JP6491996B2 - Authentication system - Google Patents

Description

  The present invention relates to an authentication system, and more particularly to an authentication system that prevents an illegal act such as impersonation of an information provider by a third party when providing information to a user via wireless communication.

In recent years, with the increase in users of mobile communication terminals such as smartphones and the expansion of wireless communication provision areas such as Bluetooth (registered trademark) and Wi-Fi, information providing services using these mobile communication terminals and wireless communication Is becoming available everywhere.
As an information providing service, for example, when a user approaches a store carrying a mobile communication terminal, advertisement information of the store is transmitted from the beacon installed in the store to the user's mobile communication terminal. There is something.

As one of the conventional techniques for the information providing service as described above, an electronic advertisement distribution method and system disclosed in Patent Document 1 have been proposed.
In the electronic advertisement distribution method of Patent Document 1, when a customer wireless terminal of a customer (user) is present in a wireless reachable area transmitted from the terminal for store installation, the terminal for store installation is connected via short-range wireless communication. Advertising information to customer wireless terminals.

JP 2003-58770 A

However, when using the electronic advertisement distribution method disclosed in Patent Document 1 above, no countermeasures against unauthorized use of short-range wireless communication are taken. May occur.
For example, information transmitted and received via wireless communication may be intercepted and stolen by a malicious third party.
Further, there is a possibility that a malicious third party impersonates an information distribution side such as a store, performs a disguised broadcast to a customer who should not receive information provision, and provides information not intended by the information provision side.

  The present invention has been made in view of the above problems, and provides an authentication system that can enhance the security of wireless communication to prevent information interception, spoofed broadcasting, and the like and use a safe information providing service. With the goal.

In order to achieve such an object, an authentication system according to the present invention performs authentication when providing a wireless communication device that transmits a wireless signal, a user terminal operated by a user, and provided information, and provides information when authentication is successful. An authentication system configured to provide an authentication server that provides a device ID that is identification information unique to the device when the user performs an operation for obtaining provided information. And a program identification ID for identifying a program for the user terminal to receive the provision of provision information, and operation number information indicating the number of operations for the purpose of obtaining the provision information. Using the ID and the operation count information, the authentication information associated with the provided information and stored in the own device is encrypted to generate a password. A radio signal including a ram identification ID, operation count information, and the generated password is transmitted, and the user terminal stores a program for receiving provision information and a program identification ID of the program. Is received, the program identification ID included in the radio signal is read out, it is determined whether or not the same program identification ID as the program identification ID is stored in the own device, and it is determined that the same program identification ID exists in the own device. In this case, the password, the device ID, and the operation count information included in the wireless signal are extracted and transmitted to the authentication server as a provision information acquisition request, and the authentication server receives the provision information acquisition request from the user terminal. The operation count indicated by the operation count information included in the received acquisition request indicates the operation count information of the wireless communication device managed by the own device. If the number is greater than the number of operations, the received current time is counted to obtain current time information, and the authentication information stored in the own device is obtained based on the device ID included in the provision information acquisition request. Extracted, extracted authentication information, device ID, operation count information, and encrypted using the acquired current time information to generate a password, and included in the generated password and received provision information acquisition request The authentication is performed by comparing and comparing with the password, and when the authentication is successful, the provided information is transmitted to the user terminal.

An authentication system according to the present invention includes a wireless communication device that transmits a radio signal, a user terminal operated by a user, an authentication server that performs authentication when providing the provided information, and provides the provided information when the authentication is successful When the wireless communication device is operated for the purpose of obtaining provided information by a user, the device ID that is identification information unique to the device itself and the user terminal The program identification ID for identifying the program for receiving the provision of the provision information and the operation number information indicating the number of operations for obtaining the provision information are extracted, and the current time information, the device ID, and the number of operations are extracted. Information is used to generate a password by encrypting the authentication information associated with the provided information and stored in the own device, and the extracted device ID, program identification ID, and operation The user terminal transmits a radio signal including the number information and the generated password, and the user terminal stores a program for receiving provision information and a program identification ID of the program. When the program identification ID included in the signal is read out, it is determined whether or not the same program identification ID as the program identification ID is stored in the own device, and when it is determined that the same program identification ID exists in the own device, The password, the device ID, the operation count information, and the program identification ID included in the signal are extracted and transmitted to the authentication server as a provision information acquisition request, and the authentication server receives the provision information acquisition request from the user terminal. The operation count indicated by the operation count information included in the acquired acquisition request indicates the operation count information of the wireless communication device managed by the own device. If the number is greater than the number of operations, the current time is received to obtain current time information, and the authentication information stored in the device based on the program identification ID included in the provision information acquisition request Is extracted using the extracted authentication information, device ID, operation count information, and acquired current time information to generate a password, and is included in the request for acquiring the generated password and received provided information The password is compared with a password to be authenticated, and when the authentication is successful, the provided information is transmitted to the user terminal.

