JP5774567B2 - Authentication information input device, server device, authentication system, and program - Google Patents

Description

  The present invention relates to a technique for performing authentication by comparing authentication information received by a user's input operation with authentication information stored in advance.

  As a technology for authenticating whether or not the user is a legitimate user, the user side operates a screen such as a touch panel to input authentication information such as a personal identification number, and the input authentication information and authentication information set in advance on the system side, There is a technique for verifying whether the user is a legitimate user by checking. However, in this case, when the user inputs the authentication information by operating the touch panel or the like, the authentication information may be stolen by a third party.

  As a method to prevent authentication information from being seen by a third party, for example, the viewing angle of a touch panel or the like for inputting authentication information is narrowed, or the input authentication information is displayed on the screen with “*” mark or the like. There is a method of displaying only the number of input digits.

  Patent Document 1 (Japanese Patent No. 2985888) discloses a technology of a password input device in which a user inputs a password using a numeric keypad from a terminal such as a financial automatic machine (ATM). In the above Patent Document 1, an input numeric keypad screen and a fake input numeric keypad screen are displayed on the display, and information for instructing the user whether to input a dummy number or a password is presented on the fake input numeric keypad screen. In addition, by inserting a dummy number into the personal identification number, the personal identification number is prevented from being stolen by a third party when the personal identification number is input.

  Patent Document 2 (Japanese Patent Application Laid-Open No. 2005-71202) uses system authentication information by a recording medium incorporated in a system-side electronic device and personal authentication information by a user's personal input operation. A technique for mutually authenticating an individual and a system-side electronic device to be accessed is disclosed. In the above Patent Document 2, two sets of authentication data, that is, personal authentication data indicating personal authentication information and server authentication data indicating system authentication information are registered and set, and server-side authentication using server authentication data; User-side authentication using personal authentication data is performed alternately. In addition, image data is used for personal authentication data and server authentication data.

Japanese Patent No. 2985888 JP-A-2005-71202

  However, the technology disclosed in the above-mentioned Patent Document 1 assumes that a third party is located some distance away, such as a financial automatic machine (ATM). It is not taken into account even if measures are taken when seen. For this reason, for example, not only the movement of the user's hand entering the personal identification number but also the screen on which the personal identification number is entered may be seen due to the shoulder of the user entering the personal identification number or a hidden camera. May be identified as to which input is a dummy number, and the personal identification number may be known to a third party.

  In the above-mentioned Patent Document 2, since server-side authentication using server authentication data and user-side authentication using personal authentication data are alternately performed, all authentication information is instantly known to a third party. It can be prevented to some extent. However, it is not possible to prevent authentication information when watched. In addition, it is necessary to perform the authentication operation with the system-side electronic device a plurality of times, which takes time and effort to complete the authentication operation.

  The present invention has been made in view of the above circumstances, and even when a third party sees a screen on which the user's hand or authentication information is input when inputting the authentication information, the analogy of the authentication information is first. An object of the present invention is to provide an authentication information input device, a server device, an authentication system, and a program that are difficult for the three parties and that enable a user to perform authentication efficiently with a simple operation.

  In order to achieve this object, the present invention has the following features.

<Authentication information input device>
An authentication information input device according to the present invention includes:
At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. Display means for displaying a display pattern comprising at least one key information selected from storage means and all or a predetermined number of authentication information belonging to the same group as the key information When,
Input means for inputting at least one information selected by a user operation from information constituting the display pattern displayed on the display means as authentication information used when permitting the user authentication; Have
All belonging to the same group as the key information displayed on said display means, or, in the case where the authentication information of a predetermined number is selected by the user operation, the authentication information input by the authentication of the user are permitted A device,
When the authentication information received from the input unit is compared with the authentication information corresponding to the display pattern, the image IDs of the image data constituting the authentication information are ordered. .

  According to the present invention, it is difficult for a third party to guess the authentication information even if the third party sees the screen on which the user's hand or the authentication information is input when inputting the authentication information. However, authentication can be performed efficiently with a simple operation.

2 is a diagram illustrating a configuration example of an authentication information input device 100 according to the present embodiment. FIG. 3 is a diagram illustrating a configuration example of a display pattern 10. FIG. It is a figure which shows the processing operation example at the time of the user authentication of 1st Embodiment. FIG. 10 is a diagram for explaining a case of authentication OK and a case of authentication NG. It is a 1st figure for demonstrating the specific example at the time of user authentication. It is a 2nd figure for demonstrating the specific example at the time of user authentication. It is a figure which shows the system configuration example of an authentication system. It is a figure which shows the example of a processing operation at the time of the user authentication of 2nd Embodiment. It is the 1st figure showing the example of processing operation at the time of user authentication of a 3rd embodiment. It is a 2nd figure which shows the example of a processing operation at the time of the user authentication of 3rd Embodiment. It is a figure which shows the process operation example at the time of the user authentication of 4th Embodiment.

(Outline of Embodiment of Authentication Information Input Device 100 According to the Present Invention)
First, an outline of an authentication information input device 100 according to the present invention will be described with reference to FIGS. 1 and 2. FIG. 1 shows a configuration example of an embodiment of an authentication information input device 100 according to the present invention, and FIG. 2 shows a configuration example of a display pattern 10.

  The authentication information input device 100 according to the present invention belongs to at least one key image data that can be identified by the user based on the user's own memory, and belongs to the same group as the key image data, and is necessary for permitting user authentication. A display unit (corresponding to the display input unit 110) for displaying the display pattern 10 including at least one authentication image data, and among the image data constituting the display pattern 10 displayed on the display unit 110 An input unit (corresponding to the display input unit 110) for inputting at least one image data selected by the user operation as authentication information used when permitting user authentication. The display unit 110 includes: When the user authentication is permitted based on the authentication information input by the input unit 110, a display pattern in which the combination of the key image data and the authentication image data is at least different 10 is displayed.

