JP7408486B2 - Evidence preservation method - Google Patents

Description

The present invention relates to an evidence preservation system that is established by generating and verifying electronic signatures.

When transacting financial products such as insurance products or signing real estate sales and rental contracts, a person with business qualifications is required to explain important matters to the contract holder. At that time, it is necessary to leave evidence of who (the person with the qualifications) and who (the contractor) explained important matters and obtained consent.

When explaining important matters in a non-face-to-face manner via a communication network such as an internetwork, the person is required to present an identification card, qualification certificate, etc. to confirm the person's identity. It is also recommended that footage of the process be saved as evidence.

However, stored data such as videos includes the person's face, voice, and information used to confirm the identity of the person, and must be strictly managed as personal information to prevent misuse.

Therefore, one possible method for managing data that includes personal information is to extract and process data that is subject to personal information protection before storing it. For example, in Patent Document 1, an electronic signature is generated using a set of data containing personal information and data that has been processed to protect personal information, and by signing the processed data, the original data is A method has been disclosed that can guarantee and manage the linkage.

WO2018/207424

When explaining important matters via the network, it is required to save a video of the process in progress as evidence, but personal information about the process will also be saved. As a management method for data containing personal information, as described in Patent Document 1, there is a method of processing and managing target data in order to protect personal information. It cannot be used as evidence because it cannot be clarified whether the person was protected.

Therefore, an object of the present invention is to generate data that can be used as evidence for explaining important matters while protecting personal information.

A preferred aspect of the present invention is an evidence preservation system that processes recorded data of a video conference between a first terminal and a second terminal that communicate via a network. This system includes a processing unit that can use an identity verification unit. The processing unit causes the identity verification unit to match the first user's own image data acquired by the first terminal with the first user's image-attached certificate. When the first user's image is successfully matched, the processing unit may store the first user's first private key, first public key, first self-signed certificate, and the first user's first private key, first public key, and first self-signed certificate. First information for restoring the first secret key is generated from one user's own image data.

A preferred aspect of the present invention is an evidence preservation method that is executed in an evidence preservation system that processes recorded data of a video conference between a first terminal and a second terminal that communicate via a network. In this method, the evidence preservation system sends the first user's own image data and the first user's image-attached certificate to the identity verification unit, which are acquired by the first terminal during the video conference. a first step of collating the first private key and the first public key of the first user when the first user's image is successfully collated; a second step in which the processing unit issues a public key certificate of the second user in response to a request from the second terminal; a third step in which the evidence preservation system issues the public key certificate to the processing unit; a fourth step of generating first processed data by deleting or concealing information identifying the first user from the recorded data of the video conference; , a fifth step of executing an electronic signature using the first private key.

According to the present invention, it is possible to generate data that can be used as evidence for explaining important matters while protecting personal information. Problems, configurations, and effects other than those described above will be made clear by the following description of the embodiments.

1 is a diagram showing an overall system configuration of hardware according to a first embodiment of the present invention. 1 is a functional block diagram of a user terminal according to a first embodiment of the present invention. FIG. It is a figure showing an example of a display on a display of a user terminal concerning a 1st embodiment of the present invention. FIG. 2 is a functional block diagram of a vendor terminal according to the first embodiment of the present invention. It is a figure showing an example of a display on a display of a trader terminal concerning a 1st embodiment of the present invention. FIG. 2 is a functional block diagram of an in-house server according to the first embodiment of the present invention. FIG. 3 is a diagram showing an example of data processing in the signature assigning system according to the first embodiment of the present invention. FIG. 3 is a diagram showing an example of data processing in the signature assigning system according to the first embodiment of the present invention. FIG. 2 is a functional block diagram of an internal audit server according to the first embodiment of the present invention. FIG. 3 is a data structure diagram of the storage unit of the internal audit server according to the first embodiment of the present invention. FIG. 2 is a sequence diagram showing main processing of the evidence preservation system according to the first embodiment of the present invention. FIG. 3 is a diagram showing an example of display transition on the display of the vendor terminal according to the first embodiment of the present invention. FIG. 2 is a sequence diagram showing mutual identity verification processing according to the first embodiment of the present invention. It is a flowchart which shows the verification process of the person identification in the mutual identification process based on 1st Embodiment of this invention. FIG. 2 is a sequence diagram showing mutual public key certificate issuing processing according to the first embodiment of the present invention. FIG. 3 is a diagram showing an electronic signature method. FIG. 2 is a sequence diagram showing main processing of the audit system according to the first embodiment of the present invention.

Embodiments will be described in detail using the drawings. However, the present invention should not be construed as being limited to the contents described in the embodiments shown below. Those skilled in the art will readily understand that the specific configuration can be changed without departing from the spirit or spirit of the present invention.

In the configuration of the invention described below, the same parts or parts having similar functions may be designated by the same reference numerals in different drawings, and overlapping explanations may be omitted.

When there are multiple elements having the same or similar functions, the same reference numerals may be given different subscripts for explanation. However, if there is no need to distinguish between multiple elements, the subscript may be omitted in the explanation.

In this specification, etc., expressions such as "first," "second," and "third" are used to identify constituent elements, and do not necessarily limit the number, order, or content thereof. isn't it. Further, numbers for identifying components are used for each context, and a number used in one context does not necessarily indicate the same configuration in another context. Furthermore, this does not preclude a component identified by a certain number from serving the function of a component identified by another number.

The position, size, shape, range, etc. of each component shown in the drawings etc. may not represent the actual position, size, shape, range, etc. in order to facilitate understanding of the invention. Therefore, the present invention is not necessarily limited to the position, size, shape, range, etc. disclosed in the drawings or the like.

The publications, patents, and patent applications cited herein are incorporated in their entirety.

Elements expressed in the singular herein shall include the plural unless the context clearly dictates otherwise.

