JP7398183B2 - Network authentication system using blockchain and authentication method using this - Google Patents

Description

The present invention relates to a network authentication system using blockchain and an authentication method using the same.

With the use of cloud services and the expansion of remote work, there are now no safe spaces in corporate IT environments, as devices move between environmental boundaries inside and outside the company's firewall.

In fact, it was announced in August 2020 that corporate PIN numbers leaked during telework were listed on criminal websites for 900 companies worldwide (38 companies in Japan), and IPA (Information According to the ``Top 10 Information Security Threats 2021'' (Information Promotion Agency), in addition to external cyber attacks, information leaks due to internal improprieties rank high among threats to companies.

Therefore, in response to the trend of ``mandatory security measures for business partners'' that has already begun in Europe and the United States, it is only large companies that are reviewing their internal systems in response to ``supply chain management'', ``General Data Protection Regulations'', etc. This has become an urgent issue for small and medium-sized enterprises as well, and strict authentication is required when accessing business systems.

On the other hand, when accessing a company's business site during telework or a site that conducts electronic transactions via the network, the network endpoint (collective term for various Internet access destinations) may be a fake site prepared by a criminal. Countermeasures are also required to combat the threat of phishing scams.

In other words, there is a need for a new type of mutual authentication cybersecurity that also takes into consideration the authentication of network endpoints.

As shown in FIG. 2, in the conventional authentication process, a user accesses the in-house system 200 via an application S400 for remote access, S401 receives an authentication request S402 from the in-house system 200, and uses the "ID"・Password" is entered in S403, login S404, the ID management database 410 of the in-house system is searched, the entered ID and password are verified in S407, and after determining OK, the start of work is permitted, S408, the user It becomes possible to start work S409.

JP2020-190868 JP2019-8753

Currently, most of the security solutions used to authenticate individuals when accessing internal business systems or conducting electronic transactions via networks rely on IDs and passwords (Patent Document 1, 2).

However, with the recent increase in the speed of computers, IDs and passwords are required to be infinitely more complex, and the effectiveness of IDs and passwords as a security measure is being questioned.

Moreover, authentication using IDs and passwords requires the trouble of remembering IDs and passwords, induces human error due to forgetting them, and is constantly made aware of the threat of ``hacking'' and ``spoofing'' such as eavesdropping and diversion by third parties. It must be said that the company is in a state of bankruptcy.

On the other hand, conventional IC cards used as identification cards, financial cards, and transportation cards are offline terminals, and their internal data is highly confidential and confidential, and they are resistant to falsification or leakage due to external attacks. However, IC cards with fingerprint authentication are adjusted to function as an IC card only by comparing the registered fingerprint information of the cardholder with the cardholder's registered fingerprint information. There is no need to worry about ``spoofing,'' and it is an effective means of security.

However, even when accessing network endpoints using the aforementioned fingerprint authentication IC card, since the same ID and password are required to be entered repeatedly, complete security measures against threats such as eavesdropping are required. It has not become.

Moreover, since the validity and authenticity of network endpoints have not been verified at all, it is impossible to prevent crimes such as ``phishing scams,'' in which people are led to fake endpoints and their IDs and passwords are stolen.

Therefore, the present invention has been made in view of the above-mentioned problems, and does not require the input of an ID/password when accessing a network endpoint, guarantees the validity of personal authentication to the access destination, and provides access. The aim is to provide a complete cybersecurity measure that achieves mutual authentication that guarantees the authenticity of the destination endpoint.

The present invention uses fingerprint authentication using a Secure Finger ID card (SFID) to authenticate the user's identity when accessing Internet endpoints such as various services and business systems on the network. At the same time, as a background authentication process, a blockchain network is installed to manage and store the user's recent access history as a transaction (Tx), and an authentication agent (Authentication Provider Interface) is installed at the entrance of the endpoint. ) (API) and controls access to business systems by comparing the most recent access history recorded in SFID and blockchain on the API.
In order to enable secure data transmission and reception between the SFID and the API, a common key used for encryption and decryption is recorded in the memory inside the SFID and the personal information database connected to the API. When distributing a transaction (Tx) in which a user's access history is written to multiple nodes of multiple blockchain networks from the above API, authentication of the transaction (Tx) distribution source and data transmission on the distribution path are required. The private key of the public key encryption method necessary to verify that there has been no tampering is recorded in the memory inside the SFID, and the public key that becomes the pair is recorded in the personal information database connected to the authentication agent, An authentication system that registers new users, issues SFIDs, and verifies the validity of users' access rights and the authenticity of endpoints between SFID and API, and an authentication method using this system. This is what we propose.

