WikiPatents - Community Patent Review
Create Free Account  |  License or Sell Your Patent  |  WikiPatents Marketplace  |  WikiPatents Blog
Username:  Password:  
    
Advanced Search
Remote authentication system    

Get related patents on CD
United States Patent6751733   
Link to this pagehttp://www.wikipatents.com/6751733.html
Inventor(s)Nakamura; Hiroshi (Tokyo, JP); Fujii; Teruko (Tokyo, JP); Sadakane; Tetsuo (Tokyo, JP); Baba; Yoshimasa (Tokyo, JP)
AbstractTo obtain a remote authentication system that securely authenticates with protecting biometrics information, which is user's personal information, and is firm on security when performing authentication of a person with the biometrics information, and a remote authentication method. The present invention encrypts biometrics information that is user's personal information, and transfers the biometrics information over a network in such a state that only an authentication server, which the user assigns, can decode the biometrics information. Therefore, it is possible to securely protect user's privacy that is the biometrics information in a style of reflecting user's intention, and to prevent reuse of invalid authentication information since it is possible to confirm the date and time, when the authentication information was generated, by the authentication server. Furthermore, it is possible to keep the security of a system firm since an authenticated side can confirm whether the user is authenticated.
   














 Title Information Submit all comments and votes
 
Patent Text Patent PDF Print Page Summary File History
Plain text PDF images Print Summary File History Custom Search
Inventor     Nakamura; Hiroshi (Tokyo, JP); Fujii; Teruko (Tokyo, JP); Sadakane; Tetsuo (Tokyo, JP); Baba; Yoshimasa (Tokyo, JP)
Owner/Assignee     Mitsubishi Denki Kabushiki Kaisha (Tokyo, JP)
Patent assignment
All assignments
Company News
Publication Date     June 15, 2004
Application Number     09/335,056
PAIR File History     Application Data   Transaction History
Image File Wrapper   Patent Term   Fees
Litigation
Filing Date     June 16, 1999
US Classification     713/182 713/155 713/186
Int'l Classification     H04L 009/32
Examiner     Barron; Gilberto
Assistant Examiner     Lanier; Benjamin E
Attorney/Law Firm     Birch, Stewart, Kolasch & Birch, LLP
Address
Parent Case    
Priority Data     Sep 11, 1998[JP]10-257813
USPTO Field of Search     713/186 713/182 713/155 380/282 380/285
Patent Tags     remote authentication
   
Enter a comma (,) or semicolon (;) between multiple tag words/phrases.
Describe this patent:
 Amusing   
 Clever   
 Complex   
 Efficient   
 Historic   
 Important   
 Innovative   
 Interesting   
 Practical   
 Simple   
[no votes]
Patent WIKI

Share information and news about this patent, including information and news about the technology, inventors, company, ligation and licensing.
 References Submit all comments and votes
 
*references marked with an asterisk below are user-added references
 U.S. References
 
Add a new US reference:  
ReferenceRelevancyCommentsReferenceRelevancyComments
6035402
Vaeth

Mar,2000
[0 after 0 votes]		5978495
Thomopoulos
382/124
Nov,1999
[0 after 0 votes]
5534855
Shockley
340/5.52
Jul,1996
[0 after 0 votes]
 Foreign References
 Other References
 Market Review Submit all comments and votes
   
Market Size
Estimate the gross annual revenues of the relevant market sector:
> $10B
$5B - $10B
$2B - $5B
$500M - $2B
$100M - $500M
$10M - $100M
$1M - $10M
$500K - $1M
$100K - $500K
< $100K
[No votes]
$0
 
$0   $2.5B   $5B   $7.5B   $10B

[0 market size comments]
Market Share
Estimate the percentage of the relevant market sector this invention will capture:
75% - 100%
50% - 74.99%
25% - 49.99%
10 - 24.99%
5 - 9.99%
2 - 4.99%
1 - 1.99%
< 1%
[No votes]
0.0%
 
0%   25%   50%   75%   100%

[0 market share comments]
Reasonable Royalty
What percentage of gross sales should the inventor or assignee be paid?
75% - 100%
50% - 74.99%
25% - 49.99%
10 - 24.99%
5 - 9.99%
2 - 4.99%
1 - 1.99%
< 1%
[No votes]
0.0%
 