  The combination of key image data and authentication image data means a combination of key image data and authentication image data belonging to the same group as the key image data. For example, the display pattern 10 including at least the combination of the key image data P1-1 and the authentication image data P1-2, P1-3, and P1-4, the key image data P2-1, and the authentication image data P2-2. , P2-6, P2-8, or the display pattern 10 including at least the combination of the key image data P1-1 and the authentication image data P1-2, P1-3, P1-4. This means that the display pattern 10 including at least the combination is changed to the display pattern 10 including at least the combination of the key image data P1-1 and the authentication image data P1-2, P1-4, and P1-9. .

  When the authentication of the user is permitted, the authentication information input device 100 according to the present invention displays the display pattern 10 in which the combination of the key image data and the authentication image data is different at the time of the next user authentication. Even when a third party sees the screen on which the user's hand or authentication information is input when inputting information, the analogy of the authentication information can be made difficult for the third party.

  Further, at least one image data selected by a user operation from the image data constituting the display pattern 10 displayed on the display unit 110 is input to the input unit 110 as authentication information used when the user authentication is permitted. Since it is determined whether or not to allow user authentication based on the authentication information input to the input unit 110, the user can efficiently perform authentication with a simple operation.

  When the authentication information input device 100 according to the present invention is a touch panel type portable terminal, it is also conceivable to input the authentication information in a train or a crowd. In this case, when the user is inputting authentication information, the user's hand, a screen on which the authentication information is input, or the like may be seen by a third party from a close range. In addition, it is considered that beginners, elderly people, and the like are very slow in inputting authentication information. In this case, there is a possibility that a screen on which the user's hand movement or authentication information is input is easily seen by a third party and stored.

  However, when the user authentication is permitted, the authentication information input device 100 according to the present invention displays the display pattern 10 in which the combination of the key image data and the authentication image data is different at the next user authentication. Even if the screen on which the user's hand or authentication information is input is viewed by a third party, analogy of the authentication information can be made difficult for the third party. However, since the user can identify the key image data based on the user's own storage, and can identify the authentication image data belonging to the same group as the key image data, the authentication image data is used as the authentication information. Can be input to the input unit 110. Hereinafter, embodiments of an authentication information input device 100 according to the present invention will be described in detail with reference to the accompanying drawings.

(First embodiment)
<Configuration example of authentication information input device 100>
First, a configuration example of the authentication information input device 100 of the present embodiment will be described with reference to FIG.

  The authentication information input device 100 of this embodiment includes a display input unit 110, a control unit 120, and a storage unit 130.

  The display input unit 110 is configured with a touch panel or the like, and displays and inputs information. The display input unit 110 according to the present embodiment displays the display pattern 10 shown in FIG. 2 composed of a plurality of image data. Then, when a user operation is performed on the image data constituting the displayed display pattern 10, the position of the image data where the user operation is performed is detected, and the display is performed based on the detected position information. It is determined which image data is selected by the user operation from the image data constituting the pattern 10.

  The display pattern 10 shown in FIG. 2 belongs to at least one key image data, image data (authentication image data) belonging to the same image group as the key image data, and any key image data image group. 16 image data including at least non-image data and image data (dummy image data) belonging to a different image group from the displayed key image data.

  The key image data is for determining image data to be input as authentication information. Image data (authentication image data) belonging to the same image group as the key image data is image data input as authentication information. For this reason, the image data belonging to the same image group as the key image data needs to include as many pieces as necessary for constituting the authentication information.

  In order to configure the display pattern 10 shown in FIG. 2, image groups are stored in the storage unit 130, and one key is assigned to each image group constituting the authentication information. At least the image data and the number of pieces of image data necessary for configuring authentication information are stored in association with each other. For example, when the number of image data required for configuring authentication information is 3, it is necessary to store at least one key image data and at least three image data in each image group in association with each other. There is. In addition, key image data is not provided in an image group that does not constitute authentication information, and only image data is stored.

  The display pattern 10 of this embodiment is composed of 16 pieces of image data, and the user identifies key image data from among the 16 pieces of image data based on the user's own storage. Then, all or a predetermined number of image data belonging to the same image group as the key image data is input to the display input unit 110 as authentication information. If the authentication is successful based on the authentication information input to the display input unit 110, the new display pattern 10 is displayed on the display input unit 110 at the next user authentication.

  For this reason, a third party who cannot recognize image data (key image data, authentication image data) necessary for permitting user authentication constitutes the display information 10 and 16 pieces of image data. When the number of image data (authentication image data) is 3 or 4, it is necessary to try 16C3 + 16C4 = 2380 input operations at random. Further, even if a third party learns by looking at the image data (authentication image data) constituting the authentication information over the shoulder of the user, for example, the number of image groups is four, and the number of image data in each image group is Assuming that the number of image data (authentication image data) constituting 10 pieces of authentication information is 3, the image data of all 4 image groups will be 40, so all the image data will be sent to the display input unit 110. It is necessary to steal at least 40 ÷ 3 = 13 times or more just by displaying it, and the key image data is not displayed as authentication information but cannot be identified just because it is displayed. To do it, you need to remember 40C16 = 62852101650. For this reason, even when the third party sees the screen on which the user's hand or the authentication information is input when inputting the authentication information, the analogy of the authentication information can be made difficult for the third party. The display pattern 10 may include two or more key image data. In that case, the image data associated with all the displayed key image data is the authentication image data.

  The control unit 120 performs display control of the display pattern 10 displayed on the display input unit 110. Further, authentication control of authentication information input by a user operation from the display input unit 110 is performed. The control unit 120 of this embodiment includes a pattern generation unit 121 and an authentication unit 122.

