1. Field of the Invention
The present invention relates to an authentication system and an authentication method for authenticating that a user is the proper person by using an authentication symbol string such as a credit card number or the like, when he is performing, for example, payment by credit card or logging on to a server or the like.
2. Description of the Related Art
When a user has performed payment by credit card at an internet shop over the internet, it has been necessary for the user to input via a PC (personal computer) information such as his own credit card number, the period of validity of the credit card (which is used for authentication), the name of the cardholder, and so on.
Due to this, this information such as the credit card number of the user, the period of validity of the card, the name of the cardholder and so on comes to be transmitted to the server of the internet shop via the internet, so that there has been a problem of leakage of this information from the internet or from the server of the internet shop.
By contrast, in the Published Japanese Translation No. 2005-521181 of the PCT International Publication (Patent Reference #1), there is also a per se known technique of inputting a portion of the credit card number and attribute information such as the name of the user, his date of birth, or the like, and of performing authentication on the basis of this information.
Furthermore, in the Published Japanese Translation No. 2002-522775 of the PCT International Publication (Patent Reference #2), there is a per se known technique of separating the information into first data and second data, and of ensuring that all of the information is not stored upon any single device, by storing the first data upon a client system while storing the second data upon a remote server.
Moreover, in the Japanese Laid-Open Patent Publication 2003-13229 (Patent Reference #3), a per se known technique has been disclosed of preventing the leakage of information over a communication path by separating electronic information, which is a product, into several portions, and by transmitting the portions via different paths at different times.
Yet further, in the Japanese Laid-Open Patent Publication 2007-41957 (Patent Reference #4), there is a per se known technique of separating credit card information into two portions, and of storing one portion of this separated information upon a user terminal while storing the other portion thereof in an information device of a storage center, so that, during payment, the settlement center acquires the separated information portion which is stored in the user terminal and the separated information portion which is stored in the storage center information device, and restores the credit card information by combining these two portions, so as to be able to perform credit approval and settlement processing.
With, for example, the technique of Patent Reference #1, although there is no leakage of the entire credit card number, the authentication is not performed using the entire credit card number, so there is a possibility that the authentication will not be sufficient. Moreover, if the PC of the user is infected with a virus, information which has been inputted via the keyboard may be transmitted to the exterior by the virus and thereby leak; in this case, the portion of the credit card number which has been inputted and the other information which may be used for authentication may leak out, so that improper authentication may subsequently be performed using that information. Moreover, according to the technique of Patent Reference #2, although none of the devices individually can leak all of the information, there is still the problem that, if the client system is used by a third party whose intent is nefarious, he may obtain authentication in the same manner as the legitimate user, which is undesirable.
Furthermore, with the technique of Patent Reference #3, while this is able to prevent leakage upon the communication path, since the electronic information itself is present within the device upon the transmission side, it is not possible to prevent it undesirably leaking out from this device upon the transmission side. Moreover, with the technique of Patent Reference #4, although there can be no leakage of the entire credit card information from either the user terminal or the storage center information device, it is necessary to store a separated portion of the credit card information upon the storage center information device, so that the user is not able to be completely confident, since the storage center is not an absolutely trustworthy institution. Moreover, if the user terminal is used by an ill-intentioned third party, then there is the problem that he may be authenticated in a similar manner to a legitimate user.
The present invention has been conceived in consideration of the problems described above, and its object is to provide a technique which can appropriately prevent leakage of an authentication symbol string such as, for example, a credit card number, while also appropriately authenticating a user who is the right person.