  Further, according to the authentication system of the present invention, when the authentication server receives the provision information acquisition request from a plurality of user terminals within a predetermined time, the authentication server receives the provision information acquisition request received first. The authentication is performed only for.

  Further, according to the authentication system of the present invention, when the authentication server receives the provision information acquisition request from the user terminal, whether or not a predetermined time has elapsed since the provision information acquisition request was previously received from the user terminal. The authentication is performed when a predetermined time elapses.

  Further, according to the authentication system of the present invention, the current time information is acquired based on the current time obtained by converting all the current times included in the predetermined time zone into the same time.

  Also, according to the authentication system of the present invention, when the user terminal receives a radio signal from the radio communication device, the user terminal measures the current position information, and provides the provided information including the measured current position information and the information included in the radio signal. When the acquisition request is transmitted from the user terminal to the authentication server, the authentication server receives from the user terminal the current position information included in the received provision information acquisition request, the installation position of the operated wireless communication device, and Authentication is performed based on the above.

  It should be noted that any combination of the above-described constituent elements, or those obtained by replacing the constituent elements and expressions of the present invention with each other among methods, apparatuses, systems, computer programs, recording media storing computer programs, and the like are also included in the present invention. It is effective as an embodiment of

  According to the authentication system of the present invention, when a predetermined operation is performed, the wireless communication apparatus encrypts authentication information (secret key) stored in the self apparatus in association with the provided information using the current time information. To generate a password (one-time password), transmit a wireless signal including the generated password, and upon receiving the wireless signal, the user terminal sends an acquisition request for provision information including information included in the wireless signal to the authentication server When the transmission request is received from the user terminal, the authentication server generates a password by encrypting the authentication information stored in the own device using the current time information, and the generated password, The password included in the received request to obtain the provided information is compared and verified for authentication, so the security of wireless communication is enhanced to intercept information, forged broadcasts, etc. Preventing, it is possible to provide and use a secure information providing service.

It is a figure which shows the structure of the authentication system in the 1st Embodiment of this invention. It is a figure which shows the structure of the radio | wireless communication apparatus in the 1st Embodiment of this invention. It is a figure which shows the various information stored in the information storage part of the radio | wireless communication apparatus in the 1st Embodiment of this invention. It is a figure which shows an example of the external appearance of the radio | wireless communication apparatus in the 1st Embodiment of this invention. It is a figure which shows the structure of the authentication server in the 1st Embodiment of this invention. It is a figure which shows the information which the information storage part of the authentication server in the 1st Embodiment of this invention stores. It is a figure which shows an example of the data structure managed in provision information DB in the 1st Embodiment of this invention. It is a figure which shows an example of the data structure managed in authentication DB in the 1st Embodiment of this invention. It is a figure which shows the structure of the user terminal in the 1st Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 1st Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 1st Embodiment of this invention. It is a figure which shows an example of the time measuring method by the authentication system in the 1st Embodiment of this invention. It is a figure which shows the information which the information storage part of the authentication server in the 2nd Embodiment of this invention stores. It is a figure which shows an example of the data structure managed in provision information DB in the 2nd Embodiment of this invention. It is a figure which shows an example of the data structure managed in the reception time DB in the 2nd Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 2nd Embodiment of this invention. It is a figure which shows the information which the information storage part of the authentication server in the 3rd Embodiment of this invention stores. It is a figure which shows an example of the data structure managed in apparatus position DB in the 3rd Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 3rd Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 3rd Embodiment of this invention. It is a figure which shows the various information stored in the information storage part of the radio | wireless communication apparatus in the 4th Embodiment of this invention. It is a figure which shows the information which the information storage part of the authentication server in the 4th Embodiment of this invention stores. It is a figure which shows an example of the data structure managed in authentication DB in the 4th Embodiment of this invention. It is a figure which shows an example of the data structure managed in the operation frequency DB in the 4th Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 4th Embodiment of this invention. It is a sequence chart which shows the flow of provision operation | movement of the provision information by the authentication system in the 4th Embodiment of this invention.

<First Embodiment>
(Outline of the first embodiment)
In the first embodiment of the present invention, the user receives and displays information (hereinafter referred to as “provided information”) on the product etc. from the authentication server 20 using the user terminal 30, and the content of the information Confirm.
In each area such as a store or facility, one or more wireless communication devices 10 having a short-range wireless communication function are installed.
When a user carries his / her user terminal 30 and operates a button or the like provided on the wireless communication device 10, the user starts short-range wireless communication with the wireless communication device 10 and is necessary for obtaining provided information. A one-time password or the like is received from the wireless communication device 10.
When the user terminal 30 transmits the one-time password or the like received from the wireless communication device 10 to the authentication server 20, the authentication server 20 performs authentication based on the one-time password or the like, and when the authentication is successful, the wireless communication device 10 Send the provided information to.