This example generates its own private key during the explanation of important matters, and signs the data with hidden personal information with the other party to whom the explanation of important matters is carried out, thereby protecting personal information while providing important information. To provide an evidence preservation system that can be used as evidence for explanations. Therefore, signatures are performed twice, once during the explanation of important matters, and once after the explanation has been completed, and these signatures are verified in order.

The first signature is performed when issuing the other party's public key certificate after the identity verification is completed before explaining important matters. The party giving the explanation issues and signs the public key certificate of the party receiving the explanation, and the party receiving the explanation issues and signs the public key certificate of the party giving the explanation using his own private key. The key for signing is a public biometric infrastructure (hereinafter referred to as PBI), which is a publicly known technology, based on your own biometric information (face, etc.) during the explanation of important matters. Create to. The second signature is performed on the processed data in which the individual's personal information is hidden in the video being performed, after the explanation of important matters has been completed.

On the other hand, verification is performed from the second signature. By verifying the second electronic signature, it is possible to verify who signed the processed data. Next, the signer's public key certificate is verified. Since the public key certificate includes the electronic signature given as the first signature, this means that the first electronic signature is verified. By verifying the electronic signature signed the first time, it is possible to link the person holding the public key certificate with the person who issued it (the signer of the first signature). In other words, it can be said that the person of the public key certificate has a relationship with the first signer who has explained important matters.

Next, the processed data is visually checked to confirm whether the first signer is a person who is not hidden in the processed data, and the verification result is compared with the person who is hidden in the processed data. The second signature is used to prove that the person is the person who signed the processed data. From the above, it is clear that the processed data was processed to protect the personal information of the person who signed the processed data, and this can be evidence that important matters were explained.

[Description of the entire hardware system]
FIG. 1 is a diagram showing the overall system configuration of hardware according to the first embodiment of the present invention. This system is a system for explaining important matters before contracting for a service through a video conference over a network, and signing and verifying the content of the explanation and the generated video. Here, the explanation of important matters is carried out in order to confirm the intention of the contractor (hereinafter referred to as the user) before concluding the contract. It includes three elements of explanation of important matters. Furthermore, in a narrow sense, videoconferencing refers to the transmission and reception of images, including audio, over a network, and is a system that enables dialogue between people in remote locations, and that can be used by two or more people. say. However, in this specification, when simply referring to a video conference, it refers to a series of processes from the start to the end of communication performed for a video conference in a narrow sense, and refers to authentication and signatures that do not require the transmission and reception of video including audio. shall include communications for. Below, we will explain the procedure for explaining important matters during a video conference and the procedure for signing and verifying recorded videos.

As shown in FIG. 1, this system includes a user terminal 1 used by a user, an identification card 6 used for user identification, a vendor terminal 2 used by a vendor, and a qualification certificate used for vendor identification. 7, an in-house server 3 of the company to which the vendor belongs, an in-house audit server 4, and a network 5. The user terminal 1 is connected to a vendor terminal 2 via a network 5. Further, the vendor terminal 2, the in-house server 3, and the in-house audit server 4 are communicably connected via the network 5.

Additionally, FIG. 1 shows an identification card 6 for confirming the user's identity and a qualification certificate 7 for confirming the business qualifications of the vendor, which are necessary for explaining important matters. . Here, the identification card 6 is defined as a card (for example, a driver's license) on which the user's name, address, date of birth, and facial image are written. In addition, the qualification certificate 7 is a card-shaped paper on which the name, address, date of birth, face image, and qualification registration number of the business operator are written (for example, a real estate transaction certificate). or rental real estate management certificate). In the system shown in FIG. 1, a user or business person uses the external interface of each terminal to display his or her own identification card 6 or qualification certificate 7 (hereinafter collectively referred to as identification card and qualification certificate) during a video conference. (This is called an identity verification certificate.)

Further, FIG. 1 shows a contract 8 and an important matter explanation sheet 9 that are necessary for carrying out the explanation of important matters. Contract 8 refers to a contract in which the contract number and contract contents are specified. The important matter explanation manual 9 is created in accordance with the law and contract contents, and an important matter manual number linked to the contract number is prepared. The contract 8 and the important matter manual 9 may be paper media or electronic files. Furthermore, the user does not need to receive the contract 8 from the vendor before the teleconference is implemented.

[Description of functional block diagram of user terminal]
The user terminal 1 shown in FIG. 2A is a terminal device used by a user, and is capable of holding a video conference with a vendor terminal 2 via the network 5. The user terminal 1 includes a communication section 10, a display section 20, an external interface section 30, and a processing section 40.

The communication unit 10 connects to the vendor terminal 2 via the network 5, cooperates with the above-mentioned functional units, and executes various functions.

The communication section 10 includes a data reception section 11 and a data transmission section 12. The data receiving unit 11 receives data transmitted from the vendor terminal 2 via the network 5. Specifically, the in-house server 3 processes the video during the video conference and the ID card 6 and qualification certificate 7 presented during the video conference to generate the ID card 6 and the qualification certificate 7. It consists of an image and text data of the contents written on the face of the ticket. The data transmitter 12 transmits the video during the video conference, the user's input data, and the signed data to the vendor terminal 2.

The display section 20 has a function of displaying data from the communication section 10 through the user's display 34, and includes a video display section 21, a received data display section 22, and an intention expression display section 23. The video display section 21 displays video during the video conference.

FIG. 2B is a diagram showing a display example on the display 34 of the user terminal 1. The display screen displayed on the display 34 by the video display unit 21 corresponds to an own video display portion 2001 and an opponent video display portion 2002. The received data display unit 22 displays image data of the identification card 6 or qualification certificate 7 received by the communication unit 10 and text data written on the face of the card. The display screen displayed by the received data display section 22 corresponds to a display portion 2003 of received data. Further, when an editing instruction request is received, the text data is made editable and displayed on the display 34. When user input occurs, the input data is transmitted from the communication unit 10 to the vendor terminal 2. The expression of intention display section 23 displays a screen on the display 34 of the user terminal 1 that is composed of text for expressing the intention and a YES button, as shown in the expression of intention display section 2004 . Input data of button presses by the user is transmitted to the vendor terminal 2 through the communication unit 10.

