WO2019026873A1 - Mutual authentication system, authentication image, and recording medium - Google Patents

Mutual authentication system, authentication image, and recording medium Download PDF

Info

Publication number
WO2019026873A1
WO2019026873A1 PCT/JP2018/028555 JP2018028555W WO2019026873A1 WO 2019026873 A1 WO2019026873 A1 WO 2019026873A1 JP 2018028555 W JP2018028555 W JP 2018028555W WO 2019026873 A1 WO2019026873 A1 WO 2019026873A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
authentication system
color
mutual authentication
authentication
Prior art date
Application number
PCT/JP2018/028555
Other languages
French (fr)
Japanese (ja)
Inventor
靖典 杉井
信濃 義朗
健一 田渕
一博 青砥
Original Assignee
カレンシーポート株式会社
昌栄印刷株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by カレンシーポート株式会社, 昌栄印刷株式会社 filed Critical カレンシーポート株式会社
Priority to JP2019534519A priority Critical patent/JPWO2019026873A1/en
Publication of WO2019026873A1 publication Critical patent/WO2019026873A1/en

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B42BOOKBINDING; ALBUMS; FILES; SPECIAL PRINTED MATTER
    • B42DBOOKS; BOOK COVERS; LOOSE LEAVES; PRINTED MATTER CHARACTERISED BY IDENTIFICATION OR SECURITY FEATURES; PRINTED MATTER OF SPECIAL FORMAT OR STYLE NOT OTHERWISE PROVIDED FOR; DEVICES FOR USE THEREWITH AND NOT OTHERWISE PROVIDED FOR; MOVABLE-STRIP WRITING OR READING APPARATUS
    • B42D25/00Information-bearing cards or sheet-like structures characterised by identification or security features; Manufacture thereof
    • B42D25/30Identification or security features, e.g. for preventing forgery
    • B42D25/337Guilloche patterns
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/14Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation using light without selection of wavelength, e.g. sensing reflected white light
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a mutual authentication system, an authentication image used in the mutual authentication system, or a recording medium on which the authentication image is printed.
  • a method is used in which a sealed letter is mailed based on user information such as an address and a telephone number input by the user for security improvement, and authentication is performed using a code described in the sealed letter.
  • user information such as an address and a telephone number input by the user for security improvement
  • authentication is performed using a code described in the sealed letter.
  • a method of using a color print as described in Japanese Patent Application No. 2017-014559 Japanese Patent Application No. 2016-016243
  • a method of easily accessing information on the Web using a portable terminal for example, a method of using a two-dimensional code such as QR code (registered trademark, hereinafter the same) may be considered (for example, Patent Document 1 etc.).
  • QR code registered trademark, hereinafter the same
  • Patent Document 1 Patent Document 1
  • the present invention is intended to solve such a problem, and an object thereof is to provide a mutual authentication system for simply performing personal authentication without increasing security risk.
  • the mutual authentication system of the present invention links the two-dimensional code including the issuer information, the application information including the information of the user who has applied for the user, and the application information.
  • a mutual authentication system for mutually authenticating that an issuer and a user are valid using ID information configured by combining a plurality of character strings, each of the ID information.
  • the color print forming means for forming a unique color print figure different depending on the type, the color print judgment means for decoding the ID information from the color print figure using a combination pattern of basic color print figures corresponding to each character string;
  • authentication means for determining whether or not the ID information decoded by the color design determination means corresponds to the issuer information included in the two-dimensional code.
  • user authentication can be easily performed without increasing security risk.
  • FIG. 1 It is a figure which shows an example of the whole structure of the mutual authentication system which concerns on embodiment of this invention. It is a figure which shows an example of the information recorded as application information. It is a figure which shows an example of the information recorded as registration information. It is a figure which shows an example of the information contained in registration information. It is a conceptual diagram about the structural example of the token containing the issuer information shown in FIG. It is a figure which shows the symbol for authentication shown in FIG. It is a flowchart which shows an example of the authentication operation
  • a mutual authentication system 100 will be described as a first embodiment of the present invention.
  • the mutual authentication system 100 is registered as a portable terminal 10 as an information communication terminal such as a smartphone or a portable telephone used by the user P, and as a registration means managed by an issuer Q who provides the service to the user P. It is a network system comprised including server 50.
  • the mutual authentication system 100 generates a printing pattern forming an authentication pattern as an authentication image based on application information including personal information of the user P input by the user P accessing the registration server 50. It has a drop printout issue server 80.
  • the mutual authentication system 100 has an authentication server 60 as an authentication means for authenticating the user P using an authentication pattern described later.
  • the present invention is limited to such a configuration. It is not something to be done.
  • the registration server 50 and the authentication server 60 are separately provided in the present embodiment, the integrated server may have the function of the registration server 50 and the function of the authentication server 60.
  • the issuer Q is configured to manage all of the registration server 50, the authentication server 60, and the color print issue server 80. It is not limited to the configuration.
  • the issuer Q may use the external registration server 50, the color print issuing server 80, or the authentication server 60.
  • the registration server 50 is a web server that provides a service provided by the issuer Q, here, for example, a credit card issue service.
  • the registration server 50 has an information input unit 51 for the user P to register the user's own personal information, that is, the application information R, and the application information R of the user P and the issuer Q inputted to the information input unit 51.
  • a token issuing unit 52 that issues a token such as JWT (JSON Web Token) based on the issuer information.
  • the application information R is information including personal information such as the address and telephone number of the user P as shown in FIG. 2, and the registration server 50 receives such information input by the user P itself and the issuer Based on the information such as the identification number of Q, it is recorded as registration information R 'including the information of the issuer Q, with the color print ID 92' and the effective period added as shown in FIG.
  • the color print ID 92 ' is an ID number composed of an array of 6 to 8 alphanumeric characters, and is randomly issued ID information.
  • the color print ID 92 ' is represented by an array of 6 to 8 alphanumeric characters.
  • the present invention is not limited to such a configuration, and an arbitrary number of digits, a character string, a symbol or the like may be used. It is possible.
  • the color print ID 92 'itself may be duplicated, and a combination of the color print ID 92' and the registration information R 'is registered in the registration information R'.
  • the token issuing unit 52 issues at least an issuer identification number for identifying the issuer Q, an issue date and time, a valid period, a start date / end date of the valid period, a destination, etc.
  • JWT which is a token that contains The JWT is a URL safe token, and is signed using the color printing ID 92 '.
  • URL safe indicates that characters such as symbols that can not be included in the URL are not included, and here, the token itself is used in a sense that it can be used as part of the URL.
  • HMAC Hash-based Message Authentication Code
  • JWT is a mechanism for detecting tampering and impersonation by using an iterative encryption hash function such as SHA-2 in combination with a key.
  • JWT is a token obtained using such HMAC, and as shown in FIG. 5, it is divided into a header, an entity, and a footer. The JWT matches the footer (or entity) when processing the value in the entity (or footer) by the header algorithm. That is, the JWT is generated by extracting some information from the registration information R ′, for example, the information shown in FIG.
  • the JWT include a one-time key as a countermeasure against a so-called replay operation in which authentication is performed multiple times using the same token. That is, in this embodiment, the number control function of limiting the number of readings to the token is added. With this configuration, since the authentication operation by the authentication server 60 described later is authenticated only at the first time, the security strength is further improved.
  • an entity of a token is created using information as shown in FIG. 4 in particular. However, the present invention is not limited to such a configuration, and other information may be included as additional information.
  • the registration server 50 transmits the registration information R ′ to the color print issuance server 80.
  • the registration server 50 for performing authentication and token issuance and the separate server from the color print issue server 80 are described as being connected via a network, the configuration is limited to such a configuration. is not. For example, it may be configured to have all functions of authentication, token issuance, and color printing on the same terminal.
  • the color print issuing server 80 hashes the JWT obtained based on the registration information R ′ and embeds it in the form of a two-dimensional code such as a QR code, and combines a list of numbers of color print ID 92 ′ with basic color print figures Convert to a color pattern using a pattern.
  • the color print issuing server 80 issues a color print forming unit 81 that forms a color print pattern based on the color print ID 92 ′ and a QR code 91 as a first two-dimensional code based on the registration information R ′.
  • a dimensional code generation means 82 In the present embodiment, the QR code is used as a two-dimensional code to increase the availability of reading, but the present invention is not limited to this configuration, and other two-dimensional codes may be used. Moreover, a barcode etc. may be sufficient.
  • the two-dimensional code generation means 82 forms a hash code, which is an access code obtained by hashing the JWT in particular among the registration information R ′, as a QR code 91 as shown in FIG.
  • the URL of the authentication server 60 is described in the QR code 91.
  • the portable terminal is connected to the URL such as http: //******** / hash code / etc. ing.
  • the color printing pattern forming means 81 converts the pattern of serial numbers into a precise geometric pattern combining unique wavy lines, arcs or circles as shown in FIG.
  • the pattern at this time is referred to as a "color print” and illustrated as a color print figure 92.
  • Such a color pattern is a unique pattern configured to be all different based on each of the color ID 92 ', so the color forming means 81 forms a unique color pattern that is different for each of the ID information.
  • the color print is a set of basic figures defined by 6 to 8 alphanumeric characters in the present embodiment, and it is easy to guess the numbers when the user P or a third party sees the color print 92. It is stylized so that it can not be done. With this configuration, even if the third person steals the color pattern 92, it is difficult to forge or copy.
  • the generation means and the printing method of the color design graphic 92 for example, the patterns of ten types of basic color design graphic of 0 to 9 specific shapes are superimposed in a specific size at a specific position by the number of digits. Methods are conceivable.
  • printing may be performed by the printing method as shown in Japanese Patent Application No. 2016-016243 already mentioned.
  • the color print issuing server 80 uses the QR code 91 and the color print 92 formed so as to surround the QR code 91 as a sheet 90 as an authentication pattern 93 that functions as an authentication image that is an integrated design. Print on a sheet of paper.
  • the delivery address of the user P, the name, the expiration date of the authentication symbol 93, the guidance of the authentication method, etc. may be described on the sheet 90.
  • a pass code such as a PIN code input by the user P at the time of applying for the application information R may be written for identification. That is, the sheet 90 functions as a recording medium for authentication used in the mutual authentication system 100 in the present embodiment.
  • the issuer Q sends the mailed sheet 90 outputted by the color print issuing server 80 to the user P by mail.
  • the sheet 90 As described above, by sending the sheet 90 to the place designated by the application information R, it is confirmed that the applicant user P who is required for the examination item of the card is the person of the registered address and name. be able to.
  • the sheet 90 which is a printed matter is delivered to the user P as mail because it is a credit card application process, but in the case where personal identification may be looser,
  • the authentication symbol 93 may be sent by e-mail or the like.
  • the authentication server 60 determines whether or not the color design determination means 61 for identifying the color design figure 92 from the image of the authentication pattern 93 and the color design figure 92 identified by the color design determination means 61 are valid. And a color print authentication means 62.
  • the authentication server 60 includes a token database 63 in which tokens issued by the token issuing unit 52 are recorded, and a QR code authentication unit 64 that authenticates the validity of the QR code 91 using the token database 63 and the QR code 91; have.
  • the color design determination unit 61 is an image recognition unit that decomposes and identifies the color pattern 92 and the QR code 91 from the image data in which the QR code 91 and the color pattern 92 are included in the same image. For example, in the case of an authentication pattern as shown in FIG. 6, the QR code 91 is read using the identifiers arranged at the four corners of the QR code 91, and a portion other than the QR code 91 is used among the image data. And identify the color pattern 92.
  • FIG. 7 a mechanism for mutual authentication using the mailed sheet 90 will be described with reference to FIGS. 7 and 8.
  • the sheet 90 is delivered to the user P, it is confirmed that the “address” and the “user P”, which are the conditions necessary for the authentication of the financial institution, are valid.
  • Ru The user P first captures the sheet 90 using the application 102 installed on the portable terminal 101 in hand. At this time, the user P captures an image such that at least a part of the authentication symbol 93 fits in the same image, and acquires the image data 94 (step S101).