  The pattern generation unit 121 generates the display pattern 10 shown in FIG. 2 to be displayed on the display input unit 110, and displays the generated display pattern 10 on the display input unit 110. When the authentication unit 122 receives from the display input unit 110 authentication information configured by image data selected by a user operation from the image data configuring the display pattern 10 shown in FIG. In addition, the received authentication information is compared with the authentication information corresponding to the display pattern 10 displayed on the display input unit 110, and it is determined whether or not both authentication information matches.

  The storage unit 130 has an image group table 131 for registering an image group composed of one key image data and at least the number of pieces of image data necessary for configuring authentication information.

  A plurality of image groups are registered in the image group table 131, and one key image data and at least the number of pieces of image data necessary for constituting authentication information are registered in each image group.

  The image group is a group composed of image data that can be identified by the user based on the user's own storage. As shown in FIG. 2, the group ID, the key image ID, and the image ID are managed in association with each other. . The group ID is information for identifying an image group, and the key image ID is information for identifying key image data. The image ID is information for identifying image data. The key image data and image data associated with the image group are registered in advance by the user. The user registers key image data and image data that can be identified by the user for each image group. The image data associated with the image group becomes image data (authentication image data) that needs to be selected by the user when the user authentication is permitted.

As the image group, for example, a group of image data related to the individual is registered.
In this case, for example, photo data for a baby is registered as key image data. Then, photo data for elementary school, photo data for kindergarten, photo data for junior high school, and the like are registered as image data (authentication image data) of a group of own photo data.
Next, the teacher's photo data is registered as key image data. Then, the photo data of the best friend, the photo data of the elementary school building, etc. are registered as image data (authentication image data) of a group of photo data of the person related to him.
Next, the photo data of the glove bought for the first time is registered as key image data. Then, the photograph data of the record jacket that was bought for the first time, the photograph data of the favorite hat, and the like are registered as image data (authentication image data) of a group of thing photo data related to me.

  As key image data and image data associated with an image group, image data created by the user himself / herself, image data obtained by searching a website with an appropriate keyword, and the like can be used.

  In the image group table 131, it is also possible to register an image group composed only of image data without key image data. Image data belonging to an image group having no key image data is dummy image data.

<Example of processing operation during user authentication>
Next, an example of processing operation during user authentication will be described with reference to FIG.

  First, the pattern generation unit 121 generates the display pattern 10 shown in FIG. 2 using the key image data and the image data included in the image group (step S1).

  Since the display pattern 10 of the present embodiment is composed of 16 pieces of image data, 16 pieces of image data including at least one key image data are selected from the image groups stored in the image group table 131. . The display pattern shown in FIG. 2 includes the selected key image data, all or a predetermined number of image data (authentication image data) associated with the key image data, and dummy image data. Generates 10. The display positions of the key image data, authentication image data, and dummy image data are not particularly limited, and can be determined by any method. For example, the display positions of the key image data, authentication image data, and dummy image data can be determined at random. As the dummy image data, not only image data belonging to an image group different from the selected key image data but also image data not associated with any key image data can be selected.

  Next, the pattern generation unit 121 displays the display pattern 10 on the display input unit 110 (step S2).

  The authentication unit 122 starts receiving authentication information when the display pattern 10 is displayed on the display input unit 110 (step S3). Further, the authentication unit 122 monitors authentication information input from the display input unit 110, and determines whether or not to start authentication (step S4).

  The user discriminates the key image data based on the user's own memory, and selects the image data registered in the image group in association with the key image data from the image data constituting the display pattern 10 displayed on the display input unit 110. select. At least one image data selected by the user operation is input to the display input unit 110 as authentication information used when the user authentication is permitted. At this time, the input image data can be discriminated by a third party, but since the key image data is not selected as authentication information, the third party does not know which image data is the key image data.

  The authentication unit 122 determines to start authentication when an authentication start button (not shown) separately installed in the authentication information input device 100 is pressed (step S4 / Yes). When the number of image data to be selected is indefinite, it is necessary to do the above, but when the number of image data to be input in advance is determined, a predetermined number of image data is input. Authentication may be started.

  The authentication unit 122 configures authentication information corresponding to the display pattern 10 displayed on the display input unit 110, that is, the display pattern 10 displayed on the display input unit 110 when authentication is started (step S4 / Yes). Image IDs of all or a predetermined number of image data registered in the image group in association with the key image data to be acquired are acquired from the pattern generation unit 121 (step S5). Next, the authentication unit 122 collates the authentication information received from the display input unit 110 with the authentication information corresponding to the display pattern 10 acquired from the pattern generation unit 121 (step S6).

  When the authentication information on both sides matches (that is, the authentication information received from the display input unit 110 is the same image group as the key image data constituting the display pattern 10 displayed on the display input unit 110) (When configured with image IDs of all or a predetermined number of image data) (step S7 / Yes), it is determined that authentication is OK (step S8), and the process ends (End). Thus, if it is determined that the authentication is OK, the process starts from step S1 described above. Therefore, at the next user authentication, the display pattern 10 is newly generated, and the generated new display pattern 10 is displayed on the display input unit. 110 will be displayed. For this reason, even if a third party steals the authentication information during the authentication OK authentication information input operation, the new display pattern 10 is displayed at the next user authentication. It can be made difficult for the three parties.

  Further, when the authentication information of both does not match (that is, the authentication information received from the display input unit 110 belongs to the same image group as the key image data constituting the display pattern 10 displayed on the display input unit 110) (Or when it is not configured with image IDs of a predetermined number of image data) (step S7 / No), it is determined as authentication NG (step S9). In this case, the same display pattern 10 is displayed again on the display input unit 110 (step S2). This prevents an attack that repeats authentication NG until the same display pattern 10 is displayed even if a third party steals the authentication information during authentication OK input operation. be able to.

<Example of user authentication when authentication is OK>
Next, an example of user authentication in the case of authentication OK will be described with reference to FIG.

