JP2008070923A - Authentication system, authentication method, and terminal - Google Patents

Abstract

An authentication system capable of accurately performing user authentication and detecting the position of a user is provided.
A tag 1 carried by a user and a base station 10 communicating with the tag 1 are provided, and user authentication is performed between the tag 1 and the base station 10. The tag 1 has light emitting means 2 that transmits part or all of information to the base station 10 by light. The base station 10 includes a camera 14 that captures the light from the light emitting means 2, user control using the light captured by the camera 14, and a control means 12 that detects the position of the light emitting means 2 from the captured light. have.
[Selection] Figure 1

Description

  The present invention relates to an authentication system for performing user authentication by communicating between a terminal carried by a user and a base station, an authentication method, and a terminal used in the authentication system.

  In recent years, a technique (RFID) for exchanging information wirelessly from a tag in which ID information is embedded has been used in various fields. As one of them, a system for managing where a user carrying the tag is located in the city has been proposed. In this system, a plurality of base stations are installed in various places in the city, and a user carrying a tag passes near a certain base station, thereby performing wireless communication between the base station and the tag and performing user authentication. The presence of the user is confirmed on the base station side. Further, as another conventional system using such an RFID, there is one described in Patent Document 1, for example.

JP 2005-229485 A

In such a system, user authentication needs to be performed accurately, and particularly when this system is used in the city (outdoors), it is necessary to perform user authentication particularly accurately because there are many passersby. . Furthermore, it is necessary to prevent a malicious person from impersonating the user. In addition, in the case of a conventional system that manages where a user carrying a tag is located in the city, the base station side indicates that there is a user carrying the tag in the peripheral area of the base station. It can be recognized, but it cannot be recognized up to the detailed position where it exists in the surrounding area.
SUMMARY OF THE INVENTION An object of the present invention is to provide an authentication system and an authentication method capable of accurately performing user authentication and detecting the position of the user.

  An authentication system according to the present invention for achieving the object includes a terminal carried by a user and a base station that communicates with the terminal, and performs user authentication between the terminal and the base station. In the system, the terminal includes light emitting means for transmitting part or all of information to the base station using light, and the base station includes a camera for photographing light from the light emitting means, and the camera. Control means for performing user authentication using the photographed light and detecting the position of the light emitting means from the photographed light.

  Then, in the authentication method performed by this authentication system, the terminal transmits part or all of the information to the base station with light, and the base station captures the light from the terminal and captures the captured light. This is done by performing user authentication using the detected light and detecting the position of the terminal from the photographed light.

  The terminal used in the authentication system performs user authentication by communicating with a base station, and performs user authentication with the base station and detects its own position at the base station. In order to achieve this, there is provided light emitting means for transmitting part or all of the information for user authentication to the base station by light.

  According to the authentication system, the authentication method, and the terminal, in the base station, when the camera captures the light from the light emitting means, the control means can perform user authentication with the terminal using the light. In addition, the position of the terminal having the light emitting means can be detected. Since user authentication is performed using light capable of detecting the position of the terminal, the terminal that is the target of user authentication is not erroneously recognized. Therefore, even if the camera captures a plurality of lights, it is possible to specify the position of one terminal to be subjected to user authentication, and thus it is possible to prevent erroneous authentication. Furthermore, since user authentication can be accurately performed between the terminal and the base station, it is possible to prevent a third party from impersonating the user maliciously.

  In the recognition system, the terminal selectively selects a wireless communication unit, a first operation using the light emitting unit during user authentication, and a second operation using only the wireless communication unit during user authentication. It is preferable to have control means for switching. According to this, the control means can selectively switch the authentication operation. That is, when the first operation is selected, user authentication can be performed by using the light of the light emitting means, the position of the terminal can be detected, and the position information of the terminal can be provided to the base station side. . When the second operation is selected, user authentication is enabled using only wireless communication means, terminal position detection is disabled, and terminal position information is not provided to the base station side.