0%   25%   50%   75%   100%

[0 reasonable royalty comments]
Public's "Guesstimation" of Royalty Value
Market SizeN/A[No votes]
xMarket ShareN/A[No votes]
xReasonable RoyaltyN/A[No votes]
N/A

[0 Guesstimation of Royalty Value Comments]
License Availablity
If you are NOT the owner or assignee, answer here:
Yes, license is available for purchase

No, license is not currently available



 [No votes]
[0 license availability comments]
License Availablity
If you ARE the owner or assignee, answer here:
Yes, license is available for purchase

No, license is not currently available



 [No votes]
[0 owner/assignee comments]
Competitive Advantage
Does this invention have a significant competitive advantage over similar technologies?
Yes

No



 [No votes]
Most helpful competitive advantage comment
[No comments]

[0 competitive advantage comments]
Commercial Alternatives
Are there viable commercial alternatives for this invention?
Yes

No



 [No votes]
Most helpful commercial alternative comment
[No comments]

[0 commercial alternatives comments]
 Technical Review Submit all comments and votes
 Claims Submit all comments and votes
 


What is claimed is:

1. A remote authentication system in which an authentication server, an application server, and a user terminal are connected to a network and authenticates a user using the user terminal, wherein the authentication server includes a public key and a secret key each encrypted using a public key encryption method, in which the public key is announced, and the secret key is concealed;

wherein at least one biometrics acquisition apparatus is connected to the user terminal;

wherein the biometrics acquisition apparatus: encrypts user's biometrics information, acquired at the time of authentication, with a common key in a common key encryption method; acquires date and time information, creates a message digest by connecting the date and time information with the common key, and further encrypts the message digest with the common key; acquires the public key of the authentication server, which the user assigns, and encrypts the common key with the public key of the authentication server; and transfers the encrypted biometrics information, the encrypted common key and date and time information, and the encrypted message digest, as authentication information to the user terminal;

wherein the user terminal and the application server transfer the authentication information to the authentication server; and

wherein the authentication server: decodes user's biometrics information with the common key acquired by decoding the authentication information, using the secret key; authenticates the user with the biometrics information; creates and encrypts the result of the authentication and a message digest of the result of the authentication; and transfers the result of the authentication and the message digest of the result to the application server.

2. A remote authentication system in which an authentication server, an application server, and a user terminal are connected to a network and authenticates a user using the user terminal, wherein the authentication server includes a public key and a secret key each encrypted using a public key encryption method, in which the public key is announced, and the secret key is concealed, and at least one biometrics acquisition apparatus is connected to the user terminal;

wherein the biometrics acquisition apparatus: encrypts user's biometrics information, acquired at the time of authentication, with a common key in a common key encryption method; acquires date and time information, creates a message digest by connecting the date and time information with the common key, further encrypts the message digest with the common key; acquires the public key of the authentication server, which the user assigns; encrypts the common key with the public key of the authentication server; and transfers the encrypted biometrics information, the encrypted common key and date and time information, and the encrypted message digest, as authentication information to the user terminal;

wherein the user terminal transfers the authentication information to the authentication server; and

wherein the authentication server: decodes user's biometrics information with the common key acquired by decoding the authentication information, using the secret key; authenticates the user with the biometrics information; creates and encrypts the result of the authentication and a message digest of the result of the authentication with the secret key; and transfers the result of the authentication and the message digest of the result to the user terminal.

3. The remote authentication system according to claim 1, wherein the biometrics acquisition apparatus transfers biometrics information to the user terminal without encrypting the biometrics information at the time of authentication; and

wherein the user terminal: encrypts the user's biometrics information, which is obtained, with a common key in a common key encryption method; acquires a public key of a authentication server that a user assigns; encrypts the common key with the public key of the authentication server; acquires date and time information, creates a message digest by connecting the date and time information with the common key, encrypts the message digest with the common key; and transfers the encrypted biometrics information, the encrypted common key and date and time information, and the encrypted message digest, as authentication information to the user terminal.