The provided information is, for example, information related to products, services, stores, facilities, and the like, and the content corresponds to each wireless communication device 10.
For example, when the wireless communication device 10 is installed near a display place of a product with a store, the user terminal 30 may use the one-time password received from the wireless communication device 10 to obtain information about the product (in the manual). Information, advertisement information, etc.).
Therefore, when a user visits a store or facility and operates the wireless communication apparatus 10 provided in the store or facility, the store or facility itself, a product sold at the store or facility, or a service provided The provided information related to the product can be acquired, and the product can be easily understood. In addition, the store or facility side can expect an effective advertising effect.

(Configuration of the first embodiment)
(1) Overall Configuration of Authentication System FIG. 1 is a diagram showing a configuration of an authentication system according to the first embodiment of the present invention.
As shown in the figure, the authentication system is installed in a store or facility, and when the button is pressed, the wireless communication device 10 transmits a one-time password necessary for obtaining provided information via wireless short-range communication. In addition, short-distance wireless communication is possible with the wireless communication device 10, and the user terminal 30 that receives and displays the provision information associated with the wireless communication device 10 and the one-time password are authenticated, In the case of successful authentication, the authentication server 20 is configured to transmit the provision information associated with the wireless communication device 10 to the user terminal 30 via the network.
Hereinafter, the configuration of each component device 10, 20, and 30 of the authentication system will be described in detail.

(2) Configuration of Radio Communication Device 10 FIG. 2 is a diagram showing a configuration of the radio communication device 10 according to the first embodiment of the present invention.
As shown in the figure, a control unit 11 configured by a CPU or the like and controlling the entire wireless communication device 10, an information storage unit 12 for storing various information necessary for a user to obtain provided information, and short-range wireless communication The communication unit 13 that transmits the various information to the user terminal 30, the display unit 14 that displays the state (usable / unusable) of the wireless communication device 10, a button for instructing the start of short-range wireless communication, and the like And an operation unit 15 provided with.

FIG. 3 is a diagram illustrating various types of information stored in the information storage unit 12 of the wireless communication device 10 according to the first embodiment of the present invention.
As shown in the figure, the information storage unit 12 encrypts the secret key 121, which is authentication information associated with each wireless communication device 10 and is kept secret, and the secret key. A one-time password generation program 122 that executes a process for generating a password, a unique device ID 123 that identifies the wireless communication device 10, and a unique UUID 124 (Universally Unique Identifier) that identifies a program that provides the provided information providing service And are stored.
The control unit 11 of the wireless communication device 10 has a timekeeping function. Based on the current time information indicating the current time measured by the timekeeping function and the secret key, a one-time password is generated using a one-time password generation program. Is generated.

FIG. 4 is a diagram illustrating an example of the appearance of the wireless communication device 10 according to the first embodiment of the present invention.
In the example shown in the figure, the wireless communication device 10 has a tag shape, and is tied to a product displayed in a store by a strap 19.
In this example, the display unit 14 is configured by an LED or the like, and represents the state of the wireless communication device 10.
The operation unit 15 has a button shape. When the user is interested in a product associated with the wireless communication device 10, for example, a wireless signal is transmitted by pressing the button, and the user terminal Provision information about the product is provided at 30.
As described above, the wireless communication device 10 may be disposed so as to be physically associated with the product like a tag, or may be disposed at a store or facility apart from the product. .
In addition to the above example, for example, the wireless communication device 10 may be installed in a place where a user can easily visit, a place where a service is provided, such as a reception or entrance of a store or facility.

(3) Configuration of Authentication Server 20 The authentication server 20 is a server device managed by the store side, facility side, or other information management company that provides the provided information, and manages or distributes the provided information etc. And authenticate based on a one-time password.

FIG. 5 is a diagram showing a configuration of the authentication server 20 in the first embodiment of the present invention.
As shown in the figure, the authentication server 20 includes a CPU and the like, and controls the entire server, an information storage unit 22 that stores provided information and an authentication database, and the user terminal 30 via the network 100. And a communication unit 23 that transmits and receives information.
The control unit 21 has a timekeeping function, and when receiving a provision information acquisition request from the user terminal 30, it counts the reception time.

