a mobile radio communication terminal.

  Conventionally, in a financial service provided in a mobile environment using a mobile wireless communication terminal such as a mobile phone, the first authentication is basic authentication by inputting a user ID and a password. And when performing a transaction with high risk, such as a large amount of money transfer, authentication with higher safety | security is performed as 2nd authentication. In the second authentication, a random number table or a random number generator is distributed in advance to a user by mail from a financial institution. Then, the user visually observes the reading position of the random number table or the random number generator designated from the bank server at the time of the transaction, and inputs the random number at the corresponding position by operating the button on the portable terminal. As described above, the conventional second authentication method forces the user to perform troublesome operations.

When the second authentication method as described above is not used, it is necessary to rely on the user to store a password that is difficult to remember with Basic authentication because terminal authentication alone is insufficient to confirm whether the user is using the device. There is.
On the other hand, Patent Document 1 and Patent Document 2 disclose a method of performing authentication by passing a tally from the user terminal to the server side as a method of confirming that the user is a regular user while saving user input. Has been.

JP 2004-234632 A JP 2004-234633 A

  However, in the methods disclosed in Patent Document 1 and Patent Document 2, when a card for other purposes (such as a ticket, electronic money, etc.) is used as a non-contact IC card used for authentication, instead of a dedicated card at the time of authentication, A service provider different from the original use knows the card unique ID. In the original use of non-contact type IC cards for other uses, the card unique ID may not identify an individual (unsigned type), and the problem that the connection between the card unique ID and the individual is not preferable in terms of privacy. was there.

  In addition, if a malicious third party obtains the ID of a non-contact type IC card by some method, such as when a non-contact type IC card is stolen or the wiretap of the wireless part, there is a risk of unauthorized use due to impersonation was there.

  Furthermore, in the conventional second authentication method, when a random number table is used, it is possible to easily copy the information of the random number table by taking a picture or stealing, and the user can easily steal it without knowing it. There was a problem of being easily taken.

  An object of the present invention is to provide a portable wireless communication terminal, an authentication system, an authentication method for a portable wireless communication terminal, and an authentication program for a portable wireless communication terminal that can easily perform highly secure authentication.

  The present invention proposes the following matters in order to solve the above problems.

(1) The present invention is a portable wireless communication terminal used for a communication service, communicates with a contact information storage medium mounted in the portable wireless communication terminal, and first unique information related to the communication service The first unique information acquisition means for acquiring the information from the contact information storage medium, the reader / writer that performs non-contact communication with the non-contact information storage medium, and the non-contact information storage medium via the reader / writer A combination of the first unique information and the second unique information as processing related to authentication between the second unique information acquisition means for acquiring the second unique information and the server performed via the communication service. Proposed is a portable wireless communication terminal comprising authentication processing means for generating authentication information on the portable wireless communication terminal and transmitting the authentication information to the server .

According to this invention, the first unique information acquisition means communicates with the contact type information storage medium mounted in the portable wireless communication terminal, and the first unique information related to the communication service is obtained from the contact type information storage medium. get. The reader / writer communicates with the non-contact type information storage medium in a non-contact manner. The second unique information acquisition means acquires second unique information that the non-contact information storage medium has via the reader / writer. The authentication processing means generates authentication information on the portable wireless communication terminal by combining the first unique information and the second unique information as processing related to authentication with the server performed via a communication service. The authentication information is transmitted to the server. Therefore, only a person who knows the combination of the portable wireless communication terminal, the contact information storage medium, and the non-contact information storage medium can perform authentication, and can perform highly secure authentication. Also, complicated operations such as input of random numbers are unnecessary, and authentication can be performed easily. Furthermore, the second unique information can be prevented from leaking when communicating with the server regarding authentication. Furthermore, more complicated authentication information can be processed at high speed.

(2) According to the present invention, in the portable wireless communication terminal of (1), the unique information is read from the non-contact information storage medium selected by the user via the reader / writer and used as the second unique information. A portable wireless communication terminal characterized by comprising a registration means for registering as possible is proposed.

  According to the present invention, the registration means reads the unique information from the non-contact type information storage medium selected by the user via the reader / writer so as to be used as the second unique information. Therefore, a non-contact type information storage medium such as a non-contact type IC card for other uses (tickets, electronic money, etc.) arbitrarily selected by the user can be used for authentication.

(3) The present invention relates to the portable wireless communication terminal according to (1) or (2) , wherein the authentication processing means generates the authentication information using an arithmetic function in the contact information storage medium. A portable wireless communication terminal is proposed.