  Assume that the pattern generation unit 121 generates the display pattern 10 shown in FIG. 4A and displays the generated display pattern 10 on the display input unit 110. Based on the user's own memory, the user can identify the image data of P1-1 as the key image data from the image data constituting the display pattern 10 displayed on the display input unit 110. Therefore, the user can select image data P1-2, P1-5, and P1-9 belonging to the same image group as the key image data P1-1 based on the user's own memory. In this case, the display input unit 110 inputs the image data of P1-2, P1-5, and P1-9 selected by the user as authentication information. The authentication unit 122 includes authentication information (P1-2, P1-5, P1-9) input from the display input unit 110 and authentication information (P1-2) corresponding to the display pattern 10 displayed on the display input unit 110. , P1-5, P1-9). In this case, since both authentication information matches, it is determined that the authentication is OK. Then, at the next user authentication, the display pattern 10 is newly generated, and the generated new display pattern 10 is displayed on the display input unit 110. For this reason, even if a third party steals the authentication information during the authentication OK authentication information input operation, the new display pattern 10 is displayed at the next user authentication. It can be made difficult for the three parties. In addition, since the number of image data to be selected varies depending on the display pattern 10, analogy can be made very difficult for a third party.

<Example of user authentication for authentication NG>
Next, an example of user authentication in the case of authentication NG will be described with reference to FIG.

  Assume that the pattern generation unit 121 generates the display pattern 10 shown in FIG. 4B and displays the generated display pattern 10 on the display input unit 110. Based on the user's own memory, the user can identify the image data of P1-1 as the key image data from the image data constituting the display pattern 10 displayed on the display input unit 110. Therefore, the user can select image data P1-2, P1-5, and P1-9 belonging to the same image group as the key image data P1-1 based on the user's own memory. However, it is assumed that the user has selected image data P1-2, P1-9, and P2-2. In this case, the display input unit 110 inputs the image data of P1-2, P1-9, and P2-2 selected by the user as authentication information. The authentication unit 122 includes authentication information (P1-2, P1-9, P2-2) input from the display input unit 110 and authentication information (P1-2) corresponding to the display pattern 10 displayed on the display input unit 110. , P1-5, P1-9). In this case, since the authentication information of both does not match, it is determined as authentication NG. In this case, at the next user authentication, the same display pattern 10 as in FIG. 4B is displayed on the display input unit 110. For this reason, even if a third party steals the authentication information during authentication OK authentication information input operation, it prevents an attack that repeats authentication NG until the same display pattern 10 is displayed as when it was accidentally stolen. be able to.

  Note that the authentication information input device 100 of the present embodiment, when collating the authentication information received from the display input unit 110 with the authentication information corresponding to the display pattern 10, It is also possible to give order to the image ID. For example, the image IDs of the image data constituting the authentication information corresponding to the display pattern 10 are P1-2, P1-5, and P1-9, and have the order of P1-2 → P1-5 → P1-9. Let ’s say. The image IDs of the image data constituting the authentication information received from the display input unit 110 are P1-2, P1-5, and P1-9, and the order of P1-9 → P1-5 → P1-2 Is input from the display input unit 110. In this case, the image IDs of the image data constituting both pieces of authentication information match, but since the order of the image IDs is different, authentication NG is determined. As described above, the security can be further improved by performing the collation with the order of the image IDs constituting the authentication information.

<Specific example>
Next, a specific example of user authentication will be described with reference to FIGS.

  First, as shown in FIG. 5A, the user registers a plurality of image groups (Momotaro group, child group, workplace companion group, uncle aunt group) in the image group table 131. In the Momotaro group, image data of Momotaro is registered as key image data, and image data of monkeys, frogs, dogs, and oni are registered as image data. In the child group, the image data of the mother is registered as the key image data, and the image data of the eldest son, the eldest daughter, and the second daughter is registered as the image data. In addition, the image data of the president is registered as key image data, and the image data of Mr. A, Mr. B, and Mr. C are registered as image data in the work associate group. Also, in the uncle aunt group, the image data of the father is registered as the key image data, and the image data of Mr. S, T, and U is registered as the image data. It is assumed that other groups than those described above are registered in the image group table 131.

  Next, the pattern generation unit 121 refers to the image group table 131 and selects key image data and image data (authentication image data) from at least one image group. Image data is also selected from other image groups. And the display pattern shown in FIG.5 (b) is produced | generated based on the image data selected from each image group. Thereby, the display pattern shown in FIG. 5B can be displayed on the display input unit 110.

  Based on the user's own memory, the user can identify the image data of “Momotaro” as the key image data from the image data constituting the display pattern displayed on the display input unit 110. For this reason, as shown in FIG. 6 (a), the user selects the image data of “Rin, Oni, Monkey” belonging to the same image group as the key image data of “Momotaro” based on the user's own memory, It can be input to the display input unit 110 as authentication information. The authentication unit 122 compares authentication information (情報, oni, monkey) input from the display input unit 110 with authentication information (情報, oni, monkey) corresponding to the display pattern displayed on the display input unit 110. To do. In this case, since both authentication information matches, it is determined that the authentication is OK. Then, at the next user authentication, as shown in FIG. 6B, a new display pattern is generated, and the generated new display pattern is displayed on the display input unit 110. For this reason, even if a third party steals authentication information (雉, oni, monkey) during the input operation of authentication information for authentication OK, the new display shown in FIG. Since the pattern is displayed, the analogy of the authentication information can be made difficult for a third party.

  For example, even if a third party selects the image data “雉, oni, monkey” with the display pattern shown in FIG. 6B displayed on the display input unit 110, the display shown in FIG. Since the authentication information corresponding to the pattern is “eldest son, eldest daughter, second daughter”, the authentication information of both does not match and it is determined as authentication NG. In this case, since the same display pattern as that in FIG. 6B is displayed on the display input unit 110 at the next user authentication, a third party can use the authentication information (雉, oni, monkey) when the authentication OK authentication information is input. ) Can be prevented from repeating the authentication NG until the same display pattern as shown in FIG. 6A is displayed.

