WO2013118302A1 - Authentication management system, authentication management method, and authentication management program - Google Patents
- Publication number: WO2013118302A1 (PCT application PCT/JP2012/053179)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- authentication
- user
- identification information
- image
- function
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/36—User authentication by graphic or iconic representation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- The present invention relates to an authentication management system, an authentication management method, and an authentication management program that use a password.
- In one known approach, a disposable (one-time) data string is generated by predetermined logic on a small password-display device called a token, or on a mobile phone, distributed to the user; the user reads the string and enters it on the terminal. The authentication server then verifies the entered string against a string generated by the same logic. Alternatively, the authentication server itself generates the disposable string, sends it to the mobile phone or similar device, and verifies the string the user enters against it.
- Patent Document 1 proposes a technique in which a personal authentication data recording medium holding a large number of similar verification data items is used, and the user selects and specifies the correct item from among them by memory, so that authentication by another person is prevented.
- Patent Document 2 proposes an authentication method that uses both personal information, consisting of at least one unit of information known to the principal, and non-personal information, consisting of at least one unit of information unknown to the principal.
- The one-time password method using tokens and mobile phones described above is effective against eavesdropping, shoulder surfing, theft by spyware, and the like. However, what the password proves is the authenticity of the token or the mobile phone; it contributes nothing to determining whether the person holding it is the legitimate user or an attacker.
- Authentication using images is effective against guessing attacks, and because it relies on images in the user's memory it is easy to remember and reduces the management burden. Because the same registered image is selected on every login, however, it is vulnerable to observation and theft by eavesdropping, shoulder surfing, spyware, and the like.
- An object of the present invention is to provide an authentication management system, an authentication management method, and an authentication management program that reduce the burden of managing passwords by using images, and that maintain a high security level by using disposable passwords.
- The authentication management system of the present invention comprises a connection device having a communication function and used by a user, and an authentication device. The authentication device receives a connection request from the connection device and acquires the unique user identification information assigned to each user; generates a plurality of identification images for authentication based on that user identification information and assigns random data to each of them; temporarily holds the correspondence between each identification image and its random data in a correspondence storage unit; authenticates the user when, via the connection device, the user selects among the generated identification images by entering the assigned data; deletes the assignment between identification image and random data once authentication is complete; and permits single sign-on to the system.
- The authentication device may further be provided with a user identification information issuing unit that assigns unique user identification information to each connection device, or to each user of a connection device, when an authentication image is registered in advance, and that manages the registered identification image for authentication linked to that user identification information.
- The authentication device is a computer or server that operates as the various functional units described here when its CPU executes programs recorded in ROM in response to inputs.
- User identification information is a unique identifier indicating a user or a connection device, for example user login information. The user identification information may also be the value presented to the authentication device when the connection device makes a connection request.
- An identification image is an image the user uses for authentication, for example an image the user registered in advance for his or her own authentication, which then serves as the password. The identification image may be one familiar to the user, such as a photograph or a picture.
- The correspondence between an identification image and random data is the link between an identification image generated by the identification information generation unit and the data assigned to it. The correspondence is not only tracked inside the authentication device; it is also made visible to the user when displayed on the connection device, for example by superimposing the assigned data on the identification image.
- The connection device has a communication function with the authentication device. It may consist of a portable terminal that has an image display function for image authentication and communicates with the authentication device, together with an electronic terminal that has an input function for password authentication and communicates with the authentication device. Alternatively, the connection device may be a single terminal that has both the image display function for image authentication and the input function for password authentication, with a different communication line for each.
- A portable terminal is a device having a communication function and a screen display function, for example a mobile phone, a PDA, or a portable computer.
- An electronic terminal is a device having a communication function and a data input function, for example a computer, a tablet PC, a smartphone, a credit terminal, an ATM, an entrance management terminal, or a kiosk terminal.
- The user identification information issuing unit may bundle the login information for a plurality of systems and for basic software into one item of user identification information, and disclose only that user identification information to the user.
- Basic software is software, called an operating system, that controls a computer and makes applications available.
- Login information is what the user presents to a system or operating system for authentication when using it, for example a login ID and a password.
- The identification information generation unit generates, based on the user identification information, a set of identification images that includes the identification image registered in advance for authentication, and may reassign fresh random data to every authentication image displayed by the authentication device on each occasion.
- The correspondence storage unit may store the correspondence between the authentication images displayed on the connection device and the random data assigned to them by the identification information generation unit.
- The user authentication unit takes the data entered as the password, looks up in the correspondence stored in the correspondence storage unit the authentication image associated with that data, and checks against the user identification information whether the image so selected is the authentication image registered in advance by the user holding that user identification information. After authentication is complete, it may instruct the correspondence storage unit to delete the correspondence between the authentication images displayed to the authenticated user and the random data.
- The authentication management method of the present invention receives a connection request from a connection device having a communication function and used by a user; acquires the unique user identification information assigned to each user; generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; temporarily stores the correspondence between the identification images and the random data generated by the identification information generation unit; authenticates the user when the user selects among the generated identification images via the connection device by entering the assigned data; deletes the assignment between identification image and random data after authentication is complete; and permits single sign-on to the system.
- The authentication management program of the present invention causes a computer to realize the functions of: receiving a connection request from a connection device having a communication function and used by a user; acquiring the unique user identification information assigned to each user; generating a plurality of identification images for authentication based on the acquired user identification information and assigning random data to them; temporarily holding the correspondence between the identification images generated by the identification information generation unit and the random data; authenticating the user when the generated identification images are selected via the connection device by entering the assigned data; deleting the assignment between identification image and random data after authentication is complete; and permitting single sign-on to the system.
- Because the authentication management system, method, and program temporarily hold the correspondence between identification images and random data, authenticate the user by having the user select among the plurality of identification images generated via the connection device and enter the assigned data, delete the assignment after authentication completes, and only then permit single sign-on to the system, the authenticity of the user is ensured, and because the entered password is disposable a high security level is maintained against observation and theft by eavesdropping, shoulder surfing, or spyware.
- Further, because the login information for a plurality of systems and basic software is bundled into one item of user identification information when the user registers the authentication image in advance, the user can use a plurality of systems merely by recognizing the identification image, and the burden of managing passwords is reduced.
- Figures (embodiment of the invention): the processing flow of the authentication device and the connection device; the processing flow of the user identification information issuing unit; the processing flow of the user information confirmation unit; the processing flow of the identification information generation unit; the processing flow of the correspondence storage unit; the processing flow of the user authentication unit.
- FIG. 1 is a system configuration diagram showing a first embodiment of an authentication management system of the present invention.
- In the first embodiment, the system comprises a connection device 200 having a communication function and used by a user, and an authentication device 100. The authentication device 100 comprises: a user identification information issuing unit 101 that, when an authentication image is registered in advance, assigns unique user identification information to the connection device or to its user and manages the registered identification image for authentication linked to that user identification information; a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to the user; an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; a correspondence storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a user authentication unit 105 that authenticates the user when the generated identification images are selected via the connection device by entering the assigned data, and deletes the assignment after authentication completes.
- the authentication device 100, the portable terminal 210, and the electronic terminal 220 are connected through a wired or wireless network.
- the authentication device 100 is a computer or a server, and operates as various functional units when the CPU executes a program recorded in the ROM based on various inputs.
- The connection device 200 consists of a portable terminal 210, comprising a communication unit 211 that communicates with the authentication device 100 and a screen display unit 212 having a screen display function, and an electronic terminal 220, comprising a communication unit 221 that communicates with the authentication device 100 and an input unit 222 having an input function.
- the mobile terminal 210 is a device having a communication function and a screen display function, and may be a mobile phone, a PDA, a portable computer, or the like.
- the electronic terminal 220 is a device having a communication function and a data input function, and may be a computer, a tablet PC, a smartphone, a credit terminal, an ATM, an entry management terminal, a kiosk terminal, or the like.
- The user identification information issuing unit 101 performs user registration and delivery of user identification information. By requiring pre-registration of a plurality of identification images at user registration, the password can be made more complex according to the order in which, and the number of times, identification images are selected.
- The user information confirmation unit 102 serves as the reception window when a user presents user identification information and requests a connection.
- The identification information generation unit 103 assigns random data to the identification images received from the user information confirmation unit 102. The random data here is data that can be entered through the input function of the input unit 222, such as alphanumeric characters and symbols. A plurality of data items may be assigned to one identification image.
- The identification information generation unit 103 generates an identification image display screen I1, as shown in FIG. 10, from the identification images with the random data superimposed on them, and displays it on the screen display unit 212. The user views this screen and reads the data assigned to the identification image that he or she registered.
- The user reads the random data superimposed on the pre-registered identification image and enters it on the password input screen I2 shown in the drawings. The password input screen I2 has a user identification information input field and a password input field; the user enters the data read from the identification image display screen I1 as the password in the password input field.
- The correspondence storage unit 104 temporarily stores the correspondence generated by the identification information generation unit 103. It also has a deletion function: the correspondence used for an authentication is deleted on instruction from the user authentication unit 105, and a deleted correspondence is never used for a subsequent authentication.
- The user authentication unit 105 authenticates the user from the password entered by the user or from the selected identification image. On success, the single sign-on function or a password manager function can be activated to permit batch login to a plurality of systems.
- The user may also make the connection request to the user information confirmation unit 102 via the electronic terminal 220 alone. In that case the user information confirmation unit 102 may ask the user to indicate that he or she does not have the portable terminal 210.
- The user information confirmation unit 102 acquires the user identification information from the electronic terminal 220 and transmits to the identification information generation unit 103 the identification images and user identification information registered in advance in the user identification information issuing unit 101 for that user identification information.
- The identification information generation unit 103 assigns random data to the received identification images and lets the user choose whether to authenticate by selecting an image directly. An identification image display screen I1, as shown in FIG. 10, is generated from the identification images with the random data superimposed and displayed on the electronic terminal 220.
- If the user chose image selection, the user authentication unit 105 has the user select the image directly on the input unit 222 of the electronic terminal 220, without displaying the password input screen I2. Otherwise the password input screen I2 is displayed, and the user reads the random data superimposed on the pre-registered identification image and enters it as the password on screen I2. Click, tap, keyboard input, speech recognition, and the like can be used as the selection method.
- The user authentication unit 105 authenticates the user from the selected identification image or the entered password. When authenticating along this route, where the image display and the input share a single terminal, the user authentication unit 105 may restrict access when permitting the connection. When authentication completes, the user authentication unit 105 deletes the correspondence between identification image and random data that was temporarily stored in the correspondence storage unit 104 for this authentication.
- When using the authentication management system, the user first accesses the authentication device and registers identification images with the user identification information issuing unit 101 (flow 1). Once the identification images are registered, the user identification information issuing unit 101 issues user identification information (flow 2) and stores the issued user identification information together with the identification images (flow 3).
- The user who has received the user identification information then sends a connection request to the authentication device from the portable terminal 210 or the electronic terminal 220 (flow 4). The case of access from the portable terminal 210 is described as an example.
- The user making the connection request presents the user identification information to the user information confirmation unit 102 (flow 5). The presented user identification information is passed to the identification information generation unit 103 (flow 6), which generates and presents an identification image display screen I1 composed of images, including the registered identification image, each with its own random data. The screen I1 is displayed on the screen display unit 212 of the portable terminal 210 (flow 7), and the correspondence between identification images and random data used for it is temporarily held in the correspondence storage unit 104 (flow 8).
- The user reads the data superimposed on the pre-registered identification image (flow 9) and enters it as the password on the password input screen I2 displayed on the electronic terminal 220 (flow 10). The user authentication unit 105 uses the entered password to identify the identification image (flow 11), authenticates the user from the identified image and the user identification information presented in flow 5 (flow 12), and if authentication succeeds permits access (flow 13). At that point the correspondence held in flow 8 is deleted from the correspondence storage unit 104 and is not used for subsequent authentications.
- The user identification information issuing unit 101 accepts registration of identification images when an unregistered user connects using the connection device 200 (STEP 1), issues unique user identification information for each user (STEP 2), and stores the user identification information and the identification images (STEP 3). For personal authentication, both personal information, consisting of at least one unit of information familiar to the registering person, and non-personal information, consisting of at least one unit of information not familiar to that person, may be registered in advance; the registration technique of Japanese Patent Laid-Open No. 2003-228553 may be used to form this registration information.
- The user information confirmation unit 102 waits, performing no processing, until a connection request arrives (STEP 6; NO). When a user presents user identification information, it acquires the presented user identification information (STEP 7) and transmits to the identification information generation unit 103 the identification images registered in advance in the user identification information issuing unit 101 for that user identification information (STEP 8).
- The identification information generation unit 103 performs no processing until it receives an instruction from the user information confirmation unit 102 (STEP 9; NO). When it receives the user identification information of the user who made the connection request together with an instruction to generate identification images (STEP 9; YES), it generates a set of images from the identification images registered in advance for personal authentication, namely the identification image that is personal information (at least one unit of information familiar to the user) and the identification images that are non-personal information (at least one unit of information the user does not recognize) (STEP 10), assigns random data to all of the generated images (STEP 11), and transmits the correspondence between identification images and random data to the correspondence storage unit 104 with an instruction to store it (STEP 12).
- It then superimposes the random data assigned in STEP 11 on each identification image to generate the identification image display screen I1 shown in FIG. 10, checks whether the connection device 200 that made the connection request is the portable terminal 210 or the electronic terminal 220 (STEP 13), and displays the screen on the terminal that made the request (STEP 14).
- When the connection request source is the electronic terminal 220, it is checked whether the electronic terminal has two communication circuits (STEP 16). If the user selects authentication by image (STEP 17; YES), the user authentication unit 105 is notified to authenticate with the identification image (STEP 18).
- The processing procedure in the correspondence storage unit 104 is described with reference to its flowchart. The correspondence storage unit 104 stands by without processing until it receives a recording instruction from the identification information generation unit 103 (STEP 19; NO), and then temporarily records the correspondence between identification images and random data generated by the identification information generation unit 103 (STEP 20). When a deletion instruction is received, the deletion is executed (STEP 22); when no deletion instruction arrives, the entry is deleted after a fixed time on instruction from the identification information generation unit 103.
- The user reads the data superimposed on the identification image that is personal information (at least one unit of information registered in advance for personal authentication) and enters it on the password input screen; a PIN or a stored password may also be entered together with it.
- The user authentication unit 105 receives the data entered by the user (STEP 25), queries the correspondence storage unit 104 (STEP 26), refers to the correspondence between identification images and random data, and determines the identification image selected by the entered data (STEP 27). The identified image is matched against the identification image registered in advance in the user identification information issuing unit 101 (STEP 28); if they match, access to the system for which the connection was requested is permitted and the correspondence storage unit is instructed to delete the recorded correspondence (STEP 29). At this point the single sign-on function may also be activated to permit connection to other systems in a batch. If the selected identification image does not match the pre-registered identification image, the user authentication unit 105 may ask the user to enter the password again (STEP 28; NO).
- When authentication by image selection was chosen, the user authentication unit 105 instructs the user to select an image directly on the displayed identification image display screen (STEP 30), and if the selected image does not match the pre-registered one it may ask the user to select again (STEP 32; NO).
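The flow 1 to 13 sequence and the STEP 1 to 32 procedure above, modelled as an added Python example (this is illustration written for this page, not code from the patent or from any product). Units 101 to 105 of authentication device 100 are methods of one class; images are stood in for by file names, and "superimposing" a code on an image is modelled as a (code, image) pair sent to the display terminal. The code length, the 60-second lifetime of a stored correspondence, and the three-attempt limit are assumptions chosen for the example, since the page only says the entry is deleted "after a certain time" and that the user "may" be asked to re-enter.

```python
"""Toy model of the image + disposable-code authentication flow on this page.

Added example, not the patent's own code.  Constants below are assumptions.
"""
import hmac
import secrets
import string
import time
from dataclasses import dataclass

CODE_ALPHABET = string.ascii_uppercase + string.digits  # typeable on input unit 222
CODE_LENGTH = 4          # assumption
CHALLENGE_TTL = 60.0     # seconds; the page only says "after a certain time"
MAX_ATTEMPTS = 3         # assumption; page says the user "may" be asked to re-enter


@dataclass
class Correspondence:
    """One entry of correspondence storage unit 104: the screen I1 issued to a user."""
    created: float
    mapping: dict              # random code -> image it was superimposed on
    attempts: int = 0


class AuthenticationDevice:
    def __init__(self, decoy_images, ttl=CHALLENGE_TTL, clock=time.monotonic):
        self._decoys = list(decoy_images)   # non-personal images the user does not know
        self._users = {}                    # unit 101 store: user id -> registered images, in order
        self._pending = {}                  # unit 104: user id -> Correspondence
        self._ttl = ttl
        self._clock = clock

    def register(self, identification_images):
        """Unit 101: store the user's images and issue unique user identification information."""
        user_id = "U-" + secrets.token_hex(4)
        self._users[user_id] = list(identification_images)
        return user_id

    def connection_request(self, user_id):
        """Units 102/103: build screen I1 for this request and record the correspondence.

        Returns the (code, image) pairs to show on display unit 212, in random order.
        Fresh codes on every request are what make the entered password disposable.
        """
        if user_id not in self._users:
            raise KeyError("unknown user identification information")
        images = self._users[user_id] + self._decoys
        codes = set()
        while len(codes) < len(images):               # one unique code per image, CSPRNG-drawn
            codes.add("".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH)))
        screen = list(zip(codes, images))
        secrets.SystemRandom().shuffle(screen)        # image positions also vary per request
        self._pending[user_id] = Correspondence(self._clock(), dict(screen))
        return screen

    def verify(self, user_id, entered_codes):
        """Unit 105: map entered codes back to images, compare with registration, then delete."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                               # nothing outstanding: replay, or no request
        if self._clock() - entry.created > self._ttl:
            del self._pending[user_id]                 # timed-out correspondence is reaped
            return False
        selected = [entry.mapping.get(c) for c in entered_codes]
        expected = self._users[user_id]                # order of selection matters (see unit 101)
        ok = (None not in selected and len(selected) == len(expected)
              and hmac.compare_digest("|".join(selected), "|".join(expected)))  # ASCII names assumed
        if ok:
            del self._pending[user_id]                 # single use: the same codes never work again
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]                 # stop online guessing against one screen
        return False

    def has_pending(self, user_id):
        return user_id in self._pending


if __name__ == "__main__":
    dev = AuthenticationDevice(["decoy-1.png", "decoy-2.png"])   # constructed sample images
    uid = dev.register(["cat.png", "boat.png"])
    screen = dev.connection_request(uid)                          # what terminal 210 would show
    code_for = {img: code for code, img in screen}
    print(dev.verify(uid, [code_for["cat.png"], code_for["boat.png"]]))   # True
    print(dev.verify(uid, [code_for["cat.png"], code_for["boat.png"]]))   # False: replay
```

The point the model makes explicit is that the correspondence, not the image, is the secret of a single login: an observer who captures the codes entered on terminal 220 learns nothing reusable, because the next connection request redraws every code and shuffles the screen, and a captured screen from terminal 210 alone does not reveal which image belongs to the user.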
- FIG. 2 is a system configuration diagram showing a second embodiment of the authentication management system of the present invention.
- In the second embodiment, the system comprises a connection device 200 having a communication function and used by a user, and an authentication device 100. The authentication device 100 comprises: a user identification information issuing unit 101 that, when an authentication image is registered in advance, assigns unique user identification information to the connection device or to its user and manages the registered identification image for authentication linked to that user identification information; a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to the user; an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; a correspondence storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a user authentication unit 105 that authenticates the user when the generated identification images are selected via the connection device by entering the assigned data, and deletes the assignment between identification image and random data after authentication completes.
- The connection device 200 is a single electronic terminal 230 that includes a communication unit 211 that communicates with the authentication device 100, a communication unit 221, a screen display unit 212 having a screen display function, and an input unit 222 having an input function.
- The communication unit 211 and the communication unit 221 of the electronic terminal 230 are physically or logically separate communication circuits, and traffic on the two circuits is not mixed.
- the authentication device 100 and the electronic terminal 230 are connected through a wired or wireless network.
- The electronic terminal 230 combines in one terminal the communication unit 211 and screen display unit 212 of the portable terminal 210 and the communication unit 221 and input unit 222 of the electronic terminal 220 of the first embodiment, each having the same function as in the first embodiment. The registration processing with the user identification information issuing unit 101, the connection request to the user information confirmation unit 102, and the display of the identification image display screen I1, which the portable terminal 210 performed in the first embodiment, are performed by the electronic terminal 230.
- The authentication device 100 has functions equivalent to those of the first embodiment. The communication unit 211 and screen display unit 212 that belonged to the portable terminal 210, and the communication unit 221 and input unit 222 that belonged to the electronic terminal 220, are treated in the second embodiment as belonging to the electronic terminal 230; the processing is otherwise the same.
- FIG. 3 is a system configuration diagram showing a third embodiment of the authentication management system of the present invention.
- in the third embodiment the system consists of a connection device 200 with a communication function used by the user, an authentication device 111, and a service providing device 110.
- the authentication device 111 comprises a user identification information issuing unit 101 that, when an image for authentication is registered in advance, assigns unique user identification information per connection device or per user of the connection device and manages the link between the registered identification image and the user identification information; a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to the user; an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; and a correspondence relationship storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit.
- the service providing device 110 comprises a user authentication unit 105 that authenticates the user by having the user select from the generated identification images via the authentication device 111 and the connection device 200 and input the assigned data, and that deletes the assignment of random data after the authentication is completed.
- the third embodiment thus separates the function of the user authentication unit 105, which in the first embodiment belonged to the authentication device 100, into the service providing device 110 (FIG. 3).
- the authentication device 111, the service providing device 110, the portable terminal 210, and the electronic terminal 220 are connected through a wired or wireless network.
- the connection device 200 consists of a mobile terminal 210, made up of a communication unit 211 that communicates with the authentication device 111 and a screen display unit 212 with a screen display function, and an electronic terminal 220, made up of a communication unit 221 that communicates with the authentication device and an input unit 222 with an input function.
- the authentication device 111 and the service providing device 110 are computers or servers that operate as the various functional units by having their CPU execute programs recorded in ROM in response to various inputs.
- the connection device 200, the portable terminal 210, and the electronic terminal 220 have the same functions as in the first embodiment.
- the user identification information issuing unit 101, the user information confirmation unit 102, the identification information generation unit 103, and the correspondence relationship storage unit 104 are again included in the authentication device 111 in the third embodiment, while the user authentication unit 105 is included in the service providing device 110; the processing between the units is the same as in the first embodiment.
- the authentication management system, authentication management method, and authentication management program according to the present invention temporarily hold the correspondence between an identification image and random data, have the user select from the plurality of generated identification images via the connection device and input the assigned data, authenticate the user on that basis, delete the assignment between identification image and random data after authentication is completed, and permit single sign-on to the system. The authenticity of the user is thereby ensured, and because the password is disposable, a high security level is maintained against detection and theft by eavesdropping, covert filming, or spyware.
- the authentication management system, authentication management method, and authentication management program according to the present invention bundle login information for a plurality of systems and operating systems into one piece of user identification information when the user registers the authentication images in advance, so the user can use a plurality of systems by recognizing the identification image, and the password management burden is reduced.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
An authentication management system, an authentication management method, and an authentication management program according to the present invention allow a user to view a one-time password by selecting an identification image that the user had registered in advance. As a result, the authentication management system, the authentication management method, and the authentication management program ensure the authenticity of the user, reduce the burden of password management by having the user recognize the identification image, and maintain a high level of security with the use of a one-time password.
Description
The present invention relates to an authentication management system, an authentication management method, and an authentication management program, and in particular to an authentication management system, method, and program that use a password.
Conventional user authentication schemes mostly use passwords made of digits, letters, and symbols, because they are versatile and convenient. With such a scheme the password with the highest security level is as long as possible and consists of an irregular string of data, but the passwords in wide general use are mostly simple ones that are easy for the user to remember, such as a birthday or the user's own name. Such a password is easily guessed, and easily broken, by an attacker, that is, a malicious third party. Furthermore, if the user does not change the password periodically and uses the same password on multiple systems, or if the password is leaked once through eavesdropping, covert filming, theft by spyware, or the like, the damage may spread.
However, requiring long and complex passwords or frequent password changes raises the security level but makes the password hard to memorize and increases the password management burden, so convenience suffers.
To solve these problems, various authentication schemes are used, such as authentication by one-time password.
For example, in one-time password authentication, a different data string is generated at each authentication according to predetermined logic, the user reads the data string, and the user is asked to enter it as a disposable password.
Such schemes include one in which a disposable data string is generated according to predetermined logic on a small password-display terminal called a token distributed to the user, or on a mobile phone; the user reads the string and enters it on a terminal, and the authentication server compares it with the authentication data string generated by the same logic on the server side. In another variant, the authentication server generates the disposable data string and sends it to the mobile phone or similar; when the user who read it enters it on the terminal, the authentication server compares the two.
As a personal authentication scheme, Patent Document 1 proposes a technique that prevents authentication by another person by using a personal authentication data recording medium on which many similar pieces of verification data are recorded, and having the person select and indicate the correct data from among them from memory.
As an image-based authentication scheme, there are schemes based on the user's memory, in which the user is authenticated by selecting the user's registered images from among a plurality of images presented at authentication time; Patent Document 2 proposes a technique for an authentication scheme that uses both personal information, consisting of at least one unit of information the person recognizes, and non-personal information, consisting of at least one unit of information the person does not recognize.
For example, the one-time password schemes using tokens or mobile phones described above are effective against eavesdropping, covert filming, and theft by spyware, because the valid password differs at each authentication. However, what the one-time password proves is the authenticity of the token or mobile phone; it contributes nothing to determining whether the holder is the legitimate user or an attacker.
Image-based authentication is effective against guessing attacks and the like, and because it uses images rooted in the user's memory it is easy to remember and the management burden is reduced; but it is vulnerable to detection and theft by eavesdropping, covert filming, spyware, and the like.
In view of the above, the present invention aims to provide an authentication management system, an authentication management method, and an authentication management program that guarantee the authenticity of the user by generating a disposable password when the user visually recognizes an identification image that the user registered in advance, reduce the password management burden by using identification images for authentication, and maintain a high security level by using disposable passwords.
The authentication management system of the present invention comprises a connection device with a communication function, used by a user, and an authentication device that has: a user information confirmation unit that accepts a connection request from the connection device and acquires the unique user identification information assigned to each user; an identification information generation unit that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; a correspondence relationship storage unit that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a user authentication unit that authenticates the user by having the user select from the generated identification images via the connection device and input the assigned data, and that deletes the assignment between identification images and random data after authentication is completed. The authentication device has a function of permitting single sign-on to the system.
In the authentication management system of the present invention, the "authentication device" may further comprise a user identification information issuing unit that, when an image for authentication is registered in advance, assigns unique user identification information per connection device or per user of the connection device, and manages the link between the registered identification image for authentication and the user identification information.
In the authentication management system of the present invention, the "authentication device" is a computer or server that operates as the various functional units by having its CPU execute programs recorded in ROM in response to various inputs.
"User identification information" means a unique identifier denoting a user or a connection device, for example the user's login information. The "user identification information" may also be what the authentication device uses when the user makes a connection request.
"Identification image" means an image the user uses for authentication; for example, an image the user registered in advance for their own authentication, which plays the role of a password. The "identification image" may be something familiar to the user, such as a photograph or a picture.
"Correspondence between an identification image and random data" means the link between an identification image generated by the identification information generation unit and the data assigned to it. The correspondence is not only established in the authentication device's internal processing; it is also made visible to the user when displayed on the connection device, for instance by superimposing the corresponding data on the identification image.
In the authentication management system of the present invention, the "connection device" may consist of a mobile terminal that has a communication function with the authentication device and an image display function for image authentication, and an electronic terminal that has a communication function with the authentication device and an input function for password authentication. Alternatively, the connection device may be a single terminal that has an image display function for image authentication, an input function for password authentication, and separate communication lines for image authentication and for password authentication.
A "mobile terminal" is a device with a communication function and a screen display function, for example a mobile phone, a PDA, or a portable computer.
An "electronic terminal" is a device with a communication function and a data input function, for example a computer, a tablet PC, a smartphone, a credit terminal, an ATM, an entry control terminal, or a kiosk terminal.
In the authentication management system of the present invention, the "user identification information issuing unit" may bundle login information for a plurality of systems and operating systems into one piece of user identification information and disclose only the user identification information to the user.
"Basic software" means the software called an operating system, which controls a computer and makes applications usable.
"Login information" means what a user presents to a system or operating system for authentication when using it, for example a login ID and a password.
In the authentication management system of the present invention, the "identification information generation unit" may generate, based on the user identification information, a set of identification images that includes the identification image for authentication registered in advance, and may reassign random data to all of the authentication images displayed by the authentication device every time.
In the authentication management system of the present invention, the "correspondence relationship storage unit" may store the correspondence between the authentication images displayed on the connection device and the random data assigned by the identification information generation unit.
In the authentication management system of the present invention, the "user authentication unit" can also take the data entered as the password, use the correspondence stored in the correspondence relationship storage unit to look up the authentication image tied to that data together with the user identification information, and confirm that the user holding that user identification information has correctly selected the authentication image registered in advance. After authentication is completed, it may instruct the correspondence relationship storage unit to delete the correspondence between the authentication images displayed to the authenticated user and the random data.
The authentication management method of the present invention accepts a connection request from a connection device with a communication function used by a user, acquires the unique user identification information assigned to each user, generates a plurality of identification images for authentication based on the acquired user identification information, assigns random data to them, temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit, authenticates the user by having the user select from the generated identification images via the connection device and input the assigned data, deletes the assignment between identification images and random data after authentication is completed, and thereby implements a function of permitting single sign-on to the system.
The authentication management program of the present invention causes a computer to implement: a function of accepting a connection request from a connection device with a communication function used by a user and acquiring the unique user identification information assigned to each user; a function of generating a plurality of identification images for authentication based on the acquired user identification information and assigning random data to them; a function of temporarily holding the correspondence between the identification images and the random data generated by the identification information generation unit; a function of authenticating the user by having the user select from the generated identification images via the connection device and input the assigned data; a function of deleting the assignment between identification images and random data after authentication is completed; and a function of permitting single sign-on to the system.
The authentication management system, authentication management method, and authentication management program according to the present invention temporarily hold the correspondence between identification images and random data, authenticate the user by having the user select from the generated identification images via the connection device and input the assigned data, delete the assignment between identification images and random data after authentication is completed, and can permit single sign-on to the system. This guarantees the authenticity of the user and, by using disposable passwords, maintains a high security level against detection and theft by eavesdropping, covert filming, spyware, and the like.
Furthermore, the authentication management system, authentication management method, and authentication management program according to the present invention bundle login information for a plurality of systems and operating systems into one piece of user identification information when the user registers the images for authentication in advance, so the user can use multiple systems by recognizing the identification image, and the password management burden is reduced.
By having these effects secure each other, the burden on the user is reduced and a comprehensively secure, highly available, and versatile authentication system can be realized.
The authentication management system according to the first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a system configuration diagram showing the first embodiment of the authentication management system of the present invention.
In the first embodiment, the present invention consists of a connection device 200 with a communication function used by a user, and an authentication device 100 made up of: a user identification information issuing unit 101 that, when an image for authentication is registered in advance, assigns unique user identification information per connection device or per user of the connection device and manages the link between the registered identification image for authentication and the user identification information; a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to the user; an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; a correspondence relationship storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a user authentication unit 105 that authenticates the user by having the user select from the generated identification images via the connection device and input the assigned data, and deletes the assignment between identification images and random data after authentication is completed.
The authentication device 100, the mobile terminal 210, and the electronic terminal 220 are connected through a wired or wireless network.
The authentication device 100 is a computer or server that operates as the various functional units by having its CPU execute programs recorded in ROM in response to various inputs.
In the first embodiment, the connection device 200 consists of a mobile terminal 210, made up of a communication unit 211 that communicates with the authentication device 100 and a screen display unit 212 with a screen display function, and an electronic terminal 220, made up of a communication unit 221 that communicates with the authentication device and an input unit 222 with an input function.
The mobile terminal 210 is a device with a communication function and a screen display function, and may be a mobile phone, a PDA, a portable computer, or the like.
The electronic terminal 220 is a device with a communication function and a data input function, and may be a computer, a tablet PC, a smartphone, a credit terminal, an ATM, an entry control terminal, a kiosk terminal, or the like.
The user identification information issuing unit 101 registers users and issues user identification information. By requiring pre-registration of a plurality of identification images at user registration, the password can also be made more complex through the order in which the identification images are selected and the number of selections.
また、1つの利用者識別情報に複数のシステム及び基本ソフトウェアへのログイン情報を束ね、利用者識別情報のみを利用者に対して開示することも可能である。
Also, it is possible to bundle login information to a plurality of systems and basic software into one user identification information and disclose only the user identification information to the user.
ここでいう、基本ソフトウェアは、コンピュータを制御し、アプリケーションを利用可能にするためのオペレーティングシステムと呼ばれるソフトウェアのことをいう。
Here, basic software refers to software called an operating system for controlling a computer and making an application available.
また、ログイン情報は、システムやオペレーションシステムを利用する際に、利用者が該システムに対して認証用に提示するものをいう。例えば、ログインID、パスワードなどが挙げられる。
Also, login information refers to what the user presents to the system for authentication when using the system or operation system. For example, login ID, a password, etc. are mentioned.
さらに、ここでいう、利用者識別情報は、利用者または接続用装置を示す固有の識別子をいう。例えば、利用者のログイン情報などのことである。また、利用者識別情報は、認証装置が、利用者の接続要求を行う際に用いるものであってもよい。
Furthermore, the user identification information here refers to a unique identifier indicating a user or a connection device. For example, user login information. Further, the user identification information may be used when the authentication device makes a user connection request.
利用者情報確認部102は、利用者が、利用者識別情報を提示して接続を要求した際に、受付窓口としての役割を果たすものである。
The user information confirmation unit 102 serves as a reception window when a user presents user identification information and requests connection.
The identification information generation unit 103 assigns random data to the identification images received from the user information confirmation unit 102. Random data here means data that can be entered through the input function of the input unit 222, such as alphanumeric characters and symbols. A plurality of data items may be assigned to one identification image.
An identification image is an image the user uses for authentication. For example, it may be an image the user registered in advance for his or her own authentication and that serves as a password. The identification image may also be something familiar to the user, such as a photograph or a picture.
The correspondence between an identification image and random data is the link between an identification image and the data generated by the identification information generation unit. This correspondence is not only held in the internal processing of the authentication device; it is also made visible to the user when displayed on the connection device, for example by superimposing the corresponding data on the identification image.
The identification information generation unit 103 further generates an identification image display screen I1, as shown in FIG. 10, from the data obtained by superimposing the random data on the identification images, and has the screen display unit 212 display it.
The identification image display screen I1 consists of the identification images with random data superimposed on them. By looking at this screen, the user can read the data assigned to the identification image he or she registered.
From the displayed data, the user reads the random data superimposed on the identification image registered in advance and enters it on the password input screen I2, shown in FIG. 11, which is displayed on the input unit 222. The password input screen I2 has a user identification information input field and a password input field. The user enters the data read from the identification image display screen I1 as the password in the password input field of this screen.
The correspondence storage unit 104 temporarily stores the correspondence generated by the identification information generation unit 103. It also has a deletion function, and a correspondence that has been used for authentication can be deleted on the instruction of the user authentication unit 105. A deleted correspondence is not used for any subsequent authentication.
The user authentication unit 105 authenticates the user from the password the user entered or from the identification image the user selected. After authentication is completed, it can also start a single sign-on function or a password manager function and permit a batch login to a plurality of systems.
In the first embodiment, the user may make the connection request to the user confirmation unit 102 via the electronic terminal 220. In that case, the user confirmation unit 102 may ask the user to send a message stating that he or she does not have the mobile terminal 210.
When a connection request is received from the electronic terminal 220, the user information confirmation unit 102 acquires the user identification information from the electronic terminal 220 and, based on it, sends the identification images registered in advance in the user identification information issuing unit 101, together with the user identification information, to the identification information generation unit.
The identification information generation unit 103 assigns random data to the identification images received from the user information confirmation unit 102 and lets the user choose whether to authenticate by selecting an image.
When the connection request originates from the electronic terminal 220, the identification image display screen I1 shown in FIG. 10 is generated from the data obtained by superimposing random data on the identification images and is displayed on the electronic terminal 220. If the user chooses authentication by image, the user authentication unit 105 does not display the password input screen I2 on the input unit 222 of the electronic terminal 220 but has the user select an image directly. If the user does not choose authentication by image, the password input screen I2 is displayed, and the user reads the random data superimposed on the identification image registered in advance and enters it on the password input screen I2.
When the user selects an image directly on the electronic terminal 220, the selection may be made by clicking, tapping, keyboard input, reading the data aloud for speech recognition, or the like.
The user authentication unit 105 authenticates the user from the selected identification image or the entered password. When the user is authenticated along this route, the user authentication unit 105 may apply access restrictions when permitting the connection. When authentication is completed, the user authentication unit 105 deletes, from the correspondence storage unit 104, the correspondence between the identification images and the random data that was stored temporarily for use in the authentication.
In the first embodiment, the processing procedure when a user uses the authentication management system according to the present invention is described with reference to the flowchart of FIG. 4.
When using the authentication management system of the present invention, the user first accesses the authentication device and registers identification images in the user identification information issuing unit 101 (flow 1). Once the identification images are registered, the user receives user identification information from the user identification information issuing unit 101 (flow 2). At this time, the issued user identification information and the identification images are stored (flow 3).
A user who has already received user identification information from the authentication management system sends a connection request to the authentication device from the mobile terminal 210 or the electronic terminal 220 (flow 4). Here the processing for an access made from the mobile terminal 210 is described as an example.
The user who made the connection request presents the user identification information to the user information confirmation unit 102 (flow 5). The presented user identification information is notified to the identification information generation unit 103 (flow 6), and the identification information generation unit 103 generates and presents the identification image display screen I1 using the images that include the registered identification information and the random data corresponding to each image.
The presented identification image display screen I1 is displayed on the screen display unit 212 of the mobile terminal 210 (flow 7). The correspondence between the identification images and the random data used at this time is temporarily held in the correspondence storage unit (flow 8).
From the identification image display screen I1 displayed on the mobile terminal 210, the user reads the data superimposed on the identification image he or she registered in advance (flow 9) and enters it as the password on the password input screen I2 displayed on the electronic terminal 220 (flow 10). The entered password data is used by the user authentication unit 105 to determine the identification image (flow 11).
The user is authenticated from the determined identification image and the user identification information presented in flow 2 (flow 12), and if authentication succeeds, access is permitted (flow 13). At this time, the correspondence held in flow 8 is deleted from the correspondence storage unit 104 and is not used in any subsequent authentication.
Next, the processing in each functional block is described in detail with reference to the drawings.
User registration and the issuing of user identification information in the user identification information issuing unit 101 are described in detail with reference to the flowchart of FIG. 5. When an unregistered user connects using the connection device 200, the user identification information issuing unit 101 accepts the registration of identification images (STEP 1), issues user identification information unique to each user (STEP 2), and stores the user identification information and the identification images (STEP 3).
For the registration of identification images, a technique may be used in which both personal information, consisting of at least one unit of information familiar to the person being registered for authentication, and non-personal information, consisting of at least one unit of information unfamiliar to that person, are registered in advance for personal authentication to form the registration information (Japanese Patent Laid-Open No. 2003-228553).
When there is an inquiry from the user authentication unit 105 (STEP 4; YES), the registered identification images are looked up from the presented user identification information and the authentication result is notified (STEP 5). When there is no inquiry from the user authentication unit 105, the process ends without further processing (STEP 4; NO).
The processing in the user information confirmation unit 102 is described in detail with reference to the flowchart of FIG. 6.
When there is a connection request from a user (STEP 6; YES), the user information confirmation unit 102 acquires the presented user identification information (STEP 7) and, based on it, sends the user identification information registered in advance in the user identification information issuing unit 101 to the identification information generation unit 103 (STEP 8). When there is no connection request from a user, no processing is performed and the unit keeps waiting until a connection request arrives (STEP 6; NO).
The process of assigning random data to identification images in the identification information generation unit 103 is described in detail with reference to the flowchart of FIG. 7. The identification information generation unit 103 performs no processing and keeps waiting until it receives an instruction from the user confirmation unit 102 (STEP 9; NO). When an instruction arrives from the user information confirmation unit 102, it receives the user identification information of the user who made the connection request together with an instruction to generate identification images (STEP 9; YES).
Based on the user identification information, the identification information generation unit 103 generates images from the identification images registered in advance for personal authentication, namely the identification images that are personal information consisting of at least one unit of familiar information and the identification images that are non-personal information consisting of at least one unit of information unfamiliar to the person (STEP 10), assigns random data to all of the generated images (STEP 11), and sends the correspondence between the identification images and the random data to the correspondence storage unit 104 with an instruction to store it (STEP 12).
Thereafter, the random data assigned in STEP 11 is superimposed on each identification image to generate the identification image display screen I1 shown in FIG. 10; the unit then checks whether the connection device 200 that made the connection request is the mobile terminal 210 or the electronic terminal 220 (STEP 13) and displays the screen on the terminal that made the request (STEP 14).
When the connection request originates from the electronic terminal 220, it is checked whether the electronic terminal has two communication circuits (STEP 16). If it does not have two communication circuits and the user has chosen authentication by image (STEP 17; YES), the user authentication unit 105 is notified to authenticate by identification image (STEP 18).
The processing procedure in the correspondence storage unit 104 is described with reference to the flowchart of FIG. 8. The correspondence storage unit 104 performs no processing and waits until it receives a recording instruction from the identification information generation unit 103 (STEP 19; NO).
When an instruction arrives from the identification information generation unit 103 (STEP 19; YES), the correspondence between the identification images and the random data generated by the identification information generation unit 103 is recorded temporarily (STEP 20). When an instruction to delete a recorded correspondence is received from the user authentication unit 105 (STEP 21), the deletion is executed (STEP 22). When no deletion instruction is received, the correspondence is deleted after a certain time by the identification information generation unit 103.
The authentication procedure in the user authentication unit 105 is described with reference to the flowchart of FIG. 9. The unit checks whether a notification of authentication by image has been received from the identification information generation unit 103; if there is no such notification (STEP 23; YES), it displays the password input screen shown in FIG. 11 on the electronic terminal 220 (STEP 24).
The user reads the data superimposed on the identification image registered in advance for personal authentication, that is, the personal information consisting of at least one unit of familiar information, and enters it on the password input screen. It is also possible to enter a PIN or a memorized password. When the user authentication unit 105 receives the data entered by the user (STEP 25), it queries the correspondence storage unit 104 (STEP 26), refers to the correspondence between the identification images and the random data, and determines from the entered data which identification image was selected (STEP 27).
The determined identification image is matched against the identification images registered in advance in the user identification information issuing unit 101 (STEP 28); if they match, access to the system for which the connection was requested is permitted and the correspondence storage unit is instructed to delete the recorded correspondence (STEP 29). At this time, the single sign-on function may be started so that connections to other systems are also permitted in a batch. If the selected identification image does not match the pre-registered identification image, the user authentication unit 105 may ask the user to enter the password again (STEP 28).
When an instruction for authentication by image has been received from the identification information generation unit 103 (STEP 23; NO), the user authentication unit 105 instructs the user to select an image directly on the displayed identification image display screen (STEP 30).
The user selects an image by clicking, tapping, keyboard input, reading aloud for speech recognition, or a similar method. The selected identification image is checked against those registered in advance (STEP 31); if it matches (STEP 32; YES), access to the system to which the connection was made is permitted and the correspondence storage unit is instructed to delete the recorded correspondence. At this time, access restrictions may be applied to a user authenticated along this route (STEP 33).
If the selected identification image does not match the pre-registered identification image, the user authentication unit 105 may ask the user to enter the password again (STEP 32; NO).
FIG. 2 is a system configuration diagram showing a second embodiment of the authentication management system of the present invention.
In the second embodiment, the present invention consists of a connection device 200 having a communication function and used by a user, and an authentication device 100 consisting of: a user identification information issuing unit 101 that, when authentication images are registered in advance, assigns user identification information unique to each connection device or each user of a connection device and manages the link between the registered identification images for authentication and the user identification information; a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to each user; an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them; a correspondence storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a user authentication unit 105 that authenticates the user by having the generated identification images selected and the assigned data entered via the connection device, and deletes the assignment between the identification images and the random data once authentication is completed.
In the second embodiment, the connection device 200 consists of an electronic terminal 230 that comprises a communication unit 211 and a communication unit 221 for communicating with the authentication device 100, a screen display unit 212 with a screen display function, and an input unit 222 with an input function.
The communication unit 211 and the communication unit 212 of the electronic terminal 230 are physically or logically distinct communication circuits, and the communication on each circuit is not mixed.
The authentication device 100 and the electronic terminal 230 are connected through a wired or wireless network.
In the second embodiment, the electronic terminal 230 has within a single terminal the communication unit 211, the screen display unit 212, the communication unit 221, and the input unit 222 that the mobile terminal 210 and the electronic terminal 220 had in the first embodiment, each with the same function as in the first embodiment, and it performs the registration processing in the user identification information issuing unit 101, the connection request to the user information confirmation unit 102, and the display of the identification image display screen I1 that the mobile terminal 210 performed in the first embodiment.
In the second embodiment, the authentication device 100 has the same functions as in the first embodiment; the communication circuit 211 and the screen display unit 212 that belonged to the mobile terminal 210 in the first embodiment, and the communication circuit 221 and the input unit 222 that belonged to the electronic terminal 220 in the first embodiment, are treated as belonging to the electronic terminal 230 in the second embodiment, and the processing between the functional units is identical.
FIG. 3 is a system configuration diagram showing a third embodiment of the authentication management system of the present invention.
In the third embodiment, the present invention consists of a connection device 200 having a communication function and used by a user; an authentication device 111 consisting of a user identification information issuing unit 101 that, when authentication images are registered in advance, assigns user identification information unique to each connection device or each user of a connection device and manages the link between the registered identification images for authentication and the user identification information, a user information confirmation unit 102 that accepts a connection request from the connection device 200 and acquires the unique user identification information assigned to each user, an identification information generation unit 103 that generates a plurality of identification images for authentication based on the acquired user identification information and assigns random data to them, and a correspondence storage unit 104 that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit; and a service providing device 110 consisting of a user authentication unit 105 that authenticates the user by having the generated identification images selected and the assigned data entered via the connection device 200, and deletes the assignment between the identification images and the random data once authentication is completed.
The third embodiment separates the function of the user authentication unit 105, which the authentication device 111 had in the first embodiment, into a service providing device 110.
The authentication device 111, the service providing device 110, the mobile terminal 210, and the electronic terminal 220 are connected through a wired or wireless network.
In the third embodiment, the connection device 200 consists of a mobile terminal 210 comprising a communication unit 211 for communicating with the authentication device 100 and a screen display unit 212 with a screen display function, and an electronic terminal 220 comprising a communication unit 221 for communicating with the authentication device and an input unit 222 with an input function.
The authentication device 111 and the service providing device 110 are computers or servers, and they operate as the various functional units when the CPU executes programs recorded in ROM in response to various inputs.
In the third embodiment, the connection device 200, the mobile terminal 210, and the electronic terminal 220 have the same functions as in the first embodiment; the user identification information issuing unit 101, the user confirmation unit 102, the identification information generation unit 103, and the correspondence storage unit 104 that belonged to the authentication device 111 in the first embodiment are likewise treated as belonging to the authentication device 111 in the third embodiment, while the user authentication unit 105 is treated as belonging to the service providing device 110, and the processing between the functional units is identical.
The authentication management system, authentication management method, and authentication management program according to the present invention temporarily hold the correspondence between identification images and random data, authenticate the user by having the generated identification images selected and the assigned data entered via the connection device, delete the assignment between the identification images and the random data once authentication is completed, and can permit single sign-on to systems. This guarantees the authenticity of the user and, because the password is disposable, maintains a high level of security against detection and theft by eavesdropping, covert filming, spyware, and the like.
また、本発明に係る、認証管理システム及び認証管理方法並びに認証管理プログラムは、利用者が認証用の画像を事前に登録する際において、1つの利用者識別情報に複数のシステム及び基本ソフトウェアへのログイン情報を束ねることで、利用者は識別画像の再認により複数システムを利用することが可能なり、パスワードの管理負荷を低減することができる。
The authentication management system, the authentication management method, and the authentication management program according to the present invention provide a plurality of systems and basic software to one user identification information when a user registers an authentication image in advance. By bundling login information, the user can use a plurality of systems by recognizing the identification image, and the management load of the password can be reduced.
上記の互いの効果を相互に担保しあうことによって、利用者の負担の軽減を図りながら在来の解決手段に比して格段に高い包括的なセキュリティならびに可用性と実用性に富んだ認証管理システムを実現することができる。
An authentication management system with comprehensive security and availability and practicality that is much higher than conventional solutions while reducing the burden on users by mutually securing the above mutual effects. Can be realized.
DESCRIPTION OF SYMBOLS
100 Authentication device
101 User identification information issuing unit
102 User information confirmation unit
103 Identification information generation unit
104 Correspondence relationship storage unit
105 User authentication unit
110 Service providing device
200 Connection device
210 Portable terminal
211 Communication unit
212 Screen display unit
220 Electronic terminal
221 Communication unit
222 Input unit
230 Electronic terminal
Claims (11)
- An authentication management system comprising:
a connection device having a communication function and used by a user; and
an authentication device comprising a user information confirmation unit that receives a connection request from the connection device and acquires unique user identification information assigned to each user,
an identification information generation unit that generates, based on the acquired user identification information, a plurality of identification images for authentication and assigns random data to the plurality of identification images,
a correspondence relationship storage unit that temporarily holds the correspondence between the identification images and the random data generated by the identification information generation unit,
a user authentication unit that authenticates the user by having the user, via the connection device, select from the plurality of generated identification images and input the assigned data, and that deletes the assignment between the identification images and the random data after authentication is complete, and
a function of permitting single sign-on to a system.
- The authentication management system according to claim 1, wherein the authentication device further comprises a user identification information issuing unit that, when authentication images are registered in advance, assigns unique user identification information to each connection device or to each user of a connection device, and links and manages the registered authentication identification images and the user identification information.
- The authentication management system according to claim 2, wherein the user identification information issuing unit bundles login information for a plurality of systems and basic software (operating systems) under a single piece of user identification information, and discloses only that user identification information to the user.
- The authentication management system according to any one of claims 1 to 3, wherein the identification information generation unit has a function of displaying, based on the user identification information, authentication images including the authentication images registered in advance, and a function of assigning random data to all of the authentication images displayed by the authentication device.
- The authentication management system according to any one of claims 1 to 4, wherein the correspondence relationship storage unit has a function of storing the correspondence among the user identification information of the connection device that made the connection request, the authentication images displayed to that connection device, and the random data assigned by the identification information generation unit.
- The authentication management system according to any one of claims 1 to 5, wherein the user authentication unit has a function of matching the data input as a password against the correspondence stored in the correspondence relationship storage unit, comparing the authentication image tied to that data with the user identification information, and confirming that the user holding that user identification information has correctly selected the authentication image registered in advance; and a function of instructing the correspondence relationship storage unit, after authentication is complete, to delete the correspondence between the authentication images displayed to the authenticated user and the random data.
- The authentication management system according to any one of claims 1 to 6, wherein the connection device consists of a portable terminal having a communication function with the authentication device and a function of displaying the authentication images, and an electronic terminal having a communication function with the authentication device and an input function for password authentication.
- The authentication management system according to claim 7, wherein the connection device consists of a terminal having an image display function for the image authentication, an input function for the password authentication, and separate communication lines for the image authentication and the password authentication.
- The authentication management system according to any one of claims 1 to 8, wherein the authentication device has a function of performing authentication by having the user directly select an authentication image in the user authentication unit, and a function of restricting the access rights of a user who has not performed password authentication.
- An authentication management method comprising:
receiving a connection request from a connection device having a communication function and used by a user;
acquiring unique user identification information assigned to each user;
generating, based on the acquired user identification information, a plurality of identification images for authentication and assigning random data to the plurality of identification images;
temporarily holding the correspondence between the identification images and the random data generated by the identification information generation unit;
authenticating the user by having the user, via the connection device, select from the plurality of generated identification images and input the assigned data, deleting the assignment between the identification images and the random data after authentication is complete, and permitting single sign-on to a system.
- An authentication management program that causes a computer to realize:
a function of receiving a connection request from a connection device having a communication function and used by a user, and acquiring unique user identification information assigned to each user;
a function of generating, based on the acquired user identification information, a plurality of identification images for authentication and assigning random data to the plurality of identification images;
a function of temporarily holding the correspondence between the identification images and the random data generated by the identification information generation unit;
a function of authenticating the user by having the user, via the connection device, select from the plurality of generated identification images and input the assigned data, and deleting the assignment between the identification images and the random data after authentication is complete; and
a function of permitting single sign-on to a system.
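The following Python sketch is an added example, not code from the patent or its applicant, that runs the flow summarized in the description above and recited in claims 1 to 9: a grid of identification images is issued with a fresh random code beside each image, the user types the code next to the image registered in advance, the server matches it against the temporarily stored correspondence, deletes that correspondence, and releases the bundled logins (single sign-on); selecting the image without a code yields only restricted access. The class and method names, the nine-image grid, the six-digit codes and the sample user data are assumptions. It departs from the text in one deliberate place, flagged in the comments: the pending correspondence is discarded on any verification attempt, not only after success, so each displayed grid allows a single guess.

```python
"""Added example (not code from WO2013118302A1 or its applicant): a minimal
simulation of the image-plus-one-time-code login flow. Names, grid size, code
length and sample data are assumptions made for illustration."""
import hmac
import secrets
from dataclasses import dataclass

CODE_LENGTH = 6   # assumed: digits of the random data shown beside each image
GRID_SIZE = 9     # assumed: number of identification images per challenge
_RNG = secrets.SystemRandom()


@dataclass(frozen=True)
class Session:
    user_id: str
    level: str    # "full" after code entry, "restricted" after image-only selection (claim 9)
    logins: dict  # bundled downstream login information released on "full" (claim 3)


def _fresh_code(existing) -> str:
    """Random code unique within one grid; secrets, not random, so codes are unguessable."""
    while True:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        if code not in existing:
            return code


class AuthenticationDevice:
    """Issuing unit (register), generation and storage units (issue_challenge)
    and user authentication unit (verify, verify_image_only) in one object."""

    def __init__(self) -> None:
        self.registered = {}      # user_id -> identification image registered in advance (claim 2)
        self.bundled_logins = {}  # user_id -> {system: login info} bundled under one id (claim 3)
        self.pending = {}         # user_id -> {code: image}; exists only while a grid is open (claim 5)

    def register(self, user_id: str, secret_image: str, logins: dict) -> None:
        self.registered[user_id] = secret_image
        self.bundled_logins[user_id] = dict(logins)

    def issue_challenge(self, user_id: str, decoys: list) -> list:
        """Build the grid for the portable terminal: the registered image plus
        decoys in random order, every image carrying a fresh code (claim 4)."""
        images = [self.registered[user_id], *decoys][:GRID_SIZE]
        mapping, grid = {}, []
        for image in _RNG.sample(images, len(images)):
            code = _fresh_code(mapping.keys())
            mapping[code] = image
            grid.append((image, code))
        self.pending[user_id] = mapping   # the temporary correspondence
        return grid

    def verify(self, user_id: str, entered_code: str):
        """Password step on the electronic terminal. The correspondence is
        discarded on the first attempt, success or not (assumed hardening: the
        patent only requires deletion after successful authentication)."""
        mapping = self.pending.pop(user_id, None)
        if mapping is None or not entered_code.isascii():
            return None   # no open grid, or the code was already used (replay)
        selected = None
        for code, image in mapping.items():   # constant-time compare, no early exit
            if hmac.compare_digest(code, entered_code):
                selected = image
        if selected != self.registered[user_id]:
            return None   # unknown code, or the code of a decoy image
        return Session(user_id, "full", dict(self.bundled_logins[user_id]))

    def verify_image_only(self, user_id: str, chosen_image: str):
        """Claim 9: picking the registered image directly, without the code,
        grants only restricted access."""
        self.pending.pop(user_id, None)
        if chosen_image != self.registered[user_id]:
            return None
        return Session(user_id, "restricted", {})


def demo() -> dict:
    """One run of the flow on constructed sample data."""
    dev = AuthenticationDevice()
    dev.register("alice", "img-cat", {"mail": "alice@corp.example", "erp": "a.smith"})
    decoys = ["img-dog", "img-car", "img-tree", "img-key", "img-boat", "img-cup", "img-hat", "img-pen"]

    grid = dev.issue_challenge("alice", decoys)
    my_code = next(code for image, code in grid if image == "img-cat")
    first = dev.verify("alice", my_code)       # correct code: full access plus bundled logins
    replay = dev.verify("alice", my_code)      # same code again: correspondence already deleted

    grid = dev.issue_challenge("alice", decoys)
    decoy_code = next(code for image, code in grid if image == "img-dog")
    decoy = dev.verify("alice", decoy_code)    # valid code, but it belongs to a decoy image

    restricted = dev.verify_image_only("alice", "img-cat")
    return {
        "first": first.level,
        "logins": first.logins,
        "replay": replay,
        "decoy": decoy,
        "restricted": restricted.level,
        "grid_size": len(grid),
        "codes_unique": len({code for _, code in grid}) == len(grid),
    }


if __name__ == "__main__":
    print(demo())
```

The grid bounds the attacker in two different ways: someone who can type at the electronic terminal but cannot see the portable terminal must guess a code blindly (one in 10^CODE_LENGTH), while someone who sees the grid and simply picks one of its codes succeeds with probability 1/GRID_SIZE per challenge. That is why the example discards the correspondence after a single attempt, and why a deployment also needs challenge expiry and attempt rate limiting, neither of which the claims themselves require.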
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2012/053179 WO2013118302A1 (en) | 2012-02-10 | 2012-02-10 | Authentication management system, authentication management method, and authentication management program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013118302A1 true WO2013118302A1 (en) | 2013-08-15 |
Family
ID=48947103
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/053179 WO2013118302A1 (en) | 2012-02-10 | 2012-02-10 | Authentication management system, authentication management method, and authentication management program |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2013118302A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001283121A (en) * | 2000-03-28 | 2001-10-12 | Nec Corp | Server device and client device and communication line shopping system using them |
JP2006163825A (en) * | 2004-12-07 | 2006-06-22 | Sojitz Systems Corp | Personal identification system |
JP2008257701A (en) * | 2007-03-12 | 2008-10-23 | Yahoo Japan Corp | Authentication system |
JP2011192154A (en) * | 2010-03-16 | 2011-09-29 | Hitachi Solutions Ltd | Usb storage device |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104113437A (en) * | 2014-07-12 | 2014-10-22 | 浙商银行股份有限公司 | An account transfer machine remote management method based on dynamic passwords |
KR20160126986A (en) * | 2014-11-07 | 2016-11-02 | 바이두 온라인 네트웍 테크놀러지 (베이징) 캄파니 리미티드 | Voice print verification method and apparatus, storage medium and device |
JP2017507422A (en) * | 2014-11-07 | 2017-03-16 | バイドゥ オンライン ネットワーク テクノロジー (ベイジン) カンパニー リミテッド | Voiceprint verification method, apparatus, storage medium and equipment |
US10277589B2 (en) | 2014-11-07 | 2019-04-30 | Baidu Online Network Technology (Beijing) Co., Ltd. | Voiceprint verification method, apparatus, storage medium and device |
KR102002889B1 (en) * | 2014-11-07 | 2019-07-23 | 바이두 온라인 네트웍 테크놀러지 (베이징) 캄파니 리미티드 | Voice print verification method and apparatus, storage medium and device |
CN107528692A (en) * | 2016-06-16 | 2017-12-29 | Abb瑞士股份有限公司 | The safe and effective registration of industrial intelligent electronic installation |
CN107528692B (en) * | 2016-06-16 | 2022-10-28 | 日立能源瑞士股份公司 | Method and system for registering intelligent electronic device with certification authority |
CN116228508A (en) * | 2023-05-10 | 2023-06-06 | 深圳奥联信息安全技术有限公司 | Password generation and authentication system and method |
Similar Documents
Publication | Title |
---|---|
US11405380B2 (en) | Systems and methods for using imaging to authenticate online users |
US10205711B2 (en) | Multi-user strong authentication token |
CN107690788B (en) | Identification and/or authentication system and method |
US9679123B2 (en) | Password authentication system and password authentication method using consecutive password authentication |
CN110149328B (en) | Interface authentication method, device, equipment and computer readable storage medium |
US10848304B2 (en) | Public-private key pair protected password manager |
JP6468013B2 (en) | Authentication system, service providing apparatus, authentication apparatus, authentication method, and program |
KR101451359B1 (en) | User account recovery |
KR102482104B1 (en) | Identification and/or authentication system and method |
US8868918B2 (en) | Authentication method |
US9697346B2 (en) | Method and apparatus for identifying and associating devices using visual recognition |
JP2006209697A (en) | Individual authentication system, and authentication device and individual authentication method used for the individual authentication system |
US20140359299A1 (en) | Method for Determination of User's Identity |
WO2013118302A1 (en) | Authentication management system, authentication management method, and authentication management program |
JP5536511B2 (en) | Authentication device, authentication system, authentication program, and authentication method for personal authentication using a mobile phone |
KR101980828B1 (en) | Authentication method and apparatus for sharing login ID |
US20160021102A1 (en) | Method and device for authenticating persons |
JP6370350B2 (en) | Authentication system, method, and program |
JP7536175B6 (en) | Mobile app login and device registration |
EP4187842A1 (en) | Method and system for user authentication |
KR102168098B1 (en) | A secure password authentication protocol using digitalseal |
Fujita et al. | Design and Implementation of a multi-factor web authentication system with MyNumberCard and WebUSB |
CN118786428A (en) | Information access switching |
JP2008512765A (en) | Authentication system and method based on random partial digital path recognition |
AU2010361584B2 (en) | User account recovery |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12867805; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 12867805; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: JP |