  According to this invention, the authentication processing means generates the authentication information using the calculation function in the contact information storage medium. Therefore, it is not necessary to read the first unique information, and more secure authentication can be performed.

(4) According to the present invention, in any one of the portable wireless communication terminals from (1) to ( 3 ), the first unique information is information unique to the portable wireless communication terminal and a user of the communication service. A portable wireless communication terminal characterized by being at least one of unique information has been proposed.

  According to this invention, the first unique information is at least one of information unique to the portable wireless communication terminal and information unique to the user of the communication service. Therefore, information that identifies a mobile wireless communication terminal or a user of a communication service that is difficult to be known by a third party can be used for authentication, and safety can be improved.

( 5 ) The present invention relates to any one of the portable wireless communication terminals from (1) to ( 4 ), wherein the second unique information is information unique to the non-contact information storage medium. A portable wireless communication terminal is proposed.

  According to this invention, the second unique information is information unique to the non-contact information storage medium. Generally, information unique to a non-contact type information storage medium can be read even by a third party. Therefore, a non-contact type information storage medium originally intended for other uses can be used for authentication.

( 6 ) The present invention relates to any one of the portable wireless communication terminals from (1) to ( 5 ), wherein the authentication processing means is set as a condition for performing processing related to authentication with the server. A portable wireless communication terminal characterized by requesting an operation from a user has been proposed.

  According to the present invention, the authentication processing means requests the user to perform a preset authentication operation as a condition for performing processing related to authentication with the server. Therefore, authentication with higher safety can be performed.

( 7 ) The present invention proposes a portable wireless communication terminal characterized in that, for the portable wireless communication terminal of ( 6 ), the authentication operation is a screen transition operation for changing a screen to be browsed.

  According to the present invention, the authentication operation is a screen transition operation for transitioning the screen to be browsed. Therefore, it is possible to make an operation at the time of authentication easy for the user to remember.

( 8 ) The present invention provides an authentication system comprising any one of the portable wireless communication terminals from (1) to ( 7 ) and a server that performs authentication between the portable wireless communication terminal via the communication service. is suggesting.

  According to this invention, the authentication system includes any one of the portable wireless communication terminals from (1) to (9) and a server that performs authentication between the portable wireless communication terminal via the communication service. . Therefore, only a person who knows the combination of the portable wireless communication terminal, the contact information storage medium, and the non-contact information storage medium can perform authentication, and can perform highly secure authentication. Also, complicated operations such as input of random numbers are unnecessary, and authentication can be performed easily.

( 9 ) The present invention is an authentication method for a portable wireless communication terminal used for a communication service , wherein the first unique information acquisition means is contact type information mounted in the portable wireless communication terminal using a computer. A first unique information acquisition step of communicating with a storage medium and acquiring first specific information related to the communication service from the contact-type information storage medium; and a second specific information acquisition means comprising: a non-contact type information storage medium; A second unique information acquisition step of acquiring second unique information of the non-contact type information storage medium via a reader / writer that performs non-contact communication and an authentication processing means are performed via the communication service. as processing relating to the authentication of the server, the generated authentication information first by combining the unique information and the second unique information on the mobile wireless communication terminal sending the authentication information to the server It proposes an authentication method for a portable radio communication terminal to perform an authentication processing step of.

According to the present invention, in the first unique information acquisition step, the first unique information acquisition means communicates with the contact information storage medium mounted in the portable wireless communication terminal, and the first unique information acquisition means The unique information is acquired from the contact information storage medium. In the second unique information acquisition step, the second unique information acquisition means has second unique information that the non-contact information storage medium has via a reader / writer that communicates with the non-contact information storage medium in a non-contact manner. To get. In the authentication processing step, the authentication processing means combines the first unique information and the second unique information on the portable wireless communication terminal as processing related to authentication with the server performed via the communication service. Generate authentication information and send the authentication information to the server. Therefore, only a person who knows the combination of the portable wireless communication terminal, the contact information storage medium, and the non-contact information storage medium can perform authentication, and can perform highly secure authentication. Also, complicated operations such as input of random numbers are unnecessary, and authentication can be performed easily.

( 10 ) The present invention relates to an authentication program for a portable wireless communication terminal used for a communication service, which communicates a computer with a contact information storage medium mounted in the portable wireless communication terminal, and relates to the communication service. The non-contact information storage medium has first unique information acquisition means for acquiring first specific information from the contact information storage medium, and a reader / writer that performs non-contact communication with the non-contact information storage medium. A combination of the first unique information and the second unique information as processing related to authentication between the second unique information acquisition means for acquiring the second unique information and the server performed via the communication service. the portable wireless communication terminal authentication program for functioning the authentication information and generates authentication information on the portable wireless communication terminal as an authentication processing means for transmitting to said server It is draft.