FIG. 6 is a diagram illustrating information stored in the information storage unit 22 of the authentication server 20 according to the first embodiment of this invention.
As shown in the figure, the information storage unit 22 includes the provision information 221 that is information related to a store, a facility, a product, a service, or the like associated with each wireless communication device 10 and a unique information that identifies each provision information. Providing information DB (database) 222 in which the providing information ID is associated with the device ID of the wireless communication device 10, the secret key stored in each wireless communication device 10, and the stored wireless communication device 10 One-time password generation program for executing processing for generating a one-time password based on a secret key and an authentication DB (database) 223 used for authentication when providing provided information to a user 224 are stored.
For example, the provision information 221 includes product description information associated with the wireless communication device 10, usage method information or advertisement information, information on a store or facility where the wireless communication device 10 is installed (the store or facility). Or the contents of services provided at the store or facility, information on advertisements, or the like.
Each provision information 221 is prepared for each wireless communication device 10 in principle, and a unique provision information ID for identifying each provision information 221 is associated with each provision information 221.
The one-time password generation program 224 stored in the information storage unit 22 of the authentication server 20 executes a process similar to the one-time password generation program 122 stored in the information storage unit 12 of the wireless communication device 10. It is.

FIG. 7 is a diagram illustrating an example of a data configuration managed in the provision information DB 222 according to the first embodiment of this invention.
In the example shown in the figure, the provided information IDs “0001”, “0002”, “0003”,... Are associated with the device IDs “B0001”, “B0012”, “B0013”,. It is shown.
Therefore, for example, when the wireless communication device 10 with the device ID “B0001” is operated by the user, if the authentication is successful, the provision information 221 with the provision information ID “0001” associated with the device ID “B0001”. Is transmitted from the authentication server 20 to the user terminal 30.

FIG. 8 is a diagram illustrating an example of a data configuration managed in the authentication DB 223 according to the first embodiment of this invention.
In the example shown in the figure, the device IDs “B0001”, “B0002”, “B0003”... Are associated with the secret keys “156542”, “980031”, “642980”,. It is shown.
That is, the secret keys “156542”, “980031”, “642980”,... Are stored in the information storage unit 12 of each wireless communication device 10 with the device IDs “B0001”, “B0002”, “B0003”. Each is shown to be stored.

(4) Configuration of User Terminal 30 The user terminal 30 is an information processing apparatus operated by a user who receives provision information 221.
For example, the user receives provision of the provision information 221 from the authentication server 20 by operating the wireless communication device 10 installed in association with a product, a store, a facility, etc., and purchases the product or the store And the use of services related to facilities.
For example, the user terminal 30 is a smartphone, a tablet terminal, a mobile phone, a PDA, a PHS, a notebook PC, or the like.

FIG. 9 is a diagram illustrating a configuration of the user terminal 30 according to the first embodiment of the present invention.
As shown in the figure, the user terminal 30 includes a CPU or the like, and controls the entire user terminal 30; an information storage unit 32 that stores various types of information such as a user ID of a user who operates the user terminal 30; While transmitting / receiving information to / from the authentication server 20 via the network 100 such as the Internet, the communication unit 33 that performs short-range wireless communication with the wireless communication device 10 and various types of information such as provided information 221 are displayed. And a display unit 34 that includes various keys and buttons, and an operation unit 35 that inputs various types of information.
In addition, the display unit 34 and the operation unit 35 may be integrally configured to form a touch panel.

Further, in the user terminal 30, an application (software) for the user to receive the provision information 221 in the present embodiment is stored in the information storage unit 32, and is implemented so that the application can be executed.
The application includes a unique UUID 124 for identifying the application, and is stored in the information storage unit 32.

The information storage unit 32 of the user terminal 30 stores a unique user terminal ID for identifying each user terminal 30 for identifying the own device.
When the user terminal 30 transmits an acquisition request for the provision information 221 to the authentication server 20, the user terminal 30 includes the user terminal ID in the acquisition request.

(Operation of the first embodiment)
(1) Providing Operation of Provided Information 221 by Authentication System FIGS. 10 and 11 are sequence charts showing the flow of the providing operation of the provided information 221 by the authentication system in the first embodiment of the present invention.
Hereinafter, the providing operation of the providing information 221 will be described in detail with reference to FIG.

Hereinafter, as an example, it is assumed that a user visits a store that sells clothes and considers the purchase of each product displayed and sold at the store. In addition, each wireless communication device 10 is associated with each product displayed and sold at the store, as shown in the example of FIG.
The provided information 221 is, for example, product information such as price, size, and color variations of each product, coordinate information indicating a combination of the product and other clothes.

  The user visits the store with the user terminal 30 and operates the operation unit 15 of the wireless communication apparatus 10 associated with the product of interest to request acquisition of the provision information 221 about the product (step S101). ). At this time, specifically, for example, the user presses a button constituting the operation unit 15.

