JP2003242116A - Certification device, certification system, server, portable terminal, certification terminal, and method of certification - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system in which illegal use by copying information is made difficult in principle in collation (certification) conducted for judging if a regular digital ticket is provided or not. <P>SOLUTION: This certification system for tickets or the like is provided with a certification information providing server 40 to provide sale data following ticket sale achievement based on a request from a portable terminal 20, the portable terminal 20 to output the certification information (digital ticket) based on the sale data received from the certification information providing server 40 by conducting data communication with the certification information providing server 40, and a certification terminal 30 to read the certification information outputted to the portable terminal 20, and execute a certification process based on the read certification information. The certification information outputted to this portable terminal 20 is generated to include time data indicating time when the certification information is outputted at the portable terminal 20. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication system or the like, and more particularly to an authentication system or the like that enables authentication of a ticket or the like using a mobile terminal, for example.

[0002]

2. Description of the Related Art In recent years, mobile phones such as mobile phones and PHSs have been used.
On the screen of, the tickets purchased online are displayed using a specific code (one-dimensional code such as barcode or two-dimensional code), and at a concert venue, for example, a predetermined reader (for example, barcode reader, mark) A system has been proposed in which a reader is used to read this specific code and confirm whether or not it is a legitimate ticket. By authenticating (inquiring) the purchase fact using the display provided on the personal-use mobile terminal, compared to the conventional paper-based authentication such as a ticket, the ticket distribution is more complicated. You can save the trouble.

[0003] For example, in Japanese Patent Laid-Open No. 2001-148037, a portable terminal sends a ticket item and a personal identification number to a ticket issuing server, and the ticket issuing server signs a digital ticket including data indicating ticket entry items and a personal identification number. It discloses a technique for performing authentication by converting the two-dimensional code into a two-dimensional code, sending the two-dimensional code to the mobile terminal, and then reading the two-dimensional code displayed on the entrance management device.

As a conventional technique relating to an authentication system, for example, Japanese Patent Laid-Open No. 2001-175904 discloses
At the same time as sending ID information (password) that is changed at regular intervals to the entry / exit management system, this ID information is sent wirelessly to the pager of the user, and authentication is performed based on these identities. ing. Also,
In Japanese Unexamined Patent Application Publication No. 2001-209614, the passwords of both terminals to be authenticated are changed at the same time according to the same rule according to time, and the password sent from the other party and the own password are compared, and they are the same. In the case where the authentication is successful, the technology is approved.

[0005]

In the authentication system using the portable terminal as described above, the code displayed on the display of the portable terminal can be browsed even by a person other than the person who purchased the ticket or the like. Because it is possible,
Can be easily duplicated. As a result, from the viewpoint of security and prevention of counterfeiting, it was difficult to use it for the purpose of purchase authentication for high-value products.

To prevent this forgery, for example, one by one
It is conceivable that a serial number is assigned to each user (one user) and the host manages the serial number so that two or more sheets having the same number cannot be accepted. Also, a method of sending the two-dimensional code to the mobile terminal immediately before performing the authentication and not giving time for copying may be considered. In addition, a method of connecting the mobile terminal, the host, and the confirmation terminal at the time of use, and sending the same two-dimensional code data to the respective terminals for confirmation can be considered. However, in any of these methods, since it is necessary to connect to the host again at the time of use in addition to the time of purchase (at the time of authentication), it is difficult to realize a standalone confirmation terminal, and
Extra costs such as connection work and additional communication costs at the time of use (at the time of authentication) that should be omitted originally occur.

For example, in a service using a mobile phone represented by Japanese Patent Laid-Open No. 2001-148037, as a method of determining that the two-dimensional code displayed on the mobile phone is valid, A. Enter the security code. B. The host calls the mobile phone, and a person confirms the call. C. Make a call from the host to the mobile phone and visually check the host's telephone number displayed there. D. Call the admission control terminal from your mobile phone and check. Such complicated operations and extra operations that involve human labor are required, resulting in an increase in management costs.

A conventional authentication method is disclosed in Japanese Patent Laid-Open No. 2001-2001.
In the technique described in Japanese Patent Publication No. 175904, it is necessary to constantly transmit (communicate) the changed ID information to the pager, and reconnection is required after the time of purchase. Furthermore, JP 20
In the authentication method described in JP-A No. 01-209614, it is necessary to hold a large number of passwords or an algorithm for generating a large number of passwords on both sides, which complicates the processing.

The present invention has been made to solve the above technical problems, and its purpose is to make it difficult in principle to illegally use information by copying it at the time of authentication (inquiry). To provide such a mechanism. Another object is to provide a mechanism in which it is not necessary to connect the mobile terminal and the host in principle, except when purchasing online, and to suppress the occurrence of communication costs and network access concentration. Still another object is to enable offline operation with a plurality of confirmation terminals that are independent of each other.

[0010]

Based on the time data that can be easily shared by both the user side (customer side) and the authentication side, the present invention has a code image that changes from moment to moment. By generating a code image, even if the code image is duplicated at a certain point, the code image at the time of actual use cannot be created and output. That is, the authentication device to which the present invention is applied is a first processor for creating authentication information based on authentication data and time data, and the time data includes a time when the authentication information is created. And a second processor for performing authentication by comparing the time extracted from the authentication information with the time at the time of authentication.

[0011] Here, the second processor includes determining that the authentication has failed when the time difference between the time included in the authentication information and the time at the time of authentication is larger than a predetermined value. The first processor includes encryption processing of the authentication data and the time data to create the authentication information, and the second processor decodes the authentication information to determine the time included in the authentication information. Including getting.