In the present invention, the SFID plays the role of authenticating the user's access rights to the business system instead of IDs and passwords, so the SFID contains data that identifies the individual such as the name or employee code. The card is issued to the person with information that is not known to the person, such as a unique encryption key linked to the person, recorded and stored in advance, and then instructions on how to operate the card are required to accurately register fingerprints on the SFID card. Fingerprint registration will be performed in-person or remotely.

After an SFID card with unregistered fingerprints is issued, the event that the registration of the user's fingerprints is completed is recorded as the "user registration date" in the user's record in the "personal information database" installed in the internal system. At the same time, record data (equivalent to one transaction) is generated as the first "access history" that becomes the starting point of the blockchain, and from then on, the "access history" recorded in the blockchain and the "authentication history" recorded in the SFID are generated. By collating information. User access to the business system will be verified.

In other words, in the present invention, an SFID card is assigned to confirm the identity of a legitimate user, and a block records and manages the user's access history to the network endpoint as a "transaction (Tx)". An API that mediates the linkage between the chain network, the IC card SFID, and the blockchain network is deployed to the endpoint, and the API encrypts, decrypts, collects, distributes, and verifies the user's access history information to the endpoint. It authenticates and controls users' access from networks such as remote work.

Furthermore, in the present invention, the latest access history information is updated every time the user accesses and authenticates it, is kept secret in the SFID and the blockchain network, and is collected and distributed based on requests from the API, and verified. By doing so, it becomes a new infrastructure for cybersecurity that realizes mutual authentication of the authenticity of users and endpoints.

In the present invention, an authentication platform (Finger Identity as a Service authentication platform) (hereinafter referred to as FIDaaS authentication platform) using the user's own fingerprint authentication and endpoint access history is formed using SFID, API, and blockchain technology. It becomes possible to mutually authenticate the authenticity of the user and the authenticity of the network access site.

Furthermore, according to the present invention, the above-mentioned authentication is performed without requiring the input of a password when accessing a network endpoint, so there is no need for users to memorize IDs and passwords, and human error caused by forgetting them. It also prevents "hacking" and "spoofing" caused by eavesdropping, making it possible to protect against not only external cyber-attacks but also information leaks caused by internal fraud.

In addition, in the present invention, among multiple business systems, only particularly important business systems, such as core systems that would have a serious impact on business in the event of a cyber attack, are separated from other business systems and created as an independent endpoint. It is also possible to set up an API to perform authentication.

Furthermore, according to the present invention, in order to improve work efficiency, a plurality of related business systems are grouped into one group, and an authentication agent is provided for the endpoint of this group as one portal. It is also possible to implement a service form called single sign-on, which performs one-time authentication all at once.

According to the present invention, the authenticity of a user and the authenticity of an endpoint can be mutually authenticated, and a strict authentication infrastructure in cyberspace can be realized.

Furthermore, according to the present invention, transactions on the blockchain that are protected by user authenticity authentication and strict access history management satisfy the functional requirements as a complete signed timestamp. Therefore, it becomes possible to provide high value-added customization, such as adding and storing document information such as contracts related to business to the data record of the transaction. For example, if the business application that connects and controls this FIDaaS authentication platform is a materials management system in an in-house system, the evidence of contracts related to orders is recorded in transactions, so that order data cannot be tampered with or deleted. This enables safe storage without worrying about.

Furthermore, in the present invention, the authenticity of the user is authenticated by the SFID, and the access history written in the SFID cannot be rewritten and is compared with the content written in the blockchain transaction, which does not cause loss. The authenticity of the business system site is authenticated, the authenticity of the user and the authenticity of the business system site can be mutually authenticated, and strict authentication becomes possible.