According to this invention, the first unique information acquisition means communicates with the contact type information storage medium mounted in the portable wireless communication terminal, and the first unique information related to the communication service is obtained from the contact type information storage medium. get. The second unique information acquisition means acquires second unique information of the non-contact type information storage medium via a reader / writer that communicates with the non-contact type information storage medium in a non-contact manner. The authentication processing unit generates authentication information on the portable wireless communication terminal by combining the first unique information and the second unique information as processing related to authentication with the server performed via the communication service. The authentication information is transmitted to the server. Therefore, only a person who knows the combination of the portable wireless communication terminal, the contact information storage medium, and the non-contact information storage medium can perform authentication, and can perform highly secure authentication. Also, complicated operations such as input of random numbers are unnecessary, and authentication can be performed easily.

  According to the present invention, highly secure authentication can be easily performed. In addition, it is possible to realize authentication that is easy to use “anytime” and “anywhere” unique to portable wireless communication terminals and that does not restrain both hands for a long time.

It is a figure which shows 1st Embodiment of the authentication system containing the portable radio | wireless communication terminal using the authentication method by this invention. It is a flowchart which shows the exchange method of the session key Ks of 1st Embodiment. It is a flowchart which shows the process which registers the non-contact-type IC card 40 for authentication in 1st Embodiment. It is a flowchart which shows a process when authenticating using the non-contact-type IC card 40 in 1st Embodiment. It is a flowchart which shows a process when authenticating using the non-contact-type IC card 40 in 1st Embodiment. It is a figure which shows 2nd Embodiment of the authentication system containing the portable radio | wireless communication terminal using the authentication method by this invention. It is a flowchart which shows a process when authenticating using the non-contact-type IC card 40 in 2nd Embodiment. It is a flowchart which shows the process which registers the non-contact-type IC card 40 for authentication in 3rd Embodiment. It is a figure which shows the example of a confirmation screen. It is a flowchart which shows a process when authenticating using the non-contact-type IC card 40 in 3rd Embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

(First embodiment)
FIG. 1 is a diagram showing a first embodiment of an authentication system including a portable wireless communication terminal using an authentication method according to the present invention.
The authentication system according to the present embodiment includes a server 10, a base station 20, a UIM (User Identity Module Card) card 30, a non-contact IC card 40, a portable wireless communication terminal 100, and the like.

  The server 10 is a bank server that provides a bank transaction service via a network. The server 10 communicates with the portable wireless communication terminal 100 via the base station 20.

  The base station 20 is connected to the server 10 and performs wireless communication with the portable wireless communication terminal 100. In this embodiment, the base station 20 is managed by a telecommunications carrier that provides a communication service such as a mobile phone service, and the server 10 is managed by a financial operator that is different from the telecommunications carrier that provides this communication service. Yes.

  The UIM card 30 is mounted in the portable radio communication terminal 100 and contacts with a contact terminal (not shown) in the portable radio communication terminal 100 to communicate information with the portable radio communication terminal 100. A card (contact information storage medium). The UIM card 30 stores a user identification ID (hereinafter referred to as first unique information) as a unique number that identifies the user of the communication service. Note that the first unique information is protected so that it cannot be read or written by a third party other than the communication carrier by giving priority to safety. However, for example, unique information that can be read or written only to a specific limited service provider may be used as the first unique information.

  The non-contact type IC card 40 is a non-contact type information storage medium capable of non-contact communication with a reader / writer 140 described later. In this embodiment, as will be described later, the non-contact type IC card 40 is used when performing authentication processing with the server 10, but any application can be used as long as non-contact communication with the reader / writer 140 is possible. Even a card issued in can be used for authentication. For example, the user can arbitrarily select an electronic money card, a point card, a membership card, an identification card, a ticket card, etc., and use it for authentication. The non-contact type IC card 40 has various applications 41 according to the various uses. In addition, a unique number indicating the ID of the non-contact type IC card 40 itself is assigned to the non-contact type IC card 40 in the form of a card manufacturing number or the like independently of the application 41. Hereinafter, the ID of the non-contact type IC card 40 itself is referred to as second unique information.

  The mobile wireless communication terminal 100 is a mobile phone that can communicate with the server 10 via the base station 20. The portable wireless communication terminal 100 includes a communication unit 110, a calculation unit 120, and a reader / writer 140.