An authentication system to which the present invention is applied is a server for providing authentication data, and a portable terminal for creating authentication information based on the authentication data and time data received from the server. , The time data includes the time when the authentication information is created, and the mobile terminal and the authentication terminal for performing authentication by matching the time extracted from the authentication information received from this mobile terminal with the time at the time of authentication. Including.

Here, the mobile terminal includes an output unit for outputting the created authentication information, and the authentication terminal includes an input unit for inputting the authentication information output from the output unit of the mobile terminal. The output unit of the mobile terminal includes a transmission unit for transmitting the authentication information, and the input unit of the authentication terminal is
It includes a receiving unit for receiving the authentication information transmitted from the output unit of the mobile terminal. Further, the portable terminal includes a writing unit for writing the authentication information in the storage medium connected to the output unit, and the authentication terminal includes a reading unit for reading the authentication information in the storage medium connected to the input unit. .
Furthermore, the output unit of the mobile terminal includes a display unit for displaying the authentication information as an image, and the input unit of the authentication terminal includes an image reader for reading an image displayed on the display unit of the mobile terminal. Includes changing according to the time data included in the authentication information. Also,
The mobile terminal includes calibrating the time when the authentication information is created based on the time information received from the server, and the collating unit includes creating the authentication information based on the time after the calibration. Further, the authentication terminal includes calibrating the time at the time of authentication based on the time information received from the server, and the matching unit includes matching based on the time after calibration. Furthermore, the mobile terminal includes encryption processing of the authentication data and time data to create authentication information, and the authentication terminal decrypts the authentication information and obtains the time included in this authentication information from the authentication information. Including that.

On the other hand, the server to which the present invention is applied includes a processor for creating authentication data in response to an authentication request, authentication data, an encryption key for encrypting this authentication data, and A memory for storing a program for encrypting the authentication data by using the encryption key to create the authentication information, the authentication data, the program, and a transmission means for transmitting the encryption key. including.
Here, this program includes creating the authentication information using the authentication data and the time data at the time of creating the authentication information. Further, the memory stores a program for decoding the created authentication information and obtaining the time of creation.

A portable terminal to which the present invention is applied is a memory for storing authentication data and a processor for creating authentication information based on the authentication data and time data, the time data being the authentication information. And a processor that includes the time at which to create. Further, the memory includes storing an encryption key for encrypting the authentication data, and the processor encrypts the authentication data using the encryption key to create authentication information. Including.
Further, it further includes a transmitting unit for transmitting the authentication information, an output unit for outputting the authentication information, and a writing unit for writing the authentication information in a storage medium connected to the output unit. Further, it includes a display unit for displaying the authentication information as an image, and this image includes changing depending on the time data included in the authentication information. The processor also includes calibrating the time when the authentication information is created based on the time information received from the outside.

The present invention is an authentication terminal for performing authentication based on authentication information including time information, for extracting time information from the authentication information, and collating the extracted time information with the time information at the time of authentication. Including the processor. Here, the processor includes determining that the authentication has failed when the time difference between the time extracted from the authentication information and the time at the time of authentication is larger than a predetermined value. Further, this authentication information includes authentication information that has been encrypted using the encryption key, and this processor uses the encryption key to
It includes decrypting the encrypted authentication information to obtain time information. Further, it includes a memory for storing the authentication information, the encryption key and the time information.

On the other hand, the present invention is a method for performing authentication based on the authentication information, which comprises the steps of preparing authentication data, obtaining time information, and creating authentication information based on the authentication data and time information. The time information includes a step of including the time when the authentication information is created, and a step of collating the time extracted from the authentication information with the time of the authentication.

Further, the step of preparing the encryption key includes the step of creating the authentication information by encrypting the authentication data and the time information using the encryption key. Including. The step of collating includes decoding the authentication information and obtaining the time from the authentication information. Further, the step of obtaining the time information includes the step of obtaining the reference time information, and the step of creating the authentication information includes the step of calibrating the time when the authentication information is created based on the reference time information and the time after the calibration. Creating authentication information based on. Furthermore, this collating step includes the step of calibrating the time at the time of authentication based on the reference time information, and the step of collating based on the time after calibration.

[0019]

BEST MODE FOR CARRYING OUT THE INVENTION The present invention will be described below in detail based on the embodiments shown in the accompanying drawings. FIG. 1 is a diagram showing the overall configuration of an authentication system to which this embodiment is applied. As shown in this figure, the authentication system according to the present embodiment includes, for example, a content provider 10 that provides content to be sold such as ticket information, and an authentication information providing server 40 (provided by the content provider 10 via a network such as the Internet. Access to the host) to obtain sales data associated with the purchase of tickets and to output the authentication information (for example, a digital ticket) to the portable terminal 20 as the first processor, concert halls, etc. The authentication terminal 30 is provided as a second processor that accesses the authentication information providing server 40 via a network such as the Internet and executes authentication. In the present embodiment, two-dimensional information for authentication (inquiry), which is a substitute for a ticket, is displayed on the display of the mobile terminal 20 that purchased the tickets, and the two-dimensional information is displayed by the reader of the authentication terminal 30. By reading the two-dimensional information, it is possible to authenticate (reference) tickets and the like.