Then, the control unit 11 of the wireless communication device 10 measures the current time and acquires current time information based on the measured current time (step S102).
At this time, the control unit 11 extracts the secret key 121 stored in the information storage unit 12 (step S103), and based on the extracted secret key 121 and the acquired current time information, A one-time password is generated by the password generation program 122 (step S104).
Here, the current time information is handled as, for example, information of a numeric string.
A method for generating a one-time password, which is a new numeric string, from the secret key 121, which is two numeric strings, and the current time information is not limited to a specific method, and any conventional method may be used. Can do.
However, when the combination of the secret key 121 and the current time information is the same, the same one-time password is always generated.

  Then, the control unit 11 extracts the device ID 123 and UUID 124 stored in the information storage unit 12 (step S105), and transmits a radio signal including the extracted device ID 123 and UUID 124 and the generated one-time password. Transmission is performed by short-range wireless communication (step S106).

Here, by adjusting the radio field intensity of the radio signal including the apparatus ID transmitted by the radio communication apparatus 10 and adjusting the radio field intensity recognized among the radio signals received by the user terminal 30, within a certain distance from the own apparatus. Only the device (user terminal 30) located can be configured to be able to receive the wireless signal.
Therefore, even when a plurality of users carrying the user terminal 30 are visiting a store or facility, only the user terminal 30 of the user who operates the operation unit 15 of the wireless communication device 10 receives the wireless signal. Can do.

When the user terminal 30 receives the radio signal from the radio communication device 10, the user terminal 30 reads the UUID 124 included in the received radio signal, and whether the UUID that is the same as the UUID 124 included in the radio signal is stored in the information storage unit 32. It is determined whether or not (step S107).
Here, when it is determined that the same UUID as the UUID 124 of the wireless signal is not stored in the information storage unit 32 (step S107 / No), an application for receiving provision of the provision information 221 is installed in the user terminal 30. The operation is terminated because it cannot be received.

On the other hand, when it is determined that the same UUID as the UUID 124 of the wireless signal is stored in the information storage unit 32 (Yes in step S107), an application for receiving provision of the provision information 221 is installed in the user terminal 30. And you will be able to receive that offer.
Next, the control unit 31 extracts the one-time password and the device ID 123 from the wireless signal received from the wireless communication device 10 (step S108), and uses the extracted information as an acquisition request for the provision information 221. Via the authentication server 20 (step S109).

When the authentication server 20 receives the acquisition request (one-time password and device ID) for the provision information 221 from the user terminal 30, the control unit 21 of the authentication server 20 counts the current time and indicates the current time. Current time information is acquired (step S110).
Next, the control unit 21 of the authentication server 20 refers to the authentication DB 223 and extracts a secret key associated with the device ID included in the received acquisition request (step S111).

  Next, the control unit 21 generates a one-time password by the one-time password generation program 224 based on the secret key extracted from the authentication DB 223 and the acquired current time information (step S112).

Next, the control unit 21 compares the generated one-time password with the one-time password received from the user terminal 30, and determines whether or not the two one-time passwords match (step S113).
If the control unit 21 determines that the one-time passwords do not match (step S113 / No), the control unit 21 recognizes that the authentication has failed and the user of the user terminal 30 that has transmitted the acquisition request for the provision information 221 The authentication server 20 determines that the user is not actually operating the wireless communication device 10 and ends the operation without providing the provision information 221.

On the other hand, when the control unit 21 determines that the one-time passwords match (step S113 / Yes), the control unit 21 recognizes that the authentication is successful and the user of the user terminal 30 that has transmitted the acquisition request for the provision information 221 actually It is determined that the user has operated the wireless communication device 10.
Next, the control unit 21 of the authentication server 20 refers to the provision information DB 222, extracts the provision information ID associated with the device ID received from the user terminal 30, and obtains the provision information 221 of the provision information ID. Extracted from the information storage unit 22 (step S114).
The authentication server 20 transmits the extracted provision information 221 to the user terminal 30 (step S115).

When receiving the provision information 221 from the authentication server 20, the user terminal 30 displays it on the display unit 34 (step S116).
The user views the provision information 221 displayed on the display unit 34 and considers the purchase of the product displayed in front of him.

(2) Acquisition operation of current time information As described above, the control unit 11 of the wireless communication device 10 and the control unit 21 of the authentication server 20 measure the current time, and acquire the current time information indicating the measured current time. To do.
Then, the control unit 21 of the authentication server 20 is generated based on the one-time password generated based on the current time information acquired by the control unit 11 of the wireless communication apparatus 10 and the current time information acquired by the control unit 21 itself. The two current time information must indicate the same time because authentication is performed by comparing the one-time password with the one-time password, and when the two one-time passwords match, the authentication is recognized as successful.
However, in actuality, a little time may elapse after the wireless communication device 10 acquires the current time information until the authentication server 20 acquires the current time information.
When there is a difference in timing between the two current times, the identity of the two current time information (matching at the time of authentication) is compensated as follows.