  The communication unit 110 performs wireless communication with the base station 20. The communication unit 110 is connected to the calculation unit 120.

  The arithmetic unit 120 is a microcomputer (computer) that controls the overall operation of the mobile wireless communication terminal 100. The calculation unit 120 is connected to an operation unit, a display unit, and the like (not shown) in addition to the communication unit 110 and the reader / writer 140. In addition, the calculation unit 120 communicates with the UIM card 30 that is mounted on a UIM mounting unit (not shown). Furthermore, the calculation unit 120 can execute various terminal applications (programs). In the present embodiment, description will be made assuming that an application for bank transaction service is executed as the terminal application 130 executed on the arithmetic unit 120. With this bank transaction service application, the computing unit 120, which is a computer, functions as a first unique information acquisition unit 131, a second unique information acquisition unit 132, a registration unit 133, and an authentication processing unit 134.

  The first unique information acquisition unit 131 communicates with the UIM card 30 mounted in the mobile wireless communication terminal 100 and acquires the first unique information from the UIM card 30.

  The second unique information acquisition unit 132 acquires second unique information from the non-contact type IC card 40 via a reader / writer 140 described later.

  The registration unit 133 performs processing for registering the second unique information of the non-contact type IC card 40 selected by the user as information that can be used for authentication processing with the server 10.

The authentication processing unit 134 performs authentication processing by combining the first specific information acquired by the first specific information acquisition unit 131 and the second specific information acquired by the second specific information acquisition unit 132.
Here, as authentication processing of the server 10 in the bank transaction service of the present embodiment, first authentication and second authentication are provided.
The first authentication is an authentication process used when performing a balance inquiry or a small transaction. The first authentication is performed by acquiring a terminal unique number associated with an account number and manually inputting a four-digit password (PIN). This first authentication is a well-known technique and will not be described in detail in this specification.
The second authentication is an authentication process that is used when higher security is required, such as when changing registration information such as an address or when conducting a transaction of a large amount (for example, an amount exceeding 100,000 yen).
The second authentication is performed by the authentication processing unit 134 by combining the first unique information and the second unique information. In the following description, unless otherwise stated, the authentication process performed by the authentication processing unit 134 indicates the second authentication.

  The reader / writer 140 communicates with the non-contact type IC card 40 in a non-contact manner. Although there are a plurality of communication standards for contactless IC cards, the reader / writer 140 of this embodiment needs to support at least one type of communication standard. It is desirable that the reader / writer 140 be compatible with a plurality of types of communication standards in order to make the system highly convenient for the user.

Next, an authentication process of the authentication system according to the first embodiment will be described.
First, a method for exchanging the session key Ks used when registering the non-contact type IC card 40 will be described.
FIG. 2 is a flowchart showing the session key Ks exchange method according to the first embodiment.
Note that the flowchart shown in FIG. 2 is performed when a new application for a bank transaction service is applied. Then, it is assumed that the terminal unique number and the four-digit password are already registered in the database (not shown) of the server 10 for the first authentication, and the account number is assigned in a state associated with the terminal unique number. .

In step (hereinafter simply referred to as S) 101, the server 10 generates a random number a associated with the account number (or terminal unique number).
In S102, the server 10 records the random number a in the database.
In S103, the random number a is encrypted with a common key having the session key Ks1 = H (first authentication password).
In S104, the encrypted a is transmitted from the server 10 to the terminal application of the mobile wireless communication terminal 100.

In S105, the user inputs the first authentication password at the portable wireless communication terminal 100.
In S106, the terminal application 130 calculates Ks1 = H (first authentication password).
In S107, the terminal application 130 decrypts the encrypted a using Ks1 as a key.
In S108, the decrypted a is transmitted to the UIM card 30.

In S109, the UIM card 30 generates a random number b.
In S110, the UIM card 30 calculates Ks = H (a || b). || represents the concatenation of keys.
In S111, Ks is recorded in the UIM card 30.
In S112, the random number b is transmitted from the UIM card 30 to the terminal application 130.
In S113, the terminal application 130 encrypts the random number b using Ks1 as a common key.
In S114, the encrypted random number b is transmitted from the terminal application 130 to the server 10.

In S115, the server 10 decrypts the random number b encrypted using Ks1 as a key.
In S116, the server 10 calls the random number a recorded in the database from the database, and calculates Ks = H (a || b).
In S117, the server 10 records it in the database in association with the account number (or terminal unique number) as the user-specific session key Ks.