Returning to FIG. 2A, the external interface section 30 includes a camera 31, a microphone 32, a speaker 33, and a display 34.

The camera 31 has a function of photographing the user. Furthermore, the microphone 32 and speaker 33 serve as an input/output function for audio during a video conference. Further, the display 34 displays data on a screen.

The processing unit 40 has various functions for executing important matter explanation, and includes a PBI execution unit 42 and an important matter explanation execution unit 41.

The PBI execution unit 42 includes a key generation unit 43, a public key certificate issuing unit 44, and a signature adding unit 45. The key generation unit 43 generates a PBI template, a private key, and a public key while capturing a face image based on the flow shown in FIG. 10 . The public key certificate issuing unit 44 issues a public key certificate for a vendor based on a request from the vendor terminal 2. A public key certificate is a certificate that proves the connection between a public key and identification information of its owner (in this case, a business). It usually also contains data about the public key itself. The signature adding unit 45 applies an electronic signature to the object based on the flow shown in FIG. Here, the object is processed data from which the user's personal information has been deleted, which is generated by processing the vendor's public key and its identification information, and the recorded data of the video conference.

The important matter explanation execution unit 41 executes an important matter explanation execution program in order for the vendor terminal 2 to execute various processes.

[Explanation of functional block diagram of vendor terminal]
The vendor terminal 25 shown in FIG. 3A is a terminal device used by a vendor, and can hold a video conference with the user terminal 1 via the network 5. Further, it can be connected to the in-house server 3 and the in-house audit server 4 via the network 5. The vendor terminal 2 includes a communication section 50, a display section 60, an external interface section 70, and a processing section 80.

The communication unit 50 connects to the user terminal 1, the internal server 3, and the internal audit server 4 via the network 5, and cooperates with the above-mentioned functional units to execute various functions.

The communication section 50 includes a data receiving section 51 and a data transmitting section 52. The data receiving unit 51 receives data transmitted from the user terminal 1 and the in-house server 3 via the network 5. Specifically, from the user terminal 1, a video during a video conference, input data and signed data transmitted from the user terminal are received. In addition, from the in-house server 3, the images of the identification card 6 and the qualification certificate 7 processed by the in-house server 3, the text data of the contents written on the face of the ticket, and the results of the contract audit conducted at the time of the trouble are transmitted. Receive. The data transmitting unit 52 transmits to the in-house server 3 the video during the video conference, the user's input data, the signed data, and the contract number for auditing the contract when a trouble occurs.

The display section 60 has a function of displaying the data from the communication section 50 through the vendor's display 74, and includes a video display section 61, a received data display section 62, and an important matter explanation manual display section 63. The video display section 61 displays video during the video conference.

FIG. 3B is a diagram showing an example of a display on the display 74 of the vendor terminal 25. The display screen displayed by the video display unit 61 corresponds to the other party's video display portion 3001 and the own video display portion 3002 in FIG. 3B. The received data display section 62 displays the image data of the identification card 6 or qualification certificate 7 received by the communication section 50 and the text data written on the face of the card. The display screen displayed by the received data display section 62 corresponds to the received data display portion 3003. Further, when an editing instruction request is received, the text data is made editable and displayed on the display. When a trader's input occurs, the input data is transmitted from the communication section 50 to the in-house server 3. The important matter explanation manual display section 63 displays guidance according to the execution status of the important matter explanation implementation program on the display 74 of the vendor terminal 2. The display screen is composed of text indicating the operating procedure for explaining important matters, text for expressing the intention of the vendor, and a YES button, as in the important matter explanation manual display portion 3004. Input data of a button press by a trader is transmitted to the in-house server 3 through the communication section 50.

The external interface unit 70 includes a camera 71, a microphone 72, a speaker 73, and a display 74.

The camera 71 has a function of photographing the user. Furthermore, the microphone 72 and the speaker 73 serve as an input/output function for audio during a video conference. Further, the display 74 displays data on a screen.

The processing unit 80 has various functions for executing important matter explanation, and includes a PBI execution unit 82 and an important matter explanation execution unit 81.

The PBI execution section 82 includes a key generation section 83 , a public key certificate issuing section 84 , and a signature adding section 85 . The key generation unit 83 generates a PBI template, a private key, and a public key while capturing a face image based on the flow shown in FIG. 10 . The public key certificate issuing unit 84 issues a user's public key certificate based on a request from the user terminal 1. The signature adding unit 85 applies an electronic signature to the object based on the flow shown in FIG. Here, the object is processed data that is generated by processing the user's public key and its identification information, and recorded data of a video conference, with personal information of the vendor removed.

The important matter explanation execution unit 81 executes an important matter explanation execution program in order for the vendor terminal 2 to execute various processes.

[Explanation of the functional block diagram of the internal server]
The in-house server 3 shown in FIG. 4A is connected to the vendor terminal 2 via the network 5, and performs video recording, video processing, and identity verification during the video conference held between the user terminal 1 and the vendor terminal 2. It is a device. Here, identity verification is based on the basic information (name, address, date of birth) and facial image written on the presented user's identification card 6 or the vendor's qualification certificate 7. The purpose of this is to verify whether the person is the person indicated by the identity verification certificate. The in-house server 3 includes a control section 90 and an identity verification section 100. Note that at least one of the user terminal 1 and the vendor terminal 2 may have the function of the in-house server 3.

The control section 90 includes a communication section 91, a recording section 92, and a processing section 93. The communication unit 91 connects to the vendor terminal 2 via the network 5 . The recording unit 92 records the video of the display screen of the display 74 of the vendor terminal 2 during the video conference. The processing unit 93 is a device that processes a specific portion of a video that has been recorded. Here, processing refers to processing to hide the face, voice, and presented identity verification certificate of the other party in the video conference in order to protect personal information.