FIG. 2 is a block diagram showing the configuration of the content provider 10. The content provider 10 is connected to a network, and is an authentication terminal 30 provided at a customer's mobile terminal 20 and at a reception at a performance place.
In addition to the authentication information providing server 40 that provides information to
As a database (memory) connected to an internal network such as a LAN, a product information database (DB) 1 that stores product information such as various tickets with product codes attached.
1. Customer information database (DB) 12 that provides individual data to these customers and new customers together with information of customers who have traded in the past, encryption key provided to mobile terminal 20 that is a customer when selling products Is stored in the encryption key storage unit 13, and a processing program storage unit 14 in which a processing program transmitted to the mobile terminal 20 as a program for executing the authentication method of the present embodiment is stored together with the product information.
Is equipped with. These product information DB 11 and customer information D
B12, the encryption key storage unit 13, and the processing program storage unit 14 are provided in the content provider 10 together with the authentication information providing server 40, and apart from the authentication information providing server 40, they are provided in a predetermined manner by another product providing manufacturer. There is also a mode provided in the system. In such a case, the information of each database is transmitted to the authentication information providing server 40 via the external network. still,
The "commodity" used here naturally includes various services such as admission tickets for various events. The same applies hereinafter.

The authentication information providing server 40 is a customer (user).
Customer communication unit 4 for communicating with the mobile terminal 20 which is
1. A sales process execution unit 42 that executes various processes for providing information regarding authentication to the mobile terminal 20 as well as a process for a purchase request from the mobile terminal 20, and communication with an authentication terminal 30 provided in each store or venue. The in-store communication unit 43 that performs the above-described process, and the in-store processing unit 44 that performs various processes required when providing information to the authentication terminal 30. In addition, an internal clock 45 that provides its own time data (time, time), that is, the reference time that is the reference of this system (may be calibrated with the standard time obtained from a standard time server or atomic clock). A sales information registration section 46 for registering the sales information made by the sales processing execution section 42,
A sales record storage unit 47 is provided for storing sales records made by the sales process execution unit 42, past sales records, and the like. The customer-to-customer communication section 41 and the in-store-communication section 43 are an internet network via a gateway that is an interface device (program) for network interconnection, a firewall that protects the internal network from unauthorized access, and a HUB that is a node (relay point). It is connected to the.
The in-store communication unit 43 transmits the reference time obtained from the internal clock 45 for the authentication terminal 30 to adjust the time, to the authentication terminal 30, together with the record of the executed sales process. Further, various information stored in the sales information registration unit 46 and the sales record storage unit 47 is stored in an external storage device such as a hard disk drive provided in the authentication information providing server 40.

FIG. 3 is a block diagram showing the configuration of the mobile terminal 20. This mobile terminal 20 is a mobile phone or PH.
S, PDA (Personal Digital Assistant), Pocket P
Typical examples are C and notebook PCs. The functional blocks of the mobile terminal 20 to which the present embodiment is applied include, for example, a user input unit 21 for inputting desired purchase information of a ticket or the like by a user (customer), a code display request, and the like when purchasing a ticket or the like. Communication with the purchase processing unit 22 that executes user information encryption processing and the authentication information providing server 40 that is the host side, that is, transmission of a purchase request such as a ticket, purchase result, processing program, host side (server side) ) The server communication unit 23 for receiving the time information and the like, and the reception processing unit 24 for receiving the purchase result and the like from the authentication information providing server 40. In addition, a processing program storage unit 25 that stores the received processing program, a purchase information storage unit 26 that stores the received encryption key, sales data (product code + individual data), and the like. , Time) output clock (internal clock)
27, a processing program execution unit 28 that executes the processing program stored in the processing program storage unit 25, and an authentication information display unit 29 that displays the authentication information, which is an object of authentication, such as a two-dimensional code, on the display. The present embodiment is characterized in that the authentication information such as the two-dimensional code displayed on the authentication information display unit 29 has a pattern that changes depending on the time of display. It is also characterized in that the pattern is unpredictable by encrypting the original data. In terms of hardware configuration, the purchase processing unit 22, the reception processing unit 24, and the processing program execution unit 28 include a control unit (CP) (not shown).
(U, processor) executes (processes) based on the basic control program and the processing program stored in the memory.

FIG. 4 is a block diagram showing the configuration of the authentication terminal 30. Authentication terminal 30 to which this embodiment is applied
The authentication information reading unit 31 and the authentication information reading unit 31 that read the authentication information (for example, a two-dimensional code) displayed on the display by the authentication information display unit 29 of the mobile terminal 20 with a reader (bar code reader, mark reader) or the like. From the authentication information read from the memory and stored in a memory (not shown), for example, an attribute code (for example, a product code) that is predetermined code information
To the network that receives the encryption key from the authentication information providing server 40 in advance or based on this code information while transmitting the code information (for example, the product code) extracted from the read processing unit 32 that extracts the The connected communication unit 33, the encrypted data decryption unit 34 that decrypts the encrypted data based on the encryption key received by the communication unit 33 and stored in the memory (not shown), and the result decrypted by the encrypted data decryption unit 34 An authentication processing unit 35 that executes an authentication process based on the above, a clock 36 that outputs time data (time, time) as an internal clock of the authentication terminal 30, and an individual product related to a sale product such as a ticket obtained from the communication unit 33. An individual data storage unit 37 for storing data is provided. The authentication processing unit 35 stores the clock information obtained from the clock 36 and the memory decrypted by the encrypted data decryption unit 34.
The time information stored in (not shown) and the individual data obtained from the individual data storage unit 37 are compared with the decrypted result to confirm whether or not the user is the correct user (customer).
Here, it is possible to store the combination of the commodity code, which is the attribute code, and the encryption key in the encryption key storage unit 38 in advance. Further, the individual data can also be stored in the individual data storage unit 37 in advance. Further, the clock 36 is adjusted by the internal clock 45 of the authentication information providing server 40 connected via the network, and outputs the adjusted time. Here, the reading processing unit 32, the encrypted data decoding unit 34, and the authentication processing unit 35.
Although it was described that it was configured by hardware, the same function can be realized by software or by combining both. The encryption key storage unit 38 and the individual data storage unit 37 are preferably encrypted so that they cannot be easily read from the outside from the viewpoint of security.