Next, a process for registering the contactless IC card 40 selected by the user so that it can be used for the second authentication will be described.
FIG. 3 is a flowchart showing processing for registering the non-contact type IC card 40 for authentication in the first embodiment.
In S201, the UIM card 30 calculates Hash = H (x) using the unique number x on the UIM application 31. In this embodiment, the hash function SHA-1 is used, but other functions may be used.
In S202, H (x) is transmitted from the UIM card 30 to the terminal application 130 of the portable wireless communication terminal 100.
In S <b> 203, the terminal unique number is transmitted from the terminal application 130 to the server 10 together with “Hello message”.
In S204, the server 10 associates Z with the account number from the terminal unique number as a customer registration process.
In S <b> 215, notification of customer registration completion is sent from the server 10 to the terminal application 130.

  In S221, the contactless IC card unique number Y (second unique information) is transmitted from the contactless IC card 40 to the terminal application 130 via the reader / writer 140. This S221 is performed by guiding the user with a display unit (not shown) of the portable wireless communication terminal 100 to the user, and the user bringing the non-contact type IC card 40 close to the reader / writer 140 of the portable wireless communication terminal 100. Is called.

In S222, the terminal application 130 determines whether Y is smaller than 12 bytes. When Y is smaller than 12 bytes, the process proceeds to S223, and when Y is not smaller than 12 bytes, the process proceeds to S225.
In S223, the terminal application 130 generates a random number c.
In S224, (Y || c) is registered in the terminal application 130.

  In S225, Y is registered in the terminal application 130. Here, Y stores the past registration data for two times, and duplicate registration is rejected. In the terminal application 130, the current Y data is encrypted using the hash value of the terminal unique number as a secret key, and the result is stored in the terminal application 130. The storage location may be in the UIM application 31 in the UIM card 30.

In S226, the terminal application 130 calculates Z = H (H (x) || Y) and P = H (Z). In this embodiment, the hash value of x is calculated in order to conceal x, but this calculation may be omitted. Even if this calculation is omitted, the encryption strength does not change.
In S227, E (Ks, Z || P) is transmitted from the terminal application 130 to the server 10. Here, E (A, B) is a common key encryption function with A as a key and B as a message.
In S228, the server 10 calls the secret key Ks associated with the user from the database of the server 10, and uses this to decrypt Z and P. Thereafter, P ′ = H (Z) is calculated using the decrypted Z.

In S229, the server 10 determines whether P and P ′ are equal to confirm the contents of Z. If P and P ′ are equal, the process proceeds to S230, and if P and P ′ are not equal, the process returns to S222 to inform the terminal application 130 that the registration of the user ID has failed, and the user ID Redo the registration operation.
In S230, the server 10 registers Z as a user ID.
In step S231, the terminal application 130 is notified that the registration of the user ID has been successful.

Next, processing when the user authenticates with the server 10 when using the bank transaction service will be described.
4 and 5 are flowcharts showing processing when authentication is performed using the non-contact type IC card 40 in the first embodiment.
In S <b> 301, when the user brings the non-contact type IC card 40 close to the reader / writer 140, the unique number Y of the non-contact type IC card 40 is transmitted to the terminal application 130 via the reader / writer 140.
In S <b> 302, the terminal unique number is transmitted from the terminal application 130 to the server 10 together with “Hello message”.
In S303, the server 10 verifies the account number from the terminal unique number which is the first authentication user ID.

In S <b> 311, the terminal application 130 determines whether or not Y transmitted from the contactless IC card 40 in S <b> 301 is the same as Y registered in the terminal application 130. If Y is the same, the process proceeds to S315. If Y is not the same, the process proceeds to S312 and the process is interrupted.
In S313, the UIM card 30 calculates Hash = H (x) using the unique number (first unique information) x on the UIM application 31. Note that the hash function SHA-1 is also used here. In this embodiment, the hash function SHA-1 is used, but other functions may be used.
In S314, H (x) is notified from the UIM card 30 to the terminal application 130. In this embodiment, the hash value of x is calculated in order to conceal x, but this calculation may be omitted. Even if this calculation is omitted, the encryption strength does not change.

In S315, the terminal application 130 calculates Z = H (H (x) || Y) and generates a random number β.
In S316, the server 10 generates a random number α.
In S317, the random number α is transmitted from the server 10 to the terminal application 130.
In S318, the terminal application 130 notifies the UIM card 30 of the random number α and the random number β, and the terminal application 130 calls Ks to the UIM card 30.