FIG. 4B is a diagram illustrating a display example of processed data A of a moving image after data processing that hides the user's personal information such as the user's video display portion 4001 and the user data display portion 4002 in the signature adding system. . The area shown in gray is hidden (or deleted), and a video display area 4003 of the vendor and an important matter explanation manual display area 4004 are shown.

FIG. 4C is a diagram illustrating a display example of processed data B of a moving image that has been processed to hide personal information of a vendor, such as a video display portion 4003 of the vendor, a display portion 4005 of vendor data, etc., in the signature adding system. . The area shown in gray is hidden (or deleted), and a user video display portion 4001 and an important matter explanation manual display portion 4004 are shown.

The identity verification section 100 includes a certificate detection section 101, an OCR (Optical Character Recognition) section 103, and a face image matching section 102. The certificate detection unit 101 detects the presented identity verification certificate from the video received by the control unit 90 (communication unit 91). The OCR unit 103 reads the name, address, date of birth, qualification registration number, etc. from the detected image of the identity verification certificate, and creates text data. The face image matching unit 102 performs face authentication using the received video and the detected face image of the identification certificate, and matches the two. The result of the identity verification determined through processing by the OCR section 103 and the face image matching section 104 is transmitted to the vendor terminal 2 through the control section 90 (communication section 91).

[Explanation of the functional block diagram of the audit server]
The internal audit server 4 shown in FIG. 5A stores signed videos and public key certificates, and plays the role of verifying the stored data as part of a contract audit if a trouble occurs after the contract is concluded. The internal audit server 4 is connected to the vendor terminal 2 via the network 5.

The internal audit server 4 includes a data receiving section 110, a storage section 113, a signature verification section 111, and an audit result transmitting section 112. The data receiving unit 110 connects to the vendor terminal 2 via the network 5 and receives the signed data, the contract number, and the important matter explanation number. Here, the signed data includes the processed video and the public key certificate of the vendor that are signed by the user, and the processed data and the public key certificate of the user that are signed by the vendor. The storage unit 113 is a storage area for storing the received signed data and contract number in association with each other. The signature verification unit 111 acquires signed data associated with the received contract number. It also verifies who gave the electronic signature. The audit result transmitting unit 112 verifies the electronic signature and the processed video and transmits the determined result to the vendor terminal 2. Note that the function of the internal audit server 4 may be provided by the vendor terminal 2.

FIG. 5B is a diagram showing the data structure of data corresponding to one contract number stored in the storage unit 113. For contract number 1131, important matter explanation number 1132, processed video 1133 with the user's signature in which the user's personal information is hidden, processed video 1134 with the vendor's signature in which the vendor's personal information is hidden, and the user with the vendor's signature 1135, the vendor's public key certificate with the user's signature 1136, the user's public key certificate with the user's signature (user's self-signed certificate) 1137, the vendor's public key certificate with the vendor's signature ( A trader's self-signed certificate) 1138, a user PBI template 1139 created by the user, and a trader PBI template 1140 created by the trader are stored in association with each other. As a specific example, data shown in FIG. 5B is recorded in association with one video conference in which one important matter was explained. As shown in FIG. 5B, the private key itself is not stored in the internal audit server 4. The private key can only be used by the person using his/her biometric information and PBI template, so the risk of the private key being leaked is low.

The terminals and servers whose functional blocks are shown in FIGS. 2A, 3A, 4A, and 5 can be configured with general computers. As is well known, a computer includes an input device, an output device, a processing device, and a storage device. In this embodiment, the calculation and control of functions other than hardware such as cameras, microphones, speakers, and displays are performed by a processing device that executes a program stored in a storage device. Realized in collaboration with hardware. A program executed by a computer or the like, its function, or a means for realizing that function may be called a "function," "means," "section," "unit," "module," etc. It is assumed that each program is stored in advance in the storage device of each terminal or server by a well-known method such as downloading from a network.

The above configuration may be configured by a single computer, or any part of the input device, output device, processing device, storage device, etc. may be configured by other computers connected via a network. .

In this embodiment, functions equivalent to those configured by software can also be realized by hardware such as FPGA (Field Programmable Gate Array) and ASIC (Application Specific Integrated Circuit).

[Explanation of main processing sequence diagram]
Referring to FIG. 6A, a main processing sequence of the evidence preservation system using a video conference in this embodiment will be described. FIG. 6A is a sequence diagram showing processing during a video conference in a user terminal, a vendor terminal, an in-house server, and an in-house audit server according to the first embodiment of the present invention.
FIG. 6B is a diagram showing an example of display transition on the display 74 of the vendor terminal 2.

First, in step S100 of FIG. 6A (hereinafter, the step is omitted, e.g. S100), a user and a vendor who wish to explain important matters using a video conference start up the video conference system of the user terminal 1 and the vendor terminal 2. , start a video conference. This connects the user terminal 1 and the vendor terminal 2, making it possible to exchange images including audio. Thereafter, the display section 60 (important matter explanation manual display section 63) of the vendor terminal 2 sequentially displays guidance on operations for explaining important matters according to the execution status of the important matter explanation execution program of the important matter explanation execution section 81. Output.

First, the important matter explanation manual display unit 63 outputs a button (YES) to start recording the video conference (see screen 1 in FIG. 6B). When the vendor presses the displayed button, recording is started on the in-house server 3 in S101.

Next, the important matter explanation manual display unit 63 outputs a button (YES) for requesting the start of mutual identity verification in order to verify the identity of the user and the vendor connected via video conference (see screen 2 of FIG. 6B). ). When the trader presses the request acceptance button (YES), mutual identity verification in S102 is started.

[Explanation of mutual identity verification sequence diagram]
FIG. 7 shows a sequence of processing between the vendor terminal 2 and the in-house server 3 in mutual identity verification S102.
In S200 of FIG. 7, the communication unit 50 of the vendor terminal 2 transmits a notification of the start of user identification to the in-house server 3 in accordance with the button input received by the important matter explanation manual display unit 63.

