JP2006172307A - User identification method and system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow a user to access a desired web site without concern for an ID or a password. <P>SOLUTION: This user identification system is provided with a client device 111, a management server 121, an information providing server 131, an electronic authentication station 141, and the Internet 101. The user trying to acquire information from a desired information providing server 131 registers as a user by using the client device 111, and predetermined information for user identification is stored in an IC card 112 created by the authentication station 141. In this way, the user can access the desired web site when he/she mounts the IC card 112 to the client device 111. The IC card 112 has an identification confirmation code management application area 113 serving as a user identification information storage part and a user identification information determination part, a PKI key pair certificate storage area 114, and a signature plug-in software area 115. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a user identification method and system, and more particularly to a user identification method and system for identifying a user who accesses a website.

  Conventionally, various websites transmit various information or provide services to client terminals via the Internet. However, in certain websites, users are registered in advance when providing information. In order to confirm this, there is a system in which a user's ID and password are input by a user via a client terminal, access is determined by determining whether or not the ID and the registered ID match. In order to receive provision of information from a website of such a system, in the conventional user identification method, the user registers information such as an ID in advance on the website to be provided and receives the provision of information. In such a case, when an input of ID or the like is prompted on the screen, it is necessary to input using an input device such as a keyboard, and these operations must be performed for each website.

  In order to reduce such complexity, a single portal site is created, and the user accesses the portal site and logs in once to use a website linked to the portal site. A system that can do this has been proposed. In addition, there is a rule that unifies log-in with one common ID for websites, and once a user registers an ID, etc., the user can access various websites using that ID alone. Has been proposed (see, for example, Patent Document 1).

JP 2003-58503 A

  However, since the conventional user identification method is unified with one ID per user, there is no need for the user to store an ID or password for each website, but the company operating each website It is necessary to set and operate certain rules, and considering the consistency of the systems that each company has in the past, such arrangements can only be made between very limited companies, so in the end users have multiple There is a problem of having to have an ID and password.

  In addition to this, there is a problem that even if the ID is unified, the user must manually enter the ID whenever accessing the website.

  The present invention has been made in view of such problems, and includes server identification information from a server to be accessed, provided with user identification information storage means that stores user identification information for each website in association with the client terminal. The user can access the desired website without being aware of the ID, password, etc. by performing the user identification process by determining the corresponding user identification information by sending it to the server An object is to provide an identification method and system.

  In order to achieve the above object, the user identification system according to the present invention includes a user identification information database for storing user identification information for a pre-registered user and a network. When receiving a service request requesting provision of a predetermined service, identification information transmitting means for transmitting server identification information, and when receiving user identification information corresponding to the transmitted server identification information, the user received in the user identification information database An information providing server including user identifying means for determining whether or not the identification information exists, user identification information storing means for storing the user identification information in association with each information providing server, and the information providing server via the network The identification information receiving means for receiving the server identification information and the received server identification information A user identification information determination unit that identifies an information provision server that provides a specific service, reads user identification information for the identified information provision server from a user identification information storage unit, and the read user identification information is an information provision server And a client device including user identification information transmitting means for transmitting to the client.

  According to a second aspect of the present invention, in the user identification system according to the first aspect, the network is SSL-encrypted, and the user identification information means is transmitted from the information providing server when starting the SSL-encrypted communication. The information included in the server certificate is used as server identification information.

  According to a third aspect of the present invention, in the user identification system according to the first or second aspect, the client device includes an IC card having a user identification information storage unit and a user identification determination unit.

  According to a fourth aspect of the present invention, in the user identification system according to the first, second, or third aspect, a server registration database in which the information providing server is registered in advance and an information provision registration request from the client device to the information providing server are received. Then, the information provision registration request and the client device are stored in the server registration database, and further includes a management server including a registration request accepting means for transmitting to the information provision server, and the information provision server receives the information provision registration request and the client device. User identification information corresponding to the client device is determined and transmitted, and the client device stores the transmitted user identification information in a user identification information storage unit.

  According to a fifth aspect of the present invention, in the user identification system according to any one of the first to fourth aspects, the client device includes a signature data storage unit that stores preset signature data and a certification request from the information providing server. And signature data transmission means for transmitting the signature data to the information providing server when receiving the message.

