JP2011170779A - Individual authentication device, individual authentication system, and individual authentication method - Google Patents

Abstract

An object of the present invention is to provide a secure closed type network authentication and an authentication method with less burden on the user.
A user H wears a mobile phone 7. In addition, a communication path is secured between the mobile phone 7 and the input devices (mouse and keyboard) 3a and 3b of the personal computer 1 by communication via a human body. In network type authentication, two routes (route using the Internet network and route using the mobile network) are used, and no ID or password is passed to the content route (route A) that requires authentication. , The second route (route B) is used for authentication. In the route A, the server 21 and the accompanying computer 17 are connected via the Internet 15. Authentication processing is performed by the authentication server 27 on a route B different from the route A, and no authentication information passes through the route A.
[Selection] Figure 1

Description

  The present invention relates to a personal authentication technique, and more particularly to a personal authentication system, a personal authentication method, an authentication device, and a computer program, and to authentication through communication.

  Content (software data such as music data, image data, game programs, etc.) based on the premise of not only browsing the web etc. but also personal authentication due to the spread of the Internet, member-based sites, and on the network The use of electronic payments and electronic money on the Internet is increasing rapidly. In addition, there are usage methods that may cause major problems if personal authentication and personal information protection are not sufficient, such as home security using the Internet, and how to secure individuals on the Internet, which is an open network. It is an important issue to secure the safety and to ensure safety.

  There are various methods for ensuring security. The simplest and most commonly used method is authentication using an ID and a password. However, the management of user IDs and passwords has several problems. By using a simple password or a common password, it is breached by brute force, and passwords are stolen via the Internet. Furthermore, personal information may be input at a fake site or the like, and an ID or password may be stolen (including input of a credit card number or the like).

As means for avoiding this, there is a case where authentication is performed and security is increased by using a device (IC card or the like) having an IC chip or the like instead of input by numbers and symbols.
Furthermore, in consideration of user convenience, there has been proposed a method for solving this through communication via the human body, which has been recently researched (see Patent Document 1 below).

  An example published in this document is shown in FIG. According to FIG. 12, authentication by communication via the human body H is executed between the plurality of authentication devices 131, 132, 133 worn by the user, and the plurality of authentication devices 131-133 belong to the same user. Is an authentication start condition with the external device (for example, server) 120. Alternatively, the server 120 verifies that at least two authentication devices worn by the user are authentication devices belonging to the same valid user. Alternatively, the configuration is such that key information or ID is fragmented to generate key information or ID to generate information necessary for authentication with the server.

  The user wears a necklace-type authentication device 131, a wristwatch-type authentication device 132, and a ring-shaped authentication device 133. These authentication devices 131 to 133 have a built-in IC chip, have a function of executing mutual authentication processing using a common key or public key method as encryption, and through a contact point that contacts the human body H Communication can be performed via the human body, and mutual authentication processing can be performed. Thereby, the personal authentication system which enables safe and reliable personal authentication can be provided.

As an authentication method,
1) Authentication processing is performed with the personal computer (PC) 110.
2) There is a method in which the personal computer 110 communicates with the authentication server 120 via a network to perform authentication processing.

  In 1), since authentication is performed when logging in to the personal computer PC 110, another person who does not have these devices 131 cannot impersonate and log in, and there is no fear of leaking information. In other words, the problem that the password has been stolen can be avoided. In 2), since the authentication server authenticates the user without closing the personal computer, the safety is further increased.

  As described above, the authentication method using the IC chip is more secure than the security in which only the ID and password are input from the keyboard. Further, as in this example, by using communication via a human body, there is an advantage that an inconvenience at the time of use of the user can be reduced and an easy-to-use authentication method can be realized.

Japanese Patent Laid-Open No. 2003-060635

WME2009 Workshop03 Overview of Human Body Communication and R & D Trend

However, even if such authentication is used, the following problems remain.
1) Problems such as theft, duplication, and encryption management of IC chip devices.
2) The problem of the burden on the user when purchasing, holding and using an authentication server of an IC chip.

  The problem of 1) is that the IC chip device is a package type authentication device.

  In other words, this is because security is lowered unless it is managed by the user and can always be monitored. Although the security is high, there is a possibility that a copy is made without the user's knowledge.

  For example, in the above authentication method with a personal computer of 1), if this authentication device (necklace type authentication device 131, wristwatch type authentication device 132, ring type authentication device 133) or the like is borrowed or stolen, another person can also authenticate. Will be. Further, even with the authentication server type 2), there is a problem that the security is broken unless the user notices theft or duplication and stops authentication on the server.

  For example, when considering online shopping several times a year for personal use, the frequency of use is low, so even if the authentication device is lost, it becomes slow to notice theft, or in the case of duplication In some cases, you may not even notice until the problem becomes noticeable.

  The second problem is that continuous operation is necessary for these systems to be established as an authentication system, which is costly and requires an IC chip device, which is a burden on the user.