In the present embodiment, the control units 11 and 21 convert all the current times included in the measured time range T of the predetermined current time into the earliest current time in the range T, and based on the converted current time Get current time information.
Specific examples will be described below.

FIG. 12 is a diagram illustrating an example of a clocking method by the authentication system according to the first embodiment of this invention.
In this figure, the horizontal axis indicates the actual current time, and the vertical axis indicates the current time information acquired by the control unit 11 of the wireless communication apparatus 10 and the control unit 21 of the authentication server 20 based on the actual current time. It's time.
In the example of this figure, when the actual current time is between “15: 5: 14” and “15: 5: 14”, the control units 11 and 21 have the current time “15: 5: 00”. The current time information indicating is acquired.
In addition, at a predetermined time before the current time “15: 4: 59”, current time information indicating that the current time is “15: 4: 45” is acquired, and the current time is “15: 5: 15”. At a predetermined time after “,” the control units 11 and 21 acquire current time information indicating that the current time is “15: 5: 15”.

For example, in the example of FIG. 12 above, when the user operates the operation unit 15 of the wireless communication device 10, the control unit 11 of the wireless communication device 10 actually measures the current time at “15:50:00”. In this case, the current time information indicating the current time of “15: 5: 00” is acquired.
On the other hand, even if the control unit 21 of the authentication server 20 actually measures the current time at “15: 5: 02” by the same operation of the user, the current “15: 5: 00” Obtain current time information indicating the time.
As a result, a minute time elapses between the time measured by the control unit 11 of the wireless communication apparatus 10 and the time measured by the control unit 21 of the authentication server 20. Even when a slight deviation occurs in the current time, the two control units 11 and 21 can acquire the current time information indicating the same current time. As a result, the authentication server 20 Appropriate authentication can be performed when comparing and collating one-time passwords.

  As described above, in the present embodiment, the current time included in the predetermined current time range T (15: 5: 00-7: 59) is the earliest current time in the range T (15: 5). The current time information is included in the current time information, but may be converted to another current time (for example, 15: 6: 00) as long as the time is within the range T.

In addition, it is preferable to set the said range T to such an extent that the shift | offset | difference of the timing timing of the control parts 11 and 21 is eliminated.
For example, if the range T is set too wide, such as one hour, a request for obtaining the provision information 221 is illegally performed by a malicious third party who intercepts a wireless signal between the wireless communication device 10 and the user terminal 30. Since the possibility increases, it is important to set the range T to an appropriate range in consideration of this point.

(Summary of the first embodiment)
As described above, according to the authentication system in the first embodiment of the present invention, when providing the provided information 221 in response to an acquisition request from the user terminal 30, the authentication server 20 The received one-time password and the one-time password generated by itself are compared and collated, and the provision information 221 is provided only when the authentication is successful, so that a high level of security can be ensured. The user terminal of the user who operated the wireless communication device 10 without providing the provision information 221 to a device that intercepted the radio signal transmitted to the user terminal 30 and illegally requested acquisition of the provision information 221 The provision information 221 can be provided only to 30.
That is, even if a malicious third party who illegally intercepts a wireless signal steals the device ID and the one-time password from the wireless signal, the provided information 221 is invalidated as time passes. An illegal acquisition request cannot be made.
Further, even if the malicious third party tries to illegally generate a one-time password, the secret key 121 that is the basis thereof is not included in the wireless signal and cannot be intercepted. Even after all, it is not possible to make an unauthorized acquisition request for the provided information 221.
As a result, the malicious third party can prevent an illegal act such as the provision information 221 being transmitted to the user terminal 30 of the user who is not operating the wireless communication device 10 by using the device ID that has been stolen. be able to.

In principle, one secret key 121 is associated with one wireless communication apparatus 10, but a plurality of secret keys 121 may be associated with each other and stored in the information storage unit 12.
In this case, the extracted secret key 121 differs depending on the operation method of the operation unit 15. For example, when the operation unit 15 is provided with two buttons, the secret key 121 extracted may be different depending on the pressed button. Further, when the button of the operation unit 15 is pressed for a short time, a different secret key 121 may be extracted depending on when the button is pressed for a long time.