Next, in S201, the in-house server 3 that received the notification acquires the user's image from the video of the video conference. The user's image is received by the communication unit 50 of the vendor terminal 2 from the user terminal 1 . When obtaining an image of a user, the merchant may ask the user to provide identification or provide instructions on a display.
In S202, the identity verification unit 100 verifies the user's identity.

[Explanation of identity verification flow diagram]
Here, the verification of identity verification S202 (and S207) will be explained based on FIG. 8.
In S300 of FIG. 8, the identity verification unit 100 (certificate detection unit 101) determines whether the identity verification certificate can be detected from the acquired image. If it is detectable (S301: YES), the identity verification unit 100 moves the process to S301. On the other hand, if detection is not possible (S301: NO), the identity verification unit 100 moves the process to S306A.

Next, in S301, the face image matching unit 102 performs image processing. Here, image processing is a process that performs face authentication using the face image in the video image captured during the video conference and the face image written on the detected identity verification certificate, and then compares the two. be.

Next, in S302, if the verification results match (S302: YES), the identity verification unit 100 moves the process to S303. On the other hand, if the verification results do not match (S302: NO), the identity verification unit 100 moves the process to S306A.

Next, in S303, the OCR unit 103 performs character recognition processing, converts the character string written in the identification certificate into text, and creates text data. In the case of the identification card 6, the text data is basic information for identifying an individual, or in the case of the qualification certificate 7, it is a qualification registration number, etc., and both of them include each item name.

Next, in S304, it is determined whether there is an instruction to edit the text data (OCR result) created by the OCR unit 103. If the text data has been edited (S304: YES), the identity verification unit 100 moves to S305. On the other hand, if the information has not been edited (S304: NO), the identity verification unit 100 moves to S306. Here, the case of editing refers to a case where there is an error in character recognition or a change in the written items.

Next, in S305, the OCR unit 103 modifies the text data according to the edited content. At this time, in order to detect fraud, the OCR unit 103 may compare the data with the data before editing and determine whether to modify based on the difference in the amount of modification. Edited content can be confirmed by both the user and the vendor via video conference.

Next, in S306, the identity verification unit 100 determines that the identity verification is successful. Thereafter, this process is ended and the process moves to S203 in FIG.

On the other hand, in S306A, the identity verification unit 100 determines that the identity verification has failed. Thereafter, this process is ended and the process moves to S203 in FIG.

[Explanation of mutual identity verification sequence diagram]
Returning to FIG. 7, in S203, the control unit 90 (communication unit 91) transmits the user's identity verification result to the vendor terminal 2.

Next, in S204, if the result of the user's identity verification is successful (S204: YES), the important matter explanation manual display unit 63 outputs to the display 74 of the vendor terminal 2 that the user's identity verification has been completed. On the other hand, if the result is failure (S204: NO), the process moves to S211.

Next, in S<b>205 , the important matter explanation manual display unit 63 displays the start of the vendor's identity verification on the in-house server 3 , and the data transmitting unit 52 transmits a notification to the in-house server 3 . Next, in S206, the in-house server 3 that received the notification acquires an image of the vendor from the video of the video conference.

In S207, the identity verification unit 100 verifies the identity of the merchant in the same way as the user (see FIG. 8). The image of the vendor is acquired from the external interface section of the vendor terminal 2.

Next, in S208, the communication unit 91 transmits the result of the merchant's identity verification to the merchant terminal 2.

Next, in S209, if the result of the identity verification of the merchant is successful (S209: YES), the important matter explanation manual display unit 63 outputs to the display 74 of the merchant terminal 2 that the identity verification of the merchant has been completed. On the other hand, if the result is failure (S209: NO), the process moves to S211.

Next, in S210, the important matter explanation manual display section 63 outputs to the display 74 of the vendor terminal 2 that the mutual identity verification between the user and the vendor has been completed. Thereafter, the vendor terminal 2 and the in-house server 3 end this process and move the process to FIG. 6A.

[Explanation of main processing sequence diagram (continued)]
Returning to FIG. 6A, the important matter explanation manual display section 63 outputs a screen for issuing a mutual public key certificate. When the vendor presses a button on the screen, the issuance of the mutual public key certificate in S103 is started.

[Explanation of mutual public key certificate issuance sequence diagram]
Here, mutual public key certificate issuance S103 will be explained using FIG. 9. FIG. 9 is a sequence diagram showing the issuance of mutual public key certificates among the user terminal 1, the vendor terminal 2, and the internal audit server 4.

In S400 of FIG. 9, the important matter explanation manual display section 63 outputs a button (YES) for requesting private key generation (see screen 3 of FIG. 6B). When the vendor presses the request acceptance button (YES), the issuance of the mutual public key certificate in S103 is started.

The communication unit 50 (data transmitting unit 52) of the vendor terminal 2 transmits a key generation execution request to the user terminal 1. After that, in S401 and S402, the PBI execution unit 42 of the user terminal 1 generates a private key, a public key, a self-signed certificate (a public key certificate in which a public key is signed with a corresponding private key), and a PBI template as shown in FIG. Generate the key based on the key generation flow. Thereafter, in S403, the communication unit 10 (data transmitting unit 12) of the user terminal 1 transmits a response indicating completion of key generation to the vendor terminal 2.

Further, in S404 and S405, the PBI execution unit 82 of the vendor terminal 2 generates a private key, a public key, a self-signed certificate, and a PBI template based on the key generation flow shown in FIG.

Next, in S406, the communication unit 50 (data transmitting unit 52) of the vendor terminal 2 transmits the public key to the user terminal 1 and requests the issuance of the vendor's public key certificate. At that time, the public key certificate should include the name of the vendor, the name of the user as the issuer, and items to be linked to the ongoing video conference, such as the contract number and important matter explanation number. Give instructions.