  • at least one part may be suitably designed in the range which the certification
  • the application 102 may, as its function, identify whether the mailed paper itself is definitely that of the issuer Q or not. Specifically, for example, a minute color print, a graphic for identification, or the like may be printed on the sheet 90 itself, and the recognition pattern 93 may be recognized on condition that the color print for identification is recognized. . According to this configuration, for example, even when the third party spoofs the issuer Q and sends a similar product of the sheet 90, there is an advantage that the user P is not made to access unnecessarily.
  • the application 102 When the application 102 captures the image data 94, it reads the QR code 91 (step S102). As described above, since the URL of the authentication server 60 is designated as the access destination in the QR code 91, the application 102 connects to the corresponding URL (authentication server 60) according to the instruction. At this time, the URI of the connection destination is a connection destination unique to the user P because the JWT includes the hash code hashed. The application 102 then transmits the image data 94 to the authentication server 60 (step S103). The authentication server 60 decomposes and identifies the image data 94 into the color pattern 92 and the QR code 91 using the color pattern determination unit 61 (step S104).
  • the color print authentication means 62 decodes the 6 to 8 digit color print ID 92 ′ based on the combination of the periodicity and the shape of the color print 92 by an operation reverse to that performed by the color print forming means 81.
  • the color design graphic 92 which has been decomposed is inversely converted from the color design graphic 92 to the color print ID 92 'by the color print authentication means 62 (step S105).
  • the QR code authentication unit 64 reads the QR code 91, and compares the obtained hash code with the corresponding JWT recorded in the token database 63 with a signature signed using the fingerprint ID 92 'as a key ( Step S110). As a result of this comparison, the combination of the image pattern 94, that is, the combination of the color design graphic 92 written on the sheet 90 delivered to the user P and the QR code 91 corresponds to the registration information R ′ recorded in the registration server 50. It can be determined without referring to the registration information R '.
  • the registration information R ′ registered in the registration server 50 includes various personal information, it is possible to transmit and receive the registration information R ′ as it is between the registration server 50 and the authentication server 60 on the way route. Create unnecessary security risks such as reading. Therefore, in the present embodiment, the JWT is generated based on the registration information R ′, and the result obtained by signing the JWT with the HMAC is further hashed into a hash code using the color print ID 92 ′ as a key.
  • the hash code is a connection destination of the QR code 91, and can be restored from the QR code 91.
  • the application 102 performs processing to download the JWT main body when accessing the above hash code
  • the hash code included in the URI read from the QR code is compared with the hash of the JWT main body downloaded from the URI -By confirming, it is possible to confirm that the JWT main body in the authentication server 60 is not falsified also on the user P side. Such comparison may not be made.
  • the application 102 only needs to receive authentication as described later, and there is no need to download the JWT main body, so there is an advantage that transmission and reception of the JWT becomes unnecessary and the entity of the JWT is not acquired illegally.
  • JWT is signed using the HMAC with the color print ID 92 'as a key
  • the original information can not be restored from the hash code which is a hash value obtained from the JWT.
  • JWT is a token including the registration information R ′ transmitted by the user P to the registration server 50.
  • the authentication server 60 receives the JWT from the registration server 50 and records it in the token database 63. Since the JWT is recorded in the token database 63, the sheet 90 possessed by the user P and the JWT obtained from the registration information R 'are valid when the token authentication means 62 performs the operation of step S110. It can authenticate that it is a thing.
  • the authentication server 60 determines whether or not both step S106, which is the color printing authentication step of the color printing authentication means 62, and step S110, which is the QR code authentication step of the QR code authentication means 64, are approved. (Step S120). In step S120, on the condition that all are authenticated as valid, the authentication server 60 returns the result of having been authenticated to the portable terminal and transmits the instruction code 65 to the portable terminal (step S201). If it is determined in step S120 that the content is not valid, the fact that authentication is not possible is returned to the portable terminal (step S121).
  • the instruction code 65 is a code for instructing to make a call to the registration server 50 managed by the issuer Q or a specific telephone number.
  • step S201 when the application 102 receives the instruction code 65, the application 102 calls a specific telephone number and the user P is required to input the PIN code input by the user P at the time of registration (step S202).
  • step S202 it can be confirmed whether the telephone number of the user P, which is required in the registration conditions of the financial institution, is the user P's own personal number. With this configuration, when it is necessary to confirm the telephone number of the user P, it is possible to simultaneously confirm whether or not the telephone number of the user P has been called by carrying out such processing.
  • the telephone number is required as the registration condition of the financial institution in step S201 and subsequent steps, it is performed by the mutual authentication system, but the registration condition is appropriately changed according to each field. good.
  • the PIN code is entered by the user P at the time of registration, it is not necessary to enter the PIN code on the sheet 90, and it is possible to register the financial institution in consideration of security.
  • the sheet 90 is distributed to the address of a voter registered in a family register, it can be a voting ticket used for electronic voting on condition that the certification is established. According to this configuration, it is possible to easily detect a plurality of votes by electronic voting using the JWT one-time key, and for the exchange for a regular voting ticket, confirmation may be made at the exchange station as before. The effort is reduced.
  • the color pattern figure 92 is colored using the color pattern forming means 82 that forms unique color pattern figures different depending on the color pattern ID 92 'and the combination pattern of the basic color pattern figures corresponding to each character string.
  • user authentication can be easily performed without increasing security risk.
  • the user P since the user P only needs to send the image data 94 obtained by photographing the authentication symbol 93, the complexity of the operation at the time of authentication can be reduced.
  • a QR code is used as a two-dimensional code.
  • the speed of reading is improved to improve convenience, but authentication is not performed only by reading. Therefore, even if a third party steals the sheet 90, there is no security problem. Reduce security risk.
  • the QR code 91 is formed based on a token including issuer information.
  • the JWT has a frequency control function for limiting the number of times of reading.
  • the authentication server 60 authenticates that the JWT including the information of the issuer Q described in the QR code 91 is signed with the color print ID 92 ′ as a key. With this configuration, the authentication does not pass even when the information of the issuer Q is falsified, so the security against impersonation is enhanced.
  • the mutual authentication system of this embodiment authenticates using the authentication pattern 93 in which the QR code 91 and the color design figure 92 were integrally formed, and the sheet
  • the authentication server 60 confirms that the seat 90 is valid by photographing the authentication symbol 93.
  • the user P can authenticate that the mail delivered to the user P is genuine only by photographing the authentication symbol 93, thereby achieving both security improvement and convenience improvement. it can.
  • the authentication symbol 93 is formed integrally with the QR code 91 and the color design figure 92, and the color design figure 92 is formed to surround the QR code 91.
  • the mutual authentication system 200 is a mutual authentication system using a distributed file management system called InterPlanetary File System (IPFS) that determines an address using a hash of a data object.
  • IPFS InterPlanetary File System
  • the mutual authentication system 200 has the same configuration as that of the first embodiment but differs only in the authentication method.
  • the registration server 50 adds the information of the issuer Q to the application information R to generate registration information R '.
  • the token issuing unit 52 issues the JWT signed with the color print ID 92 'in the form including the information of the issuer Q similarly to the first embodiment based on the registration information R'.
  • the QR code 91 is first read, and a hash code having a hashed JWT is generated as in the first embodiment. Ru. Since the hash code is the address of the main body of the JWT issued by the token issuing unit 52, the application 102 can connect to the address of the JWT to download the JWT main body.
  • the mutual authentication system 200 decodes the color print ID 92 ′ from the image data 94, and the one obtained by signing the JWT main body placed at the address specified by the QR code 91 with the color print ID 92 ′ matches the address. Determine if it is. When they match, the JWT main body at the address concerned is transmitted to the portable terminal, and when it does not match, it is displayed on the application 102 that the authentication has not been performed. Such determination is an action similar to step S120 in the first embodiment, and the mutual authentication system 200 itself has a function as an authentication unit.
  • the registration information R ′ is stored at an address that can not be analogized from the outside simultaneously with the generation of the JWT, and only the user P possessing the sheet 90 can access the address, It can be authenticated that the user P is a valid user.
  • such an authentication means is performed by the IPFS file system itself, but it is sufficient if the address is determined by the hash and the signature is made by the ID information corresponding to the color print ID. Specifically, even in the case of a distributed ledger system such as a block chain, for example, a similar authentication system is established (see Non-Patent Document 1 for the IPFS implementation of the block chain).
  • the point provision system 300 is an authentication system using a sheet 90 on which a QR code 91 and a color design graphic 92 are integrally printed, as in the first embodiment.
  • the point grant system 300 includes a token issuing unit 52 that issues a token such as JWT using the registration information R ′, a color print issue server 80, and an authentication server 60.
  • the registration information R ' is, for example, product information created based on information such as a sold store or item, a price, etc., and includes a color print ID 92'.
  • the color print issuing server 80 generates a color print forming means 81 that forms a unique color print figure different for each color print ID 92 ', and generates a two-dimensional code that issues a first two-dimensional code based on the registration information R'. And means 82.
  • the point grant system 300 sends a sheet 90 as a delivery note such as a receipt sent to the user P when the user P purchases at a store or a net shop.
  • authentication is completed only by photographing using the application 102 by using the sheet 90 on which the QR code 91 and the color design graphic 92 are integrally printed in the delivery note. Aims to provide such a mutual authentication system.
  • the application 102 When the user P captures the sheet 90 using the application 102, the application 102 reads the QR code 91 and transmits the captured image data 94 to the authentication server 60.
  • the authentication server 60 authenticates in accordance with steps S101 to S120 of the first embodiment whether or not the QR code 91 and the color print ID 92 ′ are a valid combination. According to such a configuration, it is possible to give points only to the person who has received the product without inputting information such as a point card in advance through the Internet shopping, so the convenience is improved.
  • the JWT is used for the QR code 91, it is difficult to disguise the issuer Q and falsify the expiration date, and the security risk can be reduced.
  • the application 102 installed in the portable terminal it is sufficient to link and manage the granted points with the application 102, so that the input of personal information becomes unnecessary, and the convenience of the user P is improved. At the same time, it is possible to reduce the security risk of entering unnecessary personal information.
  • Registration Server 60 Authentication Method (Authentication Server) 80 color print issuing server 81 color print forming means 82 two-dimensional code generation means 90 recording medium (sheet) 91 1st two-dimensional code (QR code) 92 color pattern 92 'ID information (color pattern ID) 93 Authentication design 100 Mutual authentication system 200 Mutual authentication system 300 Mutual authentication system (Point grant system) R application information R 'registration information (including issuer information)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Toxicology (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • General Health & Medical Sciences (AREA)
  • Electromagnetism (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Credit Cards Or The Like (AREA)
  • Accessory Devices And Overall Control Thereof (AREA)

Abstract

A mutual authentication system is provided for easily performing personal authentication without increasing security risk. A mutual authentication system for mutually authenticating that an issuer and a user are valid, the system using a two-dimensional code including issuer information, application information that includes information about the user that was submitted by the user, and ID information associated with the application information, the ID information being configured by combining a plurality of character strings, wherein the mutual authentication system is characterized by having: a colored figure formation means that forms a unique colored figure diagram that differs according to each of the ID information items; a colored figure determination means that decodes the ID information from the colored figure diagram using a combination pattern of a basic colored figure diagram corresponding to each character string; and an authentication means that determines whether the ID information decoded by the colored figure determination means corresponds to the issuer information included in the two-dimensional code.