  For both the use of 1) and the use of 2), it is necessary for the user to purchase an authentication device (necklace type authentication device 131, wristwatch type authentication device 132, ring type authentication device 133, etc.). In addition, holding an authentication server also requires a burden (for example, a monthly fee of XX yen), and individual users who only shop online several times a year cannot bear the cost of the authentication server system to increase its security. Have difficulty.

  The present invention has been made in view of the above problems, and an object thereof is to propose a safer network authentication and an authentication method with less user burden.

  According to an aspect of the present invention, a first device connected to a first network and a second device connected to a second network different from the first network are configured, and the first device and the The second device is connected to the second device by proximity communication means, and the second device performs personal authentication processing via the second network, and the second network authentication system (server) sends the authentication result to the second device. There is provided an authentication system characterized in that a process for identifying an individual is performed by the system (server) of the first network by notifying the system (server) of the first network. Thereby, a highly secure authentication system can be easily realized. The first device may be a terminal that performs input / output, and a system that performs processing, data to be recorded, and the like may be placed on the first network. Thereby, it is possible to respond to the cloud computer.

  Further, the present invention is a terminal device used in the authentication system described above, wherein the first device connected to the first device connected to the first network by the near field communication means includes the first device. The terminal device is configured to execute authentication of the device in the first network by the terminal device accessing the authentication system of the second network via the second network. May be.

  In the system for notifying information specific to the system (server) via the network, a first device connected to the first network and a second device connected to a second network different from the first network; The first device and the second device are connected by proximity communication means, and the second device performs an individual authentication process via the second network, and the second network. The authentication system (server) notifies the specific information to the first network system (server) so that the first network system (server) acquires the specific information. An authentication system may be used. A terminal device used in the authentication system, the terminal device connected to the first device connected to the first network by the proximity communication means, and an individual of the first device in the first network When the information is acquired, the terminal device may notify the first network of personal information via the second network. Here, the second device is a portable terminal having a unique identifier. The identifier is a telephone number or a mail address.

  In the first device, a communication unit connected to a network and an operation unit operated by a user are configured separately, the communication unit and the operation unit can be connected by communication means, and the second device is The terminal device may be connected to the first device by communicating with the communication unit or the operation unit. The communication means between the first device or the operation unit connected to the first device and the second device is human body communication via an electric field.

  In addition, the first device and the second device are connected by a proximity communication means, and the second device performs an individual authentication process via the second network, and authenticates the second network. A terminal device used in an authentication system that performs processing for specifying an individual in the system (server) of the first network by the system (server) notifying the authentication result to the system (server) of the first network. The first device and the second device have a communication unit that communicates with a second communication unit different from the first communication unit used in the first and second networks, The communication unit may be a terminal device that performs communication when communication of the first network or communication of the second network is started. When the service via the first device and the network becomes a login state or a personal identification (authentication) necessary state, the communication between the first device and the second device is triggered. To do. Based on the status display process, the CPU of the first device is performing an authentication process using the second device as an output device, and the first device, the second device, and the second device. Communication with the second network is started. Proximity communication between the first device and the second device is started based on a process in which the CPU outputs a login screen on the display unit of the first device. In the login state or the personal identification (authentication) necessary state displayed on the output device, the operation of selecting the authentication means by the portable terminal of the screen menu from the input device is a trigger, and the first device and the second device It is characterized in that proximity communication of devices is performed. An authentication processing time management unit that manages an authentication processing time required for authentication processing for authentication using the second network that is performed in response to an authentication request of the first network, and management of authentication to the management unit And a determination unit that determines whether or not connection is possible based on whether or not the time is within a predetermined time.

  The second device intermittently performs personal authentication processing via the second network, and the second network authentication system (server) returns the authentication result to the first network system (server). It is characterized in that the authentication hold state is maintained by notifying to. In the authentication, in addition to temporal intermittency, the authentication process is intermittently performed based on the number of input signals generated by an input device such as a keyboard or a mouse.

  The terminal device may be characterized in that the unique information described above is input to a second device connected to the second network. It has a recording unit for recording and holding the unique information in the second device connected to the second network. The address in which the unique information is recorded and held in a recording unit of a server connected to the second network, and is called and registered by a signal from the second device via the second network Is sent to the first system (server).

  The authentication required for the accounting process is performed between the second network system (server) and the credit transaction system, and only the accounting process is performed between the first network system and the second network system. Features. Authentication and billing necessary for billing processing are performed by the second network system (server). As the authentication in the second network, the log authenticated through the second network is left in the server of the second network, and the second network side communicates with the content server through the first network. It is characterized by history management of connection and authentication records. It has a recording part which records and holds the result authenticated by the 2nd apparatus connected to the 2nd network.

  According to another aspect of the present invention, there is provided an authentication method in an authentication system including a first device connected to a first network and a second device connected to a second network different from the first network. A step of connecting the first device and the second device by proximity communication means, a step of performing an individual authentication process by the second device via the second network, and A process of specifying an individual in the first network system (server) by the authentication system (server) of the second network notifying the authentication result to the first network system (server); An authentication method characterized by comprising:

  An authentication method in an authentication system including a first device connected to a first network and a second device connected to a second network different from the first network, wherein the second device includes: A step of connecting the first device by proximity communication means, a step of performing an individual authentication process by the second device via the second network, and an authentication system (server) of the second network. A step of notifying an authentication result to the system (server) of the first network, and performing a process of specifying an individual in the system (server) of the first network. good. A program for causing the computer of the second device to execute the authentication method described above may be a computer-readable recording medium for causing the computer of the second device to execute the program. Also good. Further, an integrated circuit including the recording medium, a computer, and a circuit for controlling the proximity communication may be used. The program may be acquired by a transmission medium such as the Internet.