4. The remote authentication system according to claim 2, wherein the biometrics acquisition apparatus transfers biometrics information to the user terminal without encrypting the biometrics information at the time of authentication; and

wherein the user terminal: encrypts the user's biometrics information, which is obtained, with a common key in a common key encryption method; acquires a public key of a authentication server that a user assigns; encrypts the common key with the public key of the authentication server; acquires data and time information, creates a message digest by connecting the date and time information with the common key, encrypts the message digest with the common key; and transfers the encrypted biometrics information, the encrypted common key and date and time information, and the encrypted message digest, as authentication information to the user terminal.

5. The remote authentication system according to claim 1, wherein the user terminal uses biometrics information as a part or all of random numbers for creating the common key when, at the time of authentication, the user terminal creates the common key in a common key encryption method for encrypting the acquired user's biometrics information.

6. The remote authentication system according to claim 2, wherein the user terminal uses biometrics information as a part or all of random numbers for creating the common key when, at the time of authentication, the user terminal creates the common key in a common key encryption method for encrypting the acquired user's biometrics information.

7. The remote authentication system according to claim 3, wherein the user terminal uses biometrics information as a part or all of random numbers for creating the common key when, at the time of authentication, the user terminal creates the common key in a common key encryption method for encrypting the acquired user's biometrics information.

8. The remote authentication system according to claim 4, wherein the user terminal uses biometrics information as a part or all of random numbers for creating the common key when, at the time of authentication, the user terminal creates the common key in a common key encryption method for encrypting the acquired user's biometrics information.

9. The remote authentication system according to claim 1, wherein the biometrics acquisition apparatus includes an authentication unit for authenticating an administrator who administrates the biometrics acquisition apparatus and an authentication unit of an initializer for authenticating the initialization of the biometrics acquisition apparatus; and

wherein the two authentication units perform authentication separately, and performs initialization with authentication of the initializer even if the administrator is not authenticated.

10. The remote authentication system according to claim 2, wherein the biometrics acquisition apparatus includes an authentication unit for authenticating an administrator who administrates the biometrics acquisition apparatus and an authentication unit of an initializer for authenticating the initialization of the biometrics acquisition apparatus; and

wherein the two authentication units perform authentication separately, and performs initialization with authentication of the initializer even if the administrator is not authenticated.

11. The remote authentication system according to claim 3, wherein the biometrics acquisition apparatus includes an authentication unit for authenticating an administrator who administrates the biometrics acquisition apparatus and an authentication unit of an initializer for authenticating the initialization of the biometrics acquisition apparatus; and

wherein the two authentication units perform authentication separately, and performs initialization with authentication of the initializer even if the administrator is not authenticated.

12. The remote authentication system according to claim 4, wherein the biometrics acquisition apparatus includes an authentication unit for authenticating an administrator who administrates the biometrics acquisition apparatus and an authentication unit of an initializer for authenticating the initialization of the biometrics acquisition apparatus; and

wherein the two authentication units perform authentication separately, and performs initialization with authentication of the initializer even if the administrator is not authenticated.

13. The remote authentication system according to claim 1, wherein the authentication server: saves a historic record of a matching rate that is a result of matching biometrics at the time of user authentication; compares a matching rate with an average matching rate at the time of identifying a user as a principal until it is determined by the authentication server at the time of user authentication that the user is not the principal; confirms whether a matching rate at this time is greater than a preset value determined by an administrator; and informs a contact, who is registered beforehand, if a number of failed attempts at authentication, due to the matching rate being greater than a preset value, reaches a fixed value determined by the administrator.

14. The remote authentication system according to claim 2, wherein the authentication server: saves a historic record of matching rate that is a result of matching biometrics at the time of user authentication; compares a matching rate with an average matching rate at the time of identifying a user as a principal until it is determined by the authentication server at the time of user authentication that the user is not the principal; confirms whether a matching rate at this time is greater than a preset value determined by an administrator; and informs a contact, who is registered beforehand, if a number of failed attempts at authentication, due to the matching rate being greater than a preset value, reaches a fixed value determined by the administrator.

15. The remote authentication system according to claim 3, wherein the authentication server: saves a historic record of a matching rate that is a result of matching biometrics at the time of user authentication; compares a matching rate with an average matching rate at the time of identifying a user as a principal until it is determined by the authentication server at the time of user authentication that the user is not the principal; confirms whether a matching rate at this time is greater than a preset value determined by an administrator; and informs a contact, who is registered beforehand, if a number of failed attempts at authentication, due to the matching rate being greater than a preset value, reaches a fixed value determined by the administrator.

