1. Field of the Invention
The present invention relates to an authentication executing device, a portable device for authentication, and an authentication method for certifying a user""s identity through the check of biometrics, that is, his or her physical features such as fingerprints that can be measured, thereby to allow the operation executable only by the user himself or herself.
2. Description of the Related Art
The operations executable only by a user himself or herself in an information processing system, for example, in a personal computer (hereinafter, referred to as a PC) include a log-in operation of the identified user, electronic commerce of dealing with a person in confirmation of the person""s identity, and further file encryption and decryption.
In the conventional technique, a user""s input of a password certifies that a person trying to do the above operation is the authorized user. In this case, a person asking for a permission has a trouble to register his or her predetermined password in advance, and if the password should be stolen, another user will make fraudulent use of the PC, acting like the authorized user.
In order to solve the problem, a method of using biometrics such as fingerprints, instead of a password, has been proposed. Below the description will be made with reference to FIG. 7, by way of example, in the case of using fingerprints as the biometrics.
In the conventional technique, a fingerprint sensor 10 is connected to a PC; feature information for matching extracted from the user""s fingerprint data is stored in a user inherent information storing unit 13 within the PC; when some fingerprint is provided by a user""s input, a fingerprint feature extracting unit 11 extracts the feature information from the fingerprint; a fingerprint checking unit 12 judges whether the feature of the fingerprint is in accord with the stored data; only when they are of one accord, the user is certified as the authorized user and a user inherent operation executing unit 17 performs the user identification operation.
In this form, since the input image and feature information of the fingerprint is processed within a system performing authentication, there is a risk that the feature information may be stolen by tampering the program when the system is not under the control of a user. In order to solve the problem, there has been a method of holding the fingerprint feature information stored in the user inherent information storing unit 13 in FIG. 7, on a portable terminal carried by a user, under the control of the user, more specifically, on an information terminal such as an electronic notepad, or on the medium, for example, an IC card, and transferring the content thereof to a PC to check the data. Even in this way, however, when a fingerprint sensor is connected to a PC in poor management, there is a possibility of tampering a program for controlling fingerprint input, so as to act like an authorized user, as if the authorized user had entered the fingerprint through the finger sensor, by using the fingerprint image of the other person being copied and stored, or the fraudulent fingerprint image.
On the other hand, the above portable terminal that can be carried by a user has the advantage that the user""s identity can be checked at any place. However, it is troublesome to insert the terminal into a PC, or connect the terminal to a PC by a cable in order to do authentication operation. There is a method of using infrared rays, radio waves, sound waves, or the like in a non-contact way, so to exchange data therebetween. These signals, however, are easily intercepted, and there is the possibility that the other person, receiving the data signal, makes use of it again so as to act like the authorized user.
An object of the present invention is to provide an authentication method and system with high security, free from a trouble of remembering a password and a risk of the other person using a PC by acting like the authorized user, capable of connecting a terminal with the PC by infrared rays, radio waves, or sound waves, taking the portability into consideration, with no possibility of stealing the fingerprint data and making fraudulent use of a message.
According to the first aspect of the invention, an authentication method using biometrics identification, comprising the following steps of
identifying a user by biometrics entered from a portable authentication terminal,
when the user has been registered previously, establishing communication between the authentication terminal and an authentication executing device independent of the authentication terminal, and calculating a common secret key for use in transmission of an authentication message,
encrypting the authentication message including the user""s inherent information based on the secret key in the authentication terminal,
sending the encrypted authentication message from the authentication terminal to the authentication executing device, and
decrypting the authentication message based on the calculated secret key in the authentication executing device, thereby executing an operation depending on the user inherent information included in the message.
In the preferred construction, the communication message is transmitted in one of non-contact typed communications, for example, via infrared rays, radio waves, and sound waves.
In another preferred construction, the user inherent information included in the authentication message includes such secret information as cannot be read out without identification of an authorized user from the biometrics in the authentication terminal.
In another preferred construction, an operation to be executed by the authentication executing device depending on the user inherent information is non-executable operation without identification of an authorized user from the biometrics in the authentication terminal, and therefore a function of authenticating that a person having registered the biometrics previously carries and uses the authentication terminal, is provided.
In another preferred construction, the user inherent information included in the authentication message includes individual information that cannot be read out without identification of an authorized user from the biometrics in the authentication terminal, and using the individual information, the authentication executing device executes the operation depending on the information of a user employing the authentication function.
In another preferred construction, the operation performed by the authentication executing device depending on the user inherent information includes file encryption and decryption, and a secret key for use in this encryption and decryption is to be stored in such a way that the secret key cannot be read out without identification of an authorized user from the biometrics in the authentication terminal.
According to the second aspect of the invention, a portable terminal for authentication using biometrics identification, comprises
biometrics image input means for receiving a user""s biometrics image,
biometrics feature extracting means for extracting biometrics feature for matching from the input biometrics image,
user inherent information storing means for storing the biometrics feature and inherent information of the user in pairs,
secret key agreeing means for deciding a key for use in encryption of an authentication message between the authentication executing device and the portable terminal,
biometrics image checking means for comparing the biometrics image extracted from the user""s input biometrics image with the biometrics feature stored in the user inherent information storing means, judging whether the user having entered the biometrics image this time is a registered user or not, and when this user is a registered user, supplying the inherent information stored in pairs with the biometrics image in the user inherent information storing means,
authentication message encrypting means for encrypting the user""s inherent information by the decided secret key, and
communication message sending means for sending a communication message to the authentication executing device.
In the preferred construction, the user inherent information storing means stores the biometrics features and inherent information for a plurality of users, and the biometrics image checking means estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold.