  7. The client apparatus according to claim 6, wherein a service request means for transmitting a service request for requesting provision of a predetermined service to the information providing server via the network, and an identification information receiving means for receiving server identification information from the information providing server. User identification information storage means for storing the information providing server and user identification information used for user identification when receiving predetermined information from the information providing server in association with the received server identification information, and server identification information A user identification information determination unit that determines an information providing server that provides a predetermined service, reads out the determined user identification information for the information providing server from a user identification information storage unit, and the read out user identification information as an information providing server And a user identification information transmitting means for transmitting to.

  The user identification method according to claim 7 includes a step of transmitting a service request for requesting provision of a predetermined service to the information providing server via the network by the service requesting unit, and an information providing server by the identification information receiving unit. User identification information storage means for associating a step of receiving server identification information, an information providing server based on the received server identification information, and user identification information used for user identification when receiving predetermined information from the information providing server The user identification information storing step for storing the information and the user identification information determination means determine an information providing server that provides a predetermined service based on the server identification information, and determine the user identification information for the information providing server as the user identification information. A step of reading from the storage means, and a step of reading by the user identification information transmitting means. Characterized by comprising a step of sending user identification information to the information providing server.

  The program according to claim 8, wherein the service request means transmits a service request for requesting provision of a predetermined service to the information providing server via the network, and the identification information receiving means performs server identification from the information providing server. The step of receiving information, the information providing server based on the received server identification information, and the user identification information used for user identification when receiving predetermined information from the information providing server are associated and stored in the user identification information storage means The user identification information storage step and the user identification information determination means determine the information providing server that provides a predetermined service based on the server identification information, and the determined user identification information for the information providing server is determined from the user identification information storage means. The step of reading and the user read by the user identification information transmitting means And a step of sending another information to the information providing server to the client computer.

  As described above, according to the present invention, when a service request for requesting provision of a predetermined service is received via a network, identification information transmitting means for transmitting server identification information and corresponding to the transmitted server identification information When the user identification information is received, an information providing server including user identification means for determining whether or not the received user identification information exists in the user identification information database, and the user identification information is stored in association with each information providing server. A user identification information storage means, an identification information receiving means for receiving server identification information from the information providing server via the network, and an information providing server for providing a predetermined service based on the received server identification information. User identification information determination for reading user identification information for information providing server from user identification information storage means And a client device including user identification information transmitting means for transmitting the read user identification information to the information providing server, so that the user can access a desired website without being aware of an ID, password, or the like. It becomes possible to access.

(First embodiment)
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(IC card issuance and user registration processing)
FIG. 1 is a block diagram showing an embodiment of processing such as user identification information issuance according to the present invention. The user identification system of this embodiment includes a client device 111, a management server 121, an information providing server 131, an electronic certificate authority 141, and the Internet 101. In this embodiment, when the certificate authority 141 creates the IC card 112 based on the user's application and the user who wants to receive the service performs user registration with the desired information providing server 131 using the client device 111. Generally, predetermined information for performing user identification unique to the information providing server and the user is set. Thereafter, the predetermined information is received by the client device 111 and then stored in a predetermined area of the IC card 112 created in advance. Through the above processing, the user can access the desired website by attaching the IC card 112 to the client device 111. As will be described in detail later, the IC card 112 includes a user identification information management application area 113, a PKI key pair certificate storage area 114, and a signature plug-in software area 115, which are a user identification information storage unit and a user identification information determination unit. .

  In the identity verification code management application area 113, software for extracting user identification information is written when an IC card is created by the certificate authority 141, but usually only minimum information is written in the area for storing user identification information. The PKI key pair certificate storage area 114 and the signature plug-in software area 115 are software that is pre-installed at the time of creating an IC card for signature processing on a website, that is, a signature plug-in that is a signature data transmission means This is an area for storing software. By having such a signature function in addition to the user identification function, the effectiveness of the system of this embodiment is further enhanced. In this embodiment, the client apparatus using the IC card 112 has been described. However, the present invention is not limited to this, and any medium having the same function can be used, and only predetermined information is stored in the medium. In addition, the necessary software can be arranged and used in the client device.

  The management server 121 is normally provided in an organization that coordinates a system such as a financial institution, and is used particularly when an IC card is issued or when user information is registered and user identification information is set in a predetermined website. . In other words, an IC card application can be made via the management server 121, and a website registration application can also be made via the management server 121. In order to realize such a function, the information in each information providing server is stored in the database in the management server 121, and user registration and other information are also stored. It should be noted that such a function can be configured to be performed by any of the information providing servers 131.