Next, the processing of the authentication system to which this embodiment is applied will be described by taking ticket sales as an example. FIG. 5 is a flowchart showing the ticket selling process performed by the authentication information providing server 40. In the authentication information providing server 40, first, in accordance with the connection request from the mobile terminal 20, the customer communication unit 41 shown in FIG. 2 establishes a session having a logical connection relationship for communication (step 101). Next, the screen is changed to the ticket sales screen, and authentication is executed by SSL (Secure Sockets Layer) which is a protocol that realizes encryption and authentication functions at the socket level (step 102). After that, the sales processing execution unit 42 executes a series of ticket sales processing based on the sales information registered in the sales information registration unit 46 (step 103). After the series of processing in this step 103 is executed, as a purchase result, together with the ticket information, the encryption key, the sales data (the product code and the individual data (user number, etc.)), and the authentication information read from the internal clock 46. The reference time on the side of the providing server 40 and the processing program are transmitted to the mobile terminal 20 via the customer communication unit 41.
(Step 104). Thereafter, the executed ticket sales record is stored in the database, that is, the sales record storage unit 47 (step 105), and the ticket sales process performed by the authentication information providing server 40 is completed.

FIGS. 6A and 6B show the authentication information providing server 4
9 is a flowchart showing processing by a processing program provided from 0, stored in the mobile terminal 20, and executed. This processing program is downloaded to the mobile terminal 20 from the authentication information providing server 40 at the time of ticket sales, for example, and is stored in the processing program storage unit 25 shown in FIG. Further, as shown in FIG. 6B, in the processing program, the processing program execution unit 28 executes the processing of displaying the authentication information when the ticket is displayed. In addition, this processing program, before actually purchasing tickets etc.
It may be installed in the mobile terminal 20 in advance.

Here, first, when the ticket is purchased, the difference value from the time on the server side is calculated. In FIG. 6A, the server side reference time information stored in the authentication information providing server 40 is acquired (step 201). Next, the time of the mobile terminal 20 is acquired from the clock (internal clock) 27 (step 202). In general, since it is predicted that the reference time of the authentication information providing server 40 and the time of the mobile terminal 20 are different, the difference value between these times is calculated and stored in the purchase information storage unit 26 (step 2
03), the initial registration process ends. Although not shown in the flowchart, this difference value is stored in the purchase information storage unit 26. The server 40 calculates the difference value at this time.
Alternatively, the resulting data may be transmitted to the mobile terminal 20 and stored in the purchase information storage unit 26.

After that, when a ticket display instruction is given, that is, when the ticket is used, the processing shown in FIG. 6B is executed. This process is performed based on a user (customer) ticket display instruction from the user input unit 21 at a performance place such as a concert hall that requires authentication after a predetermined period has elapsed since the ticket was purchased. To be executed. In the processing program, the current time is acquired from the clock (internal clock) 27 when a ticket display instruction is given.
(Step 211), the difference value stored in the purchase information storage unit 26 is added to the acquired time to correct it, and 2
The time information for creating the dimension code is used (step 212). As a result, the time difference in the initial state is corrected. Then, in the individual data (user number) obtained at the time of ticket purchase and stored in the purchase information storage unit 26,
The purchase information storage unit 2 received at the time of ticket purchase with the time information created in step 212 added
Encryption is performed using the encryption key stored in 6 and the encryption key addition code generated by a random number or the like each time to generate encrypted data (step 213). Then, the encrypted data plus the plaintext product code and the encryption key addition code is converted into a two-dimensional code, which is displayed on the display of the mobile terminal 20 as authentication information (step 214).

FIG. 7 is a flowchart showing the flow of the authentication processing performed by the authentication terminal 30. Authentication terminal 30
The authentication information reading unit 31 of the portable terminal 2 uses a reader.
The two-dimensional code displayed on the display of 0 is read (step 301), and the reading processing unit 32 reads this two-dimensional code.
The plaintext product code and the encryption key addition code are extracted from the dimension code (step 302). Communication unit 33
Connects to the authentication information providing server 40 via a network such as the Internet or a dedicated line, and receives an encryption key from the server using the product code as an index (step 303). The encrypted data decryption unit 34 decrypts the encrypted data in the two-dimensional code using the encryption key and the encryption key addition code, and extracts individual data and time data (step 304). It should be noted that the encryption key addition code is added to make copying more difficult, and there is essentially no change even without it.

The authentication processing unit 35 considers the allowable time (for example, 3 minutes) obtained from the authentication information providing server 40 and stored in the individual data storage unit 37, and the extracted time data and the clock of the authentication terminal 30. A comparison is made with the authentication time obtained from 36 (step 305). Here, it is considered that the authentication terminal 30 is usually online with the authentication information providing server 40 in most cases, and in this case, the time of the clock 36 is calibrated one by one and coincides with the reference time. . Further, when the standard time obtained from an atomic clock, a radio clock, or the like is used as the reference time, it is not necessary to perform special processing for matching with the authentication information providing server 40. Then, this compared time is an allowable time (for example, 3
If it is within (minutes), the process proceeds to the next step, and if it exceeds the permissible time (when it is larger than a predetermined value), the admission is not accepted because the authentication has failed (step 306). ). The deviation of the time information at the time of reading the ticket is delayed or advanced by the clock 27 which is the internal clock of the mobile terminal 20 from the time the ticket is purchased to the time the ticket is displayed, and the timing displayed on the mobile terminal 20 and the authentication terminal. It is the sum of the time difference until reading at 30.