Description

相互認証システム、認証用画像及び記録媒体Mutual authentication system, authentication image and recording medium
 本発明は、相互認証システム及び当該相互認証システムに用いられる認証用画像または当該認証用画像が印刷された記録媒体に関する。 The present invention relates to a mutual authentication system, an authentication image used in the mutual authentication system, or a recording medium on which the authentication image is printed.
 金融機関の本人認証システムにおいては、セキュリティ向上のため、ユーザーが入力した住所や電話番号等の利用者情報に基づいて封書を郵送し、封書に記載のコードを用いて認証する方法が用いられている。
 しかしながら、このような方法では、ユーザーは封書に書かれたURLに自身の携帯端末等を用いてアクセスし、その上で記載されたPINコード等を入力する手間がかかるため、ユーザーの認証にかかる手間が大きかった。
 また、偽装されにくい郵送物の例としては例えば特願2017-014559(特願2016-016243)に記載されたような彩紋を印刷物とする手法が考えられるが、Web上にあるデータとかかる彩紋とを関連付けるのが難しい。 In the personal identification system of a financial institution, a method is used in which a sealed letter is mailed based on user information such as an address and a telephone number input by the user for security improvement, and authentication is performed using a code described in the sealed letter. There is.
However, in such a method, it takes time and effort for the user to access the URL written in the sealed letter using his / her portable terminal and the like and to input the PIN code etc. written thereon, which requires the user's authentication. It was a lot of trouble.
In addition, as an example of mailed articles that are difficult to be disguised, for example, a method of using a color print as described in Japanese Patent Application No. 2017-014559 (Japanese Patent Application No. 2016-016243) can be considered. It is difficult to associate with the crest.
 こうした問題を回避するために、携帯端末を用いて簡単にWeb上の情報にアクセスする方法としては、例えばQRコード(登録商標、以下同じ)のような二次元コードを用いる方法が考えられる(例えば特許文献1等参照)。
 しかしながらQRコードは基本的に読み取ることができれば誰でもアクセスできてしまうために、途中経路で第3者に見られる等のセキュリティリスクが増大してしまう。 In order to avoid such problems, as a method of easily accessing information on the Web using a portable terminal, for example, a method of using a two-dimensional code such as QR code (registered trademark, hereinafter the same) may be considered (for example, Patent Document 1 etc.).
However, since the QR code can basically be accessed by anyone if it can be read, security risks such as being seen by a third party along the way will increase.
 また、このような郵送方式では、例えば悪意ある第3者によりQRコードを送付されたときには、利用者が不用意にアクセスしてしまう等の問題もあり、利用者と発行者とで相互に認証可能な方法であることが最も望ましい。 In addition, in such a mailing method, for example, when a malicious third party sends a QR code, there is a problem that the user may access carelessly, and the user and the issuer mutually authenticate each other. It is most desirable to be a possible method.
特開2009-124311号公報JP, 2009-124311, A
 本発明は、かかる問題を解決するためのものであり、セキュリティリスクを増大させることなく、簡易に本人認証を行うための相互認証システムの提供を目的とする。 The present invention is intended to solve such a problem, and an object thereof is to provide a mutual authentication system for simply performing personal authentication without increasing security risk.
 上述した課題を解決するため、本発明の相互認証システムは、発行者情報を含んだ二次元コードと、利用者が申請した当該利用者自身の情報を含む申請情報と、前記申請情報と紐づけられて、複数の文字列を組み合わせて構成されるID情報と、を用いて、発行者と利用者とが正当であることを互いに認証するための相互認証システムであって、前記ID情報のそれぞれによって異なる固有の彩紋図形を形成する彩紋形成手段と、各文字列に対応した基本彩紋図形の組み合わせパターンを用いて前記彩紋図形から前記ID情報を復号する彩紋判別手段と、前記彩紋判別手段によって復号された前記ID情報が、前記二次元コードに含まれた前記発行者情報と対応するものであるか否かを判別する認証手段と、を有することを特徴とする。 In order to solve the problems described above, the mutual authentication system of the present invention links the two-dimensional code including the issuer information, the application information including the information of the user who has applied for the user, and the application information. A mutual authentication system for mutually authenticating that an issuer and a user are valid using ID information configured by combining a plurality of character strings, each of the ID information The color print forming means for forming a unique color print figure different depending on the type, the color print judgment means for decoding the ID information from the color print figure using a combination pattern of basic color print figures corresponding to each character string; And authentication means for determining whether or not the ID information decoded by the color design determination means corresponds to the issuer information included in the two-dimensional code.
 本発明によれば、セキュリティリスクを増大させることなく、簡易に本人認証を行うことができる。 According to the present invention, user authentication can be easily performed without increasing security risk.
本発明の実施形態に係る相互認証システムの全体構成の一例を示す図である。It is a figure which shows an example of the whole structure of the mutual authentication system which concerns on embodiment of this invention. 申請情報として記録される情報の一例を示す図である。It is a figure which shows an example of the information recorded as application information. 登録情報として記録される情報の一例を示す図である。It is a figure which shows an example of the information recorded as registration information. 登録情報に含まれる情報の一例を示す図である。It is a figure which shows an example of the information contained in registration information. 図1に示した発行者情報を含むトークンの構成例についての概念図である。It is a conceptual diagram about the structural example of the token containing the issuer information shown in FIG. 図1に示した認証用の図柄を示す図である。It is a figure which shows the symbol for authentication shown in FIG. 図1に示した相互認証システムの認証動作の一例を示すフロー図である。It is a flowchart which shows an example of the authentication operation | movement of the mutual authentication system shown in FIG. 図1に示した相互認証システムのデータのやり取りを示す図である。It is a figure which shows exchange of the data of the mutual authentication system shown in FIG. 本発明の第2の実施形態の構成の一例を示す図である。It is a figure which shows an example of a structure of the 2nd Embodiment of this invention. 本発明の変形例の構成の一例を示す図である。It is a figure which shows an example of a structure of the modification of this invention.
 本発明の第1の実施形態として、相互認証システム100について説明する。
 相互認証システム100は、利用者Pが用いているスマートフォンや携帯電話等の情報通信端末としての携帯端末10と、利用者Pに対してサービスを提供する発行者Qが管理する登録手段としての登録サーバー50と、を含んで構成されるネットワークシステムである。
 相互認証システム100は、利用者Pが登録サーバー50にアクセスすることで入力された利用者Pの個人情報を含む申請情報に基づいて、後述する認証用画像たる認証図柄を発行する彩紋形成手段たる彩紋発行サーバー80を有している。
 相互認証システム100は、後述する認証図柄を用いて利用者Pの認証を行うための認証手段としての認証サーバー60を有している。 A mutual authentication system 100 will be described as a first embodiment of the present invention.
The mutual authentication system 100 is registered as a portable terminal 10 as an information communication terminal such as a smartphone or a portable telephone used by the user P, and as a registration means managed by an issuer Q who provides the service to the user P. It is a network system comprised including server 50.
The mutual authentication system 100 generates a printing pattern forming an authentication pattern as an authentication image based on application information including personal information of the user P input by the user P accessing the registration server 50. It has a drop printout issue server 80.
The mutual authentication system 100 has an authentication server 60 as an authentication means for authenticating the user P using an authentication pattern described later.
 なお、本実施形態においては、発行者Qの提供するクレジットカード発行サービスについて、利用者Pが取得を申請し、利用者Pと発行者Qとが互いに認証する方法について述べるが、かかる構成に限定されるものではない。
 また、本実施形態では特に登録サーバー50と認証サーバー60とを別個に設けたが、一体のサーバー内に登録サーバー50の機能と、認証サーバー60の機能とを持たせるものであっても良い。
 また、本実施形態では説明の簡単化のため、図1に示すように、発行者Qが登録サーバー50と認証サーバー60と彩紋発行サーバー80の全てを管理するような構成としたが、かかる構成に限定されるものではない。例えば発行者Qが外部の登録サーバー50や彩紋発行サーバー80や認証サーバー60を利用する形であっても良い。 In this embodiment, a method is described in which the user P applies for acquisition of the credit card issuing service provided by the issuer Q, and the user P and the issuer Q mutually authenticate each other, but the present invention is limited to such a configuration. It is not something to be done.
Moreover, although the registration server 50 and the authentication server 60 are separately provided in the present embodiment, the integrated server may have the function of the registration server 50 and the function of the authentication server 60.
Further, in the present embodiment, for simplification of the description, as shown in FIG. 1, the issuer Q is configured to manage all of the registration server 50, the authentication server 60, and the color print issue server 80. It is not limited to the configuration. For example, the issuer Q may use the external registration server 50, the color print issuing server 80, or the authentication server 60.
 登録サーバー50は、発行者Qの提供するサービス、ここでは例えばクレジットカードの発行サービスを行うWebサーバーである。
 登録サーバー50は、利用者Pが利用者自身の個人情報すなわち申請情報Rを登録するための情報入力部51と、情報入力部51に入力された利用者Pの申請情報Rと発行者Qの発行者情報とに基づいてJWT(JSON Web Token)等のトークンを発行するトークン発行部52と、を有している。 The registration server 50 is a web server that provides a service provided by the issuer Q, here, for example, a credit card issue service.
The registration server 50 has an information input unit 51 for the user P to register the user's own personal information, that is, the application information R, and the application information R of the user P and the issuer Q inputted to the information input unit 51. And a token issuing unit 52 that issues a token such as JWT (JSON Web Token) based on the issuer information.
 ここで申請情報Rは、図2に示すような利用者Pの住所や電話番号などの個人情報を含んだ情報であり、登録サーバー50は、利用者P自身が入力したかかる情報と、発行者Qの識別番号などの情報に基づいて、図3のように彩紋ID92’や有効期間等を付記した形で、発行者Qの情報を含む登録情報R’として記録する。
 彩紋ID92’は、6桁~8桁の英数字の羅列で構成されたID番号であり、ランダムに発行されるID情報である。なお本実施形態では、特に6~8桁の英数字の羅列により彩紋ID92’を表すこととしたが、かかる構成に限定されるものではなく、任意の桁数や文字列・記号等を用いることが可能である。
 後述する署名の仕組みにより、彩紋ID92’自身は重複しても良く、登録情報R’内には、彩紋ID92’と登録情報R’との組み合わせが登録されている。
 トークン発行部52は、図4、図5に示すように、少なくとも発行者Qを識別するための発行者識別番号や、発行日時、有効期間、有効期間の開始日・終了日、宛先等の発行者情報を含んだトークンであるJWTを発行する。かかるJWTは、URLセーフのトークンであり、彩紋ID92’を用いて署名される。
 なお、「URLセーフ」とは、URLに含めることの出来ない記号等の文字を含まないことを示し、ここではトークンそのものをURLの一部として利用可能である程度の意味で用いている。 Here, the application information R is information including personal information such as the address and telephone number of the user P as shown in FIG. 2, and the registration server 50 receives such information input by the user P itself and the issuer Based on the information such as the identification number of Q, it is recorded as registration information R 'including the information of the issuer Q, with the color print ID 92' and the effective period added as shown in FIG.
The color print ID 92 'is an ID number composed of an array of 6 to 8 alphanumeric characters, and is randomly issued ID information. In the present embodiment, the color print ID 92 'is represented by an array of 6 to 8 alphanumeric characters. However, the present invention is not limited to such a configuration, and an arbitrary number of digits, a character string, a symbol or the like may be used. It is possible.
According to the structure of a signature to be described later, the color print ID 92 'itself may be duplicated, and a combination of the color print ID 92' and the registration information R 'is registered in the registration information R'.
As shown in FIGS. 4 and 5, the token issuing unit 52 issues at least an issuer identification number for identifying the issuer Q, an issue date and time, a valid period, a start date / end date of the valid period, a destination, etc. Issue JWT, which is a token that contains The JWT is a URL safe token, and is signed using the color printing ID 92 '.
Note that "URL safe" indicates that characters such as symbols that can not be included in the URL are not included, and here, the token itself is used in a sense that it can be used as part of the URL.
 JWTについての説明をする前に、鍵付きハッシュとも呼ばれるHMAC(Hash-based Message Authentication Code)という処理について説明する。
 HMACは、SHA-2などの反復暗号ハッシュ関数を鍵と組み合わせて使用することで改ざんや偽装を検知するための仕組みである。
 JWTは、かかるHMACを用いて得られるトークンであり、図5に示すように、ヘッダと、エンティティと、フッタと、に分かれている。
 JWTはエンティティ(またはフッタ)にある値にヘッダのアルゴリズムで処理をかけるとフッタ(またはエンティティ)に一致する。
 すなわちJWTは、登録情報R’から一部の情報、例えば図4に示すような情報を抜き出してエンティティとし、彩紋ID92’を鍵として、ヘッダに含まれるアルゴリズムに基づき処理することで生成されるトークンである。
 なお、このような処理を、本実施形態においては「(JWTを)彩紋ID92’によって署名する」と表記するが、このような処理は、実装上は彩紋ID92’をエンティティとして、図4のエンティティの内容を鍵としても成立する。  Before describing JWT, a process called HMAC (Hash-based Message Authentication Code), which is also called keyed hash, will be described.
HMAC is a mechanism for detecting tampering and impersonation by using an iterative encryption hash function such as SHA-2 in combination with a key.
JWT is a token obtained using such HMAC, and as shown in FIG. 5, it is divided into a header, an entity, and a footer.
The JWT matches the footer (or entity) when processing the value in the entity (or footer) by the header algorithm.