  The information providing server 131 is a server owned by a company that intends to provide information to a user in order to provide the information. The information providing server 131 transmits various information to the client device by various databases or provides a service. Various types of software provide useful processing. The user identification process in the information providing server 131 in this embodiment is also performed by the same method as this process. The certificate authority 141 issues an IC card by any method known in this technical field, and performs other processing.

  FIG. 2 is a diagram showing a processing flow of IC card issuance and user identification information registration according to this embodiment. As shown in FIG. 2, the customer makes an application through the client device 111, the application information is delivered to the electronic certificate authority 141 through the management server 121 in the bank, and an IC card is issued. When the IC card is issued, the customer requests registration to a desired website. In this case, the registration request is sent to the company operating the desired website via the client device 111 and the management server 121. A personal identification code, which is user identification information, is issued and stored in a predetermined area in the IC card. Such processing is performed for each information providing server 131. Normally, different user identification information is information for identifying each information providing server, such as a public key issued from the electronic certificate authority 141 to the information providing server 131. It is stored in association with the information.

  As described above, the IC card is issued, registered on the desired website, and the personal identification code for accessing the website is stored in the IC card, so that the user is not conscious as described later. The identity is confirmed and access becomes possible. In this embodiment, information from the client device 111 is passed via the management server 121. However, the information is not limited to this, and the information is directly sent to the information providing server 131 owned by the electronic certificate authority 141 or the website operating company. As a matter of course, the present invention can be implemented by combining various processes such as setting a personal identification code in advance when an IC card is issued for a predetermined website.

(User identification processing)
Next, an embodiment of the user identification process of the present invention will be described with reference to FIGS. FIG. 3 is a block diagram showing an embodiment of the user identification process according to the present invention. Basically, since this processing is centered on the processing of the client device 111 and the information providing server 131, the management server 121 that mediates the registration processing is not used, but the other components are the same, The system according to this embodiment includes a client device 111, a website 131, and an electronic certificate authority 141. However, since each component performs a process different from that at the time of registration, the individual configuration will be described below with reference to FIGS.

  FIG. 4 is a block diagram illustrating an example of the configuration of the client device 111 according to the present embodiment. In addition to the IC card 112 shown in FIGS. 1 and 3, a server identification information reception unit 401, a user identification information transmission unit 402, a service request unit 403, an information acquisition unit 404, and a user interface unit 405 are provided. 1 and 3, the IC card 112 is shown to include a PKI key pair certificate storage area 114 and a signature plug-in software area 115. FIG. 4 mainly describes user identification processing. Therefore, these configurations that are not directly related are not particularly shown, and instead, the user identification information storage unit 411 is explicitly shown in the user identification information determination unit 113. In this embodiment, the components for executing the processing are arranged as described above. However, the present invention is not limited to this, and it is possible for those skilled in the art to arbitrarily combine or divide each component. it is obvious.

  The server identification information receiving unit 401 performs a server identification information receiving process for identifying the website from the website 131 when accessing or logging in to the website 131 from the client device 111, and obtains the server identification information. The information is sent to the user identification information determination unit 113. In the present invention, since the user identification information is automatically sent by the client device 111, it is necessary to first recognize which website is being accessed, and the information providing server 131 that constitutes the website sends the client device 111 its own information. Server identification information indicating a website can be provided. Provision of server identification information is usually transmitted via a network, but those skilled in the art can understand that transmission timing, transmission protocol, and the like can be performed by various methods known in the art. Will.

  Here, in this embodiment, when performing SSL communication with the client device 111 as server identification information, a server certificate transmitted by the server is always used. That is, when the client device 111 normally accesses a website, that is, logs in to the information providing server 131, SSL (Secure Socket Layer) communication is established to ensure the security of the communication. Since the server certificate is transmitted from the providing server 131 to the client device 111, it is now possible to log in using information described in the server certificate, for example, unique information such as a public key issued from the electronic certificate authority 141 to the information providing server 131. The information providing server to be specified is specified. In the present embodiment, a public key is used because it is effective in that a desired information providing server can be uniquely specified from servers all over the world.

  The user identification information determination unit 113 searches the user identification information storage unit 411 based on the server identification information received from the server identification information reception unit 401, and confirms the identity that is the user identification information set for this server. The code is extracted and sent to the user identification information transmission unit 402. If the user identification information corresponding to the received server identification information does not exist, it is determined that the website is normally unregistered and a predetermined process is performed, but the above-described registration process and the like may be further performed. .