Further, in the base station, the control means detects the movement of the light emitting means by continuously operating the camera, and the base station displays an image near the terminal based on the detection of the movement. It is preferable to have display means for projecting. According to this, since the base station can detect the movement of the light emitting means (terminal), the display means can display the video by following the moving terminal.
Further, in this case, the terminal has storage means for storing user information of a user who carries the terminal, and the base station receives the user information and uses the display means based on the user information. It is preferable to take a picture. In this case, an image that matches the user information can be displayed in the vicinity of the terminal.

  In the authentication system, the terminal includes a storage unit that stores user information of a user who carries the terminal, and a control unit that transmits the user information when user authentication is established with the base station. It is preferable to have. According to this, when user authentication is established, user information can be shown to the base station side.

  According to the present invention, in the base station, the camera captures the light from the light emitting means, so that the control means can accurately perform user authentication with the terminal using the light, and the light emitting means. It is possible to detect the position of a terminal having

Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 is a block diagram showing an embodiment of an authentication system of the present invention. This authentication system includes a terminal 1 carried by a user and a base station 10 that performs wireless communication with the terminal 1. The terminal 1 includes a storage unit 6 that stores various types of user information (user information). The terminal 1 is a wireless IC tag 1 (hereinafter referred to as a tag) that is an information transmitting / receiving unit that can transmit and receive the user information. It consists of). A plurality of base stations 10 are installed in various places in the city, and can be installed in facilities such as vending machines and utility poles, for example. Each base station 10 is connected to a server 11 via a network, and the server 11 manages each base station 10 and the tag 1. That is, the administrator who manages this system owns the server 11, the administrator installs the base station 10, and the user who has registered as a member of this system owns the tag 1. And this authentication system communicates between a user's tag 1 and the base station 10, and performs user authentication in order to provide various services with respect to the user who has the tag 1. FIG.

  The overall configuration of the tag 1 will be described. The tag 1 includes a control unit 3 composed of an IC, a storage unit 6 composed of a memory, a wireless communication unit 4 used for communicating with the base station 10, a light emitting unit 2 that emits light (optical signal), and a tag 1 is provided with input means 5 for inputting information. The wireless communication unit 4 communicates with the base station 10 by transmitting and receiving radio waves (RF). The light emitting means 2 can be, for example, an infrared LED that emits infrared rays (hereinafter, described as near infrared rays). The control unit 3 controls the operations of the wireless communication unit 4 and the light emitting unit 2. The input unit 5 can be operated by a user or an administrator to input user information to the storage unit 6 or to set the tag 1.

  The overall configuration of the base station 10 will be described. The base station 10 includes a control unit 12 composed of a microcomputer having a memory and a CPU, a wireless communication unit 13 used for communicating with the tag 1, a camera 14 for capturing video, a display unit 15 composed of a projector, and the like. have. The wireless communication means 13 communicates with the wireless communication means 4 of the tag 1 by transmitting and receiving radio waves. Since the camera 14 can capture an image, it can capture light (such as near infrared rays) from the light emitting means 2 of the tag 1. And this base station 10 transmits various information to the server 11 via a network, or receives the information from the server 11.

  The light emitting means 2 of the tag 1 transmits part or all of the information to the base station 10 with light (near infrared rays). That is, the light emitting unit 2 functions as a communication unit different from the wireless communication unit 4. In the base station 10, the camera 14 captures the light emitted from the light emitting means 2, and the control means 12 performs user authentication using this light and detects the position of the light emitting means 2 from the photographed light. Do. The position of the light emitting means 2 detected by the control means 12 is the position of the light emitting means 2 on the image taken by the camera 14. The user authentication and the detection of the position of the light emitting means 2 may be performed inside the control means 12, or the control means 12 may be an authentication server (not shown) connected via a network, a calculation means (FIG. (Not shown), and this authentication server and calculation means may be used.