  As described above, according to the authentication technique of the present invention, the information device connected to the first route, and the second route with high security represented by a mobile phone network different from the first route, By connecting the information device connected to the second route, the information device connected to the first route, and the information device connected to the second route by the short-range communication means, Even in such an open environment network, highly secure authentication can be realized.

  In addition, since mobile terminals such as mobile phones are the window for all authentication, authentication and billing histories can be kept on mobile terminals or mobile network servers, and users can easily check their histories at any time. By being able to do so, it becomes possible to manage including past connections, and safety can be further improved including transactions.

It is the schematic which shows one structural example of the authentication technique by the 1st Embodiment of this invention. FIG. 2 is a functional block diagram of a system configuration corresponding to FIG. 1. FIG. 2 is a sequence diagram when logging into a network or a personal computer in the system corresponding to FIG. 1. It is a sequence diagram at the time of net surfing in the system corresponding to FIG. It is a sequence diagram at the time of Internet shopping in the system corresponding to FIG. In FIG. 5, it is a sequence diagram which shows the exchange including a credit company. It is a sequence diagram of online shopping with billing. It is a figure which shows the example which applied the authentication system by this Embodiment to cloud computing. It is the schematic which shows one structural example of the authentication technique by the 2nd Embodiment of this invention. FIG. 10 is a functional block diagram of a system configuration corresponding to FIG. 9. FIG. 10 is a sequence diagram when logging into a network or a personal computer in the system corresponding to FIG. 9. It is a figure which shows an example of the authentication system using the IC device and human body communication by a prior art example.

  Hereinafter, an authentication technique according to an embodiment of the present invention will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a diagram showing a schematic configuration example of a personal authentication system according to the first embodiment of the present invention, and corresponds to FIG. As shown in FIG. 1, a user H wears a mobile phone (mobile terminal) 7 (wearable terminal). Further, the input devices (mouse and keyboard) 3a (mouse) and 3b (keyboard) of the mobile phone 7 and the personal computer PC1 are referred to as communication via a human body (H) (human body proximity communication. In the future, BAC (Body Area Communication) ), Hereinafter referred to as “BAC”). Examples of basic timing of the authentication process include the following three examples.

1) At logon
2) At the time of authentication corresponding to ID and password on the Internet 3) At the time of processing related to billing (equivalent to entering credit card number)

  In each of these authentication processes, the present embodiment describes a case where the mobile phone and the mobile phone network execute the authentication process. In other words, in the conventional package type authentication device, authentication is performed by only one route (usually a route using the Internet network). On the other hand, in the network type authentication technique according to the present embodiment, a content route (route A) that uses two routes (route using the Internet network and route using the mobile network) and that requires authentication. ) Does not pass any ID or password, and is authenticated by the second route (route B). In the route A, the server 21 and the accompanying computer 17 are connected via the Internet 15.

  In other words, in the conventional network, only the route A in FIG. 1 is connected, and all communication needs to be closed here. Therefore, both the content route and the authentication route pass through this route. It was processed in this.

  On the other hand, the present embodiment is characterized in that authentication processing is performed by the authentication server 27 in a route B different from the route A, and no authentication information passes through the route A.

  In addition, each mobile phone is assigned a unique number, and protection measures against spoofing are taken in order to charge the mobile phone securely. Therefore, if it is identified by a mobile phone, it is guaranteed to be different from other devices, and the security (equipment with a unique number assigned to each unit, such as a built-in SIM card) is extremely high. There are features.

FIG. 2 is a functional block diagram showing a configuration example of the authentication system corresponding to FIG. The same components as those in FIG. 1 are denoted by the same reference numerals, and the description thereof is omitted. The PC 1 includes, for example, a CPU (control unit) 1a, a memory (storage unit) 1b, a communication interface 1c, a BAC communication unit, and input units 3a and 3b. The mobile phone 7 includes a CPU 7-1, a memory 7-2, an input unit 7-3, a mobile communication unit 7-4, a BAC communication unit, and a SIM card 7-5. BAC communication is performed between the BAC communication unit of the PC 1 and the BAC communication of the mobile phone 7. Reference numeral 11 is provided with a gateway 11 for connecting to the Internet from the communication interface unit 1c. The points having route A and route B are the same as in FIG.
The above three authentication processes will be described in detail below.

1) At Logon As an example of logon, a personal computer (PC) will be described as an example, but authentication can be similarly performed when an individual is authenticated in entrance / exit management or the like. FIG. 3 is a sequence diagram when logging into a network or a personal computer in the system corresponding to FIG. The PC 1 is normally in a logon waiting state, and in conventional authentication, when a user name is input or selected in Windows (registered trademark), the screen is changed to a password input screen. If you know the password on this password entry screen, other people can log on. In the case of entrance management, if you know the password, you can unlock the door.