When the above allowable time is displayed on the portable terminal 20 at the moment when it is read by the authentication terminal 30, the error may be the error of the internal clock (mainly the clock 27 of the portable terminal 20). it can. Further, when the strictness is required due to a high-priced ticket or the like, this allowable time can be set to a narrow time width or arbitrarily set by the authentication terminal 30. When the time difference is large, the fact is displayed on the display of the authentication terminal 30, and the mobile terminal 2
It is also possible to prompt to perform redisplay at 0. In addition, the authentication information providing server 4 that hosts the mobile terminal 20
There is also a method of resetting the correction value by connecting to 0 and fetching the host time. Even in such a case, the data to be sent is only time data, and a complicated authentication process or the like is unnecessary. Further, depending on the function of the mobile terminal 20, it is possible to create and execute a program that repeats display at regular intervals. In this case, for example, automatically every 1 second,
It is also possible to continue displaying the two-dimensional code incorporating the changing time. In such a case, it is possible to set the allowable time width to be extremely small, so that the act of copying becomes more difficult.

Here, the authorized user (customer) (the user who purchased the ticket (customer)) who was not admitted due to the display timing being too early before the reception at the event venue, at this point, again executes the processing program. By redisplaying using
If it is within the allowable time, it is possible to move to the next step. A fake person (a person who copied the two-dimensional code) who does not know how to create the authentication information (who does not have the original data and the encryption key) cannot redisplay within the allowable time by the processing program. Therefore, admission is not permitted. When the time is within the allowable time in step 306, the authentication processing unit 35 determines the information in the ticket sales record obtained from the authentication information providing server 40 and stored in the individual data storage unit 37, and the extracted individual data. Are compared (step 307). As a result of this comparison, if the information in the ticket sales record and the extracted individual data match, entry is permitted, and if they do not match, entry is not permitted (step 308). Although not shown in this flow chart, in order to prevent the same person from re-entering using the same authentication information, if entry is permitted, a record of entry has been made in the user data, and at the required time Management such as sending to the server side and updating the original data shall be performed.

In the above flow chart, step 3
In 03, the case where the encryption key is received on the spot from the authentication information providing server 40 by using the plaintext product code as an index has been described as an example. The encryption key storage unit 3 that receives the relationship from the authentication information providing server 40 and is stored
In some cases, the encryption key can be obtained from 8. Also, step 3
The information of the allowable time and the ticket sales record used in 05 and step 307 are set in advance in the authentication information providing server 40 in consideration of, for example, speeding up of processing at the event performance place.
It is preferable that the individual data is stored in the individual data storage unit 37 after being downloaded from.

Next, the mechanism of the two-dimensional code displayed on the display of the portable terminal 20 and read by the authentication information reading unit 31 of the authentication terminal 30 will be described with reference to FIGS. 8A to 8C are diagrams showing examples of the two-dimensional code displayed on the display of the mobile terminal 20. As the actual data, for example, the encryption key (CK): 581, the encryption key addition code (KM): 2, the product code (PN): 326, the user number (UN): 10112, the display time (TM): 04062134. And Here, the encryption key addition code (KM)
Is a random number from 0 to 9 every time the mobile terminal 20 is displayed.
User number that is generated by the processing program of
(UN) is a unique number assigned to each purchasing user (customer). Furthermore, in the above example, the time
(TM) indicates 21:34 on April 6th.

Assuming that the display is made at 21:34 on April 6, Data A1 showing the values of the user number (UN) and the display time (TM), the product code (PN) and the encryption key. Data A2 indicating the value of the additional code (KM) is shown as follows. Data A1 = 1011204062134 (UN + TM) Data A2 = 3262 (PN + KM) Here, as an example, the encryption algorithm is DES Single 8
Use Byte (64 Bits). First, a key (581) obtained by combining the data A1 with the encryption key CK and the encryption key addition code KM.
Encrypt using 2). Encrypted Data C1 = z + zTJJslrqBedrO17w == Let C2 be the addition of Data A2 to this C1. C2 = 3262z + zTJJslrqBedrO17w == This is 2 using CP code which is a kind of two-dimensional code.
When converted into a dimension code, code 1 as shown in FIG. 8A is obtained. Here, the error collection rate (Error
correction rate) is set to 30%.

Next, the same data, one minute later, on April 6, 21st
If it is displayed at 35 minutes and the encryption key addition code (KM) generated each time is 7, Data A1 = 1011204062135 (UN + TM) Data A2 = 3267 (PN + KM) First, Data A1 is used as an encryption key (CK). Encryption is performed using the key (5817) that is a combination of the encryption key addition code (KM). Encrypted Data C1 = g4yFjKCjADogKgXbog == Let C2 be the addition of Data A2 to this C1. C2 = 3267g4yFjKCjADogKgXbog == If this is two-dimensionally coded using the CP code, FIG.
The code 2 as shown in (b) is obtained.

Further, the same data is given at 16:17 on April 8th.
If it is displayed in minutes, and the encryption key addition code (KM) is 4, Data A1 = 1011204081617 (UN + TM) Data A2 = 3264 (PN + KM) First, Data A1 is the encryption key (CK) and the encryption key addition code ( KM) and the encrypted key (5814). Encrypted Data C1 = z9xruololqHdhQBggw == Let C2 be the addition of Data A2 to this C1. C2 = 3264z9xruololqHdhQBggw == When this is two-dimensionally coded using a CP code, FIG.
The code 3 as shown in (c) is obtained.