Next, the display section 20 (display section 23 for declaration of intention) of the user terminal 1 outputs a button (YES) for consenting to issuance of a public key certificate (see screen 4-2 in FIG. 6B). When the user presses the issue consent button (YES), the PBI execution unit 42 (public key certificate issuing unit 44) of the user terminal 1 issues the vendor's public key certificate in S407.

In step S407, the public key certificate of the person with whom the user is having a conversation through the video conference, that is, the vendor whose qualifications have been confirmed, is issued using the user's own private key. Thereafter, in S408, the issued vendor's public key certificate is transmitted to the vendor terminal 2. The vendor terminal 2 transmits the transmitted vendor's public key certificate, the self-signed certificate generated by itself, and the PBI template to the internal audit server 4. In S409, the internal audit server 4 stores the vendor's public key certificate 1136 with the user's signature, the vendor's public key certificate with the vendor's signature (self-signed certificate) 1138, and the vendor's PBI template 1140 in the storage unit 113. Save to. Note that the PBI template 1140 may be stored in the vendor terminal 2.

As explained in FIG. 10, the user's PBI template 1139 is generated by the key generation unit 43 by extracting features from the user's image captured by the camera 31 as feature data, and by unidirectionally converting the feature data. . The PBI template 1140 for a trader is generated by the key generation unit 83 by extracting features from the picture of the trader captured by the camera 71 as feature data, and by unidirectionally converting the feature data. The PBI template is used to recover the private key from the user's or vendor's image feature data.

Next, in S410, the communication unit 10 (data transmitting unit 12) of the user terminal 1 transmits the public key to the vendor terminal 2 to request issuance of the user's public key certificate. At that time, the public key certificate should include the user's name, the name of the issuer, and items such as the contract number and important matter explanation number that will be linked to the ongoing video conference. Give instructions.

Next, the display unit 60 (important matter explanation manual display unit 63) of the vendor terminal 2 outputs a button (YES) to approve the issuance of the public key certificate (see screen 4 in FIG. 6B). When the vendor presses the issue consent button (YES), the PBI execution unit 82 (public key certificate issuing unit 84) of the vendor terminal 2 issues the user's public key certificate in S411. As a result, a public key certificate of a person with whom a business is talking through a video conference, that is, a user whose identity has been confirmed, is issued using the business's own private key.

In this way, a user's (business) public key certificate issued by a business (user) is a user's (business) public key certificate issued by a user (business) with an issuance request (for this public key, the user's (business) name and contract number are In response to a request for the issuance of a public key certificate containing information such as the following information, a trader (user) issues a certificate by signing it with his or her own private key and meeting the requirements. This is generally similar to the mechanism by which a certification authority issues public key certificates. In this embodiment, both parties to the video conference serve as certification authorities for each other.

Thereafter, in S412, the issued user's public key certificate is transmitted to the user terminal 1. The user terminal 1 transmits the user's public key certificate, the self-signed certificate generated by itself, and the PBI template to the internal audit server 4 via the vendor terminal 2. In S413, the internal audit server 4 stores the user's public key certificate 1135 with the vendor's signature, the user's public key certificate with the user's signature (self-signed certificate) 1137, and the user's PBI template 1139 in the storage unit 113. Save to. Note that the PBI template 1139 may be stored in the user terminal 1.

Thereafter, the user terminal, vendor terminal, and internal audit server end this process and move the process to FIG. 6A. Data such as each public key and each certificate shall be transmitted through a secure route.

As described above, in this embodiment, the private key, public key, self-signed certificate, and PBI template are generated for each user and vendor after verifying their identity during the video conference. Attendees can be linked to this data. Therefore, using this, it is possible to create a signature to generate evidence of important matter explanations while protecting personal information.

[Explanation of main processing sequence diagram (continued)]
Returning to FIG. 6A, in S104, important matters are explained. Here, regarding the method of explanation, for example, the vendor may read out important matters and check the user's understanding level through dialogue. Further, important items may be sequentially displayed on the received data display sections 22 and 62 of the user's display 34 and the vendor's display 74, and the degree of understanding may be confirmed by pressing a button.

Next, the important matter explanation manual display unit 63 outputs an important matter explanation completion button (YES) to the display 74 of the vendor terminal 2 (see screen 5 in FIG. 6B). The vendor explains important matters related to the contract to the user through a video conference, and after completing the explanation in S104, presses a completion button. By pressing the completion button (YES), a notification of completion of important matter explanation in S105 is obtained.

Next, the important matter explanation manual display section 63 outputs input fields for the contract number and the important matter explanation number (see screen 6 in FIG. 6B). By inputting the contract number and important matter explanation number corresponding to the current important matter explanation into this, the contract number and important matter explanation number are acquired in S106, and the data transmission unit 52 sends the information to the internal audit server 4. send to.

In S107, the internal audit server 4 stores the received contract number 1131 and important matter explanation number 1132 in the storage unit 113. Completion of saving is notified to the vendor terminal.

Next, the important matter explanation manual display section 63 outputs a button (YES) for accepting the end of recording (see screen 7 in FIG. 6B). When the trader presses the button, the control unit 90 (recording unit 92) ends recording in S108.

Subsequently, in S109, the important matter explanation manual display section 63 outputs a button (YES) for requesting processing of the recorded video (see screen 8 in FIG. 6B). The trader presses a button, and in S119, the processing unit 93 processes the video. Here, the processing work includes the work of hiding the user's video (including audio) and the user's identification card 6 in order to protect the user's personal information, and the work of hiding the user's image (including audio) and the user's ID card 6 in order to protect the personal information of the trader. There are two types of work: hiding the video (including audio) and the contractor's qualification certificate 7. Therefore, the video data that has been processed to protect the user's personal information will be named processed data A. On the other hand, video data that has been processed to protect the personal information of the vendor is named processed data B.

Next, in S110, the communication unit 91 transmits the processed data A and the processed data B to the vendor terminal 2.