In S319, the random number α and the random number β are recorded on the UIM card 30.
In S320, Ks is notified from the UIM card 30 to the terminal application 130.
In S321, Γ ′ = E (Ks, Z || α || β) is calculated.
Moving to FIG. 5, in S351, Γ ′ is transmitted from the terminal application 130 to the server 10.
In S352, the server 10 decrypts Γ ′ with Ks and acquires Z, α, and β.
In S353, the server 10 checks whether Z and α match the data registered in the database. If they match, the process proceeds to S354, and if they do not match, the process proceeds to S367.

In S354, the server 10 calculates Γ = E (Ks, α || β).
In S355, Γ is transmitted from the server 10 to the terminal application 130.
In S356, Γ is notified from the terminal application 130 to the UIM card 30.
In S357, the UIM card 30 obtains α and β by decoding Γ with Ks.
In S <b> 358, it is determined whether α and β acquired by the UIM card 30 in S <b> 357 match the data recorded in the UIM card 30. If they match, the process proceeds to S359, and if they do not match, the process proceeds to S364.

In S359, the UIM card 30 determines that mutual authentication is OK.
In S360, the UIM card 30 notifies the terminal application 130 of mutual authentication OK.
In step S361, the terminal application 130 notifies the server 10 of mutual authentication OK.
In S362, the server 10 instructs the terminal application 130 to display the result of the authentication OK on the display unit of the portable wireless communication terminal 100.

In S363, the terminal application 130 displays the result of the authentication OK on the screen of the display unit.
In S364, the UIM card 30 determines to be mutual authentication NG.
In S365, the mutual authentication NG is notified from the UIM card 30 to the terminal application 130.
In S366, the terminal application 130 notifies the server 10 of mutual authentication NG.
In S367, the server 10 instructs the terminal application 130 to display the result of the authentication NG on the display unit of the mobile wireless communication terminal 100.
In S368, the terminal application 130 displays the result of authentication NG on the screen of the display unit.

  As described above, according to the first embodiment, the non-contact type IC card recorded on the non-contact type IC card 40 using the user identification ID recorded on the UIM card 30 as the first unique information. The unique number Y is set as second unique information, and authentication is performed using these two unique information. Therefore, authentication with high safety can be easily performed.

(Second Embodiment)
FIG. 6 is a diagram showing a second embodiment of an authentication system including a portable wireless communication terminal using the authentication method according to the present invention.
In the first embodiment described above, the terminal application 130 performs various calculations related to the authentication process. However, in the second embodiment, a part of the calculation related to the authentication process is performed using a calculation function in the UIM card. It is.
In addition, the same code | symbol is attached | subjected to the part which fulfill | performs the same function as 1st Embodiment mentioned above, and the overlapping description is abbreviate | omitted suitably.

  In the second embodiment, the processing performed by the authentication processing unit 134 included in the terminal application 130 of the first embodiment is divided into the terminal application authentication processing unit 135 and the UIM authentication processing unit 32.

FIG. 7 is a flowchart showing processing when authentication is performed using the non-contact type IC card 40 in the second embodiment.
In S <b> 331, the user brings the non-contact type IC card 40 close to the reader / writer 140, whereby the unique number Y of the non-contact type IC card 40 is transmitted to the terminal application 130 via the reader / writer 140.
In S <b> 332, the terminal unique number is transmitted from the terminal application 130 to the server 10 together with “Hello message”.
In S333, the server 10 verifies the account number from the terminal unique number that is the first authentication user ID.

  In S334, the terminal application 130 determines whether or not Y transmitted from the contactless IC card 40 in S331 is the same as Y registered in the terminal application 130. If Y is the same, the process proceeds to S336. If Y is not the same, the process proceeds to S335 and the process is interrupted.

In S336, the server 10 generates a random number α.
In S337, the random number α is transmitted from the server 10 to the terminal application 130.
In S338, Y and α are notified from the terminal application 130 to the UIM card 30.
In S339, the UIM card 30 calculates Z = H (H (x) || Y).
In S340, the UIM card 30 calls Ks stored in the UIM card 30 when the account is opened.
In S341, the UIM card 30 generates a random number β and records the random number α and the random number β on the UIM card 30.
In S342, the UIM card 30 calculates Γ ′ = E (Ks, Z || α || β).
In S343, Γ ′ is notified from the UIM card 30 to the terminal application 130.
The operation after the execution of S343 is the operation after S351 shown in FIG.

  As described above, in the second embodiment, a part of the calculation related to the authentication process is performed in the UIM card 30. As a result, the authentication process can proceed without taking out the information in the UIM card 30, and a more secure authentication process can be performed.