That is, the JWT is generated by extracting some information from the registration information R ′, for example, the information shown in FIG. 4 as an entity, and processing based on an algorithm included in the header with the color printing ID 92 ′ as a key. It is a token.
In the present embodiment, such a process is described as “(JWT) is signed by the fingerprint ID 92 ′”, but such a process uses the fingerprint ID 92 ′ as an entity in FIG. The contents of the entity of are also established as a key.
 なお、JWTには、同じトークンを用いて複数回認証させる、所謂リプレイ行為に対する対策として、ワンタイムキーを盛り込んでおくことが望ましい。すなわち、本実施形態では、トークンに対して読み取り回数を制限する回数制御機能を付加されている。
 かかる構成にすることで、後述する認証サーバー60による認証操作が初回のみ認証されることとなるので、よりセキュリティ強度が向上する。
 本実施形態では、特に図4に示すような情報を用いてトークンのエンティティを作成したが、かかる構成に限定されるものではなく、その他の情報を付加情報として含んでいても良い。 It is desirable that the JWT include a one-time key as a countermeasure against a so-called replay operation in which authentication is performed multiple times using the same token. That is, in this embodiment, the number control function of limiting the number of readings to the token is added.
With this configuration, since the authentication operation by the authentication server 60 described later is authenticated only at the first time, the security strength is further improved.
In the present embodiment, an entity of a token is created using information as shown in FIG. 4 in particular. However, the present invention is not limited to such a configuration, and other information may be included as additional information.
 登録サーバー50は、登録情報R’を彩紋発行サーバー80へと送信する。
 なお、本実施形態では、認証およびトークン発行を行う登録サーバー50と、彩紋発行サーバー80とは別個のサーバーがネットワークを介して接続されている態様として記載するが、かかる構成に限定されるものではない。
 例えば、同一端末上で認証、トークン発行、彩紋発行、の全ての機能を備える構成としても良い。 The registration server 50 transmits the registration information R ′ to the color print issuance server 80.
In the present embodiment, although the registration server 50 for performing authentication and token issuance and the separate server from the color print issue server 80 are described as being connected via a network, the configuration is limited to such a configuration. is not.
For example, it may be configured to have all functions of authentication, token issuance, and color printing on the same terminal.
 彩紋発行サーバー80は、登録情報R’に基づいて得られたJWTをハッシュ化してQRコード等の二次元コードの形式で埋め込むとともに、彩紋ID92’の数字の羅列を基本彩紋図形の組み合わせパターンを用いて彩紋図形へと変換する。
 言い換えると彩紋発行サーバー80は、彩紋ID92’に基づいて彩紋図形を形成する彩紋形成手段81と、登録情報R’に基づいて第1の二次元コードとしてQRコード91を発行する二次元コード生成手段82とを有している。
 なお、本実施形態では、読み取りの可用性を高めるために二次元コードとしてQRコードを用いているが、かかる構成に限定されるものではなく、その他の二次元コードを用いたとしても良い。またバーコードなどであっても良い。 The color print issuing server 80 hashes the JWT obtained based on the registration information R ′ and embeds it in the form of a two-dimensional code such as a QR code, and combines a list of numbers of color print ID 92 ′ with basic color print figures Convert to a color pattern using a pattern.
In other words, the color print issuing server 80 issues a color print forming unit 81 that forms a color print pattern based on the color print ID 92 ′ and a QR code 91 as a first two-dimensional code based on the registration information R ′. And a dimensional code generation means 82.
In the present embodiment, the QR code is used as a two-dimensional code to increase the availability of reading, but the present invention is not limited to this configuration, and other two-dimensional codes may be used. Moreover, a barcode etc. may be sufficient.
 二次元コード生成手段82は、登録情報R’のうち、特にJWTをハッシュ化したアクセスコードであるhashコードを図6に示すようにQRコード91として形成する。
 QRコード91には、認証サーバー60のURLが記載されており、例えばhttp://************/hashコード/等のURLへ携帯端末を接続させるようになっている。
The two-dimensional code generation means 82 forms a hash code, which is an access code obtained by hashing the JWT in particular among the registration information R ′, as a QR code 91 as shown in FIG.
The URL of the authentication server 60 is described in the QR code 91. For example, the portable terminal is connected to the URL such as http: // ********** / hash code / etc. ing.
 彩紋形成手段81は、彩紋ID92’に基づいて、数字の羅列のパターンから図6に示すような特有の波状線・弧線または円形などを組み合わせた精密な幾何学的模様に変換する。
 このときの模様を「彩紋」と呼称し、彩紋図形92として図示する。
 かかる彩紋図形は、彩紋ID92’のそれぞれに基づいてすべて異なるように構成された固有の図柄であり、従って彩紋形成手段81は、ID情報のそれぞれによって異なる固有の彩紋図形を形成する。
 彩紋は、本実施形態では、6桁~8桁の英数字によって定められる基本図形の集合であり、利用者Pや第3者が彩紋図形92を見たときに、容易に番号を類推することができないように図案化されている。
 かかる構成により、彩紋図形92を第3者が盗み見たとしても、偽造や複製が困難である。 Based on the color printing ID 92 ', the color printing pattern forming means 81 converts the pattern of serial numbers into a precise geometric pattern combining unique wavy lines, arcs or circles as shown in FIG.
The pattern at this time is referred to as a "color print" and illustrated as a color print figure 92.
Such a color pattern is a unique pattern configured to be all different based on each of the color ID 92 ', so the color forming means 81 forms a unique color pattern that is different for each of the ID information. .
The color print is a set of basic figures defined by 6 to 8 alphanumeric characters in the present embodiment, and it is easy to guess the numbers when the user P or a third party sees the color print 92. It is stylized so that it can not be done.
With this configuration, even if the third person steals the color pattern 92, it is difficult to forge or copy.
 なお、かかる彩紋図形92の生成手段や印刷方法については、例えば0~9の十種類の特定形状の基本彩紋図形のパターンを、桁数による特定の位置に、特定の大きさで重ね合わせて形成する等の方法が考えられる。
 また、既に挙げた特願2016-016243に示すような印刷方法によって印刷されるものであっても良い。 In addition, regarding the generation means and the printing method of the color design graphic 92, for example, the patterns of ten types of basic color design graphic of 0 to 9 specific shapes are superimposed in a specific size at a specific position by the number of digits. Methods are conceivable.
In addition, printing may be performed by the printing method as shown in Japanese Patent Application No. 2016-016243 already mentioned.
 彩紋発行サーバー80は、かかるQRコード91と、QRコード91の周囲を囲繞するように形成された彩紋図形92とを、一体の図案である認証用画像として機能する認証図柄93としてシート90の紙面に印刷する。 The color print issuing server 80 uses the QR code 91 and the color print 92 formed so as to surround the QR code 91 as a sheet 90 as an authentication pattern 93 that functions as an authentication image that is an integrated design. Print on a sheet of paper.
 シート90には、例えば認証図柄93の他、利用者Pの送付先住所、氏名、かかる認証図柄93の有効期限や、認証方法の案内などを記載しても良い。
 また、例えば利用者P本人が申請情報Rの申し込み時に入力したPINコードのようなパスコードを本人確認用に記載しても良い。
 すなわち、シート90は本実施形態では、相互認証システム100に用いられる認証用記録媒体として機能する。 In addition to the authentication symbol 93, for example, the delivery address of the user P, the name, the expiration date of the authentication symbol 93, the guidance of the authentication method, etc. may be described on the sheet 90.
Further, for example, a pass code such as a PIN code input by the user P at the time of applying for the application information R may be written for identification.
That is, the sheet 90 functions as a recording medium for authentication used in the mutual authentication system 100 in the present embodiment.
 発行者Qは、かかる彩紋発行サーバー80の出力した郵送物たるシート90を、利用者Pへと郵送により送付する。
 このように、シート90を申請情報Rで指定した場所に送付することで、カードの審査項目に必要な、申請した利用者P本人が、登録した住所・氏名の人物であることの確認を行うことができる。
 なお、ここでは郵送としたが、その他の方法であっても良い。また、本実施形態においては、クレジットカードの申請処理であるために、郵送として、印刷物であるシート90を利用者Pに届ける方法としているが、本人確認をもっと緩くしても良い場合には、例えば認証図柄93を電子メール等で送付する形式であっても良い。 The issuer Q sends the mailed sheet 90 outputted by the color print issuing server 80 to the user P by mail.
As described above, by sending the sheet 90 to the place designated by the application information R, it is confirmed that the applicant user P who is required for the examination item of the card is the person of the registered address and name. be able to.
In addition, although it was set as mail here, another method may be used. Further, in the present embodiment, the sheet 90 which is a printed matter is delivered to the user P as mail because it is a credit card application process, but in the case where personal identification may be looser, For example, the authentication symbol 93 may be sent by e-mail or the like.
 認証サーバー60は、認証図柄93の画像から彩紋図形92を識別するための彩紋判別手段61と、彩紋判別手段61が識別した彩紋図形92が正当なものであるかどうかを判別する彩紋認証手段62と、を有している。
 認証サーバー60は、トークン発行部52が発行したトークンが記録されているトークンデータベース63と、トークンデータベース63とQRコード91とを用いてQRコード91の正当性を認証するQRコード認証手段64と、を有している。 The authentication server 60 determines whether or not the color design determination means 61 for identifying the color design figure 92 from the image of the authentication pattern 93 and the color design figure 92 identified by the color design determination means 61 are valid. And a color print authentication means 62.
The authentication server 60 includes a token database 63 in which tokens issued by the token issuing unit 52 are recorded, and a QR code authentication unit 64 that authenticates the validity of the QR code 91 using the token database 63 and the QR code 91; have.
 彩紋判別手段61は、QRコード91と彩紋図形92とが同一の画像に収まった画像データから、彩紋図形92とQRコード91とを分解して識別する画像認識手段である。
 例えば、図6に示したような認証図柄であれば、QRコード91の4隅に配置された識別子を用いて、QRコード91を読み取り、かかる画像データのうち、QRコード91以外の部分を用いて彩紋図形92を識別する。 The color design determination unit 61 is an image recognition unit that decomposes and identifies the color pattern 92 and the QR code 91 from the image data in which the QR code 91 and the color pattern 92 are included in the same image.
For example, in the case of an authentication pattern as shown in FIG. 6, the QR code 91 is read using the identifiers arranged at the four corners of the QR code 91, and a portion other than the QR code 91 is used among the image data. And identify the color pattern 92.
 さて、かかる郵送されたシート90を用いて相互に認証する仕組みについて図7、図8を用いて説明する。 Now, a mechanism for mutual authentication using the mailed sheet 90 will be described with reference to FIGS. 7 and 8. FIG.
 図7に示すように、シート90が利用者Pの手元に届けられた時点で、金融機関の認証に必要な条件である、「住所」と「利用者P」が正当であることが確認される。
 利用者Pは、まずシート90を手持ちの携帯端末101にインストールされたアプリ102を用いて撮影する。
 このとき、利用者Pは、認証図柄93のうち少なくとも一部が同一の画像に収まるように撮影し、画像データ94を取得する(ステップS101)。なお、「少なくとも一部」とは認証図柄93の認証が通る範囲で適宜設計されて良いが、QRコード91の四隅に配置された識別子が全て入ること、彩紋図形92の1/4以上を含むこと、の2点を満たしていることが望ましい。
 彩紋図形92は、周期性を持つため、全体の1/4以上があれば彩紋ID92’を判別可能である。 As shown in FIG. 7, when the sheet 90 is delivered to the user P, it is confirmed that the “address” and the “user P”, which are the conditions necessary for the authentication of the financial institution, are valid. Ru.
The user P first captures the sheet 90 using the application 102 installed on the portable terminal 101 in hand.
At this time, the user P captures an image such that at least a part of the authentication symbol 93 fits in the same image, and acquires the image data 94 (step S101). In addition, although "at least one part" may be suitably designed in the range which the certification | authentication of the authentication pattern 93 passes, that all the identifiers arrange | positioned at the four corners of QR Code 91 enter, 1/4 or more of the color pattern 92 It is desirable to satisfy two points of including.
Since the color pattern 92 has periodicity, it is possible to determine the color ID 92 'if there is 1/4 or more of the whole.
 また、ステップS101において、例えばアプリ102がその機能として、郵送されてきた紙自体が、間違いなく発行者Qのものであるかどうかを識別するとしても良い。
 具体的には、例えばシート90自体に微小な彩紋や、識別用の図形等を印刷し、かかる識別用の彩紋を認識したことを条件として、認証図柄93の認識を行うこととしても良い。
 かかる構成によれば、例えば第3者が発行者Qに成りすましてシート90の類似品を送付したときにも、利用者Pに不要なアクセスをさせることがないという利点がある。 Also, in step S101, for example, the application 102 may, as its function, identify whether the mailed paper itself is definitely that of the issuer Q or not.
Specifically, for example, a minute color print, a graphic for identification, or the like may be printed on the sheet 90 itself, and the recognition pattern 93 may be recognized on condition that the color print for identification is recognized. .
According to this configuration, for example, even when the third party spoofs the issuer Q and sends a similar product of the sheet 90, there is an advantage that the user P is not made to access unnecessarily.
 アプリ102は、画像データ94を撮影すると、QRコード91を読み取る(ステップS102)。
 既に述べたように、QRコード91にはアクセス先として認証サーバー60のURLが指示されているから、アプリ102は、かかる指示に従って該当するURL(認証サーバー60)に接続する。
 このとき、接続先のURIは、JWTがハッシュ化されたhashコードを含んでいるから、利用者Pに固有の接続先である。
 アプリ102は、次いで画像データ94を認証サーバー60に送信する(ステップS103)。
 認証サーバー60は、画像データ94について、彩紋判別手段61を用いて彩紋図形92とQRコード91とに分解して識別する(ステップS104)。 When the application 102 captures the image data 94, it reads the QR code 91 (step S102).
As described above, since the URL of the authentication server 60 is designated as the access destination in the QR code 91, the application 102 connects to the corresponding URL (authentication server 60) according to the instruction.