  The present embodiment is characterized in that authentication using a mobile network is performed instead of authentication with a password. Instead of displaying the password input screen, the PC 1 exchanges signals with the mobile phone 7 using the BAC.

  “BAC” has been researched and developed in recent years and is also called BAN (Body Area Network), WBAN (Wireless Body Area Network), Body-Centric Wireless Communication, etc. in a broad sense, near field communication, It means various types of communication in the vicinity of the human body, including wireless communication through space and wide-area wireless communication such as UWB (Non-Patent Document 1). As one of them, in the communication method using an electric field, communication is performed using electric field coupling, and it is not necessary to directly contact a mobile phone or the like with the skin, and communication can be performed only by putting it in a pocket. It is possible, and communication takes place between a mobile phone in a pocket and a personal computer.

  In such communication, only the vicinity of the mobile phone is a communication area, and it does not leak to the neighbor like a wireless LAN, and only the person who touches the keyboard and mouse (3) of the PC 1 (L1, L2) This communication can be established. The cellular phone 7 uses this BAC as a trigger (L3), communicates with the cellular phone authentication server 27 using the cellular phone network (L4), sends the authentication result to the network server 21 (L5), and authenticates to the PC 1 By performing the notification (L6), the authentication process ends. That is, the network server 21 indicates the end of authentication on the screen of the PC (1) (L6) and logs in.

  In the above method, the mobile phone 7 functions as a network type authentication device, and the mobile phone network is used as a second network different from the first network. As described above, each mobile phone 7 is originally authenticated and managed reliably, and it is difficult to make a copy. Further, since the mobile phone company always identifies the individual, it can function as an authentication device with extremely high personality. Of course, it is also possible to use a password and mobile authentication together for further security.

As for BAC, it is not necessary to always communicate between the PC 1 and the mobile phone 7, and when the logon screen is displayed or when the ID / password input mode is selected with an input device such as a mouse or a keyboard. Communication may be performed using this as a trigger.
That is, the BAC unit which is hardware is activated in cooperation with the processing of the personal computer.
By limiting the communication time in this way, there are advantages that the power consumption of the device can be reduced and unnecessary unnecessary radiation can be reduced.

2) At the time of authentication equivalent to ID and password on the Internet In this embodiment, you want to enter after specifying an individual to a specific service of various content companies, such as logging in to a membership system site or home security FIG. 4 is a sequence diagram in that case.

  In current network communication systems such as the Internet, authentication processing is often performed using an ID (individual or mail address) and a password. However, such a method itself is low in terms of security, and depending on the user, some users may use a PC storage function for ID input, plain passwords, and cases where passwords are reused. There is a problem that it is often used in a low state. In addition, in wireless LAN, power line communication, etc., there is a risk that the ID, password, etc. input may be intercepted and wiretapped by wiretapping.

  In this embodiment, ID and password notification and authentication are performed through a mobile network, so that a system in which information such as IDs and passwords does not easily flow through an Internet network (such as a wireless LAN) where information is easily leaked is constructed. It is.

  The user surfs the network server 21 using the PC 1 (L11), and checks whether the network server 21 is a member of the PC 1 (L12). Mobile phone authentication is selected from the input device 3 to the PC 1 (L13), and the mobile phone authentication is notified from the PC 1 to the network server 21 (L14). Information for connection is transmitted from the network server 21 to the PC 1 (L15). Next, when the user selects “mobile phone authentication” on the input screen of content or the like that requires membership confirmation, communication is performed between the PC 1 and the mobile phone 7 by near-body communication (BAC) (L16). Information exchanged includes information about the content company to be connected, temporary ID until connection termination, etc., which is authenticated by the authentication server 27 and notified to the content server, and information necessary for establishing authentication by the content server. It is.

  The mobile phone 7 communicates with the mobile authentication server 27 using the mobile phone network as the second route (L17), sends the authentication result to the network server 21 of the content company (L28), and notifies the PC 1 of the authentication. Authentication is terminated by sending (L19).

  Here, you can include the server information (address etc.) of the content company in the above information and go to the connection based on it, but you can also send it based on the server information that the mobile company has, In this case, the risk of being connected to a fake site (a site trying to steal personal information etc. with the same layout as the real one) can be avoided.

  The content company indicates the end of authentication on the PC screen and can log in to the member site.

  In this method, since the mobile phone 7 functions as a network type authentication device, only the person who wears and holds the mobile phone 7 can log in to the service. This makes it impossible to log in by stealing an ID or password. In addition, since ID and password information do not flow at all in an open network such as an Internet network or a wireless LAN where encryption is easily broken, wiretapping is difficult.

  In addition, the network server grasps the situation at the time of communication between the mobile phone 7 and the personal computer-network server, and authentication is not established unless authentication processing with the mobile authentication server 27 is performed within a certain time (for example, within several seconds) after the authentication request. If a rule such as this is made, authentication can be established more safely. This is also a closed type feature.