16. The remote authentication system according to claim 4, wherein the authentication server: saves a historic record of a matching rate that is a result of matching biometrics at the time of user authentication; compares a matching rate with an average matching rate at the time of identifying a user as a principal until it is determined by the authentication server at the time of user authentication that the user is not the principal; confirms whether a matching rate at this time is greater than a preset value determined by an administrator; and informs a contact, who is registered beforehand, if a number of failed attempts to authentication, due to the matching rate being greater than a preset value, reaches a fixed value determined by the administrator.

17. The remote authentication system according to claim 1, wherein the authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with a matching rate at the time of identifying a user as a principal until at the time of user authentication if the authentication server identifies the user as the principal; makes the user authentication unsuccessful if the two matching rates are the same rates and a message digest of biometrics information is not saved, performs a message digest calculation of biometrics information if the user authentication is unsuccessful, saves the message digest of biometrics information with the matching rate; saves a message digest of biometrics information with a matching rate as a pair by calculating the message digest of biometrics information at this time if the two matching rates are the same and a message digest is saved, compares the message digest of biometrics information at this time with the message digest of biometrics information at the same matching rate previously obtained, identifies the user as a principal if both message digests are different from each other; does not identify the user as a principal if a pair of a matching rate and a message digest at this time completely coincides with a pair of a matching rate and a message digest previously obtained; and informs a contact, who is registered beforehand, if a number of instances in which the pair of the matching rate and message digest at this time coincides with the pair of the matching rate and message digest previously obtained reaches a value equal to or more than a fixed value which is determined by an administrator.

18. The remote authentication system according to claim 2, wherein the authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with a matching rate at the time of identifying a user as a principal until at the time of user authentication if the authentication server identifies the user as the principal; makes the user authentication unsuccessful if the two matching rates are the same rates and a message digest of biometrics information is not saved, performs a message digest calculation of biometrics information if the user authentication is unsuccessful, saves the message digest of biometrics information with the matching rate; saves a message digest of biometrics information with a matching rate as a pair by calculating the message digest of biometrics information at this time if the two matching rates are the same and a message digest is saved, compares the message digest of biometrics information at this time with the message digest of biometrics information at the same matching rate previously obtained, identifies the user as a principal if both message digests are different from each other; does not identify the user as a principal if a pair of a matching rate and a message digest at this time completely coincides with a pair of a matching rate and a message digest previously obtained; and informs a contact, who is registered beforehand, if a number of instances in which the pair of the matching rate and message digest at this time coincides with the pair of the matching rate and message digest previously obtained reaches a value equal to or more than a fixed value which is determined by an administrator.

19. The remote authentication system according to claim 3, wherein the authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with a matching rate at the time of identifying a user as a principal until at the time of user authentication if the authentication server identifies the user as the principal; makes the user authentication unsuccessful if the two matching rates are the same rates and a message digest of biometrics information is not saved, performs a message digest calculation of biometrics information if the user authentication is unsuccessful, saves the message digest of biometrics information with the matching rate; saves a message digest of biometrics information with a matching rate as a pair by calculating the message digest of biometrics information at this time if the two matching rates are the same and a message digest is saved, compares the message digest of biometrics information at this time with the message digest of biometrics information at the same matching rate previously obtained, identifies the user as a principal if both message digests are different from each other; does not identify the user as a principal if a pair of a matching rate and a message digest at this time completely coincides with a pair of a matching rate and a message digest previously obtained; and informs a contact, who is registered beforehand, if a number of instances in which the pair of the matching rate and message digest at this time coincides with the pair of the matching rate and message digest previously obtained reaches a value equal to or more than a fixed value which is determined by an administrator.