This two-dimensional code is displayed on the display of the mobile terminal 20 such as a mobile phone, and is read by the authentication information reading section 31 which is the two-dimensional code reader of the authentication terminal 30 which is the entrance ticket confirmation terminal. To be For example, the code 3 shown in FIG. 8C is read to restore the data. Restoration Data = 3264z9xruololqHdhQBggw == From this Data, the plaintext product code PN = 326 and the encryption key addition code KM = 4 are extracted.

Then, the encryption key CK = 581 corresponding to the product code PN = 326 is obtained from the encryption key list obtained from the host (authentication information providing server 40) in advance, and the encryption key KM = 4 is added to it. The remaining data is decrypted using (5814). Cipher Data = z9xruololqHdhQBggw == Cipher Key = 5814 Decryption Data = 1011204081617 From this, the user number (UN) and the time (TM) at the time of display can be obtained. UN = 10112 TM = 04081617 At 16:17 on April 8th, it is confirmed that the clock 36 of the authentication terminal 30 matches, and the user number (UN number stored in the individual data storage unit 37 stored in the authentication terminal 30 (UN ) Can be confirmed as the correct ticket when a match is confirmed. Here, if the error of each clock (27, 36) is taken into consideration, it is possible to incorporate a mechanism for allowing the error, for example, OK is set if within ± 3 minutes. The encryption part may be omitted or simplified in consideration of the necessity of the copy protection strength and the processing capability of the mobile terminal 20. For example, the duplication prevention function can be sufficiently realized by changing the order of the date and time data and other data according to a simple rule, or converting them by a mapping method or the like.

As described above in detail, in the present embodiment, a code image that changes moment by moment is generated based on time data that can be easily shared by both the user side and the authentication side. Even if the code image at the point of time is duplicated, by providing a mechanism that cannot create and display the code image at the time of actual use, it provides a mechanism in which illegal use of the duplicated code is impossible in principle. ing. That is, in the present embodiment, in this way, no matter how much encryption is performed, the data is visible, that is, the code information such as the one-dimensional barcode or the two-dimensional code that can be easily copied is displayed. The pattern changes from time to time and the regularity of the change cannot be detected by encryption, so that future patterns are unpredictable. Further, according to the present embodiment, the mobile terminal 2 is not used at the time of the first online purchase.
0 and the authentication information providing server 40, which is a host, do not need to be connected, and a plurality of independent authentication terminals 30 can be operated, and an offline operation is also possible. Furthermore, this authentication information providing server 40
Can establish a secure communication session with the authentication terminal 30 to securely send the encryption key to the authentication terminal 30.

Here, for example, a method in which the host authenticates each time it is used and issues a unique code is conceivable. However, this method requires a call charge each time.
In addition, the load on the network and the load on the host also increase.
In addition, for example, when checking tickets at entertainment venues, communication is concentrated in a certain short time. However, in this embodiment, for example, a pattern of a two-dimensional code to be displayed.
By adding the characteristic that (array or figure) changes in an unpredictable form, it is not possible to display the same code when there is no original data and encryption key, and it is possible to reduce the load on the host, An excellent anti-duplication function can be provided. That is, it is necessary to display the authentication information on the determined mobile terminal 20 even for the resale prevention measure which is a problem with the current ticket, and it is easy to copy the authentication information to the mobile phone or the like owned by another person. Cannot be done, and can be an effective means to prevent resale. In addition, since the authentication is performed using the time data, it is possible to easily set the expiration date and the expiration period of the displayed ticket by using this mechanism.

In the present embodiment, the allowable time width can be set freely in consideration of the convenience of the user (customer), the price of the ticket, and the like. The above-mentioned allowable time of, for example, 3 minutes is, for example, in the case of admission management in a movie theater, when the line is crowded and the queue is displayed, the user who is displaying in advance.
Assuming that there are many (customers), you can change the settings on the spot for a long time. The determination of the allowable time is obtained from the authentication information providing server 40 as an appropriate value, and the authentication terminal 30
In addition to the case where the authentication terminal 3 is stored in the individual data storage unit 37 of FIG.
It is also possible for 0 to be set arbitrarily. According to the present embodiment, even if the authentication information is duplicated, it is possible to determine how many minutes before the copy can be used because the setting of the allowable time width is not known. Since this is not possible, a deterrent effect on replication can be obtained.

As described above, the present embodiment has been described in detail by taking ticket sales as an example. However, the present invention is not limited to this, and can be applied to any case where authentication is performed based on authentication information. That is, for example, it is also applied when the authentication information of the present embodiment is attached to a document, drawing, data or the like that is electronically created and the authenticity of the document or the like is verified by checking the attached authentication information. It is possible. Further, it can also be applied to the case where both parties confirm the identities by using the authentication method or the like in the present embodiment in the scene of an important transaction that actually involves the exchange of money. Furthermore, by setting the allowable time for authentication determination in this embodiment to be relatively long, the authentication system in this embodiment is used for entry / exit restrictions and article transaction (exchange) restrictions within a certain period of time. be able to.