Next, after the vendor terminal 2 (communication section 50) receives the processed data A and the processed data B, the important matter explanation manual display section 63 displays a button (YES) to request signatures for the processed data A and processed data B. (See screen 9 in Figure 14). When the trader presses the request acceptance button (YES), the process of adding signatures to processed data A and processed data B is started.

First, the communication unit 50 (data transmitting unit 52) of the vendor terminal 2 transmits processed data A to the data receiving unit 11 of the user terminal 1.

After receiving the processed data A, the intention display section 23 of the user terminal 1 outputs a signature acceptance button (YES) (see screen 4-2 in FIG. 6B). When the user presses the signature consent button (YES), the PBI execution unit 42 (signature adding unit 45) applies an electronic signature to the processed data A using the user's private key in S111. Thereafter, the data transmitter transmits the signed processed data A to the vendor terminal 2.

Note that in order to perform an electronic signature using the user's private key, as will be explained later in FIG. Restore and sign.

Subsequently, the data transmitting unit 52 of the vendor terminal 2 transmits the received signed processed data A to the internal audit server 4. In S112, the storage unit 113 stores the received user-signed processed video (processed data A) 1133. At that time, it is linked to the contract number 1131 and important matter explanation number 1132 saved in S107 of FIG. 6A.

Next, the PBI execution unit 82 of the vendor terminal 2 requests the processed data B from the in-house server 3 and obtains the processed data B (S113). Thereafter, in S114, an operation is performed to electronically sign the processed data B using the private key of the vendor.

Note that in order to perform an electronic signature using the private key of the trader, as will be explained later in FIG. Restore and sign.

The data transmitter 52 transmits the signed processed data B to the internal audit server 4. In S115, the storage unit 113 stores the received processed video with the vendor's signature (processed data B) 1134. At that time, it is linked with the contract number 1131 and important matter explanation number 1132 saved in S107 of FIG. 6A.

Next, if the signed processed data is successfully saved in S112 and S114, the vendor terminal 2 is notified in S116 that the data has been successfully saved, and the video conference ends. The original recorded data before processing will be discarded. Thereafter, the user terminal 1 and the vendor terminal 2 end this process and end communication.

[Explanation of PBI processing flow diagram]
The electronic signature method will be described with reference to FIG. FIG. 10 shows a processing flow of PBI key generation and signature verification.

First, in key generation, as shown in FIG. 10, feature amounts are extracted from biometric information (face image, etc.) acquired from the user (or business) using a generally known method. Next, a private key based on a known public key authentication infrastructure (PKI) and a public key corresponding to the private key are generated using an existing key generation algorithm (such as RSA). A PBI template is generated by unidirectionally converting the features extracted from this private key and biometric information, and this PBI template is stored in the certification server that is the certification authority (in-house audit server 4 in this example). Ru. At the same time, a public key certificate issuance request requesting validation of the public key is generated based on the generated private key and public key, and the public key certificate is stored in the authentication server.

In the example of FIG. 10, the certificate is issued by a certification authority (certification server), but in this embodiment, the public key certificates include a public key certificate with a self-signed signature (self-signed certificate) and a TV You are using a public key certificate issued by the person you are meeting with.

When creating an electronic signature, an electronic signature is generated using a private key restored by combining the user's biometric information and a PBI template stored in the authentication server, and the signature is executed on the data to be signed.

Next, the electronic signature is verified based on the signed data by checking the consistency with the data to be signed using the public key listed in the public key certificate whose validity has been confirmed. do. As described in [Explanation of Audit Sequence Diagram], in this example, the validity is confirmed based on the data of the signed public key certificate of the other party in the video conference. The public key is used to confirm consistency with the data to be signed.

Here, a mechanism that combines biometric signature technology and public key authentication infrastructure using a PBI template is known as a public biometric infrastructure (PBI) (for example, see Japanese Patent Laid-Open No. 2013-122680). .

In PBI, the user's biometric information and private key are stored in a one-way converted state (in a form that cannot be restored) and stored in a registration authority (server, etc.), allowing users to use the national ID infrastructure and "empty-handed". Biometric authentication for payment services, passwordless cloud authentication, physical security, etc. can be used without registering for individual services. The PBI template is sometimes called "private key recovery information" or "public template."

[Explanation of audit sequence diagram]
Referring to FIG. 11, a sequence showing a process of verifying an attached electronic signature in the vendor terminal 2 and the internal audit server 4 in this embodiment will be described. Here, a video conference including an explanation of important matters was held according to the procedure shown in Figure 6A, and a contract was concluded, but some trouble occurred and an audit was required for the content of the explanation of important matters. Suppose. In addition, although processed data A with a signature (video data processed to protect the user's personal information) will be set as the audit target, and an explanation will be given using a sequence diagram, processed data B may also be audited. Note that the processing in the internal audit server 4 may be executed by the vendor terminal 2.

First, in S500, the data transmitter 52 of the vendor terminal 2 transmits the contract number of the contract in which the trouble occurred to the internal audit server 4.

Next, in S501, the internal audit server 4 queries the storage unit 113 for the received contract number. Thereafter, in S502, the important matter explanation number 1132 and the signed data that were stored in association with the contract number 1131 are acquired. Here, the signed data refers to the user's signed processed video (processed data A) 1133, the user's public key certificate 1135 with the vendor's signature, and the vendor's public key certificate with the vendor's signature (self-signed certificate). 1138 (see Figure 5B). These data are verified by the signature verification unit 111.

Next, in S503, the signature verification unit 111 extracts the user's public key from the user's public key certificate 1135 with the vendor's signature, and uses this to electronically sign the processed video (processed data A) 1133 with the user's signature. Verify. This ensures that the processed data A is not tampered with after it is signed until it is sent, stored, or acquired. In addition, the person who signed the processed data A can be identified from the items listed in the user's public key certificate 1135 with the vendor's signature. (The person who does so becomes a user.)