  The user identification information transmission unit 402 transmits the user identification information to the information providing server 131 and enables subsequent processing on the server.

  The service request unit 403 performs processing for transmitting a request to the website and providing user information, and the information acquisition unit 404 performs processing for receiving information from various servers. The user interface unit 405 receives input from the user as a client device, and performs processing such as providing information from the server and information from the client device to the user.

  FIG. 5 is a block diagram showing an example of the configuration of the information providing server 131 of this embodiment. The information providing server 131 of this embodiment includes an identification information transmitting unit 501, a user identifying unit 502, an information providing unit 503, and a customer database 504 that is a user identification information database.

  When receiving an access or login request from the client apparatus 111, the identification information transmitting unit 501 transmits its own server identification information to the client apparatus that has requested it. In the present embodiment, as described above, the information in the server certificate is used as the server identification information, which is transmitted to the client device when the SSL communication is established. Therefore, the identification information transmission unit 501 It is included in the module that processes communication. However, as described above, when server identification information is not used, it goes without saying that it can be provided alone as a component.

  The user identification unit 502 receives user identification information from the client device 111, searches the customer database 504 using the received user identification information, and identifies whether the request is from a properly registered user. The customer database 504 stores user identification information set at the time of registration together with customer information.

  When the information providing unit 503 is identified as a valid user as a result of the processing as described above, the information providing unit 503 provides various information as an information providing server to the client device. Here, in this embodiment, since the feature is in the stage before information provision, that is, user identification, only providing information to the client device 111 among various functions of the information provision server 131 is described. However, it goes without saying that the information providing server 131 can exchange any information with the client device 111 as a server for providing a website.

  FIG. 6 is a block diagram illustrating an example of the configuration of the management server 121 according to the present embodiment. As described above, the management server 121 performs a certain management function by issuing an IC card, registering each website user, and the like. For this reason, the information of the company which operates a website and its user is managed. The management server 121 itself is not essential for carrying out the present invention, but it can be understood by those skilled in the art that it plays an important role in carrying out smoothly. In order to fulfill such a function, the management server 121 includes a registration request receiving unit 601 and a server registration database.

  The registration request accepting unit 601 accepts an IC card issuance request and a user registration request from the client device 111, and if it is an IC card issuance request, sends it to the electronic certificate authority 141 and sends the information to the customer database in the server registration database 602. Store. In the case of user registration, the information is passed to the information providing server that provides the desired website in the user registration request, and the information is stored in the database as in the case of the IC card.

  FIG. 7 is a diagram showing a flow of user identification processing according to the present embodiment. As shown in FIG. 7, when the customer tries to access the information providing server 131 via the client device 111, server identification information is transmitted from the information providing server 131, and a predetermined in the IC card corresponding to the received server identification information is stored. The personal identification code stored in the area is identified and transmitted to the information providing server 131. If the correct identity verification code is received, the information providing server 131 can assume that the user has been successfully identified (logged in) and can be subsequently accessed from the client device.

  As described above, even when login is required when accessing a desired website by attaching an IC card storing the identity verification code and management application to the client device, the user is not aware of this and is not aware of this. Can be accessed. Here, in this embodiment, information in an IC card, a server certificate, or the like is used, but the present invention is not limited to this, and any other media or server identification information can be used. For example, the management server 121 can manage the unique identification information of each information providing server 131 and use it as the server identification information.

(Electronic signature processing)
After logging in to the desired server as described above, the client can receive the service provided by this server. However, when receiving a service that requires identity verification, such as commerce, the client is identified by an electronic signature or the like. We must prove that there is. In the present embodiment, as shown in FIG. 7, an electronic signature is automatically performed based on information stored in advance in the IC card 112.

  Hereinafter, the electronic signature processing will be described with reference to FIG. When the user logs in from the client device 111, the information providing server 131 transmits a command to display the signature target data to the client device 111. In the client device 111, data is displayed and signature plug-in software in the IC card 112 is activated, and a PKI key pair stored in the IC card 112 in advance is read and transmitted to the information providing server 131. The

  The information providing server 131 that has received the signature data of the electronic signature performs authentication based on the received data, stores the signature data if it is valid, provides a service, and returns an error to the client device 111 if it is not valid. And so on.

  In this embodiment, digital signature processing is performed using signature data and signature plug-in software included in the IC card 112, but similar processing is performed by storing such information in some other electronic media area. Those skilled in the art will understand that can be performed.