In another preferred construction, the user inherent information storing means stores the biometrics features and inherent information for a plurality of users, and the secret key agreeing means creates any random number, sends the random number to the authentication executing device, and calculates the key by use of a secret formula based on the same random number.
In another preferred construction, the biometrics image checking means estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold, and the secret key agreeing means creates any random number, sends the random number to the authentication executing device, and calculates the key by use of a secret formula based on the same random number.
In another preferred construction, the user inherent information storing means stores the biometrics features and inherent information for a plurality of users, and the secret key agreeing means performs mutual authentication together with the authentication executing device according to a predetermined protocol and countersign prior to deciding the key.
In another preferred construction, the biometrics image checking means estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold, and the secret key agreeing means performs mutual authentication together with the authentication executing device according to a predetermined protocol and countersign prior to deciding the key.
In another preferred construction, the user inherent information storing means stores the biometrics features and inherent information for a plurality of users, and the secret key agreeing means creates any random number, sends the created random number to the authentication executing device, receives the created random number from the authentication executing device, and creates the key by use of the both random numbers.
In another preferred construction, the biometrics image checking means estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold, and the secret key agreeing means creates any random number, sends the created random number to the authentication executing device, receives the created random number from the authentication executing device, and creates the key by use of the both random numbers.
In another preferred construction, the portable terminal communicates with the authentication executing device by one of non-contact typed communications, for example, via infrared rays, radio waves, and sound waves.
In another preferred construction, the portable terminal communicates with the authentication executing device through another terminal.
According to the third aspect of the invention, an authentication system for performing authentication using biometrics identification, comprises
a portable terminal and an authentication executing device,
the portable terminal includes biometrics image input means for a user""s receiving biometrics image,
biometrics feature extracting means for extracting biometrics feature for matching from the input biometrics image,
user inherent information storing means for storing the biometrics feature and inherent information of the user in pairs,
secret key agreeing means for deciding a key for use in encryption of an authentication message between the authentication executing device and the portable terminal,
biometrics image checking means for comparing the biometrics image extracted from the user""s input biometrics image with the biometrics feature stored in the user inherent information storing means, judging whether the user having entered the biometrics image this time is a registered user or not, and when this user is a registered user, supplying the inherent information stored in pairs with the biometrics image in the user inherent information storing means,
authentication message encrypting means for encrypting the user""s inherent information by use of the decided secret key, and
communication message sending means for sending a communication message to the authentication executing device,
the authentication executing device including:
secret key agreeing means for deciding a key for use in encryption of an authentication message between the portable terminal and the authentication executing device,
communication message receiving means for receiving a communication message sent from the portable terminal,
authentication message decrypting means for decrypting the communication message by use of the decided secret key, and
user inherent operation executing means for executing the user inherent operation based on the inherent information decrypted from the communication message.
In the preferred construction, the user inherent information storing means of the portable terminal stores the biometrics features and inherent information for a plurality of users, and the biometrics image checking means estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold.
In another preferred construction, the user inherent information storing means of the portable terminal stores the biometrics features and inherent information for a plurality of users, and the secret key agreeing means creates any random number, sends the random number to the authentication executing device, and calculates the key by use of a secret formula based on the same random number.
In another preferred construction, the biometrics image checking means of the portable terminal estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold, and the secret key agreeing means creates any random number, sends the random number to the authentication executing device, and calculates the key by use of a secret formula based on the same random number.
In another preferred construction, the secret key agreeing means of the authentication executing device calculates the key by use of the same secret formula as that of the portable terminal based on the random number sent from the portable terminal.
In another preferred construction, the secret key agreeing means of the authentication executing device receives the random number from the portable terminal, creates any random number, and creates the key by use of the both random numbers.
According to another aspect of the invention, a computer readable memory storing an authentication program for making a computer perform authentication using biometrics identification,
the authentication program comprising
a biometrics image input step for a user""s receiving biometrics image,
a biometrics feature extracting step for extracting biometrics feature for matching from the input biometrics image,
a secret key agreeing step for deciding a key for use in encryption of an authentication message between the authentication executing device and the portable terminal,
a biometrics image checking step for comparing the biometrics image extracted from the user""s input biometrics image with the biometrics feature stored in the user inherent information storing means for storing a pair of the biometrics features and inherent information of the user, judging whether the user having entered the biometrics image this time is a registered user or not, and when this user is a registered user, supplying the inherent information stored in pairs with the biometrics image in the user inherent information storing means,
an authentication message encrypting step for encrypting the user""s inherent information by use of the decided secret key, and
a communication message sending step for sending a communication message to the authentication executing device.
In the preferred construction, the biometrics image checking step of the authentication program estimates score indicating similarity of the biometrics images, and judges that the user having entered the biometrics image this time is a registered user when the score is higher than a threshold, and the secret key agreeing step of the authentication program creates any random number, sends the random number to the authentication executing device, and calculates the key by use of a secret formula based on the same random number.
In another preferred construction, the computer readable memory storing an authentication executing program of the authentication executing device,
the authentication executing program making a computer perform
a secret key agreeing step for deciding a key for use in encryption of an authentication message between the authentication program and the authentication executing program,
a communication message receiving step for receiving a communication message sent from the authentication program,
an authentication message decrypting step for decrypting the communication message by use of the decided secret key, and
a user inherent operation executing step for executing the user inherent operation based on the inherent information decrypted from the communication message.
In another preferred construction, the secret key agreeing step of the authentication executing program calculates the key by use of the same secret formula as that of the portable terminal based on the random number sent from the portable terminal.
In another preferred construction, the secret key agreeing step of the authentication executing program receives the random number from the authentication program, creates any random number, and creates the key by use of the both random numbers.
Other objects, features and advantages of the present invention will become clear from the detailed description given herebelow.