(Third embodiment)
In the third embodiment, when authentication with the server 10 is performed, a screen transition described below is added as an authentication condition. Therefore, since the portions other than the portion relating to the screen transition are the same as those in the first embodiment, the portions that perform the same functions as those in the first embodiment described above are denoted by the same reference numerals, and the repeated description is appropriately omitted. .
FIG. 8 is a flowchart showing processing for registering the non-contact type IC card 40 for authentication in the third embodiment.
S201 to S204 are the same as S201 to S204 in FIG. 3 of the first embodiment.

In S205, the server 10 instructs the terminal application 130 to guide the screen transition registration.
Here, the screen transition refers to a history of screen transition displayed on a display unit (not shown) of the mobile wireless communication terminal 100 when the user operates the mobile wireless communication terminal 100. An example of screen transition is given below.
(Example 1) The operation of ATM lock OFF after ATM lock ON is repeated three times. Here, the ATM lock is an operation for switching permission / prohibition of use of ATM by an operation from the portable wireless communication terminal 100.
(Example 2) After the PC lock is turned on, the PC lock is turned off, and then the ATM lock is turned on. Here, the PC lock is an operation for switching permission / prohibition of bank transaction service use from a general computer, not from the portable wireless communication terminal 100.
(Example 3) After displaying the transfer screen, the passbook screen is displayed, and then the charge screen for electronic money is displayed.
(Example 4) After the ATM lock is turned on, the ATM lock is turned off, and then a screen for charging electronic money is displayed.

In S <b> 206, the terminal application 130 prompts the user for a screen transition operation as an authentication operation used for authentication, and the user operates the mobile wireless communication terminal 100 to repeat screen browsing.
In S207, the server 10 records the screen transition operation. Note that S206 and S207 are repeated until the screen transition registration is confirmed.
In S208, the screen transition list up to now is transmitted from the server 10 to the terminal application 130.
In S209, the terminal application 130 displays a confirmation screen on the display unit of the portable wireless communication terminal 100.
FIG. 9 is a diagram illustrating an example of a confirmation screen. The example shown in FIG. 9 shows the case of (Example 4) described above.

Returning to FIG. 8, in S210, the user is inquired whether or not the terminal application 130 is OK for screen transition registration. In response to this, the user selects whether or not the user is OK.
In S <b> 211, the terminal application 130 notifies the server 10 of the result of whether or not the registration is selected by the user.
In S212, the operation is branched based on the information indicating whether or not the registration is OK obtained from the terminal application 130. In the case of screen transition registration OK, the process proceeds to S213, and in the case of redoing, the process returns to S205 and redoes registration.
In S213, the server 10 associates the screen transition list with the account number and registers it in the database. Note that the registration of screen transition is not limited to the server 10, and may be registered in the terminal application 130, for example.
In S214, the server 10 notifies the terminal application 130 of the completion of registration.
The operations after S221 are the same as those after S221 in FIG. 3 of the first embodiment.

Next, processing when the user authenticates with the server 10 when using the bank transaction service will be described.
FIG. 10 is a flowchart showing processing when authentication is performed using the non-contact type IC card 40 in the third embodiment.
S301 to S303 are the same as S301 to S303 in FIG. 4 of the first embodiment.
In S304, the server 10 instructs the terminal application 130 to guide the start of screen transition.
In S <b> 305, the terminal application 130 prompts the user to perform a screen transition operation for authentication, and the user operates the portable wireless communication terminal 100 to repeat screen browsing.
In S306, the server 10 confirms the screen transition operation. Note that S305 and S306 are repeated until the screen transition registration is confirmed.

In S307, the server 10 checks whether the screen transition registered in the database of the server 10 and the screen transition operated by the user confirmed in S306 are the same. If the screen transitions are the same, the process proceeds to S310, and if they do not match, the process proceeds to S308.
In S308, the server 10 determines whether the number of mismatches is the third time. If it is the third time, the process proceeds to S309 and the process is interrupted. If it is the first time or the second time, the process returns to S304, and the screen transition operation by the user is started again from the beginning.
In S310, the result is transmitted from the server 10 to the terminal application 130 as the screen transition confirmation OK.
The operations after S311 are the same as those after S311 in FIGS. 4 and 5 of the first embodiment.

  As described above, according to the third embodiment, when authentication with the server 10 is performed, screen transition is added as an authentication condition. As a result, even if the contactless IC card is stolen or the first unique information or the second unique information is stolen, it can be confirmed that the correct user is performing the authentication operation. , Can be safer.