  The user authentication process performed by the authentication system having such a configuration will be specifically described. FIG. 2 is an explanatory diagram showing an embodiment of service provision performed by the authentication system. In FIG. 2, the base station 10 is installed on a utility pole in the city, and users U1 and U2 pass through the vicinity. FIG. 3 is a flowchart for explaining the mutual authentication process performed between the tag 1 side and the base station 10 side. Hereinafter, user authentication between the tag 1 carried by the user U1 and the base station 10 and provision of services for the user U1 will be described in detail with reference to FIG. 1, FIG. 2, and FIG.

  The base station 10 always transmits encrypted ID information (step S1 in FIG. 3). This ID information is set in advance with the tag 1 of the user U1. This ID information is transmitted from the wireless communication means 13 of the base station 10. Then, when the tag 1 of the user U1 enters the communicable area of the base station 10, the tag 1 receives the ID information. By confirming that the received ID information matches the ID information set on the tag 1 side, the tag 1 recognizes the presence of the base station 10 (step S2), and returns a presence information reply. Perform (step S3). The reply information includes ID information of the tag 1 and is transmitted from the wireless communication means 4 of the tag 1. The base station 10 receives the ID information of the tag 1. By confirming that this ID information matches the ID information of the user U1 set on the base station 10 side (the control means 12 or the server 11), the base station 10 side is the user U1 (tag 1). Is recognized (step S4).

  When this confirmation is performed, the base station 10 side starts authentication processing with the tag 1 by the challenge response method. That is, the control means 12 of the base station 10 generates encryption key information (challenge), and the wireless communication means 13 transmits this encryption key information (step S5). The encryption key information includes a random value set by the control means 12 and a predetermined key value (password). Then, the wireless communication means 4 of the tag 1 receives this encryption key information, and the control means 3 performs an arithmetic process to generate processing information (response) (step S6). Note that the tag 1 side (control means 3 or storage means 6) has a predetermined key value (password), and generates processing information (response) using this (step S6). Then, this processing information is transmitted to the base station 10 (step S7).

Then, the base station 10 collates the processing information returned from the tag 1 with the information on the base station 10 side (step S8), and passes authentication if both match (step S9). By performing this authentication, processing for providing a service for the user U1 is started on the base station 10 side (step S11).
As described above, since the encrypted ID information is constantly transmitted from the base station 10 and the tag 1 that receives the ID information reacts, the power consumption of the tag 1 can be suppressed, and the battery consumption of the tag 1 can be suppressed. . Furthermore, since unnecessary transmission is not performed from the tag 1 side, it is preferable in terms of security. Further, the challenge response method may be used for the presence recognition of the base station 10 on the tag 1 side (step S2) and the return of the presence information (step S3).
In the authentication process, since the encryption key information is changed with a random value each time, the value of the generated process information is also different each time. This makes it difficult for a third party to impersonate this authentication system. The authentication method may be other methods besides the challenge response.

In this authentication system, when the tag 1 side transmits the processing information to the base station 10 side, part or all of the processing information is transmitted to the base station 10 using light (near infrared) using the light emitting means 2. Sending to. Specifically, the control unit 3 of the tag 1 encodes the calculated value of the processing information, and causes the light emitting unit 2 to emit light using the processing information as a light blinking pattern. Then, the camera 14 of the base station 10 captures this light, and based on this, the control means 12 performs the user authentication process and also processes the image by the camera 14. That is, the light emitted from the light emitting means 2 is used for position detection and also serves as an optical signal for user authentication. Note that all of the processing information may be transmitted from the light emitting means 2 in a light blinking pattern, or a part of the processing information may be transmitted in a light blinking pattern. When a part of the information is transmitted in the light blinking pattern, the remaining processing information is transmitted by the wireless communication unit 4 of the tag 1 and received by the wireless communication unit 13 of the base station 10.
In addition, when a part of the processing information is transmitted in the light flashing pattern, a malicious third party determines which part of the processing information transmitted from the tag 1 to the base station 10 is an optical signal. Since it is unknown, it is preferable in terms of security.