A diagram schematically explaining the configuration of the FIDaaS authentication infrastructure according to this invention A diagram explaining the sequence of the conventional authentication process according to the present invention A diagram explaining the sequence of the authentication process in the FIDaaS authentication infrastructure according to this invention Diagram explaining mutual authentication method between SFID card and API according to SCP01 according to this invention A diagram schematically explaining the structure of the FIDaaS authentication infrastructure and the correlation of each data according to this invention Diagram showing the data structure of the blockchain of the FIDaaS authentication platform according to this invention

Hereinafter, we will use SFID fingerprint authentication to authenticate the user's identity when accessing Internet endpoints such as various web services and business system sites on the network according to the present invention, and at the same time, the user's access By deploying a blockchain network that manages and stores history as transactions, implementing an authentication agent (API) in front of the relevant endpoint, and comparing the SFID with the latest access history recorded on the blockchain, the business system A preferred embodiment for implementing cyber-physical security that checks the right to access will be described.

FIG. 1 schematically shows one configuration example of the FIDaaS authentication infrastructure.

As shown in Figure 1, the user's identity is authenticated when accessing an Internet endpoint such as a business system by fingerprint authentication using an IC card with fingerprint authentication (SFID), and at the same time, background authentication is performed. As a process, we will install a blockchain network that manages and stores the user's recent access history as transactions, implement an authentication agent (API) at the entrance of the endpoint, and add a personal information database to the authentication agent (API). In an authentication system that controls access to business systems by connecting and collating and verifying the latest access history recorded in SFID and blockchain respectively on API, SFID has an API records the first half of the hash ID and access history of the blockchain transaction, including the common key, the private key of the public key encryption method used in the blockchain network, and the user's recent access history, and The information database records the public key for decoding the common key, the private key, and the last half of the transaction hash ID. (See Figure 5)

Regarding the above authentication system, a user 100 (e.g., some selected employees or employees of a business partner) who holds SFID 110 as an identification document (e.g., employee ID card) uses a business system prepared as a work environment (e.g., An embodiment of the FIDaaS authentication platform will be described with reference to the diagram, taking as an example the case of accessing the manufacturing system 204 in the in-house system 200.

The authentication procedure in the FIDaaS authentication platform, which adopts a method different from the conventional authentication process, is performed remotely using the manufacturing system 204 in Figure 1 as an endpoint and the API 220, which is authentication agent software equipped for security against external access. FIG. 3 shows the authentication process with the SFID 110 held by the user 100 who wants to execute a business.

In step 1 of the authentication process, the authentication agent is accessed by permitting communication with the outside of the card through fingerprint authentication of the fingerprint authentication IC card in which the access history expressed as a hash value to the business system has been written. In step 2, the authentication agent obtains a common key from the personal information database, mutually authenticates the authenticity of the fingerprint authentication IC card and the authentication agent based on this common key, and generates a temporary session key to communicate. ensure security on
In step 3, the private key and access history recorded in the fingerprint authentication IC card are each encrypted with a session key and sent to the authentication agent, and the data is transferred by decoding it on the authentication agent side.
In step 4, the authentication agent combines the first half (1/2) of the access history hash value received from the fingerprint authentication IC card with the second half (2/2) of the access history hash value obtained from the personal information database. Using the hash, obtain the transaction record from the blockchain, confirm that the hash value of the access history recorded in this record matches the hash value of the access history in step 3,
In step 5, the authentication agent recognizes the validity of the user's access rights and distributes the transaction to the blockchain as a new access history, and uses the transaction hash value determined after consensus among other nodes to create a new Get the access history hash value.
In step 6, the new access history including the first half of the newly acquired transaction hash value is sent to SFID for authentication at the next access, and within SFID, after updating the access history, the API is notified of the completion of storage. After the API confirms this and updates the remaining half of the transaction hash value of the most recent access history in the personal information database record, the user is allowed to work remotely and the following , each step will be explained in detail.