  In addition, since the user can perform secure authentication with the mobile phone 7, even when using another person's personal computer at an Internet cafe or on the go, he / she does not have to type in the personal computer itself like a conventional ID and password. There is no worry of them remaining in the cache or storage area. Of course, there is an advantage that there is no need to forget the password and there is no need to change the ID and password for each member site of various content companies.

  For future home security, etc., if you want to look at surveillance cameras placed at home from a computer on the go, you may be able to log in from a personal computer that is not privately owned in various places. Individual identification is important.

  In addition, since it is network type authentication, a log authenticated through a mobile phone can be left in a mobile server, and connection with various content companies and authentication records can be managed. As a result, every mobile phone number (including SIM number etc.) contains all records, so browsing is easy when security is a concern.

  Of course, all the history can be left in the mobile phone, and the user's past authentication status can be known by looking at the login and billing history of the mobile phone.

  Of course, it is also possible to use a password and mobile authentication together in order to further increase security.

3) During processing related to billing (equivalent to entering a credit card number)
Here, in the present embodiment, a case where a billing process occurs in addition to authentication will be described with reference to FIG. For example, this is the case when shopping via the Internet. In the embodiment of the present invention, authentication and billing processing are performed through a mobile network.

  In this connection, the important authentications are the purchaser identification and the authentication related to the billing process. Conventionally, the user has input personal information (address, name, phone number, etc.) from the keyboard or the like on the shopping screen, but in this embodiment, when “mobile phone authentication” is selected on the personal information input screen, the personal computer Communication is performed between the mobile phone and the mobile phone via a human body or by communication near the human body (Body Area Communication). This information includes information necessary for establishing authentication from the mobile network, such as information on the content company to be connected and a temporary ID until the connection is terminated.

  The mobile phone 7 communicates with the mobile authentication server 27 using the mobile phone network as the second route, sends the authentication result to the network server 21 of the content company, ends the authentication, and sends the personal information to the server Communicate between.

  This authentication is similar to 2) above, but in the case of online shopping, personal information such as an address is exchanged. This personal information can also be transmitted from the mobile phone 7 via the second route, but since the mobile phone server originally has the address of the mobile phone holder, etc., the second route does not pass such information at all. It is also possible to process from the recorded data. The content company receives the information from the portable authentication server 27 and obtains the personal information of the purchaser.

  Next, it is necessary to pay the purchase cost. For example, the case of paying with a credit card will be described with reference to FIG. In the conventional connection, credit card information is input from a PC screen. In this embodiment, credit card information or the like is not via the first route but via the second route.

  The description will be given with reference to FIG. First, the PC 1 accesses the network server 21 and surfs the network, for example (L21). For example, the network server 21 presents a shopping screen to the PC 1 (L22). When there is a favorite product, the user looking at the PC 1 presses the product purchase button (L23). The network server 21 prompts for input of personal information (L24). Mobile phone authentication is selected from the input device 3 of the PC 1 to the PC 1 (L25). In other words, when the user selects “via mobile phone” on the payment screen, communication is performed between the personal computer (PC1) and the mobile phone 7 via the human body or by communication near the human body (Body Area Communication) (L26 to L28). ). This information includes information necessary for establishing authentication of the approval process from the mobile network, such as information on the content company to be connected and a temporary ID until the connection is terminated.

  The mobile phone 7 communicates with the mobile authentication server 27 using the mobile phone network as the second route (L29), and the credit card information (notification of personal information) held in the mobile phone 7 is the content company. To the network server 21 (L30).

  The credit card information may be input from the mobile phone 7 or may be information recorded in the mobile phone 7 or may be recorded in the mobile authentication server 27 without actually flowing through the second route. You may use your credit card information.

  The network server 21 issues a confirmation notification to the PC 1 (L31), and then issues a settlement processing request (L32). When the mobile phone authentication is selected from the input device 3 (L33), the PC 1 notifies the network server 21 of the mobile phone authentication (L34). The network server 21 notifies the payment information to the PC 1 (L35), and notifies this to the authentication server 27 using the mobile network by BAC (L36-L38). The authentication server 27 notifies the credit information to the network server 21 (L39), and notifies the PC 1 of the completion of confirmation (L40).

  In this method, since the mobile phone 7 processes the accounting process using the second route, there is no need to input a credit card number. As a result, there is no worry of entering a credit card number on a fake website like a fake website (phishing).

  The accounting process itself is linked to the communication process between the mobile server and the content server. For example, the “Amazon” (registered trademark) accounting process is based on mutual authentication between the mobile server and the “Amazon” server system. Since it is processed, it is not transferred to a fake site.

  Next, in FIG. 6, instead of notifying the network server (content server) 21 of credit information, authentication with the credit card company CC is also performed on the mobile authentication server 27 side (L41, L42). Information such as the credit card number itself does not go to the network server (content server) 21, and only the purchase price at that time is approved between the mobile phone 7 and the content server 21. Actual credit processing is performed between the mobile phone company and the credit company CC. As a result, credit information is not leaked in the event of an emergency.