<Operation / Effect of Authentication Information Input Device 100 of this Embodiment>
As described above, the authentication information input device 100 according to the present embodiment uses the key image data and the image data included in the image group, and uses at least one key image data and image data belonging to the same image group as the key image data. Display image 10 including at least (authentication image data) is generated and displayed on the display input unit 110. Next, at least one image data selected by a user operation from the image data constituting the display pattern 10 displayed on the display input unit 110 is displayed and input as authentication information used when permitting user authentication. Input to part 110. When authentication information is input from the display input unit 110, the input authentication information is compared with authentication information corresponding to the display pattern 10 displayed on the display input unit 110. When both authentication information matches (that is, all the authentication information input from the display input unit 110 belongs to the same image group as the key image data constituting the display pattern 10 displayed on the display input unit 110, or (When configured with a predetermined number of image data), it is determined that authentication is OK, and a new display pattern 10 is displayed on the display input unit 110 at the next user authentication. Further, when the authentication information of both does not match (that is, the authentication information input from the display input unit 110, all the authentication information input from the display input unit 110 belongs to the same image group as the key image data constituting the display pattern 10) If the image data is not composed of a predetermined number of image data), it is determined as authentication NG, and the same display pattern 10 is displayed on the display input unit 110 at the next user authentication.

  When the authentication is OK, the authentication information input device 100 of the present embodiment displays a new display pattern 10. Therefore, when the authentication information is input, the user's hand and the screen on which the authentication information is input can be seen by a third party. Even if it has been, the analogy of authentication information can be made difficult for a third party.

  In addition, the authentication information input device 100 according to the present embodiment displays, in the display input unit 110, a display pattern 10 including at least one key image data and image data belonging to the same image group as the key image data. At least one image data selected by user operation from among the image data constituting the display pattern 10 displayed and displayed on the display input unit 110 is displayed as authentication information used when user authentication is permitted. Since the user authentication is input to the input unit 110, the user can efficiently perform the authentication with a simple operation.

(Second Embodiment)
Next, a second embodiment will be described.

  In the first embodiment, the case where user authentication is performed by the authentication information input apparatus 100 shown in FIG. 1 has been described.

  In the second embodiment, a case where user authentication is performed by the authentication information input device 100 and the server device 200 illustrated in FIG. 7 will be described. In the case of the second embodiment, the generation processing of the display pattern 10 and the authentication processing are performed on the server device 200 side. Hereinafter, the second embodiment will be described with reference to FIGS. 7 and 8.

<System configuration example of authentication system>
First, a system configuration example of the authentication system of this embodiment will be described with reference to FIG.

  The authentication system of the present embodiment is configured by connecting an authentication information input device 100 and a server device 200 via a network NW. The network NW can be applied to any communication form regardless of wired or wireless, and the authentication information input apparatus 100 and the server apparatus 200 are connected in any connection form to perform two-way information communication.

  The authentication information input device 100 according to the present embodiment includes a display input unit 110, a control unit 120, and a communication unit 140. The display input unit 110 has the same function as in the first embodiment. The control unit 120 performs display control of the display pattern 10 displayed on the display input unit 110. The communication unit 140 communicates with the server device 200 in an arbitrary communication form.

  The server device 200 according to the present embodiment includes a control unit 220, a storage unit 230, and a communication unit 240.

  The control unit 220 of this embodiment includes a pattern generation unit 221 and an authentication unit 222. The functions of the pattern generation unit 221 and the authentication unit 222 have the same functions as those in the first embodiment. The communication unit 240 communicates with the authentication information input device 100 in an arbitrary communication form. The image group table 231 stored in the storage unit 230 is the same as that in the first embodiment.

  The server device 200 transmits the display pattern 10 generated by the pattern generation unit 221 to the authentication information input device 100 via the communication unit 240. The authentication information input device 100 displays the display pattern 10 received via the communication unit 140 on the display input unit 110. In addition, the image ID string of the authentication information input by the user operation from the display input unit 110 is transmitted to the server device 200 via the communication unit 140. The server device 200 uses the image ID sequence received via the communication unit 240 to perform verification using the authentication unit 222.

<Example of processing operation during user authentication>
Next, an example of processing operation during user authentication will be described with reference to FIG.

  The pattern generation unit 221 of the server device 200 generates the display pattern 10 as in the first embodiment, and transmits the generated display pattern 10 to the authentication information input device 100 via the communication unit 240 (Step A1). , A2).

  The authentication information input device 100 receives the display pattern 10 via the communication unit 140 and displays the received display pattern 10 on the display input unit 110. Also, the authentication information input acceptance is started (step A3). As a result, the authentication information input device 100 displays a display pattern 10 including at least one key image data and image data (authentication image data) belonging to the same image group as the key image data. 110 can be displayed.

  The user discriminates the key image data based on the user's own memory, and selects the image data registered in the image group in association with the key image data from the image data constituting the display pattern 10 displayed on the display input unit 110. select. At least one image data selected by the user operation is input to the display input unit 110 as authentication information used when the user authentication is permitted. At this time, the input image data can be discriminated by a third party, but since the key image data is not selected as authentication information, the third party does not know which image data is the key image data.

  The display input unit 110 determines to start authentication when an authentication start button (not shown) separately installed in the authentication information input device 100 is pressed (step A4 / Yes). When the number of image data to be selected is indefinite, it is necessary to do the above, but when the number of image data to be input in advance is determined, a predetermined number of image data is input. Authentication may be started.

  When starting the authentication (step A4 / Yes), the display input unit 110 transmits the authentication information input from the display input unit 110 to the server device 200 via the communication unit 140 (step A5).