Step 1
The user 100 in FIG. 3 starts up the application software S150 to perform remote work on the manufacturing system 204, and uses the fingerprint sensor mounted on the SFID 110 described in "STEP 1" S10 to print a fingerprint. By performing authentication, it is possible to communicate with the outside of the card and send and receive data stored inside the SFID 110. For example, the employee code (262 of the personal information database 260 or recorded in the memory 111 of the SFID 110 in Access the API by sending personal information (included in personal information 112).

Step 2
“STEP 2” S11 in FIG. 3 shows mutual authentication between the SFID 110 and the API 220, and subsequent processing to ensure security in mutual data communication.

In the SFID 110, a "common key K ₀ (113 recorded in the memory 111 in the SFID 110 in FIG. 5)" is recorded in advance and issued together with the personal information of the user 100. This SFID 110 and the API 220 that reads the common key K ₀ 265 from the personal information database 260 verify the authenticity of each other based on this common key. Communication security is ensured by using the "session key K _S ".

Explanation of SCP As a mutual authentication method based on a common key, there is an authentication scheme based on SCP (Secure Channel Protocol) 01 specified by "globalplatform.org", a global standardization organization for IC card security management systems. However, the case where this scheme is used will be explained below as an example.

An example of this authentication method is shown in Figure 4. SFID110 and API220 each have a common key _K0 (S501), and when starting authentication, each generates 16B (byte) random numbers Rapi and Rsfid, encrypts them with, for example, the common key _K0 , and sends them to the other party. S502. Both parties divide the random numbers received from each other into 4B units, rearrange them according to the arrangement rules in S503, and calculate the test ciphertext CRM. S504 encrypts this CRM with the common key _K0 and sets it as the session key _KS . Using this K _S as an encryption key, the random numbers Rapi and Rsfid are encrypted to calculate the ciphertext Capi and Csfid, which are sent to each other and decrypted to confirm that they return to the original random numbers. This method verifies the authenticity of each other. At the same time, SFID 110 and API 220 can safely send and receive data using this session key K _S.

Step 3
“STEP 3” S12 in FIG _. 3 means the access history recorded in the memory ₁₁₁ in the SFID in _FIG . The data is sent and received safely by encrypting it using the key K _S (each communication data is represented by X, see 10 in Figure 5), sending it to the API 220, and restoring it on the API side. Equations (1) and (2) below show examples of TS _i processing.
(Example) SFID: X _i = E (TS _i , K _S ) ... (1)
API: TS _i = E ^-1 (X _i , K _S ) ... (2)
Here, the subscript "i" means the most recent "i-th" access to the API 220 of the manufacturing system 204 of the user 100.

In the above formulas (1) and (2), E and the inverse function of E, "plaintext = E ^-1 (ciphertext, encryption key)" are used as symbols to mean the function "ciphertext = E (plaintext, encryption key)". E ^-1 was used as the meaning symbol.

Step 4
In "STEP 4" S221 in FIG. 3, a transaction hash TxH _i 12 is generated by concatenating TxH _i (1/2) 117 received from SFID and TxH _i (2/2) 266 recorded in the personal information database 260. The transaction record Tx _i 13 in Figure 5 is obtained from the blockchain database 351 using H(TS _i ) is extracted and compared with the result of calculating the hash value of the data TS _i received in "STEP 3" S12. That is, if the two match, it is verified that the legitimate holder of the SFID 110 whose identity has been verified through fingerprint authentication is the holder of the right to access the manufacturing system 204 whose authenticity has been authenticated.

Here, the symbol H(X) represents a hash function that takes data X as an argument, and the value of the calculation result is nothing but a "hash value."

A specific example of "generating by concatenating TxH _i (1/2) 117 and TxH _i (2/2) 266 recorded in the personal information database 260" mentioned above is expressed by the following formulas (3) and (4). , (5) and (6).

TxH _i = TxH _i (1/2) + TxH _i (2/2) ... (3)
TxH _i (1/2) = “6b88c87243aa29yfhhtdfh1d4rws2jb1” ・・・(4)
TxH _i (2/2) = “2b67gg32hhjrvud3343421987wev4f32” ・・・(5)
TxH _i = “6b88c87243aa29yfhhtdfh1d4rws2jb12b67gg32hhjrvud3343421987wev4f32” ... (6)

For example, it means combining 32B of data in each of (4) and (5) to create 64B of TxH _i 12 data as in (6).