At this time, the URI of the connection destination is a connection destination unique to the user P because the JWT includes the hash code hashed.
The application 102 then transmits the image data 94 to the authentication server 60 (step S103).
The authentication server 60 decomposes and identifies the image data 94 into the color pattern 92 and the QR code 91 using the color pattern determination unit 61 (step S104).
 彩紋認証手段62は、彩紋形成手段81が形成したのと逆の操作により、彩紋図形92の周期性と形状の組み合わせに基づいて、6~8桁の彩紋ID92’を復号する。言い換えれば分解された彩紋図形92は、彩紋認証手段62によって、彩紋図形92から彩紋ID92’へと逆変換される(ステップS105)。 The color print authentication means 62 decodes the 6 to 8 digit color print ID 92 ′ based on the combination of the periodicity and the shape of the color print 92 by an operation reverse to that performed by the color print forming means 81. In other words, the color design graphic 92 which has been decomposed is inversely converted from the color design graphic 92 to the color print ID 92 'by the color print authentication means 62 (step S105).
 ステップS104において分割されたQRコード91については、彩紋認証手段62による認証と並行してQRコード認証手段64によって、QRコード91自体の認証が進められる。
 QRコード認証手段64は、QRコード91の読み取りを行い、得られたhashコードと、トークンデータベース63に記録された対応するJWTを、彩紋ID92’を鍵として用いて署名したものと比較する(ステップS110)。
 かかる比較によって、画像データ94すなわち利用者Pに届いたシート90に記載された彩紋図形92と、QRコード91との組み合わせが、登録サーバー50において記録された登録情報R’と対応する組み合わせであるか否かを、登録情報R’を参照することなく判別できる。 For the QR code 91 divided in step S104, in parallel with the authentication by the color print authentication unit 62, the authentication of the QR code 91 itself is advanced by the QR code authentication unit 64.
The QR code authentication means 64 reads the QR code 91, and compares the obtained hash code with the corresponding JWT recorded in the token database 63 with a signature signed using the fingerprint ID 92 'as a key ( Step S110).
As a result of this comparison, the combination of the image pattern 94, that is, the combination of the color design graphic 92 written on the sheet 90 delivered to the user P and the QR code 91 corresponds to the registration information R ′ recorded in the registration server 50. It can be determined without referring to the registration information R '.
 この点について具体的に説明する。
 登録サーバー50に登録された登録情報R’は、様々な個人情報を含んでいるが、かかる登録情報R’をそのまま登録サーバー50と認証サーバー60との間で送受信することは、途中経路での読み取りなど不要なセキュリティリスクを生じる。
 そこで、本実施形態では、登録情報R’に基づいてJWTを生成するとともに、彩紋ID92’を鍵として、HMACでJWTを署名した結果をさらにハッシュ化してhashコードとしている。
 かかるhashコードは、QRコード91の接続先であり、QRコード91から復元可能である。
 ここで、アプリ102が、前記のhashコードにアクセスした時点でJWT本体をダウンロードする処理とすれば、QRコードから読み取ったURIに含まれるhashコードと、URIからダウンロードしたJWT本体のハッシュとを比較・確認することで、利用者P側においても、認証サーバー60にあるJWT本体が改ざんされていないことが確認できる。
 なお、かかる比較はやらなくても良い。その場合にはアプリ102は後述する認証の可否のみを受け取ればよく、JWT本体をダウンロードする必要がなくなるから、JWTの送受信が不要になってJWTのエンティティを不正取得されないというメリットがある。 This point is specifically described.
Although the registration information R ′ registered in the registration server 50 includes various personal information, it is possible to transmit and receive the registration information R ′ as it is between the registration server 50 and the authentication server 60 on the way route. Create unnecessary security risks such as reading.
Therefore, in the present embodiment, the JWT is generated based on the registration information R ′, and the result obtained by signing the JWT with the HMAC is further hashed into a hash code using the color print ID 92 ′ as a key.
The hash code is a connection destination of the QR code 91, and can be restored from the QR code 91.
Here, if the application 102 performs processing to download the JWT main body when accessing the above hash code, the hash code included in the URI read from the QR code is compared with the hash of the JWT main body downloaded from the URI -By confirming, it is possible to confirm that the JWT main body in the authentication server 60 is not falsified also on the user P side.
Such comparison may not be made. In such a case, the application 102 only needs to receive authentication as described later, and there is no need to download the JWT main body, so there is an advantage that transmission and reception of the JWT becomes unnecessary and the entity of the JWT is not acquired illegally.
 さて、彩紋ID92’を鍵として、HMACを用いてJWTを署名すると、JWTから得られたハッシュ値であるhashコードからは、元の情報を復元することができない。
 なおこのときJWTは、利用者P自身が登録サーバー50に送信した登録情報R’を含むトークンである。 Now, when the JWT is signed using the HMAC with the color print ID 92 'as a key, the original information can not be restored from the hash code which is a hash value obtained from the JWT.
At this time, JWT is a token including the registration information R ′ transmitted by the user P to the registration server 50.
 登録情報R’に基づいて生成されたエンティティを同様の手順によって彩紋ID92’によって署名すると、同一のトークンを得ることができるため、ハッシュ値が同一であることにより、HMACの際に署名に用いられた彩紋ID92’と、トークンとの組み合わせが正当であることを認証できる。 If an entity generated based on the registration information R 'is signed by the fingerprint ID 92' by the same procedure, the same token can be obtained. Therefore, since the hash value is identical, it is used for the signature in the HMAC. It is possible to certify that the combination of the printed color print ID 92 'and the token is valid.
 従って、認証サーバー60は、JWTを登録サーバー50から受け取り、トークンデータベース63に記録している。
 トークンデータベース63には、JWTが記録されているから、トークン認証手段62がステップS110の操作を行うことで、利用者Pの持つシート90と、登録情報R’から得られたJWTとが正当なものであることを認証できる。 Therefore, the authentication server 60 receives the JWT from the registration server 50 and records it in the token database 63.
Since the JWT is recorded in the token database 63, the sheet 90 possessed by the user P and the JWT obtained from the registration information R 'are valid when the token authentication means 62 performs the operation of step S110. It can authenticate that it is a thing.
 認証サーバー60は、彩紋認証手段62の彩紋認証ステップであるステップS106と、QRコード認証手段64のQRコード認証ステップであるステップS110とが何れも正当であると承認されたかどうかを判別する(ステップS120)。
 ステップS120において、何れも正当であると認証されたことを条件として、認証サーバー60は、認証された旨の結果を携帯端末に返すとともに、指示コード65を携帯端末に送信する(ステップS201)。
 なお、ステップS120において、正当なものではないと判断された場合には、認証不可の旨を携帯端末に返す(ステップS121)。 The authentication server 60 determines whether or not both step S106, which is the color printing authentication step of the color printing authentication means 62, and step S110, which is the QR code authentication step of the QR code authentication means 64, are approved. (Step S120).
In step S120, on the condition that all are authenticated as valid, the authentication server 60 returns the result of having been authenticated to the portable terminal and transmits the instruction code 65 to the portable terminal (step S201).
If it is determined in step S120 that the content is not valid, the fact that authentication is not possible is returned to the portable terminal (step S121).
 指示コード65は、本実施形態では、発行者Qが管理する登録サーバー50あるいは特定の電話番号に対して電話をかけるように指示するためのコードである。
 ステップS201において、アプリ102が指示コード65を受信すると、アプリ102から特定の電話番号に電話をかけ、電話口において登録時に利用者Pが入力したPINコードの入力を求められる(ステップS202)。
 ステップS202において、金融機関の登録条件において必要とされる、利用者Pの電話番号が利用者P本人のものであるかどうかの確認を行うことができる。
 かかる構成により、利用者Pの電話番号の確認が必要な場合には、かかる処理を入れることで、同時に利用者P本人の電話番号からかけられたかどうかの確認を行うことができる。 In the present embodiment, the instruction code 65 is a code for instructing to make a call to the registration server 50 managed by the issuer Q or a specific telephone number.
In step S201, when the application 102 receives the instruction code 65, the application 102 calls a specific telephone number and the user P is required to input the PIN code input by the user P at the time of registration (step S202).
In step S202, it can be confirmed whether the telephone number of the user P, which is required in the registration conditions of the financial institution, is the user P's own personal number.
With this configuration, when it is necessary to confirm the telephone number of the user P, it is possible to simultaneously confirm whether or not the telephone number of the user P has been called by carrying out such processing.
 なお、ステップS201以降のステップについては、金融機関の登録条件として電話番号が要求されるために、相互認証システムで行うものとしたが、かかる登録条件は、それぞれの分野に合わせて適宜変更して良い。
 なお、ここではPINコードを登録時に利用者P本人が入力したものとしたため、シート90にはかかるPINコードを記載する必要がなくなり、さらにセキュリティに配慮した状態で金融機関の登録が可能となる。 In addition, since the telephone number is required as the registration condition of the financial institution in step S201 and subsequent steps, it is performed by the mutual authentication system, but the registration condition is appropriately changed according to each field. good.
Here, since it is assumed that the PIN code is entered by the user P at the time of registration, it is not necessary to enter the PIN code on the sheet 90, and it is possible to register the financial institution in consideration of security.
 また、かかるシート90を戸籍に登録された有権者の住所に配布すれば、認証が成立したことを条件として電子投票に用いる投票券とすることもできる。かかる構成によれば、JWTのワンタイムキーによって電子投票による複数投票を容易に検知できるとともに、通常の投票券への引き換えには従来通り引換所にて確認を行えばいいので、利用者Pの手間が軽減される。 In addition, if the sheet 90 is distributed to the address of a voter registered in a family register, it can be a voting ticket used for electronic voting on condition that the certification is established. According to this configuration, it is possible to easily detect a plurality of votes by electronic voting using the JWT one-time key, and for the exchange for a regular voting ticket, confirmation may be made at the exchange station as before. The effort is reduced.
 本実施形態では、彩紋ID92’のそれぞれによって異なる固有の彩紋図形を形成する彩紋形成手段82と、各文字列に対応した基本彩紋図形の組み合わせパターンを用いて彩紋図形92から彩紋ID92’を復号する彩紋判別手段61と、彩紋判別手段61によって復号された彩紋ID92’が、QRコードに含まれた発行者情報と対応するものであるか否かを判別する認証手段60と、を有している。
 かかる構成により、セキュリティリスクを増大させることなく、簡易に本人認証を行うことができる。
 また、利用者Pは、認証図柄93を撮影した画像データ94を送付するだけで良いため、認証時における操作の煩雑さを軽減することができる。 In the present embodiment, the color pattern figure 92 is colored using the color pattern forming means 82 that forms unique color pattern figures different depending on the color pattern ID 92 'and the combination pattern of the basic color pattern figures corresponding to each character string. Authentication to determine whether or not the color design determination unit 61 that decodes the pattern ID 92 ′ and the color formation ID 92 ′ that is decoded by the color design determination unit 61 correspond to the issuer information included in the QR code And a means 60.
With this configuration, user authentication can be easily performed without increasing security risk.
In addition, since the user P only needs to send the image data 94 obtained by photographing the authentication symbol 93, the complexity of the operation at the time of authentication can be reduced.
 本実施形態では、二次元コードとしてQRコードを用いる。かかる構成により、読み取りの速度が向上して利便性を向上させつつも、読み取りを行うだけでは認証が行われないため、第3者がシート90を盗み見たとしても、セキュリティ上問題にならず、セキュリティリスクを低減する。 In the present embodiment, a QR code is used as a two-dimensional code. With this configuration, the speed of reading is improved to improve convenience, but authentication is not performed only by reading. Therefore, even if a third party steals the sheet 90, there is no security problem. Reduce security risk.
 また本実施形態では、QRコード91は、発行者情報を含んだトークンに基づいて形成される。
 かかる構成により、発行者Qの情報を含めて改ざんを行うとトークンによる認証が通らなくなるので、セキュリティが強化される。 Further, in the present embodiment, the QR code 91 is formed based on a token including issuer information.
With this configuration, if tampering is performed including the information of the issuer Q, the authentication by the token is not passed, thereby enhancing security.
 また、本実施形態では、JWTには読み取り回数を制限する回数制御機能を付加している。
 かかる構成により、例えば既に使われたシート90が、再度用いられて認証サーバー60の認証を通そうとしたときにも、複数回登録による警告画面を表示するなどの対策が可能となる。 Further, in the present embodiment, the JWT has a frequency control function for limiting the number of times of reading.
With this configuration, it is possible to take measures such as displaying a warning screen by multiple registration even when, for example, the already-used sheet 90 tries to pass through the authentication of the authentication server 60 again.
 また、本実施形態では、認証サーバー60は、彩紋ID92’を鍵として、QRコード91に記載された発行者Qの情報を含むJWTを署名したものであることを認証する。
 かかる構成により、発行者Qの情報が改ざんされている場合にも認証が通らなくなるため、偽装に対してセキュリティが強化される。 Further, in the present embodiment, the authentication server 60 authenticates that the JWT including the information of the issuer Q described in the QR code 91 is signed with the color print ID 92 ′ as a key.
With this configuration, the authentication does not pass even when the information of the issuer Q is falsified, so the security against impersonation is enhanced.
 また本実施形態の相互認証システムは、QRコード91と、彩紋図形92とが一体に形成された認証図柄93と、認証図柄93が印刷されたシート90と、を用いて認証するものである。
 認証サーバー60は、認証図柄93を撮影することでシート90が正当なものであることを確認する。