20. The remote authentication system according to claim 4, wherein the authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with a matching rate at the time of identifying a user as a principal until at the time of user authentication if the authentication server identifies the user as the principal; makes the user authentication unsuccessful if the two matching rates are the same rates and a message digest of biometrics information is not saved, performs a message digest calculation of biometrics information if the user authentication is unsuccessful, saves the message digest of biometrics information with the matching rate; saves a message digest of biometrics information with a matching rate as a pair by calculating the message digest of biometrics information at this time if the two matching rates are the same and a message digest is saved, compares the message digest of biometrics information at this time with the message digest of biometrics information at the same matching rate previously obtained, identifies the user as a principal if both message digests are different from each other; does not identify the user as a principal if a pair of a matching rate and a message digest at this time completely coincides with a pair of a matching rate and a message digest previously obtained; and informs a contact, who is registered beforehand, if a number of instances in which the pair of the matching rate and message digest at this time coincides with the pair of the matching rate and message digest previously obtained reaches a value equal to or more than a fixed value which is determined by an administrator.
 Description Submit all comments and votes
 


BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a remote authentication system identifying a person with biometrics.

2. Description of the Related Art

Heretofore, so as to perform security protection in an information processing system connected to a network, it is necessary to identify a person and to judge approval or disapproval of access of the person, that is, to perform authentication. In addition, in cash dispensers of banks and the like, authentication for identifying a person and accessing the person's transaction information, and authentication for entrance into and exit from confidential research sites, membership clubs, and the like, which have high confidentiality, are performed.

Identification of a person and authorization of the person's qualification, that is, authentication is performed with a magnetic card, an IC card, which are positioned similarly to an identification card and the like, and the person's memory such as a password, and combination of them. There are problems that the authentication cannot be performed because the password is forgotten, and the magnetic card and IC card are lost or broken, and another person, who is not the principal, is authenticated with masquerading by burglary and leakage of password information.

In addition, as one of means for authenticating a user over a network, there is a digital signature for indirectly authenticating the user by authenticating a message created by the user. In the digital signature, first, a message sender attaches a cryptogram that is encrypted from a message digest, into which an original message is compressed, with the sender's cryptographic key to the message. A message receiver confirms that the message is one, which the sender himself/herself sent, and that the message is not tampered, by creating a message digest from the message received, decoding the message digest from the cryptogram, which is attached, with the sender's decoding key, and confirming coincidence of these two message digests.

In addition, in the above-described encryption method, there are a common key encryption method, using the same key for a cryptographic key and a decoding key, and a public key encryption method using different keys for the cryptographic key and decoding key. In the public key encryption method, when one key is set as a secret key and is kept safely and another key is officially announced as a public key, the cryptogram encrypted with the public key cannot be decoded into the original message if a receiver has not the secret key, and hence the sender can transfer the message in such a form that only the receiver, who is desired by the sender, can decode, and the cryptogram encrypted with the secret key can be decoded with the public key into the original message, and hence the receiver can authenticates that the message is one from the sender herself/himself having the secret key.

Heretofore, although, in RFC1421 and RFC1422 (PEM: Privacy Enhancement for Internet Electronic Mail) that are registered in RFC (Request For Comment) of IETF (Internet Engineering Task Force), the digital signature and message encryption are performed with the public key encryption method and common key encryption method, there is a problem that it is necessary to administrate the secret key on the sender's hands since the sender uses the own secret key, for example, to safely keep the secret key with saving the secret key in a floppy disk, a magnetic card, and an IC card.

On the other hand, in the authentication with biometrics information, which is a person's biological characteristic such as finger print information, palm print information, handwriting information, and retina information, it is difficult to perform masquerade and is unnecessary to administrate the information of the secret key so long as the user himself/herself presents, and it is possible to resolve the complexness of keeping a baggage and the threat of loss at the time of the authentication of a person and the complexness of memory at the time of the authentication of a password with the magnetic card and IC card. Nevertheless, there are problems that, if the authentication with the biometrics information is necessary in a wide range, the equipment for performing the centralized administration and authentication of the biometrics information is necessary, and that it is necessary to keep security with concealing the user's biometrics information at the time of transferring the biometrics information to the equipment, performing the authentication, from the viewpoint of protection of privacy.

Furthermore, in general, random numbers are for creating a cryptographic key in a system creating the cryptographic key used for concealing the biometrics information. Nevertheless, there is also a problem that it is important to eliminate the tendency of the random numbers so as to make it difficult to break the cryptographic key.