Step 5
In "STEP 5" S222 of FIG. 3, as a result of the verification in "STEP 4" S221 described in [0039] above, it is recognized that the user 100 is the holder of legitimate access rights, and remote work is possible. Although permission is granted, this fact must be recorded as an access history that will be necessary for verification the next time this user 100 accesses. For this purpose, the hash value is added to the transaction Tx _i+1 (see 15 in Figure 5) that includes the hash value of the access history TS _i+1 corresponding to the current time in the blockchain network 300 shown in Figure 1, and the hash value is added to the public key. It is distributed with a digital signature obtained by encrypting it using a cryptographic method using a private key K _B. It is also called "broadcast" to multiple blockchain nodes (corresponding to 351 to 353 in Figure 1).

The blockchain node that received the transaction Tx _i+1 15 decrypts the received digital signature using the public key PK _B (employee code 262 of the personal information database 260 in Figure 5) corresponding to the private key K _B , and sends it to TxH _i By verifying a match with the hash value of ₊₁ , the sender of the transaction authenticates that the transmission is from a person who has a private key that is a pair of public keys. Verify that the data has not been tampered with.

Description of the Blockchain Network As shown in FIG. 1, data in the blockchain network 300 is recorded synchronously in a plurality of nodes 351 to 353 that constitute a distributed network. As shown in Figure 6, the data structure that makes up the blockchain is such that events related to data transmission and reception are treated as one unit, ``transaction Tx13,'' and its hash value is added as ``transaction hash ID, TxH12.'' , multiple transactions Tx13 that occurred during a certain period of time are collected (in the example in Figure 6, D1 to ID8 are shown as 8 Tx), and encrypted according to the blockchain protocol to create block units of 310 (320, 330, and 340). (Similarly), and records are connected like a chain and accumulated between nodes while verifying the validity of the block. In the example of FIG. 6, the reason for the chain structure is that the hash value 311 of the "j+1"th block 310 includes the hash value 312 generated from the "j"th information. This chain structure makes it difficult to tamper with or delete transaction data. At the same time, since data is recorded synchronously on multiple nodes, it also functions as a data backup.

In addition, a value called a nonce is added as a parameter to the calculation of the hash value of each block, and by adjusting this value, a hash value that meets the predetermined conditions is found, and the hash value is also calculated by other nodes. It is assumed that a consensus has been formed on the validity of the block by retrying to reproduce the value result, and TxH _i+1 is newly determined.

That is, as mentioned above, only after the validity of transaction Tx _i+1 (15 in Figure 5) is confirmed by another node, is it stored in the blockchain database as one of the eight transactions in block 310 in Figure 6. TxH _i+1 (see 14 in Figure 5) can be searched again.

In contrast to the conventional method in which blocks are allowed to be accumulated (for example, in the case of the blockchain of the virtual currency Bitcoin), in the case of private blockchains, restrictions on hash values are relaxed, and parameters that meet the conditions ( It is also possible to adopt a method that can quickly and easily discover nonces).

Step 6
In "STEP 6" S13 of Figure 3, the access history including the first half (1/2) of the newly determined TxH _i+1 {TS _i+1 , TxH _i+1 (1/2)} 115 is used for the next access. Within SFID, after updating the access history 115, the API is notified of the completion of storage, and the API confirms this, and the most recent access in the records of the personal information database 260 is sent to SFID for authentication. After updating the remaining half 266 of the transaction hash value of the history, remote work is permitted and the user 100 starts working on the manufacturing system 204 S151.

As mentioned above, what should be particularly noted in this invention is that in the sequence of authentication processing shown in FIG. After that, permission for remote work start S151 is issued, and the process until the start of work is automatically performed between SFID, API, and the relevant blockchain network in the background without the user's knowledge. It is a point. In other words, the trouble of entering IDs and passwords, which was a burden for the user 100, as well as the burden of remembering them, forgetting them, operational errors, and even eavesdropping are eliminated.