 かかる構成により、利用者Pは認証図柄93の撮影のみで利用者P宛に届いた郵便物が真正なものであるとの認証を行うことができて、セキュリティ向上と利便性の向上とを両立できる。 Moreover, the mutual authentication system of this embodiment authenticates using the authentication pattern 93 in which the QR code 91 and the color design figure 92 were integrally formed, and the sheet | seat 90 on which the authentication pattern 93 was printed. .
The authentication server 60 confirms that the seat 90 is valid by photographing the authentication symbol 93.
With this configuration, the user P can authenticate that the mail delivered to the user P is genuine only by photographing the authentication symbol 93, thereby achieving both security improvement and convenience improvement. it can.
 また本実施形態では、認証図柄93は、QRコード91と、彩紋図形92とが一体に形成され、彩紋図形92は、QRコード91の周囲を囲繞するように形成される。
 かかる構成により、撮影時に同一の画像内にQRコード91と彩紋図形92とを認識できない場合には認証が失敗するので、全く同一の複製物でない限り認証が通らないので成りすまし等のセキュリティリスクを低減することができる。 Further, in the present embodiment, the authentication symbol 93 is formed integrally with the QR code 91 and the color design figure 92, and the color design figure 92 is formed to surround the QR code 91.
With this configuration, if the QR code 91 and the color pattern 92 can not be recognized in the same image at the time of shooting, the authentication fails, so the authentication does not pass unless it is an identical copy, so security risks such as spoofing etc. It can be reduced.
 本発明の第2の実施形態として、認証サーバー60を用いない形態についても説明する。
 本実施形態では、相互認証システム200は、図9に示すように、データオブジェクトのハッシュを用いてアドレスを決定する、IPFS(InterPlanetary File System)という分散ファイル管理システムを用いた相互認証システムである。 As a second embodiment of the present invention, a mode in which the authentication server 60 is not used will also be described.
In the present embodiment, as shown in FIG. 9, the mutual authentication system 200 is a mutual authentication system using a distributed file management system called InterPlanetary File System (IPFS) that determines an address using a hash of a data object.
 相互認証システム200は、第1の実施形態と同様の構成を有するが認証方式だけが異なっている。
 IPFS方式の分散ファイル管理システムにおいては、利用者Pが登録サーバー50に申請情報Rを記録すると、登録サーバー50が申請情報Rに発行者Qの情報を付加して、登録情報R’を生成する。
 また、トークン発行部52は、かかる登録情報R’に基づいて、第1の実施形態と同様に発行者Qの情報を含んだ形で、彩紋ID92’で署名されたJWTを発行する。
 かかるJWTが生成されると同時に、JWTをハッシュ化したハッシュ値がアドレスとなるから、彩紋ID92’を含んだ登録情報R’を生成することで、彩紋ID92’もしくはQRコード91が分からない限り、当該アドレスにはたどり着けないことになる。 The mutual authentication system 200 has the same configuration as that of the first embodiment but differs only in the authentication method.
In the IPFS distributed file management system, when the user P records the application information R in the registration server 50, the registration server 50 adds the information of the issuer Q to the application information R to generate registration information R '. .
Further, the token issuing unit 52 issues the JWT signed with the color print ID 92 'in the form including the information of the issuer Q similarly to the first embodiment based on the registration information R'.
Since such a JWT is generated at the same time as the hash value obtained by hashing the JWT becomes an address, the generation of the registration information R ′ including the color print ID 92 ′ makes it impossible to know the color print ID 92 ′ or the QR code 91 As long as the address is not reached.
 利用者Pがアプリ102を用いて彩紋図形92とQRコード91とを撮影すると、まずQRコード91が読み込まれて、第1の実施形態と同様にJWTがハッシュ化されたhashコードが生成される。
 かかるhashコードは、トークン発行部52が発行したJWTの本体のアドレスそのものであるから、アプリ102は、かかるJWTのアドレスへ接続してJWT本体をダウンロードすることができる。 When the user P shoots the color pattern 92 and the QR code 91 using the application 102, the QR code 91 is first read, and a hash code having a hashed JWT is generated as in the first embodiment. Ru.
Since the hash code is the address of the main body of the JWT issued by the token issuing unit 52, the application 102 can connect to the address of the JWT to download the JWT main body.
 相互認証システム200は、画像データ94から彩紋ID92’を復号するとともに、QRコード91の指定するアドレスに置いてあるJWT本体を当該彩紋ID92’で署名したものと、当該アドレスとが一致するかどうかを判断する。
 一致する場合には、携帯端末にかかるアドレスにおいてあるJWT本体を送信し、一致しない場合には認証が為されなかった旨をアプリ102に表示する。
 係る判断は、第1の実施形態におけるステップS120と同様の行為であり、相互認証システム200自体が認証手段としての機能を有することとなる。
 このような方法により、JWTが生成されると同時に外部からは類推不可能なアドレスに登録情報R’が格納され、当該アドレスにアクセス可能なのは、シート90を所持する利用者Pのみであるため、利用者Pが正当なユーザーであることを認証できる。 The mutual authentication system 200 decodes the color print ID 92 ′ from the image data 94, and the one obtained by signing the JWT main body placed at the address specified by the QR code 91 with the color print ID 92 ′ matches the address. Determine if it is.
When they match, the JWT main body at the address concerned is transmitted to the portable terminal, and when it does not match, it is displayed on the application 102 that the authentication has not been performed.
Such determination is an action similar to step S120 in the first embodiment, and the mutual authentication system 200 itself has a function as an authentication unit.
By such a method, the registration information R ′ is stored at an address that can not be analogized from the outside simultaneously with the generation of the JWT, and only the user P possessing the sheet 90 can access the address, It can be authenticated that the user P is a valid user.
 なお、本実施形態では、かかる認証手段を、IPFSのファイルシステム自体が行っているが、ハッシュによってアドレスが決定され、彩紋IDに相当するID情報によって署名される仕組みでさえあればよい。具体的には例えばブロックチェーン等の分散台帳システムであっても、同様の認証システムが成立する(、ブロックチェーンのIPFS実装については、非特許文献1を参照)。 In this embodiment, such an authentication means is performed by the IPFS file system itself, but it is sufficient if the address is determined by the hash and the signature is made by the ID information corresponding to the color print ID. Specifically, even in the case of a distributed ledger system such as a block chain, for example, a similar authentication system is established (see Non-Patent Document 1 for the IPFS implementation of the block chain).
 また、本発明の変形例として、彩紋図形92とQRコード91とを用いたポイント付与システムについても説明する。なお、以降の説明において、第1の実施形態と重複する部分については、同一の符号を付して説明を省略する。 In addition, as a modified example of the present invention, a point giving system using the color design graphic 92 and the QR code 91 will be described. In the following description, the same parts as those in the first embodiment will be assigned the same reference numerals and descriptions thereof will be omitted.
 ポイント付与システム300は、第1の実施形態と同様に、QRコード91と、彩紋図形92とが一体に印刷されたシート90を用いる認証システムである。
 ポイント付与システム300は、登録情報R’を用いてJWT等のトークンを発行するトークン発行部52と、彩紋発行サーバー80と、認証サーバー60と、を有している。 The point provision system 300 is an authentication system using a sheet 90 on which a QR code 91 and a color design graphic 92 are integrally printed, as in the first embodiment.
The point grant system 300 includes a token issuing unit 52 that issues a token such as JWT using the registration information R ′, a color print issue server 80, and an authentication server 60.
 なお、本変形例においては、登録情報R’は例えば、売れた店舗や品物、値段等の情報により作成された商品情報であり、彩紋ID92’を含んでいる。 In the present modification, the registration information R 'is, for example, product information created based on information such as a sold store or item, a price, etc., and includes a color print ID 92'.
 彩紋発行サーバー80は、彩紋ID92’のそれぞれによって異なる固有の彩紋図形を形成する彩紋形成手段81と、登録情報R’に基づいて第1の二次元コードを発行する二次元コード生成手段82とを有している。 The color print issuing server 80 generates a color print forming means 81 that forms a unique color print figure different for each color print ID 92 ', and generates a two-dimensional code that issues a first two-dimensional code based on the registration information R'. And means 82.
 ポイント付与システム300は、利用者Pが店舗あるいはネットショップ等で買い物をしたときに、利用者Pに送付されるレシート等の納品書としてのシート90を送付する。 The point grant system 300 sends a sheet 90 as a delivery note such as a receipt sent to the user P when the user P purchases at a store or a net shop.
 このようなポイント付与システムにおいては、従来、例えば商品にポイントコードが記載された印刷物を同封して、利用者Pにかかるポイントコードを入力させるものが知られている。
 また、店頭販売においては、利用者Pが予め所持していたポイントカードを提示するものも知られている。
 一方で、こういったポイントコードでは、入力の手間がかかることや、ポイントカードを所持していなければならず利用者Pの利便性が低いといった欠点がある。
 また、このとき本人認証を行わないとすれば、偽造や成りすましによるポイントの不正取得に対して何も対処できないため、現実的ではない。
 また他方、本人認証を厳密に行おうとすると、利用者Pは、認証の為だけに本来しなくても良いはずの個人情報の入力を要求されることとなり、セキュリティリスクが却って高まってしまうという問題もあった。 Among such point grant systems, it is known that, for example, a printed matter in which a point code is described is enclosed in a product and the user P is caused to input the point code.
In addition, in the over-the-counter sales, there is also known one that presents a point card held by the user P in advance.
On the other hand, such a point code has the disadvantage that it takes time and effort to input and that the convenience of the user P is low because the point card must be possessed.
Also, if identity authentication is not performed at this time, it is not realistic because it can not cope with unauthorized acquisition of points by forgery or impersonation.
On the other hand, if the identity authentication is to be strictly carried out, the user P is required to input personal information which should not necessarily be necessary only for authentication, and the security risk is rather increased. There was also.
 そこで、本実施形態のポイント付与システム300では、納品書にQRコード91と、彩紋図形92とが一体に印刷されたシート90を用いることで、アプリ102を用いた撮影のみで認証が完了するような相互認証システムの提供を目的とする。 Therefore, in the point giving system 300 according to the present embodiment, authentication is completed only by photographing using the application 102 by using the sheet 90 on which the QR code 91 and the color design graphic 92 are integrally printed in the delivery note. Aims to provide such a mutual authentication system.
 シート90を利用者Pがアプリ102を用いて撮影すると、アプリ102はQRコード91を読み取って、認証サーバー60へ撮影された画像データ94を送信する。
 認証サーバー60は、QRコード91と彩紋ID92’とが正当な組み合わせであるかどうかを、第1の実施形態のステップS101~S120に従って認証する。
 かかる構成によれば、ネットショッピングで予めポイントカードなどの情報を入力させることなく、商品を受け取った本人だけにポイントを付与することができるから、利便性が向上する。 When the user P captures the sheet 90 using the application 102, the application 102 reads the QR code 91 and transmits the captured image data 94 to the authentication server 60.
The authentication server 60 authenticates in accordance with steps S101 to S120 of the first embodiment whether or not the QR code 91 and the color print ID 92 ′ are a valid combination.
According to such a configuration, it is possible to give points only to the person who has received the product without inputting information such as a point card in advance through the Internet shopping, so the convenience is improved.
 また、QRコード91にJWTを用いているから、発行者Qの偽装や、有効期限の改ざんも難しく、セキュリティリスクを低減することができる。
 また、携帯端末にインストールされたアプリ102を用いているので、付与されたポイントをアプリ102と紐づけて管理すればよいため、個人情報の入力が不要となり、利用者Pの利便性を向上させつつも、不要な個人情報の入力というセキュリティリスクを低減することができる。 Further, since the JWT is used for the QR code 91, it is difficult to disguise the issuer Q and falsify the expiration date, and the security risk can be reduced.
In addition, since the application 102 installed in the portable terminal is used, it is sufficient to link and manage the granted points with the application 102, so that the input of personal information becomes unnecessary, and the convenience of the user P is improved. At the same time, it is possible to reduce the security risk of entering unnecessary personal information.
 以上本発明の好ましい実施の形態について説明したが、本発明はかかる特定の実施形態に限定されるものではなく、上述の説明で特に限定していない限り、特許請求の範囲に記載された本発明の趣旨の範囲内において、種々の変形・変更が可能である。 Although the preferred embodiments of the present invention have been described above, the present invention is not limited to such specific embodiments, and the present invention described in the appended claims unless otherwise specified in the above description. Various modifications and changes are possible within the scope of the present invention.
 本発明の実施の形態に記載された効果は、本発明から生じる最も好適な効果を列挙したに過ぎず、本発明による効果は、本発明の実施の形態に記載されたものに限定されるものではない。 The effects described in the embodiments of the present invention only list the most preferable effects resulting from the present invention, and the effects according to the present invention are limited to those described in the embodiments of the present invention is not.
50   登録サーバー
60   認証手段(認証サーバー)
80   彩紋発行サーバー
81   彩紋形成手段
82   二次元コード生成手段
90   記録媒体(シート)
91   第1の二次元コード(QRコード)
92   彩紋図形
92’  ID情報(彩紋ID)
93   認証図柄
100  相互認証システム
200  相互認証システム
300  相互認証システム(ポイント付与システム)
R    申請情報
R’   登録情報(発行者情報を含む) 50 Registration Server 60 Authentication Method (Authentication Server)
80 color print issuing server 81 color print forming means 82 two-dimensional code generation means 90 recording medium (sheet)
91 1st two-dimensional code (QR code)
92 color pattern 92 'ID information (color pattern ID)
93 Authentication design 100 Mutual authentication system 200 Mutual authentication system 300 Mutual authentication system (Point grant system)
R application information R 'registration information (including issuer information)