  The image processing performed by the control means 12 of the base station 10 will be described. From the blinking position of the light emitting means 2 photographed by the camera 14, the control means 12 performs image processing to detect the position of the light emitting means 2 (step S10). That is, the coordinates of the light emitting means 2 on the image taken by the camera 14 are obtained. Further, in this process, since the camera 14 is fixed with respect to the ground (road) being photographed, the position of the light emitting means 2 (light emission position) on the image of the camera 14 is changed to the actual ground (road). The three-dimensional coordinates of the light emitting means 2 can also be detected. In addition, conventionally known means can be applied as means for detecting the coordinates from the position of the light emitting means 2 in the image taken by the camera 14.

As described above, the authentication method performed by the authentication system of the present invention is such that the light emitting means 2 of the tag 1 carried by the user U1 transmits part or all of the information transmitted to the base station 10 as light. The station 10 captures the light from the tag 1, performs user authentication using the captured light, and detects the position of the light emitting means 2, that is, the position of the tag 1 from the captured light.
Therefore, another user U2 exists near the user U1, the light emitting means 2a of the tag 1a of this other user U2 emits light, and the camera 14 of the base station 10 emits light emitting means 2, of both users U1, U2. Even if the light of 2a is captured, the base station 10 performs user authentication with the tag 1 of the user U1 using the light capable of detecting the position of the tag 1 of the user U1. It is possible to prevent the U1 tag 1 from being mistakenly recognized as the user U2 tag 1a. Similarly, it is possible to prevent the tag 1a of the user U2 from being mistakenly recognized as the tag 1 of the user U1. It also has the effect of preventing a third party from impersonating the user maliciously. Thus, even if there are a plurality of tags that perform user authentication in the communicable area of one base station 10, user authentication is accurately performed with each tag, and the position of the user authenticated tag Can be accurately identified.

  Thereby, as a service that can be provided by this authentication system, a service for managing where the user U1 carrying the tag 1 is located in the city is possible. Specifically, a “watching service (crime prevention service)” that can track the whereabouts and whereabouts of a child becomes possible. In this case, when the child who is the user U1 carries the tag 1 and the child having the tag 1 enters the communicable area of each base station 10, user authentication is performed, and an image of the child is displayed by the camera 12. Acquire and further identify the position of the child in the image. These pieces of information can be transmitted to another person (for example, the guardian of this child) via the network.

Further, in this service, by using an image from the camera 12, it is possible to visually distinguish between the original user U1 having the tag 1 and the person who has picked up the tag 1. Further, since the specific position of the user U1 is known, for example, even if the user U1 is buried in a plurality of passers-by, or the image of the camera 14 is unclear and difficult to discriminate, Since the position can be specified as coordinates, it is easy to determine the presence position of the user U1.
Furthermore, since the position of the user U1 can be specified, even if an image of another person other than the user U1 is captured by the camera 14, only the user U1 is displayed in the image captured by the camera 14 by the processing of the control unit 12. You can leave others masked. This processing can be performed by means of conventionally known image processing, and can add a mosaic to the other person in the image or erase the other person. Thereby, the privacy with respect to others is protected.

  Further, as shown in FIG. 4, the authentication system can provide a plurality of services to the user U1 by using one tag 1 of the user U1. For example, in addition to the “watching service”, there are a “video providing service” and a “financial institution information providing service” that provide a predetermined video to the user U1 who has been authenticated.

Further, this authentication system selectively switches the processing operation at the time of user authentication according to the use / type of each service. That is, the storage unit 6 of the tag 1 stores a program for performing the first operation using the light emitting unit 2 at the time of user authentication and a program for performing the second operation using only the wireless communication unit 4 at the time of user authentication. Furthermore, it stores which operation is to be performed for each of the plurality of services. Based on the information stored in the storage means 6, the control means 3 selectively switches between the first operation and the second operation according to each service.
In addition, even if the tag 1 enters the communicable area of the base station 10, this authentication system can also prevent user authentication without providing the ID information of the user's tag 1. Specifically, the storage unit 6 of the tag 1 further stores a program for performing a third operation that does not transmit ID information for user authentication, and the user performs the third operation at the input unit 5 of the tag 1. By performing the input operation to select, the control means 3 selects the third operation and does not provide the ID information.