In Example 1, which is explained in accordance with Figure 1, important business systems among in-house systems, such as core systems that would have a serious impact on business in the event of a cyber attack (for example, the "manufacturing system" in Figure 1), are 204) is separated from other business systems and managed using the authentication infrastructure according to the present invention.

In this case, SFIDs (IC cards with fingerprint authentication) 110 will be issued and distributed to only those employees who have been selected to access a specific system.

Different from the above, in order to improve the work efficiency of internal systems, multiple related business systems are grouped together, one unified access point is established as a portal for that group, and one API (authentication agent) is established. By implementing it, you can configure and provide single sign-on (SSO) functionality within a group. For example, in the personnel system 201, accounting system 202, and materials system 203 in FIG. 1, access authentication is managed using a common API 210. That is, the user 100 is permitted to use three different services, which are conventionally managed using separate IDs and passwords, by performing one-time fingerprint authentication using an SFID card.

In summary, according to the present invention, it is possible to provide an authentication system at an endpoint in which complete security measures are taken and strict authentication is performed when accessing a network such as a business system.

100 A user of this FIDaaS authentication platform and a user of a business application that remotely accesses a manufacturing system within an in-house system 110 An SFID card (IC card with fingerprint authentication) owned by the user
111 Memory in the SFID card 112 General personal information such as the user's name and contact information recorded in the memory in the SFID 113 Between the SFID card and the business system API recorded in the memory in the SFID Common key data 114 for securely communicating data Private key data necessary for the public key cryptosystem used in the FIDaaS authentication infrastructure of the present invention, which is recorded in the memory in the SFID. Pairs with the public key used for the employee code.
115 History of the most recent access to the business system by the holder of this SFID, recorded in the memory of the SFID 116 History of the most recent access to the business system by the holder of this SFID, recorded in the memory of the SFID Access time data 117 Data in the first half of the transaction hash ID of the transaction containing the most recent access history to the business system recorded in the blockchain database, which is recorded in the memory in the SFID 120 Finger used for fingerprint verification 200 Entire internal system including multiple business systems that allow remote access 201 Human resources system that allows remote access among internal systems 202 Accounting system that allows remote access among internal systems 203 Material system that allows remote access among internal systems 204 Manufacturing systems that allow remote access among in-house systems 205 R&D systems that allow remote access among in-house systems 206 System management operations that allow remote access among in-house systems.
210 Authentication agent software (API: Authentication Provider Interface) that treats the human resources system, accounting system, and materials system among internal systems as one joint access point and controls access.
220 Authentication agent software (API) that controls access to manufacturing systems within an in-house system. Mentioned by way of example in the description of embodiments of the invention 230 Authentication Agent Software (API) that controls access to the R&D system within the internal system.
240 Authentication agent software (API) that controls access to system management operations within an in-house system.
260 A database that records and manages the personal information of all users who access internal systems 261 General personal data records such as users' names and contact information in the "Personal Information Database" 262 "Personal Information Database" 263, 267 "This is a record that records the employee code, and the public key paired with the private key hidden in the SFID, which is necessary for the public key encryption method used in the FIDaaS authentication infrastructure of the present invention, is used as the employee code. 263, 267 " Preliminary data record in the "Personal Information Database" 264 Data record in the "Personal Information Database" of the time when fingerprint registration on the user's SFID card was completed or the time when the user was registered with access rights to the business system. 265 A data record in the "Personal Information Database" that records the common key for securely communicating data between the user's SFID card and the business system's API.
266 Data record in the “Personal Information Database” where the data in the second half of the transaction hash ID of the transaction in which the most recent access history to the business system recorded in the blockchain database is recorded 300 Blockchain network 310 The “J+1”th block in the blockchain database corresponding to one of the nodes. Blocks are accumulated in ascending order starting from the smallest number.
311 Hash value representing the “J+1”th block in the blockchain database 312 Hash value representing the “J”th block in the blockchain database 313, 314 Hash value representing the “J+1”th block in the blockchain database This figure shows a hash tree (Merkle tree) consisting of eight pieces of transaction data that make up a block and its root.
320 The “J” block in the blockchain database.
340 A block in which the access history starting from the "time of new user registration" or "time of completion of fingerprint registration on SFID card" in the blockchain database is recorded.
350 Cloud where blockchain nodes 351, 352, and 352 are placed
S400 to S409 show each processing step of a flowchart of a conventional authentication process for remote access.
410 ID management database used in traditional authentication process for remote access
S150 As an example of an embodiment of the present invention, application software for remotely accessing the API of a manufacturing system
S151 As an example of the embodiment of the present invention, this refers to the process of obtaining API authentication and starting remote work to the manufacturing system.
S10 to S13 As an example of the embodiment of the present invention, each processing step of the process of verifying user access rights and mutual authentication of endpoints between SFID and API, which is required when implementing remote work in a manufacturing system, will be explained. show.
S221 to S222 As an example of the embodiment of the present invention, between an API and a blockchain database of data necessary for user access rights and mutual authentication of endpoints required when implementing remote work of a manufacturing system This shows each reading and writing process.
S500 to S505 Each processing step of a flowchart of a mutual authentication process between an SFID card and an API based on the authentication scheme SCP01 specified by the global standardization organization for IC card safety management systems is shown.
10 Based on the authentication scheme SCP01, encrypted data sent from SFID to the API using a session key that is recalculated every time there is an authentication.11 Based on the authentication scheme SCP01, the session key is recalculated every time there is an authentication. Encrypted data sent from the API to SFID using the session key 12 Transaction hash ID of the transaction containing the most recent access history to the business system recorded in the blockchain database
13 Transaction record containing the most recent access history to the business system recorded in the blockchain database 122 Employee code indicating the user included in the transaction data containing the most recent access history to the business system. A public key 123 paired with a private key hidden in the SFID necessary for the public key cryptosystem used in the FIDaaS authentication infrastructure of the present invention Business operations included in transaction data that describes the most recent access history to the business system Latest access time data to the system 124 Preliminary record 125 included in the transaction data that records the latest access history to the business system Customization included in the transaction data that records the latest access history to the business system Reserve record 14 used for transaction hash ID of the transaction record containing access history data immediately after authentication of access rights to the business system is completed
15 Transaction record containing access history data immediately after authentication of access rights to the business system is completed