  When the server device 200 receives the authentication information via the communication unit 240, the authentication unit 222 authenticates the authentication information corresponding to the display pattern 10 displayed on the display input unit 110 on the authentication information input device 100 side, that is, Pattern generation of image IDs of all or a predetermined number of image data registered in the image group in association with the key image data constituting the display pattern 10 displayed on the display input unit 110 on the authentication information input device 100 side Obtained from the part 221 (step A6). Next, the authentication unit 222 collates the authentication information received from the authentication information input device 100 with the authentication information corresponding to the display pattern 10 acquired from the pattern generation unit 221 (step A7).

  The authentication unit 222 is a key that configures the display pattern 10 that is displayed on the display input unit 110 on the authentication information input device 100 side when the authentication information on both sides matches (that is, the authentication information received from the authentication information input device 100). All of the image data belonging to the same image group as the image data or a predetermined number of image data image IDs) are determined to be authentication OK. If the authentication information of both does not match (that is, the authentication information received from the authentication information input device 100 is the key image data constituting the display pattern 10 displayed on the display input unit 110 on the authentication information input device 100 side) All of the images belonging to the same image group or a case where the image IDs of a predetermined number of image data are not used are determined to be authentication NG. The authentication unit 222 transmits the verification result described above to the authentication information input device 100 via the communication unit 240 (step A8).

<Operation and effect of authentication system of this embodiment>
As described above, the server device 200 configuring the authentication system of the present embodiment displays the display pattern 10 generated by the server device 200 on the display input unit 110 on the authentication information input device 100 side. The authentication information input device 100 transmits at least one image data selected by a user operation from the display patterns 10 displayed on the display input unit 110 to the server device 200 as authentication information. The server device 200 performs user authentication based on the authentication information received from the authentication information input device 100.

  As a result, the authentication system of the present embodiment can obtain the same effects as those of the first embodiment, and further improve security compared to performing user authentication by the authentication information input device 100 alone as in the first embodiment. Can be made.

  Further, the display pattern 10 is generated on the server device 200 side, and the generated display pattern 10 is displayed on the display input unit 110 on the authentication information input device 100 side. Then, the server apparatus 200 receives the image data selected by the user operation from the display pattern 10 displayed on the display input unit 110 as authentication information, and performs user authentication based on the received authentication information. For this reason, since authentication such as challenge and response can be performed, spoofing of the terminal itself (including spoofing of a program on the terminal) can be prevented.

(Third embodiment)
Next, a third embodiment will be described.

  In the first embodiment, as shown in FIG. 3, in the process of step S1, the display pattern 10 is generated at the timing of displaying the display pattern 10. Further, in the process of step S6, the authentication information input from the display input unit 110 and the authentication information selected in the process of step S1 corresponding to the display pattern 10 displayed on the display input unit 110 are collated. .

  In the third embodiment, as shown in FIG. 9, a plurality of display patterns 10 are generated in advance and stored in the storage unit 130, and authentication information corresponding to each display pattern 10 is stored as a hash function (one-way function). ) To calculate a hash value, and the calculated hash value is stored in advance in the storage unit 130 for each display pattern 10 (steps B1 to B4). When ordering image IDs configured as authentication information, it is preferable to use a code (for example, P1-9 → P1-5 → P1-2) generated by connecting image IDs in the order of input. In addition, if the image IDs configured as authentication information are not ordered, codes generated by concatenating the image IDs in ascending order (for example, P1-2, P1-5, P1-9) The image ID can be composed of prime numbers, and the product of the image IDs (for example, P1-2 × P1-5 × P1-9) can be used.

  In order to store the hash value in advance in the storage unit 130 for each display pattern 10, first, an image group is registered in the image group table 131, and key image data and image data are registered in the image group (step B1). ). Thereby, for example, the image group shown in FIG. 5A can be registered in the image group table 131. Next, using at least one key image data and image data (authentication image data) belonging to the same image group as the key image data, using the key image data and the image data included in the image group. A plurality of display patterns 10 to be generated are generated (step B2). Thereby, for example, the display pattern 10 shown in FIG. 5B described above can be generated. Next, the hash value is calculated by hashing the authentication information corresponding to the generated display pattern 10 with a hash function (one-way function) (step B3). Then, the calculated hash value and the display pattern 10 are associated with each other and stored in the storage unit 130 for each display pattern 10 (step B4). Accordingly, the hash value corresponding to the display pattern 10 can be stored and managed in advance in the storage unit 130 for each display pattern 10. Then, the image group registered in the image group table 131 is discarded.

  As a result, a plurality of display patterns 10 and hashed authentication information (hash values) corresponding to the display patterns 10 are stored in the storage unit 130. The storage information related to the display pattern 10 stored in the storage unit 130 includes only the same contents as the display pattern 10 seen at the time of authentication, and it is difficult to determine authentication information (image ID) and key image data from that information. It is. Further, since the hashed authentication information (hash value) cannot be restored to the original image ID, the authentication information cannot be similarly determined. Therefore, even when searching in the storage unit 130, it is possible to identify which image data (image ID) is the key image data, the authentication image data (which of course belongs to which image group), or the dummy image data. Can not. As a result, even when the authentication information input device 100 itself is obtained and the information in the storage unit 130 is analyzed, confidential information cannot be extracted from the storage unit 130.

  When authentication is started in this embodiment, as shown in FIG. 10, one display pattern 10 is selected from a plurality of display patterns 10 stored in advance in the storage unit 130 (step S21). The display pattern 10 is displayed on the display input unit 110 (step S22).