For example, in the “watching service”, the tag 1 is set to perform the first operation. Thereby, while performing user authentication, the information about a user's position can be provided to the base station 10 side, and the location and whereabouts of the user U1 can be managed based on this information.
However, in other services, information about the user's location may be unnecessary. For example, in the case of a service in which only information not related to the position of the user is exchanged between the user and the base station 10 side. Specifically, it is the “financial institution information providing service”. In this service, the tag 1 is set to perform the second operation. As a result, user authentication is performed by radio waves between the tag 1 and the base station 10 using the wireless communication means 4 and 13, but information on the user's position is not provided to the base station 10.
Furthermore, when the user is performing an input operation for selecting the third operation in the input unit 5 of the tag 1, the ID information is not provided from the tag 1 and user authentication is not performed. As a result, it is possible to perform privacy control that does not provide the presence of the user or the position information of the user to the base station 10 side.

  FIG. 5 is an explanatory diagram for explaining information stored in the storage means 6 of the tag 1. The storage means 6 stores a plurality of services (“watching service”, “video providing service”, “financial institution information providing service”), user information, and setting information on whether or not to provide user information in each service. ing. Further, as shown in FIG. 5, the above-described user location information is also set and stored in the storage unit 6 as shown in FIG. 5. For each service, the user performs an input operation for switching to the third operation at the input unit 5 of the tag 1, thereby providing ID information (or providing ID information and other information) from “OK” to “ Setting to change to “No” can be made.

Based on the information in the storage means 6, the control means 3 of the tag 1 stores the information in the storage means 6 when user authentication is established with the base station 10 according to each of a plurality of services. The user information is controlled to be selectively transmitted. For example, for the “watching service”, when user authentication is established, as user information related to the service from the tag 1, in addition to the user location information, for example, a name, age, address, user image by the camera 12, Furthermore, a user's passing time and the like are provided to the base station 10 and the server 11. For the “video providing service”, when user authentication is established, as user information related to the service from the tag 1, in addition to the user location information, for example, name, age, hobby, property, family structure, etc. Is provided to the base station 10 and the server 11. Similarly, with respect to the “financial institution information providing service”, when user authentication is established, user location information is not provided from the tag 1, and user information related to the service (for example, asset status information) is stored in the base station. 10 side provided. It should be noted that one or both of the wireless communication unit 4 and the light emitting unit 2 can be used for transmitting these pieces of information. Thus, according to the type of service that the user is provided, the control means 3 can select the user information and show it to the base station 10 side, and limit the disclosure of the user information according to the type of service. And privacy of users is protected. That is, the control means 3 can perform privacy control.
Note that the control unit 3 of the tag 1 controls to transmit the user information stored in the storage unit 6 when user authentication is established with the base station 10. Only information (identification number information) may be used. In this case, this ID information is stored in the storage means 6 and other user information is stored in another server (for example, the server 11 in FIG. 1) connected to the network (see FIG. 1), and the base station 10 The other user information may be extracted via the network (see FIG. 1) using the ID information received from the tag 1 as a key.

The operation of providing the “video providing service” using the authentication system of the present invention is as follows. When the tag 1 carried by the user U1 enters the communicable area of the predetermined base station 10 and user authentication is established using the ID for “video providing service”, the tag 1 relates to the “video providing service”. As the user information, information about the user's position, name, age, hobby, property, and family structure is provided to the base station 10 side.
In the base station 10, the control unit 12 detects the movement of the light emitting unit 2 of the tag 1 by continuously operating the camera 14. That is, as described above, since the position of the tag 1 can be detected from the video of the camera 14 on the base station 10 side, the movement of the tag 1 can be detected by performing the position detection of the tag 1 a plurality of times. it can. Based on the detection of the movement, the display means (projector) 15 of the base station 10 displays the image while moving the image in the vicinity of the tag 1.