<Second Embodiment>
(Outline of the second embodiment)
According to the first embodiment described above, the authentication server 20 performs authentication when receiving an acquisition request for the provision information 221 from the user terminal 30, and if the authentication is successful, the authentication server 20 uses the provision information 221 for the user terminal 30. Send to and provide.
In the second embodiment of the present invention, when the authentication server 20 receives a one-time password or the like for the same device ID from a plurality of different user terminals 30 within a predetermined time, the one-time password or the like received first Only the authentication and the provision information 221 are provided.
As described above, the authentication server 20 provides an unauthorized one-time password or the like by providing only one user terminal 30 among a plurality of user terminals 30 that have requested acquisition of the provision information 221 within a predetermined time. It is possible to effectively eliminate the trouble that a large number of users receive provision of provision information 221 that is not desired at one time by a request for provision of provision information 221 from a device that performs eavesdropping and unauthorized transmission, etc. It becomes.
Further, in the present embodiment, the authentication server 20 can increase the advertisement effect as expected by adjusting the timing of repeatedly providing the same provided information 221 to the same user terminal 30.
Hereinafter, unless otherwise specified, the authentication system according to the second embodiment of the present invention will be described as being the same as the authentication system according to the first embodiment.

(Configuration of Second Embodiment)
(1) Configuration of Authentication Server 20 FIG. 13 is a diagram showing information stored in the information storage unit 22 of the authentication server 20 in the second embodiment of the present invention.
As shown in the figure, the information storage unit 22 is provided with the provision information 221 as in the first embodiment.
The provision information DB 222, the authentication DB 223, and the one-time password generation program 224 are stored.
In the present embodiment, in addition to each of the components 221 to 224, a reception history database (DB) 225 for managing a reception history of an acquisition request for the provision information 221 from each user terminal 30 is stored.

The provision information DB 222 is a database that manages which provision information 221 is provided by operating which wireless communication device 10 is operated.
Also, in the provision information DB 222, each provision information 221 is managed by an item “provision time” indicating an interval at which the provision information can be provided to the same user.

FIG. 14 is a diagram illustrating an example of a data configuration managed in the provision information DB 222 according to the second embodiment of this invention.
In the example shown in the figure, in the provision information DB 222, the device IDs “B0001”, “B0012”, “B0013”... And the earliest determination time “10 seconds”, “10 seconds”, “5 seconds”. The provision time to the same user “24 hours later”, “1 week later”, “no restriction”, and so on are provided in the provided information IDs “0001”, “0002”, “0003”,. It is shown that they are associated with each other.
Therefore, for example, when the wireless communication device 10 with the device ID “B0001” is operated by the user, if the authentication is successful, the provision information 221 with the provision information ID “0001” associated with the device ID “B0001”. Is transmitted from the authentication server 20 to the user terminal 30.
In addition, requests for obtaining the provided information 221 from a plurality of user terminals 30 are sent to the authentication server 20 within the “first determination time” (for example, “10 seconds” in the case of the provided information 221 with the provided information ID “0001”). If there is, the authentication server 20 provides the provision information 221 only to the user terminal 30 that has made the acquisition request received first.
Further, when the authentication server 20 provides the provision information 221 with the provision information ID “0001” to the user terminal 30 of a certain user, if “24 hours” have not elapsed since the provision time, the authentication server 20 The same provision information 221 is not provided.
For example, in the case where the provided information 221 is a discount / free coupon, etc., if one user obtains many times in a short period of time, the advertising effect of providing the provided information 221 is the discount / free portion that the store bears. It may not be worth the price. In such a case, as described above, the authentication server 20 adjusts the appropriate provision timing of the provision information 221 by providing a restriction such as “24 hours” in the provision time in the provision information DB 222.

FIG. 15 is a diagram illustrating an example of a data configuration managed in the reception history DB 225 according to the second embodiment of this invention.
As shown in the figure, the reception history DB 225 indicates the time when the authentication server 20 receives the acquisition request for the provision information 221 and the user terminal ID of the user terminal 30 that is the transmission source of the provision information of the provision information 221. Management is performed for each device ID.
The control unit 21 of the authentication server 20 refers to the reception history DB 225 to determine from which user terminal 30 when the acquisition request for the provision information 221 is received, and the latest provision request for the provision information 221 related to each wireless communication device 10. It is possible to recognize which one is (when the latest time is, how long has passed since the latest time), and the like.

The control unit 21 of the authentication server 20 does not elapse until a predetermined time (first determination time) set in the provision information DB 222 has elapsed since the reception time of the acquisition request for the latest provision information 221 written in the reception history DB 225. The acquisition request for the provision information 221 received at that time is not handled effectively and the request is not responded.
On the contrary, after a predetermined time (first determination time) has elapsed, the acquisition request for the provision information 221 received at that time is handled effectively, and the provision information 221 is provided in response to the request.