Further, in this embodiment, an example is shown in which the authentication information is converted into image data (for example, bar code, character string, figure, pattern, etc.) and displayed on the display of the portable terminal 20 as the first processor. Needless to say, it is not limited to this. For example, data obtained by adding an attribute code to encrypted data formed based on individual data and time data is converted to light including electromagnetic waves, radio waves, sound waves, vibration, infrared light, and the like and output to the mobile terminal 20. Providing output means, the data signal output from this output means is received by the light receiving (input) means such as light provided in the authentication terminal 30 as the second processor, and information (data) is propagated. It can also be configured as follows. Further, as another embodiment, the mobile terminal 20 is provided with a storage means for storing data in which an attribute code is added to the encrypted data formed based on the individual data and the time data, and the storage means allows the user to store the data. Data is stored in a storage medium such as an owned IC card or magnetic card, and the data stored in the storage medium is used as the authentication terminal 3
It is also possible to propagate the data by reading it with a non-contact type or a contact type card reader of 0. By not displaying the image data on the display of the mobile terminal 20 as described above, it is possible to completely prevent unauthorized use by copying the image.

As described above, according to this embodiment, the following effects can be obtained. (1) The authentication information itself is highly confidential because it is created by encrypting the time (time) data in which the authentication information changes in seconds. (2) Since the authentication is performed by comparing the time when the authentication information is created (displayed) extracted from the authentication information with the time at the time of authentication, the authentication information is created (displayed) at the time of authentication. It is possible to almost completely prevent unauthorized use due to duplication of the authentication information between the time of authentication and the time of authentication. (3) Since the allowable time for judging whether or not authentication is possible can be set arbitrarily, by changing the allowable time according to the authentication target (authentication importance level), the strictness of authentication (reliability ) Can be changed. That is, by shortening the allowable time, it is possible to make the authentication stricter, and by setting the allowable time, etc., as the possible time for entering and leaving, it is possible to control the entrance and exit restrictions, etc. by using the authentication. Becomes (4) By using a wired or wireless communication line (network), all procedures such as ticket issuing, printing, sending, and authentication can be computerized, and the efficiency of a series of authentication procedures and low cost Can be realized.

[0045]

As described above, according to the present invention,
Inquiries that are made when determining whether a ticket is a legitimate ticket, for example
At the time of (authentication), it is possible to provide a mechanism in which illegal use by duplication of information is difficult in principle.

[Brief description of drawings]

FIG. 1 is a diagram showing an overall configuration of an authentication system to which this embodiment is applied.

FIG. 2 is a block diagram showing a configuration of a content provider.

FIG. 3 is a block diagram showing a configuration of a mobile terminal.

FIG. 4 is a block diagram showing a configuration of an authentication terminal.

FIG. 5 is a flowchart showing a process performed by the authentication information providing server.

FIG. 6 is a flowchart showing processing by a processing program provided by the authentication information providing server, stored in a mobile terminal, and executed.

FIG. 7 is a flowchart showing a flow of an authentication process performed by the authentication terminal.

8A to 8C are diagrams showing an example of a two-dimensional code displayed on the display of the mobile terminal.

[Explanation of symbols]

10 ... Content provider, 11 ... Product information database (DB), 12 ... Customer information database (DB), 13
... encryption key storage unit, 14 ... processing program storage unit, 2
0 ... Mobile terminal, 21 ... User input section, 22 ... Purchase processing section, 23 ... Server communication section, 24 ... Reception processing section, 25 ...
Processing program storage unit, 26 ... Purchase information storage unit, 27 ...
Clock (internal clock), 28 ... Processing program execution unit, 29 ...
Authentication information display unit, 30 ... Authentication terminal, 31 ... Authentication information reading unit, 32 ... Read processing unit, 33 ... Communication unit, 34 ... Encrypted data decrypting unit, 35 ... Authentication processing unit, 36 ... Clock, 37 ... Individual data storage Part 38 ... Encryption key storage unit 40 ... Authentication information providing server 41 ... Customer communication unit 42 ... Sales processing execution unit 43 ... Store communication unit 44 ... Store processing unit 45
… Internal clock, 46… Sales information registration section, 47… Sales record storage section

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) G06K 7/00 G06K 7/00 U 17/00 17/00 T 19/07 H04L 9/00 675D H04L 9 / 32 G06K 19/00 J (71) Applicant 391035902 K.R.D. Corporation Stock Company 2-42-6 Komatsubara, Zama City, Kanagawa Prefecture (72) Inventor Tsutomu Sawa 1623 1423 Shimotsuruma, Yamato City, Kanagawa Prefecture Japan AI・ BM Co., Ltd. Yamato Works (72) Inventor Mari Ara 1623 Shimotsuruma, Yamato City, Kanagawa 14 Japan AI Co., Ltd. Yamato Works (72) Inventor Hirotaka Takenoshita Yamato City, Kanagawa Prefecture 1623 Tsuruma 14 Japan ABM Co., Ltd. Yamato Works (72) Inventor Hirohide Komatsu 2-42-6 Komatsubara, Zama City, Kanagawa Prefecture KEY D CORPORATION CORPORATION Internal F-term (reference) 5B035 AA13 BA01 BB09 CA01 CA06 CA29 5B058 CA24 KA02 KA04 KA31 KA32 KA35 5B072 BB00 CC01 CC21 CC24 DD01 MM01 5B085 AE04 BA06 BG07 5J104 PAA08 GA03 MA03

Claims (33)