  Furthermore, as shown in FIG. 7, it is possible to charge as a mobile phone fee without using a credit card company. Even today, mobile phone content such as i-mode content (registered trademark) is collected by a mobile phone company and processed together with mobile phone charges (L43). Alternatively, the settlement may be performed with a mobile account (L38). In this method, the actual content is bought and sold on the Internet, not on the mobile phone, but can be collected on behalf of the billing authentication process.

  As described above, apart from the first route, a second route with high security such as a mobile phone network is prepared, and information that requires the most safety, such as authentication, personal information, and information related to billing, is as follows. By using the second route, secure communication is possible. Also, unlike the IC card type that is not sold, the authentication validity of the mobile phone is communicated each time and is confirmed by the mobile server. No mistakes such as authentication occur.

  In the above embodiment, as examples of each communication route, the first route is an open optical fiber Internet network capable of transmitting a large capacity, and the second route is a closed mobile phone network using licensed band radio. Of course, the first route and the second route do not have to be limited to this, and security can be increased by performing authentication between the two routes.

As another example, public wireless LAN network and mobile phone network LAN network and mobile phone network in offices etc.
ADSL Internet network and broadband access network (WiMAX)
Etc. are also conceivable. In other words, the essential effect of this patent will not be lost if it can be configured with two different networks and a BAC connecting them.

  The first route and the second route indicate different networks. For example, the mobile phone network as the second network is connected to the femtocell at home, and the provider of the first route Like the Internet network, it may be connected to the mobile phone company's server through the optical fiber that comes to the home, but between the femtocell and the mobile phone company network, the mobile phone network Is considered to be within the scope of this patent.

  In addition, as a characteristic property of mobile phones, each user owns one unit, pays a contract fee every month, has strong security, and originally has an authentication server. By utilizing, the user does not need to subscribe to a new service for the authentication server and IC device as in the conventional example, and the burden on the user can be kept low. In addition, considering the profits of mobile phone companies for authentication, billing, and agency collection, users can also build as part of mobile services, which is a heavy burden for online shopping several times a year. It can solve the problem of doing.

  In addition, mobile phones are carried almost every day, and if they are stolen, they will immediately notice, and if they are stolen, they will be able to stop the authentication service at the same time, or contact the mobile phone company to stop the authentication function. The server can be notified, and therefore the theft can be handled faster than the individual authentication IC chip device.

  In the description of the embodiment, the body area communication using an electric field is used for delivery of two routes. However, there are a current method and a radio method as the BAC, and the effect of this patent is considered. Since the effect can be exerted by connecting two different types of networks by different communication means, this connection is broadly defined as BAC, as well as proximity communication including wired, optical communication, and contact / contactless communication. Can serve the purpose.

  Authentication can also be used in combination with the conventional type (ID and password), and authentication can be completed by confirming both authentications.

In the above, the three authentication processes are shown in Fig. 3-7, but this is a basic flow. In actual communication, some processes are included or different processes. However, if the authentication is equivalent to the first route and the second route, the present invention can be applied without changing the essence of this patent.
In the above example, the authentication process is shown only at the time of login and at the time of billing. However, by communicating with the PC 1 and the mobile phone via the BAC periodically (every few minutes, etc.) Even if the logged-in user is absent, it can be avoided that the logged-in state continues.

  Further, although an example in which a human inputs as a user has been shown, this may be a device (digital home appliance, car, etc.). For example, recently, there is a car navigation system and other functions with a communication function that uses a mobile phone network, but using them, the parking system and route A of Route A can be used for parking admission management and parking fee billing. The same effect can be achieved by using B's mobile phone network.

  As another example, FIG. 8 shows a configuration example of an authentication system according to another usage pattern.

  In recent years, a system called cloud computing has appeared, and FIG. 8 is a diagram showing an example in which the authentication system according to the present embodiment is applied to cloud computing.

In cloud computing, the personal computer 1 operated by the user H is basically a terminal that performs input / output, and a system for processing, data to be recorded, and the like are placed on the Internet NT.
The configuration of FIG. 8 is basically the same as the configuration of FIG. 1, but not only the route B is used for authentication of a specific authentication server 27 but also at the time of arithmetic processing, access to a recording medium, etc. Since the system located on the network NT is accessed, authentication using the route B can be used for authentication of the cloud system (NT) without being closed to one server and system, and secure cloud computing. Is possible.

(Second Embodiment)
The authentication technique according to the second embodiment of the present invention will be described below with reference to the drawings. FIG. 9 is a diagram illustrating a configuration example of the authentication system according to the second embodiment. As shown in FIG. 9, the user H wears a mobile phone (mobile terminal) 7 (wearable terminal). The mobile phone 7 and the input devices (mouse and keyboard) 3a (mouse) and 3b (keyboard) of the personal computer PC1 are in a state where a communication path is secured by communication via the human body (H). Examples of basic timing of the authentication process include the following three examples.