Next, the public key certificate of the signer of the signature verified in S503 (or the user in the case of handling processed data A) is targeted for verification. In S504, the signature verification unit 111 verifies the target public key certificate (in the case of processing processed data A, this is the public key certificate 1135 of the user with the signature of the vendor). From the items listed in the public key certificate, it is possible to confirm who issued the public key certificate (in the case of handling processed data A, the issuer is a business).

Furthermore, the public key is obtained from the self-signed certificate of the person who issued the public key certificate (when handling processed data A, the public key is obtained from the vendor's public key certificate (self-signed certificate) 1138 signed by the vendor. get the public key). Next, the obtained public key is used to verify the target public key certificate (in the case of handling processed data A, the user's public key certificate 1135 with the signature of the vendor is verified). If the verification result is OK, the target public key certificate has been issued normally, and the reliability of the public key described can be guaranteed.

Here, the target public key certificate is issued in S109 or S112 of FIG. 6A, and at the time of issuance, items such as the contract number and important matter explanation number are entered to link it to the ongoing video conference. Therefore, it is possible to prove that the subject of the public key certificate is a person who is connected during a video conference with the issuer who issued the public key certificate (processed data A). (The person listed on the public key certificate is the user, and the issuer who issued the public key certificate is the business).

After that, if you visually check the video of processed data A, you will find that the person who issued the verified public key certificate is the person who is not hidden in processed data A (when handling processed data A, ) can be confirmed.

From the above, the person who signed the processed data A is the person who is connected during the video conference with the person who is not hidden in the processed data A (in the case of processing processed data A, the company). When dealing with A, it means that it is a user). In other words, it can be proven that the person who signed the processed data A is the person hidden within the processed data A.

In this embodiment, when verifying, you only trust what you issued and what you chain. Therefore, what is used when verifying processed data A is the user's certificate issued by the vendor and the vendor's self-signed certificate (trust anchor).

In this way, even in data where personal information is hidden, it is possible to guarantee whose personal information is hidden, so there is evidence that important matters have been explained or have been explained before contracting for the service. becomes.

Next, the audit result transmitting unit 112 of the internal audit server 4 transmits the verification result to the vendor terminal 2 in S505.

Next, in S506, the vendor terminal 2 receives the audit result, and the audit of the important matter explanation accompanying the contract number is completed. Thereafter, the vendor terminal 2 and the internal audit server 4 end this process.

[summary]
As described above, in the first embodiment of the present invention, a key is created in real time on a user's terminal (for example, a user terminal) during a video conference for explaining important matters, and By signing two types of signatures: one on the video with your personal information edited, you can hide your personal information and use it as proof that important matters have been explained. You can create data.

Furthermore, by verifying the electronic signatures that have been given, it is possible to confirm whose personal information is hidden without checking the original data.

In addition, in conventional PBI, when issuing a public key certificate, prior identity verification by a third party is required, but in the first embodiment of the present invention, identity verification is performed before important matters are explained. Since this can be done using the results of , PBI signatures can be executed without prior registration of the user.

In addition, data that contains personal information is processed to hide the personal information, but the evidence of the data is not lost, so it is managed as data that does not contain evidence of personal information. can do.

Note that each of the above embodiments may be modified in the following manner. In each of the above embodiments, it is assumed that a public key certificate is immediately issued during a video conference by utilizing PBI, but the present invention is not limited to PBI. If a user or a vendor holds a public key certificate issued by an arbitrary certification authority, the processed data is digitally signed using the private key that is paired with the public key certificate.

1 User terminal 2 Vendor terminal 4 Internal audit server 6 Identification card 7 Qualification certificate 63 Important matter explanation manual display section 81 Important matter explanation execution section 82 PBI execution section 100 Identity confirmation section 111 Signature verification section

Claims (4)

A first terminal used by a first user, a second terminal used by a second user, and a server including a processing section, an identity verification section, and a storage section are used to connect the first terminal and the second terminal to each other. An evidence preservation method for processing recorded data of a video conference conducted via a network between terminals of
The identity verification unit collates the first user's own image data acquired by the first terminal during the video conference with the image data of the first user's image-attached certificate. 1, and a second identity verification that compares the second user's own image data acquired by the second terminal with the image data of the second user's image-attached certificate. mutual identity verification processing,
If the mutual identity verification process is successful, the first terminal uses the first private key, the first public key, and the first public key of the first user with the first private key. the second user's second private key, the second public key, and the second public key; A key generation execution process that generates a second self-signed certificate signed with the private key of
The first terminal transmits the first public key to the second terminal, and the second terminal provides a first public key certificate for the first public key using the second private key. At the same time, the second terminal transmits the second public key to the first terminal, and the first terminal uses the first private key to issue the second public key. Mutual public key certificate issuing processing for issuing a second public key certificate;
The processing unit generates first processed data by deleting or concealing information identifying the first user from the recorded data of the video conference, and generates first processed data from the recorded data of the video conference. video processing that generates second processed data by deleting or concealing information that identifies the user;
The first terminal digitally signs the first processed data with the first private key, and the second terminal digitally signs the second processed data with the second private key. A signature process that performs
The storage unit stores the first processed data, the second processed data, the first public key certificate, the second public key certificate, the first self-signed certificate, and the first processed data. evidence preservation processing that links the self-signed certificates in step 2 and stores them as saved data;
Evidence preservation method to carry out. The server includes a signature verification unit,
The signature verification unit,
reading the first processed data and the first public key certificate from the storage unit;
extracting the first public key from the first public key certificate and verifying the first processed data using the first public key;
The evidence preservation method according to claim 1. The signature verification unit,
further reading the second self-signed certificate from the storage unit;
retrieving the second public key from the second self-signed certificate and verifying the first public key certificate using the second public key;
The evidence preservation method according to claim 2. The key generation execution process further generates a first PBI template for restoring the first private key from the first user's own image data, and generates a first PBI template from the second user's own image data. generating a second PBI template for restoring the second private key;
The evidence preservation process further stores the first PBI template and the second PBI template in the storage unit in association with the saved data.
The evidence preservation method according to claim 1.

Images