In addition, an apparatus acquiring biometrics should be properly administrated from the viewpoint of protection of users' privacy, and it is necessary to authenticate an administrator. Nevertheless, there is a problem that, since another person cannot act for the administrator if the authentication of this administrator was performed with biometrics, another person can never perform the access to the biometrics acquisition apparatus including initialization. Furthermore, there is a problem that even a valid administrator can never perform the access to the biometrics acquisition apparatus including initialization if the biometrics used for the authentication is largely changed or lost by suffering damage in an accident in case of the valid administrator.

Moreover, in general, a system performing user authentication is required to find an invalid authentication, for example, as for a cash card in a bank, there is means for making a cash card unusable if authentication with a preset number of times of password inputs is unsuccessful. Also, a user authentication system with the biometrics is required to find an invalid authentication. Nevertheless, a condition of biometrics is different for every person, for example, in a system authenticating a person with finger print matching, a minimum matching rate identifying a person as the principal is determined, but a person whose finger is rough or worn gets a low matching rate even if the person can obtain the best biometrics information at the time, and a failure probability of the authentication itself increases if the matching rate decreases due to minor failure such as insufficient contact at the time of acquiring the finger print. Therefore, there is a problem that it cannot be equally performed for all the persons that it is judged to be an unsuccessful authentication within only the preset number of times.

SUMMARY OF THE INVENTION

The present invention is provided to solve the above problems. An object of the present invention is to provide a remote authentication system which securely authenticates by utilizing biometrics information, which is the user's personal information, and is firm on security when performing authentication of a person with the biometrics information, and a remote authentication method.

In a remote authentication system, in which an authentication server, an application server, and a user terminal are connected to a network respectively, and which authenticates a user using the user terminal, a remote authentication system according to a first invention is a system, wherein the authentication server has a pair of a public key and a secret key in a public key encryption method, announces the public key, and conceals the secret key; wherein at least one kind or a plural kind of biometrics acquisition apparatus is connected to the user terminal; wherein the biometrics acquisition apparatus: encrypts user's biometrics information, acquired at the time of authentication, with a common key in a common key encryption method; acquires date and time information, creates a message digest with connecting the date and time information with the common key, and further encrypts the message digest with the common key; acquires the public key of the authentication server, which the user assigns, and encrypts the common key with the public key of the authentication server; and transfers the biometrics information encrypted, the common key and date and time information, which is encrypted, and the message digest encrypted with connecting the date and time information with the common key, as authentication information to the user terminal; and wherein the user terminal and application server transfer the authentication information to the authentication server, and the authentication server: decodes user's biometrics information with the common key acquired by decoding the authentication information, which is transferred, with the secret key; authenticates the user with the biometrics information; and encrypts result of authentication and a message digest of the result of the authentication with the secret key and transfers both to the application server.

In addition, in a remote authentication system, in which an authentication server and a user terminal are connected to a network respectively, and which authenticates a user using the user terminal, a remote authentication system according to a second invention is a system, wherein the authentication server has a pair of a public key and a secret key in a public key encryption method, announces the public key, and conceals the secret key; wherein at least one kind or a plural kind of biometrics acquisition apparatus is connected to the user terminal; wherein the biometrics acquisition apparatus: encrypts user's biometrics information, acquired at the time of authentication, with a common key in a common key encryption method; acquires date and time information, creates a message digest with connecting the date and time information with the common key, further encrypts the message digest with the common key; acquires the public key of the authentication server, which the user assigns, and encrypts the common key with the public key of the authentication server; and transfers the biometrics information encrypted, the common key and date and time information, which is encrypted, and the message digest encrypted with connecting the date and time information with the common key, as authentication information to the user terminal; wherein the user terminal transfers the authentication information to the authentication server; and wherein the authentication server: decodes user's biometrics information with the common key acquired by decoding the authentication information, which is transferred, with the secret key; authenticates the user with the biometrics information; and encrypts result of authentication and a message digest of the result of the authentication and transfers both to the user terminal.

In addition, a remote authentication system is a system, wherein a biometrics acquisition apparatus: transfers biometrics information to a user terminal without encrypting the biometrics information at the time of authentication; encrypts the user's biometrics information, which the user terminal obtains, with a common key in a common key encryption method; acquires date and time information, creates a message digest with connecting the date and time information with the common key, encrypts the message digest with the common key; acquires a public key of an authentication server, which the user assigns; encrypts the common key with the public key of the authentication server; and transfers the biometrics information encrypted, the common key and date and time information, which is encrypted, and the message digest encrypted with connecting the date and time information with the common key, as authentication information.