[Claims] 1. A first processor for creating authentication information based on authentication data and time data, wherein the time data includes a time when the authentication information is created, and An authentication device including: a second processor for performing authentication by comparing the time extracted from the authentication information with the time at the time of the authentication. 2. The second processor includes determining that the authentication has failed when a time difference between the time included in the authentication information and the time at the time of authentication is larger than a predetermined value. The authentication device according to claim 1. 3. The authentication device according to claim 1, wherein the first processor includes an encryption process for the authentication data and the time data to create the authentication information. 4. The authentication apparatus according to claim 3, wherein the second processor includes decrypting the authentication information to obtain a time included in the authentication information. 5. A server for providing authentication data, and a mobile terminal for creating authentication information based on the authentication data and time data received from the server,
The time data includes the time at which the authentication information is created, and the authentication for performing authentication by collating the time extracted from the authentication information received from the mobile terminal with the time at the authentication time with the mobile terminal. An authentication system that includes a terminal and. 6. The authentication terminal includes determining that the authentication has failed when a time difference between the time extracted from the authentication information and the time of the authentication is larger than a predetermined value. Item 5 authentication system. 7. The mobile terminal includes an output unit for outputting the generated authentication information, and the authentication terminal has an input unit for inputting the authentication information output from the output unit of the mobile terminal. 6. Including
Authentication system. 8. The output unit of the mobile terminal includes a transmission unit for transmitting the authentication information, and the input unit of the authentication terminal receives the authentication information transmitted from the output unit of the mobile terminal. Including a receiver for
The authentication system according to claim 7. 9. The portable terminal includes a writing unit for writing the authentication information in a storage medium connected to the output unit, and the authentication terminal includes the authentication from the storage medium connected to the input unit. 8. The authentication system of claim 7, including reading means for reading information. 10. The output unit of the mobile terminal includes a display unit for displaying the authentication information as an image, and the input unit of the authentication terminal reads the image displayed on the display unit of the mobile terminal. 8. The authentication system according to claim 7, further comprising an image reader, wherein the image includes changing according to time data included in the authentication information. 11. The portable terminal includes calibrating a time when the authentication information is created based on time information received from the server, and the collating unit creates the authentication information based on the time after the calibration. 5. Including
Authentication system. 12. The authentication terminal includes calibrating the time at the time of authentication based on time information received from the server, and the collating unit includes performing collation based on the time after the calibration. The authentication system according to claim 11. 13. The authentication system according to claim 5, wherein the mobile terminal includes encryption processing of the authentication data and the time data to create the authentication information. 14. The authentication system according to claim 13, wherein the authentication terminal includes decoding the authentication information and obtaining the time included in the authentication information from the authentication information. 15. A processor for creating authentication data in response to an authentication request, the authentication data, an encryption key for encrypting the authentication data, and the authentication using the encryption key. A server including a memory for storing a program for encrypting authentication data to create authentication information, the authentication data, the program, and a transmission unit for transmitting the encryption key. . 16. The server according to claim 15, wherein the program includes creating the authentication information by using the authentication data and time data when the authentication information is created. 17. The server according to claim 15, wherein the memory stores a program for decoding the created authentication information and obtaining the time of creation. 18. A memory for storing authentication data, and a processor for creating authentication information based on the authentication data and time data, wherein the time data is a time when the authentication information is created. A mobile terminal including a processor and a. 19. The memory includes an encryption key for encrypting the authentication data, and the processor encrypts the authentication data using the encryption key. The mobile terminal according to claim 18, further comprising: creating authentication information by using the authentication information. 20. The mobile terminal according to claim 18, further comprising a transmission unit for transmitting the authentication information. 21. The mobile terminal according to claim 18, further comprising: an output unit for outputting the authentication information, and a writing unit for writing the authentication information in a storage medium connected to the output unit. 22. The mobile terminal according to claim 18, further comprising a display unit for displaying the authentication information as an image, wherein the image changes in accordance with time data included in the authentication information. 23. The mobile terminal according to claim 18, wherein the processor calibrates a time when the authentication information is created based on time information received from the outside. 24. An authentication terminal for performing authentication based on authentication information including time information, wherein the time information is extracted from the authentication information, and the extracted time information is collated with the time information at the time of the authentication. An authentication terminal including a processor for performing the authentication. 25. The processor includes determining that the authentication has failed when a time difference between the time extracted from the authentication information and the time of the authentication is larger than a predetermined value. 24 authentication terminals. 26. The authentication information includes authentication information encrypted by using an encryption key, and the processor decrypts the encrypted authentication information by using the encryption key. The authentication terminal according to claim 24, comprising obtaining the time information. 27. The authentication terminal according to claim 26, further comprising a memory for storing the authentication information, the encryption key, and the time information. 28. A method of performing authentication based on authentication information, the step of preparing authentication data, the step of obtaining time information, the step of creating authentication information based on the authentication data and the time information. An authentication method comprising: the time information including a time when the authentication information is created; and a step of matching the time extracted from the authentication information with the time at the authentication time. 29. The collation step includes a step of determining that the authentication has failed when a time difference between the time extracted from the authentication information and the time at the authentication time is larger than a predetermined value. The authentication method according to claim 28. 30. The method further comprises the step of preparing an encryption key, wherein the step of creating the authentication information encrypts the authentication data and the time information using the encryption key to perform the authentication information. 29. The step of creating
Authentication method. 31. The authentication method according to claim 30, wherein the collating step includes a step of decoding the authentication information and obtaining the time from the authentication information. 32. The step of obtaining the time information comprises:
Including the step of obtaining reference time information, the step of creating the authentication information, the step of calibrating the time when the authentication information was created based on the reference time information, and the authentication information based on the time after the calibration 29. The method of claim 28, further comprising: 33. The authentication according to claim 32, wherein the step of collating includes the step of calibrating the time at the time of authentication based on the reference time information, and the step of collating based on the time after the calibration. Method.