  At the time of collation (step S24 / Yes), the authentication unit 122 refers to the storage unit 130 and acquires the hash value corresponding to the display pattern 10 together with the display pattern 10 (step S25). Further, the authentication information input from the display input unit 110 is hashed with a hash function (one-way function) to calculate a hash value. Then, the hash value obtained from the authentication information is collated with the hash value corresponding to the display pattern 10 acquired from the storage unit 130 (step S26).

  If both hash values match (step S27 / Yes), it is determined that the authentication is OK (step S28). If both hash values do not match (step S27 / No), it is determined as authentication NG (step S29).

<Operation / Effect of Authentication Information Input Device 100 of this Embodiment>
As described above, the authentication information input apparatus 100 according to the present embodiment stores the hash value calculated by hashing the authentication information corresponding to the display pattern 10 in the storage unit 130 for each display pattern 10 in advance. As a result, even if a third party who obtains the authentication information input device 100 analyzes the information in the storage unit 130, it is possible to prevent the identification of authentication information for which authentication is OK. As a result, security can be further improved.

(Fourth embodiment)
Next, a fourth embodiment will be described.

  In the third embodiment, hash values calculated by hashing authentication information corresponding to each display pattern 10 generated in advance are stored in advance in the storage unit 130 for each display pattern 10.

  In the fourth embodiment, all image IDs of image data stored in the image group table 131 are hashed. As a result, since the hashed image ID stored in the image group table 131 cannot be restored to the original image ID, it is possible to prevent the authentication information from being discriminated.

  When authentication is started in this embodiment, as shown in FIG. 11, one display pattern 10 is selected from a plurality of display patterns 10 stored in advance in the storage unit 130, as in the third embodiment. Then, the selected display pattern 10 is displayed on the display input unit 110 (step S32).

  At the time of collation (step S34 / Yes), the authentication unit 122 searches the image group table 131 based on the authentication information (hash value) input from the display input unit 110 (step S35). Then, it is determined whether or not all hash values constituting the authentication information input from the display input unit 110 belong to the same image group (step S36).

  When all the hash values constituting the authentication information do not belong to the same image group (step S36 / No), it is determined as authentication NG (step S40).

  When all the hash values constituting the authentication information belong to the same image group (step S36 / Yes), the image group table 131 is searched based on the hash values of all the image data which are not included in the display pattern 10 and have not been input. (Step S37), the hash values corresponding to the key image data of the image group are present in the hash values of all the image data not constituting the display pattern 10 and are associated with the key image data. It is determined whether or not there is a hash value corresponding to the received image data (step S38).

  A hash value corresponding to the key image data is present in the hash values of all the image data that have not been input constituting the display pattern 10, and the hash value corresponding to the image data associated with the key image data Is not present (step S38 / Yes), it is determined that the authentication is OK (step S39). In other cases (step S38 / No), it is determined as authentication NG (step S40).

<Operation / Effect of Authentication Information Input Device 100 of this Embodiment>
As described above, the authentication information input apparatus 100 according to the present embodiment has all the image IDs of the image data stored in the image group table 131 hashed. As a result, since the hashed image ID stored in the image group table 131 cannot be restored to the original image ID, it is possible to prevent the authentication information from being discriminated. As a result, security can be further improved.

  The above-described embodiment is a preferred embodiment of the present invention, and the scope of the present invention is not limited to the above-described embodiment alone, and various modifications are made without departing from the gist of the present invention. Implementation is possible.

  For example, in the above-described embodiment, as shown in FIG. 2, the display pattern 10 includes at least one key image data and at least one image data (authentication image data) belonging to the same image group as the key image data. And image data that does not belong to the same image group as the key image data (dummy image data). However, the display pattern 10 is an example, and can be configured by an arbitrary number of image data.

  In the above-described embodiment, the display pattern 10 is configured by image data. However, the display pattern 10 is not limited to image data, and key image data, authentication image data, and dummy image data can each be composed of arbitrary information.

  In the above-described embodiment, the display input unit 110 that combines the function of displaying the display pattern 10 and the function of inputting the image data constituting the authentication information has been described as an example. However, a function (display unit) for displaying the display pattern 10 and a function (input unit) for inputting image data constituting the authentication information can be provided separately.

  Further, the control operation in the authentication information input device 100 and the server device 200 of the present embodiment described above can be executed using hardware, software, or a combined configuration of both.

  In the case of executing processing using software, it is possible to install and execute a program in which a processing sequence is recorded in a memory in a computer incorporated in dedicated hardware. Alternatively, the program can be installed and executed on a general-purpose computer capable of executing various processes.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program can be stored (recorded) temporarily or permanently in a removable recording medium. Such a removable recording medium can be provided as so-called package software. Examples of the removable recording medium include a floppy (registered trademark) disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, and a semiconductor memory.

  The program is installed in the computer from the removable recording medium as described above. In addition, it is wirelessly transferred from the download site to the computer. In addition, it is transferred to the computer via a network by wire.

  Further, the authentication information input device 100 and the server device 200 in the present embodiment are not only executed in time series according to the processing operation described in the above embodiment, but also the processing capability of the device that executes the processing, or necessary. It is also possible to construct to execute in parallel or individually.