Claims (11)

  1.  発行者情報を含んだ二次元コードと、
     利用者が申請した当該利用者自身の情報を含む申請情報と、
     前記申請情報と紐づけられて、複数の文字列を組み合わせて構成されるID情報と、
     を用いて、発行者と利用者とが正当であることを互いに認証するための相互認証システムであって、
     前記ID情報のそれぞれによって異なる固有の彩紋図形を形成する彩紋形成手段と、
     各文字列に対応した基本彩紋図形の組み合わせパターンを用いて前記彩紋図形から前記ID情報を復号する彩紋判別手段と、
     前記彩紋判別手段によって復号された前記ID情報が、前記二次元コードに含まれた前記発行者情報と対応するものであるか否かを判別する認証手段と、を有することを特徴とする相互認証システム。     A two-dimensional code containing issuer information,
    Application information including the user's own information applied by the user, and
    ID information associated with the application information and configured by combining a plurality of character strings;
    A mutual authentication system for mutually authenticating that an issuer and a user are valid using
    Color-print forming means for forming unique color-patterns that differ depending on each of the ID information;
    Color-print discrimination means for decoding the ID information from the color-arrangement figure using a combination pattern of basic color-arrangement figures corresponding to each character string;
    An authentication unit that determines whether the ID information decoded by the color design determination unit corresponds to the issuer information included in the two-dimensional code. Authentication system.
  2.  請求項1に記載の相互認証システムにおいて、
     前記二次元コードとしてQRコードを用いることを特徴とする相互認証システム。     In the mutual authentication system according to claim 1,
    A mutual authentication system characterized by using a QR code as the two-dimensional code.
  3.  請求項2に記載の相互認証システムにおいて、
     前記QRコードは、発行者情報を含んだトークンに基づいて形成されることを特徴とする相互認証システム。     In the mutual authentication system according to claim 2,
    The mutual authentication system, wherein the QR code is formed based on a token including issuer information.
  4.  請求項3に記載の相互認証システムであって、
     前記トークンには読み取り回数を制限する回数制御機能を付加したことを特徴とする相互認証システム。     The mutual authentication system according to claim 3, wherein
    A mutual authentication system characterized in that a number control function for limiting the number of readings is added to the token.
  5.  請求項3または4に記載の相互認証システムであって、
     前記認証手段は、前記ID情報を鍵として、前記二次元コードに記載された前記発行者情報を含む前記トークンを署名したものであることを確認して認証する特徴とする相互認証システム。     The mutual authentication system according to claim 3 or 4, wherein
    The mutual authentication system characterized in that the authentication means confirms that the token including the issuer information described in the two-dimensional code is signed using the ID information as a key.
  6.  請求項5に記載の相互認証システムであって、
     前記認証手段として、前記トークンが前記ID情報によって署名されることでアドレスが決定する分散ファイル管理システムを用いることを特徴とする相互認証システム。     The mutual authentication system according to claim 5, wherein
    A mutual authentication system characterized by using a distributed file management system in which an address is determined by the token being signed by the ID information as the authentication means.
  7.  請求項1乃至6の何れか1つに記載の相互認証システムであって、
     前記彩紋形成手段は、前記ID情報を構成する各文字列に対応する基本彩紋図形の組み合わせパターンを重ね合わせて前記彩紋図形を形成することを特徴とする相互認証システム。     The mutual authentication system according to any one of claims 1 to 6, wherein
    The mutual authentication system, wherein the color print forming means forms a color print pattern by superposing combination patterns of basic color print patterns corresponding to respective character strings constituting the ID information.
  8.  請求項1乃至7の何れか1つに記載の相互認証システムであって、
     前記二次元コードと、前記彩紋図形とが一体に形成された認証用画像と、当該画像が印刷された記録媒体と、を用い、
     前記認証手段は、前記認証用画像を撮影することで前記記録媒体が正当なものであることを確認する相互認証システム。     The mutual authentication system according to any one of claims 1 to 7, wherein
    Using an authentication image in which the two-dimensional code and the color pattern are integrally formed, and a recording medium on which the image is printed,
    The mutual authentication system, wherein the authentication unit confirms that the recording medium is valid by photographing the authentication image.
  9.  請求項8に記載の相互認証システムにおいて用いられる認証用画像であって、
     当該認証用画像は、前記二次元コードと、前記彩紋図形とが一体に形成され、
     前記彩紋図形は、前記二次元コードの周囲を囲繞するように形成されることを特徴とする認証用画像。     An authentication image used in the mutual authentication system according to claim 8, wherein
    In the authentication image, the two-dimensional code and the color pattern are integrally formed.
    The authentication image characterized in that the color pattern is formed so as to surround the two-dimensional code.
  10.  請求項9に記載の認証用画像を印刷された記録媒体。 A recording medium on which the authentication image according to claim 9 is printed.
  11.  請求項1乃至8の何れか1つに記載の相互認証システムであって、
     前記認証手段は、少なくとも前記二次元コードと、前記彩紋図形の一部とを同一の画面で撮影された認証用画像を用いて認証を行うことを特徴とする相互認証システム。     The mutual authentication system according to any one of claims 1 to 8, wherein
    The mutual authentication system characterized in that the authentication means authenticates at least the two-dimensional code and a part of the color pattern using an authentication image photographed on the same screen.
PCT/JP2018/028555 2017-07-31 2018-07-31 Mutual authentication system, authentication image, and recording medium WO2019026873A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2019534519A JPWO2019026873A1 (en) 2017-07-31 2018-07-31 Mutual authentication system, authentication images and recording media