  The processing of the portable radio communication terminal 100 is recorded on a computer system readable recording medium, and the program recorded on the recording medium is read into the calculation unit 120 of the portable radio communication terminal 100 and executed, thereby executing the present invention. The portable wireless communication terminal 100 and the authentication method can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

(Deformation)
(1) In each embodiment, the mobile wireless communication terminal 100 has been described by taking an example of a mobile phone. However, the present invention is not limited to this. For example, the mobile wireless communication terminal 100 may be a wireless communication terminal having no call function.

(2) In each embodiment, the authentication of the bank transaction service has been described as an example. However, the present invention is not limited to this. For example, the authentication may be used for any authentication such as authentication when using various member services.

(3) In each embodiment, although the example using a non-contact type IC card has been described, any non-contact type information storage medium may be used. For example, not only the form of a card but various non-contact type RFID tags may be used.

  In addition, although 1st Embodiment-3rd Embodiment and modification can also be used in combination suitably, detailed description is abbreviate | omitted.

DESCRIPTION OF SYMBOLS 10 Server 20 Base station 30 UIM card 40 Non-contact type IC card 100 Portable wireless communication terminal 110 Communication part 120 Operation part 130 Terminal application 140 Reader / writer

Claims (10)

A portable wireless communication terminal used for communication service,
First unique information acquisition means for communicating with a contact information storage medium mounted in the portable wireless communication terminal, and acquiring first unique information related to the communication service from the contact information storage medium;
A reader / writer that performs non-contact communication with a non-contact type information storage medium;
Second specific information acquisition means for acquiring second specific information of the non-contact information storage medium via the reader / writer;
As processing related to authentication with the server performed via the communication service , the authentication information is generated by generating authentication information on the portable wireless communication terminal by combining the first unique information and the second unique information. Authentication processing means for transmitting to the server ;
A portable wireless communication terminal. The portable wireless communication terminal according to claim 1,
Comprising registration means for reading the unique information from the non-contact information storage medium selected by the user via the reader / writer and registering it so as to be used as the second unique information;
A portable wireless communication terminal characterized by the above. In the portable radio communication terminal according to claim 1 or 2 ,
The authentication processing means generates the authentication information using an arithmetic function in the contact-type information storage medium;
A portable wireless communication terminal characterized by the above. In the portable radio | wireless communication terminal of any one of Claim 1- Claim 3 ,
The first unique information is at least one of information unique to the portable wireless communication terminal and information unique to a user of the communication service;
A portable wireless communication terminal characterized by the above. In the portable wireless communication terminal according to any one of claims 1 to 4 ,
The second unique information is information unique to the contactless information storage medium;
A portable wireless communication terminal characterized by the above. In the portable wireless communication terminal according to any one of claims 1 to 5 ,
The authentication processing means requesting a user to perform an authentication operation as a condition for performing processing related to authentication with the server;
A portable wireless communication terminal characterized by the above. The portable wireless communication terminal according to claim 6 ,
The authentication operation is a screen transition operation for transitioning a screen to be browsed,
A portable wireless communication terminal characterized by the above. A portable wireless communication terminal according to any one of claims 1 to 7 ,
A server that performs authentication with the portable wireless communication terminal via the communication service;
An authentication system comprising: An authentication method for a portable wireless communication terminal used for a communication service,
Using a computer
A first unique information acquisition unit communicates with a contact information storage medium mounted in a portable wireless communication terminal, and acquires first unique information related to the communication service from the contact information storage medium. An information acquisition step;
Second unique information acquisition means for acquiring second unique information of the non-contact type information storage medium via a reader / writer that communicates with the non-contact type information storage medium in a non-contact manner. Steps,
An authentication processing unit generates authentication information on the portable wireless communication terminal by combining the first unique information and the second unique information as processing related to authentication with the server performed via the communication service. Authentication processing step for transmitting the authentication information to the server ;
The authentication method of the portable radio | wireless communication terminal which performs . An authentication program for a portable wireless communication terminal used for a communication service,
First unique information acquisition means for communicating a computer with a contact-type information storage medium mounted in a portable wireless communication terminal, and acquiring first specific information related to the communication service from the contact-type information storage medium;
Second specific information acquisition means for acquiring second specific information of the non-contact type information storage medium via a reader / writer that performs non-contact communication with the non-contact type information storage medium;
As processing related to authentication with the server performed via the communication service , the authentication information is generated by generating authentication information on the portable wireless communication terminal by combining the first unique information and the second unique information. An authentication program for a portable wireless communication terminal for functioning as an authentication processing means for transmitting to the server .

Images