100 Authentication Information Input Device 110 Display Input Unit (Display Unit, Input Unit)
120 Control Unit 121 Pattern Generation Unit 122 Authentication Unit (Authentication Unit)
130 storage unit (authentication storage means)
131 Image group table (storage means)
140 Communication unit (transmission means)
200 Server Device 220 Control Unit 221 Pattern Generation Unit 222 Authentication Unit (Authentication Unit)
230 Storage Unit 231 Image Group Table (Storage Unit)
240 Communication unit (transmission means, reception means)
NW network

Claims (11)

At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. Display means for displaying a display pattern comprising at least one key information selected from storage means and all or a predetermined number of authentication information belonging to the same group as the key information When,
Input means for inputting at least one information selected by a user operation from information constituting the display pattern displayed on the display means as authentication information used when permitting the user authentication; Have
All belonging to the same group as the key information displayed on said display means, or, in the case where the authentication information of a predetermined number is selected by the user operation, the authentication information input by the authentication of the user are permitted A device,
When the authentication information received from the input unit is compared with the authentication information corresponding to the display pattern, the image IDs of the image data constituting the authentication information are ordered. Authentication information input device. The display means includes
If authentication of the user is permitted, a display pattern different from the display pattern displayed on the display means is displayed,
The authentication information input device according to claim 1, wherein when the user authentication is not permitted, the same display pattern as the display pattern displayed on the display means is displayed. The display means includes
And including at least one of the authentication information belonging to a group different from the key information selected from the storage means and information not associated with all the key information stored in the storage means The authentication information input device according to claim 1, wherein the display pattern to be displayed is displayed. The storage means;
All or a predetermined number of the authentication information belonging to the same group as the key information constituting the display pattern displayed on the display means, and the authentication information input by the input means, An authentication unit that verifies and permits authentication of the user when the authentication information of both matches,
The authentication information input device according to claim 1, further comprising: Transmitting means for transmitting the authentication information input to the input means to a server device connected to the authentication information input device;
When all of the groups belonging to the same group as the key information displayed on the display means or a predetermined number of the authentication information are transmitted to the server apparatus by the transmission means, the server apparatus side causes the user to The authentication information input device according to any one of claims 1 to 3, wherein the authentication is permitted. Authentication storage means for storing the authentication information obtained by hashing the authentication information included in the display pattern displayed on the display means in association with the display pattern;
The authentication information obtained by hashing the authentication information input by the input unit; and the hashed authentication information associated with the display pattern displayed on the display unit stored in the authentication storage unit; And authentication means for permitting the user authentication when the hashed authentication information matches.
The authentication information input device according to any one of claims 1 to 3, further comprising: The storage means for storing the hashed key information and the hashed authentication information in association with each other; and
The authentication information obtained by hashing the authentication information input by the input means with reference to the storage means belongs to the same group, and is displayed on the display means not input by the input means When the hashed key information exists in the information obtained by hashing the information constituting the display pattern, and the hashed authentication information associated with the hashed key information does not exist. Authentication means for authorizing the user;
The authentication information input device according to any one of claims 1 to 3, further comprising: Connected to an authentication information input device that gives order to the image IDs of the image data constituting the authentication information when the authentication information received from the input means is compared with the authentication information corresponding to the display pattern. Server device,
At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. The authentication information input is a display pattern that includes at least one of the key information selected from the storage means and all or a predetermined number of the authentication information belonging to the same group as the key information. Transmitting means for transmitting to the device;
At least one piece of information selected by a user operation from information constituting the display pattern displayed on the display means on the authentication information input device side is used as authentication information used when permitting the user authentication. Receiving means for receiving the authentication information input to the input means on the authentication information input device side;
The authentication information received by the receiving unit belongs to the same group as the key information constituting the display pattern transmitted to the authentication information input device by the transmitting unit, or a predetermined number of the authentication information And an authentication means for permitting authentication of the user,
The server apparatus characterized by having. An authentication system comprising an authentication information input device and a server device,
The server device
At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. The authentication information input is a display pattern that includes at least one of the key information selected from the storage means and all or a predetermined number of the authentication information belonging to the same group as the key information. Transmitting means for transmitting to the device;
At least one piece of information selected by a user operation from information constituting the display pattern displayed on the display means on the authentication information input device side is used as authentication information used when permitting the user authentication. Receiving means for receiving the authentication information input to the input means on the authentication information input device side;
The authentication information received by the receiving unit belongs to the same group as the key information constituting the display pattern transmitted to the authentication information input device by the transmitting unit, or a predetermined number of the authentication information And an authentication means for permitting authentication of the user,
The authentication information input device includes:
The display means for displaying the display pattern received from the server device;
Input means for inputting at least one information selected by a user operation from information constituting the display pattern displayed on the display means as authentication information used when permitting the user authentication;
Together and a transmission means for transmitting the authentication information input to the input unit to the server device
An authentication characterized in that when the authentication information received from the input means is compared with the authentication information corresponding to the display pattern, the image IDs of the image data constituting the authentication information are ordered. system. At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. A display pattern configured to include at least one key information selected from the storage unit and all or a predetermined number of the authentication information belonging to the same group as the key information is displayed on the display unit. Display processing to
Input processing for inputting at least one information selected by user operation from information constituting the display pattern displayed on the display means to the input means as authentication information used when permitting the user authentication And let the computer run
When all or a predetermined number of the authentication information belonging to the same group as the key information displayed on the display means are selected by a user operation, the user authentication is permitted and input from the input means the authentication information was accepted, the authentication information corresponding to the display pattern, when matching, the Ru to have a sequence of the image ID of the image data forming the authentication information, a program, characterized in that. A program to be executed by a computer of a server device connected to an authentication information input device,
At least one or more pieces of key information that can be identified by the user based on the user's own storage and at least one or more pieces of authentication information necessary for permitting the authentication of the user are stored in association with each group. The authentication information input is a display pattern that includes at least one of the key information selected from the storage means and all or a predetermined number of the authentication information belonging to the same group as the key information. A transmission process to send to the device;
At least one piece of information selected by a user operation from information constituting the display pattern displayed on the display means on the authentication information input device side is used as authentication information used when permitting the user authentication. A receiving process for receiving the authentication information input to the input means on the authentication information input device side;
The authentication information received by the reception process belongs to the same group as the key information constituting the display pattern transmitted to the authentication information input device by the transmission process, or a predetermined number of the authentication information And an authentication process for permitting authentication of the user,
A process of giving order to the image IDs of the image data constituting the authentication information when verifying the authentication information received from the input means and the authentication information corresponding to the display pattern;
To cause the computer to execute the program.

Images