Furthermore, a remote authentication system according to a fourth invention uses biometrics information as a part or all of random numbers for creating a common key in a common key encryption method for encrypting the user's biometrics information acquired, at the time of authentication.

A remote authentication system according to a fifth invention is a system, wherein a biometrics acquisition apparatus includes: an authentication unit of an administrator administrating the biometrics acquisition apparatus; and an authentication unit of an initializer initializing the biometrics acquisition apparatus, wherein the two authentication units perform authentication separately, and can perform only the initialization with authentication of the initializer.

A remote authentication system according to a sixth invention is a system, wherein an authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with an average matching rate at the time of identifying a user as a principal until the previous occasion if the authentication server does not identify the user as the principal at the time of user authentication; confirms whether the matching rate at this time changes more largely than a preset value determined by an administrator; and informs a contact, who is registered beforehand, if a number of failed times due to changes more largely than the fixed value reaches a fixed value determined by the administrator.

A remote authentication system according to a seventh invention is a system, wherein an authentication server: saves historic records of matching rates that are results of matching biometrics at the time of user authentication; compares a matching rate with a matching rate at the time of identifying a user as a principal until the previous occasion at the time of user authentication if the authentication server identifies the user as the principal; makes the user authentication unsuccessful if the two matching rates are the same rates and a message digest of biometrics information is not saved, performs message digest calculation of biometrics information at this time, saves the message digest of biometrics information with the matching rate; saves a message digest of biometrics information at this time with a matching rate as a pair with calculating the message digest of biometrics information at this time if the two matching rates are the same and a message digest is saved, compares the message digest of biometrics information at this time with the message digest of biometrics information at the same matching rate in the past, identifies the user as a principal if both message digests are different from each other; does not identify the user as a principal if a pair of a matching rate and a message digest at this time completely coincides with a pair of a matching rate and a message digest in the past; and informs a contact, who is registered beforehand, if a number of cases that the pair of the matching rate and message digest at this time completely coincides with the pair of the matching rate and message digest in the past reaches a value equal to or larger than a fixed value which is determined by an administrator.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the configuration of a first embodiment of an Web system where a remote authentication system according to the present invention is applied;

FIG. 2 is a timing chart for explaining the processing of authentication in the Web system in FIG. 1;

FIG. 3 is a block diagram showing the configuration of a second embodiment of a database retrieval system where a remote authentication system according to the present invention is applied;

FIG. 4 is a timing chart for explaining the processing of authentication in the database retrieval system in FIG. 3;

FIG. 5 is a block diagram showing the configuration of a third embodiment of an Web system where a remote authentication system according to the present invention is applied;

FIG. 6 is a timing chart for explaining the processing of authentication in the Web system in FIG. 5;

FIG. 7 is a block diagram showing the configuration of a fourth embodiment at the time of administration of a finger print acquisition apparatus where a remote authentication system according to the present invention is applied;

FIG. 8 is a block diagram showing the configuration of a fifth embodiment of an authentication server where a remote authentication system according to the present invention is applied.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, embodiments of the present invention will be described with reference to drawings.

Embodiment 1

FIG. 1 shows the configuration of a Web system 1 where the present invention is applied. Over a network 2, an authentication server 3, an Web server 4 that is an application server, and a user terminal 5 are connected, and a biometrics acquisition apparatus 6 is connected to the user terminal 5. In this Web system 1, if a user accesses the Web server 4 through the user terminal 5, the Web server 4 receives user's personal authentication from the authentication server 3, and according to the result, the Web server 4 performs access control to the user.

The authentication server 3 is a computer system (hereinafter, this is shown as a system having a CPU, memory, a disk, communication control, and the like) such as a personal computer and a workstation that are composed of an authentication controller 3A, an encryption processing unit 3C, and an authentication information database 3B, and announces one key in a public key method as a public key and conceals another key as a secret key.