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017147624A JP2020190761A (en) 2017-07-31 2017-07-31 Mutual authentication system, image for authentication and recording medium
JP2017-147624 2017-07-31

Publications (1)

Publication Number Publication Date
WO2019026873A1 true WO2019026873A1 (en) 2019-02-07

Family

ID=65232716

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/028555 WO2019026873A1 (en) 2017-07-31 2018-07-31 Mutual authentication system, authentication image, and recording medium

Country Status (2)

Country Link
JP (2) JP2020190761A (en)
WO (1) WO2019026873A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113643023A (en) * 2020-04-27 2021-11-12 朴喜荣 Payment method using one-time payment security code based on color pixel code
CN113971452A (en) * 2020-09-18 2022-01-25 谷歌有限责任公司 Platform for registering and processing visual codes

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006106677A1 (en) * 2005-03-30 2006-10-12 National Printing Bureau, Incorporated Administrative Agency Printed matter, method and device for detecting such printed matter, and authentication method and device
JP2007049584A (en) * 2005-08-12 2007-02-22 Casio Comput Co Ltd Advertisement support system and program
JP2013004025A (en) * 2011-06-21 2013-01-07 Kobayashi Create Co Ltd Optical reading business form and its authenticity determination method
JP2015201022A (en) * 2014-04-08 2015-11-12 株式会社デンソーウェーブ fraud detection system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006106677A1 (en) * 2005-03-30 2006-10-12 National Printing Bureau, Incorporated Administrative Agency Printed matter, method and device for detecting such printed matter, and authentication method and device
JP2007049584A (en) * 2005-08-12 2007-02-22 Casio Comput Co Ltd Advertisement support system and program
JP2013004025A (en) * 2011-06-21 2013-01-07 Kobayashi Create Co Ltd Optical reading business form and its authenticity determination method
JP2015201022A (en) * 2014-04-08 2015-11-12 株式会社デンソーウェーブ fraud detection system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113643023A (en) * 2020-04-27 2021-11-12 朴喜荣 Payment method using one-time payment security code based on color pixel code
CN113971452A (en) * 2020-09-18 2022-01-25 谷歌有限责任公司 Platform for registering and processing visual codes
JP2022051558A (en) * 2020-09-18 2022-03-31 グーグル エルエルシー Platform for registering and processing visual encoding
US11836553B2 (en) 2020-09-18 2023-12-05 Google Llc Platform for registering and processing visual encodings
US11977953B2 (en) 2020-09-18 2024-05-07 Google Llc Platform for registering and processing visual encodings
JP7486464B2 (en) 2020-09-18 2024-05-17 グーグル エルエルシー A platform for registering and processing visual coding

Also Published As

Publication number Publication date
JP2020190761A (en) 2020-11-26
JPWO2019026873A1 (en) 2020-12-17

Similar Documents

Publication Publication Date Title
CN106452756B (en) Can the safe Quick Response Code construction verification method of off-line verification and device
CN103679457B (en) Method of payment, the paying server and payment system for performing the method for payment
CN101897165B (en) Method of authentication of users in data processing systems
US10320807B2 (en) Systems and methods relating to the authenticity and verification of photographic identity documents
US20220417739A1 (en) Secure data communication
KR101103098B1 (en) Authentication Of an Object Using Signature Encoded In a Number Of Data Portions
US10115264B2 (en) Encrypted electronic gaming ticket
EP2026266A1 (en) Method and apparatus for performing delegated transactions
TW201810113A (en) Document authentication system
CA2426447A1 (en) Self-authentication of value documents using digital signatures
JP6489464B2 (en) Optical code, information transmission method, and authentication method
JP2015525386A (en) Payment device, payment system, and payment method
WO2019026873A1 (en) Mutual authentication system, authentication image, and recording medium
US20090077382A1 (en) Method for the preparation of a chip card for electronic signature services
Eldefrawy et al. Banknote Validation through an Embedded RFID Chip and an NFC‐Enabled Smartphone
JP4800825B2 (en) Encryption communication method
CN104980275A (en) Two-dimension code-based digital signature authentication scheme allowing proxy signing
CN112840595B (en) System and method for binding information to a tangible object
CN1633665A (en) Method of sending and validating documents
JP2010079515A (en) Authentication system, key for use in the same, authentication method, and program
US20220038293A1 (en) Optical code creation program, optical code reading authentication program, optical code authentication system, payment system, printed article production method, and optical code authentication method
KR20170121737A (en) Method for Providing Non-Facing Certification by using Camera
WO2013190266A1 (en) Method and system for authenticating messages
KR101198391B1 (en) System for providing, authenticating and reading reliable barcode
WO2013168261A1 (en) Method and system for authenticating id pattern with camera

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18841518

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019534519

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 26/05/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18841518

Country of ref document: EP

Kind code of ref document: A1