  Specifically, as shown in FIG. 2, the image S1 is displayed (projected) from the display unit 15 on the wall surface in the vicinity of the user U1. Furthermore, based on the detection of the movement of the tag 1, the video S1 is made to follow the movement of the user U1. This video S1 is based on user information (hobbies, belongings, family structure, etc.) related to the “video providing service” transmitted from the tag 1 side and received by the base station 10 side. The video S1 is automatically selected based on the user information from the database of the server 11 (see FIG. 1) connected to the base station 10, and is transmitted from the server 11 to the base station 10 via the network. It is the transmitted information. Specifically, the video S1 is a video of advertising information such as a company or a product, a video of road guidance information, or a video of tourist guidance information.

  As a result, as shown in FIG. 2, the video S <b> 1 having contents that match the user information such as hobbies, possessions, and family structures stored in each tag 1 is displayed in the vicinity of the tag 1 (user U <b> 1). Can do. Furthermore, even if there are a plurality of users U1 and U2, different videos S1 and S2 corresponding to each user can be provided due to the difference in user information of each user. In this way, it is possible to provide dynamic information that an image including information according to user needs moves.

As described above, according to the present invention, since user authentication can be performed between the tag 1 and the base station 10 using the light capable of detecting the position of the tag 1, user authentication can be performed. The target tag 1 is not erroneously recognized. Furthermore, since user authentication can be accurately performed between the tag 1 and the base station 10, it is possible to prevent a third party from impersonating the user maliciously, and to prevent a denial attack (DoS: Denial of Service). ), For example, an authentication system having resistance against obstructing attacks such as lighting and blinking at a plurality of locations can be obtained.
Further, the present invention is not limited to the illustrated form, and other forms may be employed within the scope of the present invention, and the light emitting means 2 of the tag 1 may utilize other than near infrared rays. Further, the display means 10 of the base station 10 may use a liquid crystal display or a plasma display in addition to the video projection format.

It is a block diagram which shows one Embodiment of the authentication system of this invention. It is explanatory drawing which shows one Embodiment of the provision of the service performed by the authentication system of this invention. It is a flowchart explaining the process of the user authentication performed between the tag side and the base station side. It is explanatory drawing of the information provision system which provides a service with respect to a user by the authentication system of this invention. It is explanatory drawing explaining the information memorize | stored in the memory | storage means of a tag.

Explanation of symbols

1 Tag (terminal)
1a Tag (terminal)
2 light emitting means 2a light emitting means 3 control means 4 wireless communication means 6 storage means 10 base station 11 server 12 control means 13 wireless communication means 14 camera 15 display means

Claims (7)

An authentication system comprising a terminal carried by a user and a base station communicating with the terminal, and performing user authentication between the terminal and the base station,
The terminal has light emitting means for transmitting a part or all of information to the base station with light,
The base station includes a camera that captures light from the light emitting means, and a control means that performs user authentication using the light captured by the camera and detects the position of the light emitting means from the captured light. An authentication system characterized by   The terminal has wireless communication means and control means for selectively switching between a first operation using the light emitting means during user authentication and a second operation using only the wireless communication means during user authentication. The authentication system according to claim 1. In the base station, the control means detects the movement of the light emitting means by causing the camera to continue functioning,
The authentication system according to claim 1, wherein the base station has display means for displaying an image in the vicinity of the terminal based on the detection of the movement. The terminal has storage means for storing user information of a user carrying the terminal,
The authentication system according to claim 3, wherein the base station receives the user information and copies an image by the display unit based on the user information.   The terminal includes storage means for storing user information of a user who carries the terminal, and control means for transmitting the user information when user authentication is established with the base station. Item 5. The authentication system according to any one of Items 1 to 4. An authentication method for performing user authentication between a terminal carried by a user and a base station,
The terminal transmits part or all of the information to the base station using light,
The base station photographs light from the terminal, performs user authentication using the photographed light, and detects the position of the terminal from the photographed light. A terminal that performs user authentication by communicating with a base station,
Light emitting means for transmitting part or all of information for user authentication to the base station by light in order to perform user authentication with the base station and detect the position of the base station in the base station A terminal characterized by having.

Images