In addition, the Web server 4 is a computer system such as a personal computer and a workstation where a Web server database 4A, an encryption processing unit 4D, an authentication request unit 4B, and an application of a Web server software 4C (hereinafter, software is written as S/W) that is an application requiring personal authentication operate.

In addition, the user terminal 5 is a computer system such as a personal computer and a workstation where a browser 5A displaying information of the Web server terminal 4, and authentication information acquisition S/W 5B operate. Furthermore, a biometrics acquisition apparatus 6 is connected to the user terminal 5. The biometrics acquisition apparatus 6 represents a finger print acquisition apparatus 7 and a palm print acquisition apparatus 8 that acquire finger print of a human body and palm print information with image processing as biometrics information, a character recognition tablet 9 acquiring handwriting information, which a user draws, as biometrics information, a retina acquisition apparatus 10 acquiring retina information of a human body as the biometrics information with eyeground (fundus) scanning and the like, and the like.

Here, a case that the finger print acquisition apparatus 7 is used as the biometrics acquisition apparatus 6 will be described as an example. In addition, the biometrics information acquired by the biometrics acquisition apparatus 6 such as the finger print acquisition apparatus 7 can be image data, image data that is not processed such as electrostatic data, and characteristic point data obtained by extracting characteristics from image data. The finger print acquisition apparatus 7 is composed of a finger print information acquisition unit 7A acquiring finger print information with image processing and the like and transferring the finger print information to the user terminal, an encryption processing unit 7B encrypting the finger print information, and a public key acquisition unit 7C acquiring a public key of the authentication server 3.

Next, operation will be described.

A flow of authentication processing in the Web system 1 like this is shown in FIG. 2.

First, a case (SP5) that a user accesses information in the Web server database 4A, which has high confidentiality, in the Web server 4 with the browser 5A that is an application operating in the user terminal 5 will be described. The Web server S/W 4C, which is an application performing access control of the information having high confidentiality, is required to perform the user authentication so as to judge whether the user has an access authority.

The authentication information acquisition S/W 4C in the user terminal 5 acquires the finger print information, which is biometrics information necessary for the authentication, from the finger print acquisition apparatus 7 (SP6). At this time, the S/W 4C may operate with cooperating with other S/W (software such as a driver acquiring the authentication information).

The finger print information acquisition unit 7A in the finger print acquisition apparatus 7, which is instructed to acquire the finger print information by the authentication information acquisition S/W 5B in the user terminal 5, acquires the finger print information from the user (SP1). Although the encryption processing unit 7B encrypts this finger print information since this finger print information is user's inherent personal information, first, the encryption processing unit 7B creates a common key in the common key method for encrypting this finger print information, and encrypts the finger print information with this common key. At the same time, the encryption processing unit 7B acquires date and time information, creates a message digest with connecting the date and time information with the common key, and further encrypts the message digest with the common key (SP2).

The public key acquisition unit 7C in the finger print acquisition apparatus 7 acquires a public key of the authentication server from user's instruction such as a floppy disk, a magnetic card, an IC card, or key entry. Alternatively, if the finger print acquisition apparatus 7 is properly administrated, the public key of the authentication server 3 is fixedly saved in the public key acquisition unit 7C in the finger print acquisition apparatus 7, and hence the user may use the public key after recognizing the public key. Next, the encryption processing unit 7B encrypts the common key with the public key of the authentication server 3 (SP3).

Then, the finger print acquisition unit 7A transfers the finger print information encrypted, the date and time information, the message digest with connecting the date and time information with the common key that is encrypted, and the encrypted common key as the authentication information to the authentication information acquisition S/W 5B in the user terminal 5 (SP4).

The authentication information acquisition S/W 5B in the user terminal 5 transfers the authentication information, which is acquired, to the Web server 4 through the browser 5A. At this time, the browser 5A transfers the authentication information with adding a user ID such as a user name and a mail address, which the browser 5A acquires separately (SP7).

The authentication request unit 4B in the Web server 4 transfers the authentication information, which the authentication request unit 4B acquires through the Web server S/W 4C, to the authentication controller 3A in the authentication server 3 (SP9).

The authentication controller 3A in the authentication server 3 makes the encryption processing unit 3C decode the authentication information transferred, and performs the user authentication. At this time, the encryption processing unit 3C compares the message digest created f