  In the present embodiment, communication via the human body H is not directly connected to the device of the route A (TV 61 in FIG. 9), but is connected to the device (remote controller RC or game controller) connected to the route A by infrared rays, Bluetooth, or the like. This is an example in which a mobile phone communicates with BAC.

  In FIG. 9, the TV 61 communicates with its remote controller RC. The remote controller RC communicates with the mobile phone 7, and the TV 61 communicates with the gateway 11 via a wireless LAN or wired connection. The components are summarized below.

a) Component 1: Device connected to route A (TV 61 in FIG. 9)
b) Component 2: Device connected to route B (cell phone 7 in FIG. 9)
c) Component 3: Device connected to the device of route A through a different communication path and connected to route B via communication (BAC) via human body H (in the figure, remote control RC of TV TV 61)
Consists of.

  According to such a configuration, the TV can be connected to the Internet for business transactions, or a paid game can be downloaded and paid content can be purchased using a game machine that can be connected to the Internet. In this case, the basic concept and the authentication procedure are the same as those in the first embodiment of FIG. 1, except that the user touches not the keyboard or TV screen but the remote controller or controller.

  Therefore, communication via the human body is performed between a mobile phone and a remote controller (controller), and devices connected to the remote controller via the Internet are connected by communication means (infrared rays, Bluetooth wireless, etc.) between the devices.

  As a further advantage of this configuration, authentication by a mobile phone can be eliminated from an increase in the risk of eavesdropping or the like due to a plurality of wireless connections between devices.

  The TV 61 may be used together with family members and friends rather than being used alone as in the personal computer PC1, but personal authentication can be performed regardless of the number of users by mobile phone authentication. In addition, it is not desirable for family members and friends to see the authentication ID and password, and it is not necessary to type in the ID and password before everyone is looking at the conventional TV screen, which increases safety. it can.

  FIG. 10 is a functional block diagram showing the configuration of FIG. As shown in FIG. 10, the TV 61 has a CPU 61a, a memory 61b, a display unit 61c, and an interface 61d. The interface 61 d is connected to the remote controller 73, and the remote controller 73 is connected to the mobile phone 7 via the medium 71.

  In addition, it has been proposed to use the mobile phone 7 itself as a remote control RC of the television 61 using the infrared communication function of the mobile phone 7. In this case, it is considered that the mobile phone 7 and the controller are integrated. be able to.

  FIG. 11 is a sequence diagram showing an operation example in the system shown in FIGS. The remote controller 73 performs a remote control input L81 to the TV 61. The TV 61 issues an authentication request to the remote controller 73 (L82). The remote controller 73 communicates with the mobile phone 7 by BAC communication (L83), requests authentication of the mobile authentication server 27 using the mobile network (L84), and the authentication server 27 sends to the network server 21. Authentication processing is then performed (L85). The network server 21 sends an authentication notification to the TV 61 (L86).

  In this way, BAC is performed between a mobile phone and a remote controller (controller), and devices connected to the remote controller via the Internet are connected by communication means (infrared rays, Bluetooth wireless, etc.) between the devices.

  Here, although shown only at the time of login, the same processing can be performed for member authentication, billing processing, and the like as in FIG. 4-7.

As described above, in the authentication system according to the embodiment of the present invention, the second route with high security represented by the mobile phone network, the information device connected to the second route, and the first route By connecting information devices connected to the network using short-range communication means, highly secure authentication can be realized even in an open environment network such as the Internet.
In addition, since mobile terminals such as mobile phones are the contact point for all authentication, authentication and billing histories can be kept on mobile terminals or mobile network servers, and users can easily check their histories at any time. By managing including past connections, it is possible to further improve safety including transactions.

  In the above-described embodiment, the configuration, processing process, and the like illustrated in the accompanying drawings are not limited to these, and can be changed as appropriate within the scope of the effects of the present invention. is there. In addition, various modifications can be made without departing from the scope of the object of the present invention.

  In addition, a program for realizing the functions described in the present embodiment is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to execute processing of each unit. May be performed. The “computer system” here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.

  The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the above-described functions, or may be a program that can realize the above-described functions in combination with a program already recorded in a computer system.

  Further, a processor such as a chip for executing processing also enters the present invention.

  The present invention can be used for an authentication system.

H ... User 1 ... Personal computer PC, 3a ... Input device (mouse and keyboard), 3b ... Keyboard, 5 ... Display unit, 7 ... Mobile phone (mobile terminal), 11 ... Gateway, 15 ... Internet (network), 17 ... Computer, 21 ... server, 23 ... base station, 27 ... mobile authentication server.