  As described above, according to the present embodiment, not only can a user log in to a desired site, but also a user needs to prove his / her identity, the electronic signature process is automatically performed, and the user performs troublesome operations. Various services can be received without any problems.

It is a block diagram which shows one Embodiment of processes, such as user identification information issue concerning this invention. It is a figure which shows the processing flow of IC card issue of this embodiment, and user identification information registration. It is a block diagram which shows one Embodiment of the user identification process concerning this invention. It is a block diagram which shows an example of a structure of the client apparatus of this embodiment. It is a block diagram which shows an example of a structure of the information provision server of this embodiment. It is a block diagram which shows an example of a structure of the management server of this embodiment. It is a figure which shows the flow of the user identification process of this embodiment.

Explanation of symbols

101 Internet 111 Client device 112 IC card 113 Identity verification code management application area 114 PKI key pair certificate storage area 115 Signature plug-in software area 121 Management server 131 Information providing server 141 Electronic certificate authority 401 Server identification information receiving unit 402 User identification information Transmission unit 403 Service request unit 404 Information acquisition unit 405 User interface unit 501 Identification information transmission unit 502 User identification unit 503 Information provision unit 504 Database 601 Registration request reception unit 602 Server registration database

Claims (8)

A user identification information database for storing user identification information for a pre-registered user; an identification information transmitting means for transmitting server identification information upon receiving a service request for requesting provision of a predetermined service via the network; An information providing server including user identification means for determining whether or not the received user identification information exists in the user identification information database upon receiving user identification information corresponding to the server identification information; User identification information storage means for storing user identification information in association with each other, identification information receiving means for receiving server identification information from the information providing server via a network, and the predetermined service based on the received server identification information. The information providing server to be provided is specified, and the specified information providing server is specified. A client apparatus comprising: user identification information determining means for reading out user identification information for a server from the user identification information storage means; and user identification information transmitting means for transmitting the read user identification information to the information providing server; A user identification system comprising:   The network is SSL-encrypted, and the user identification information means uses information contained in a server certificate sent from the information providing server when starting SSL-encrypted communication as the server identification information. The user identification system according to claim 1.   The user identification system according to claim 1 or 2, wherein the client device includes an IC card having the user identification information storage unit and the user identification determination unit. When a server registration database in which an information providing server is registered in advance and an information provision registration request from the client device to the information providing server are received, the information provision registration request and the client device are stored in the server registration database, and the information providing server A management server including a registration request accepting means for transmitting to the server, the information providing server, upon receiving the information provision registration request and the client device, determines and transmits user identification information corresponding to the client device; The user identification system according to claim 1, wherein the client device stores the transmitted user identification information in the user identification information storage unit.   The client device further includes signature data storage means for storing preset signature data, and signature data transmission means for transmitting the signature data to the information providing server upon receiving a certification request from the information providing server. The user identification system according to any one of claims 1 to 4, wherein Service request means for transmitting a service request for requesting provision of a predetermined service to the information providing server via the network;
Identification information receiving means for receiving server identification information from the information providing server;
User identification information storage means for storing the information providing server and user identification information used in user identification when receiving the predetermined information from the information providing server in association with the received server identification information;
A user identification information determining unit that determines an information providing server that provides the predetermined service based on the server identification information, and reads the determined user identification information for the information providing server from the user identification information storage unit;
A client device comprising: user identification information transmitting means for transmitting the read user identification information to the information providing server. Transmitting a service request for requesting provision of a predetermined service via the network to the information providing server by the service request unit;
Receiving server identification information from the information providing server by identification information receiving means;
User identification that stores the information providing server in association with the information providing server and user identification information used in user identification when receiving the predetermined information from the information providing server in association with the received server identification information. An information storage step;
A step of determining an information providing server that provides the predetermined service based on the server identification information, and reading the determined user identification information for the information providing server from the user identification information storage unit;
And a step of transmitting the user identification information read by the user identification information transmitting means to the information providing server. Transmitting a service request for requesting provision of a predetermined service via the network to the information providing server by the service request unit;
Receiving server identification information from the information providing server by identification information receiving means;
User identification that stores the information providing server in association with the information providing server and user identification information used in user identification when receiving the predetermined information from the information providing server in association with the received server identification information. An information storage step;
A step of determining an information providing server that provides the predetermined service based on the server identification information, and reading the determined user identification information for the information providing server from the user identification information storage unit;
A program for causing a client computer to execute the step of transmitting the user identification information read by the user identification information transmitting means to the information providing server.

Images