Claims (3)

The user's identity is authenticated when accessing an Internet endpoint by fingerprint authentication using an IC card with fingerprint authentication, and at the same time, as a background authentication process, the user's most recent access history is recorded as a transaction. A blockchain network for management and storage is installed, an authentication agent is installed at the entrance of the endpoint, and the most recent access history recorded in the fingerprint authentication IC card and the blockchain are verified on the authentication agent. Encryption/decryption to enable secure data transmission and reception between an IC card with fingerprint authentication and an authentication agent in an authentication system characterized by controlling access to services and business systems by The common key used for authentication is recorded in the internal memory of the fingerprint authentication IC card and the personal information database connected to the authentication agent, and the transactions in which the user's access history is written are stored in multiple blockchain networks. When distributing transactions from the authentication agent to multiple nodes, fingerprint authentication is performed to authenticate the private key of the public key encryption method, which is necessary to authenticate the source of the transaction and to verify that the data has not been tampered with during the transfer route. The paired public key is recorded in the internal memory of the IC card with a fingerprint authentication, and the paired public key is recorded in the personal information database connected to the authentication agent, and the new user is registered and an IC card with fingerprint authentication is issued. An authentication system characterized by verifying mutual authentication of the validity of access rights and the authenticity of an endpoint between an IC card with fingerprint authentication and an authentication agent. Among multiple business systems, only particularly important business systems are separated from other business systems and used as endpoints, and an authentication agent is installed at the entrance of that business system to control authentication. Claim 1, characterized in that it is also possible to realize a method in which a plurality of related business systems are grouped into one group, and an authentication agent is provided with this group as one end point to collectively authenticate the business systems in the group. Authentication system described. High security is achieved by adding document information of business contracts to the transaction data record and storing it in blockchain transactions, which are protected by user authenticity authentication and strict access history management. 2. The authentication system according to claim 1, wherein the authentication system makes it possible to implement a signed time stamp function.

Images