Claims (29)

A first device connected to a first network and a second device connected to a second network different from the first network;
The first device and the second device are connected by proximity communication means, and the second device performs personal authentication processing via the second network, and the second network authentication system ( An authentication system, wherein a server identifies a person in the first network system (server) by notifying an authentication result to the first network system (server).   The authentication system according to claim 1, wherein the first device is a terminal that performs input / output, and a system that performs processing, data to be recorded, and the like are placed on the first network. A terminal device used in the authentication system according to claim 1 or 2,
In the terminal device connected by the proximity communication means to the first device connected to the first network, the terminal device authenticates the first device in the first network. The terminal device is executed by accessing the authentication system of the second network via the network. In a system that notifies system (server) specific information via the network,
A first device connected to a first network and a second device connected to a second network different from the first network are configured, and the first device and the second device are close proximity communication means. And the second device performs personal authentication processing via the second network, and the second network authentication system (server) transmits the unique information to the first network system (server). ) To acquire specific information in the system (server) of the first network. A terminal device used in the authentication system according to claim 4,
In the terminal device connected to the first device connected to the first network by the proximity communication means, the terminal device acquires the personal information in the first network of the first device. A terminal device that notifies personal information to the first network via the network.   The authentication system according to claim 1 or 2, wherein the second device is a portable terminal having a unique identifier.   The authentication system according to claim 1 or 2, wherein the identifier is a telephone number or a mail address.   In the first device, a communication unit connected to a network and an operation unit operated by a user are configured separately, the communication unit and the operation unit can be connected by communication means, and the second device is The terminal device according to claim 3, wherein the terminal device is connected to the first device by communicating with the communication unit or the operation unit.   The terminal device according to claim 8, wherein a communication unit between the first device or the operation unit connected to the first device and the second device is human body communication via an electric field. The first device and the second device are connected by proximity communication means, and the second device performs personal authentication processing via the second network, and the second network authentication system ( The server device is a terminal device used in an authentication system that performs processing for identifying an individual in the first network system (server) by notifying the first network system (server) of the authentication result. ,
The first device and the second device have a communication unit that communicates with a second communication unit different from the first communication unit used in the first and second networks,
The terminal device according to claim 3, wherein the communication unit performs communication when communication of the first network or communication of the second network is started.   When the service via the first device and the network becomes a login state or a personal identification (authentication) necessary state, the communication between the first device and the second device is triggered. The terminal device according to any one of claims 3, 5, 8 to 10.   Based on the status display process, the CPU of the first device is performing an authentication process using the second device as an output device, and the first device, the second device, and the second device. The terminal device according to claim 11, wherein communication with the second network is started.   The proximity communication between the first device and the second device is started based on a process in which a CPU outputs a login screen to the display unit of the first device. Terminal device.   In the login state or the personal identification (authentication) necessary state displayed on the output device, the operation of selecting the authentication means by the portable terminal of the screen menu from the input device is a trigger, and the first device and the second device The terminal device according to claim 12, wherein proximity communication of devices is performed.   An authentication processing time management unit that manages an authentication processing time required for authentication processing for authentication using the second network that is performed in response to an authentication request of the first network, and management of authentication to the management unit The terminal device according to claim 3, further comprising: a determination unit that determines whether or not connection is possible based on whether or not the time is within a predetermined time period.   The second device intermittently performs personal authentication processing via the second network, and the second network authentication system (server) returns the authentication result to the first network system (server). The terminal device according to claim 3, wherein the authentication holding state is maintained by notifying to the terminal device.   The terminal device according to claim 16, wherein in the authentication, the authentication process is intermittently performed based on the number of times of input signal generation of an input device such as a keyboard or a mouse in addition to temporal intermittency.   6. The terminal device according to claim 4, wherein the specific information according to claim 4 is input to a second device connected to the second network.   5. The authentication system according to claim 4, further comprising a recording unit that records and holds the unique information in the second device connected to the second network.   The unique information is recorded and held in a recording unit of a server connected to the second network, and is called and registered by a signal from the second device via the second network. 5. The authentication system according to claim 4, wherein necessary information such as an address is sent to the first system (server).   The authentication required for the accounting process is performed between the second network system (server) and the credit transaction system, and only the accounting process is performed between the first network system and the second network system. The authentication system according to claim 1 or 2, characterized in that   3. The authentication system according to claim 1, wherein authentication and billing necessary for billing processing are performed by the system (server) of the second network.   In the second network, as the authentication, the log authenticated through the second network is left in the server of the second network, and the content server through the first network on the second network side The authentication system according to claim 1, wherein history management of connection and authentication records is performed.   9. The terminal device according to claim 3, further comprising a recording unit that records and holds a result of authentication by a second device connected to the second network. An authentication method in an authentication system comprising a first device connected to a first network and a second device connected to a second network different from the first network,
Connecting the first device and the second device by proximity communication means;
Performing a personal authentication process by the second device via the second network;
The second network authentication system (server) notifies an authentication result to the first network system (server), thereby performing a process of specifying an individual in the first network system (server). And an authentication method characterized by comprising: An authentication method in an authentication system comprising a first device connected to a first network and a second device connected to a second network different from the first network,
Connecting the first device to the second device by proximity communication means;
Performing a personal authentication process by the second device via the second network;
The second network authentication system (server) notifies an authentication result to the first network system (server), thereby performing a process of specifying an individual in the first network system (server). And an authentication method characterized by comprising:   27. A program for causing a computer of the second device to execute the authentication method according to claim 26.   A computer-readable recording medium for causing a computer of the second device to execute the program according to claim 27.   An integrated circuit comprising the recording medium according to claim 28, a computer, and a circuit for controlling the near field communication.

Images