In addition, the control unit 21 of the authentication server 20 determines a predetermined time (providing time for the same user) set in the provision information DB 222 in advance from the reception time of the acquisition request for the provision information 221 from a certain user written in the reception history DB 225. ) The same provision information 221 is not provided until the time has elapsed.
On the contrary, after a predetermined time (providing time for the same user) has elapsed, the acquisition request for the provision information 221 received at that time is handled effectively, and the provision information 221 is provided in response to the request.

(Operation of Second Embodiment)
FIG. 16 is a sequence chart showing a flow of an operation of providing the provision information 221 by the authentication system according to the second embodiment of the present invention.
Hereinafter, the providing operation of the providing information 221 will be described in detail with reference to FIG.

Hereinafter, as an example, it is assumed that a user visits a store that sells clothes and considers the purchase of each product displayed and sold at the store. In addition, each wireless communication device 10 is associated with each product displayed and sold at the store, as shown in the example of FIG.
The provided information 221 is, for example, product information such as price, size, and color variations of each product, coordinate information indicating a combination of the product and other clothes.

  Operations from when the user operates the wireless communication device 10 in this embodiment until the user terminal 30 transmits an acquisition request for the provided information 221 to the authentication server 20 are the same as in steps S101 to S110 of the first embodiment. Since it is the same as the operation, the description is omitted.

  When receiving the acquisition request (one-time password, device ID, and user terminal ID of the user terminal 30) of the provision information 221 from the user terminal 30, the authentication server 20 measures the received time (step S201).

Next, the control unit 21 of the authentication server 20 refers to the reception history DB 225, and the predetermined time (set in the provision information DB 222 in advance from the latest reception time of the acquisition request for the provision information 221 related to the received device ID) ( It is determined whether or not the earliest determination time has elapsed (step S202).
If the authentication server 20 determines that the predetermined time (first determination time) has not elapsed since the latest reception time (step S202 / No), the authentication server 20 concentrates within the predetermined time (first determination time). Since the acquisition request for the provision information 221 is received from a plurality of user terminals 30 and the acquisition request for the provision information 221 received this time is recognized not to be the first one, the acquisition request for this time is invalidated, authentication processing, etc. The operation is terminated without executing.

  On the other hand, if the authentication server 20 determines that a predetermined time (first determination time) has elapsed from the latest reception time (step S202 / Yes), a plurality of authentication servers 20 within the predetermined time (first determination time). Since the acquisition request for the provision information 221 has not been received from the user terminal 30, the authentication server 20 proceeds with the authentication process for the acquisition request for the provision information 221 received this time.

  Next, the control unit 21 refers to the reception history DB 225 and extracts the latest reception history when the acquisition request is received from the received user terminal ID for the provision information 221 associated with the device ID 123. (Step S203).

  Next, the control unit 21 refers to the provision information DB 222 and extracts information on “provision time to the user” associated with the device ID 123 (step S204).

Then, the control unit 21 compares the time of the latest reception history of the acquisition request of the provision information 221 from the extracted user terminal 30 with the information of the extracted “provision time to user”, and From the latest reception time of the acquisition request for the provision information 221 from the user terminal 30, it is determined whether or not the time indicated in the “provision time to the user” has already elapsed (step S205).
Here, when the control unit 21 determines that it has not yet elapsed (step S205 / No), the control unit 21 determines that an appropriate time has not yet arrived to provide the provision information 221 to the user. Then, the operation ends without providing the provision information 221.

  On the other hand, when the control unit 21 determines that the time has already elapsed (step S205 / Yes), the control unit 21 determines that an appropriate time has arrived to provide the user with the provision information 221. Proceed with the authentication process.

  Next, the control unit 21 of the authentication server 20 writes the received time and the received user terminal ID in the received history DB 225 as a received history in association with each other (step S206).

  Since the subsequent authentication processing and the provision operation of the provision information 221 (steps S207 to S212) are the same as the respective operations (steps S111 to S116) of the first embodiment, the description thereof is omitted.

(Summary of the second embodiment)
As described above, according to the second embodiment of the present invention, when the authentication server 20 requests acquisition of the provision information 221 from a plurality of user terminals 30 within a predetermined time, the authentication server 20 first Since the authentication process is executed only for the received one-time password, etc., and the provision information 221 is provided, a malicious third party illegally intercepts a wireless signal between the wireless communication device 10 and the user terminal 30, It is possible to prevent the provision information 221 from being transmitted to the user terminal 30 that has not requested acquisition of the provision information 221.

  Further, according to the second embodiment of the present invention, the authentication server 20 acquires the same provision information 221 from the same user terminal 30 when receiving an acquisition request for the provision information 221 from a certain user terminal 30. Since the provision information 221 is provided only when a predetermined time has elapsed since the request was received, authentication can be performed so that the provision information 221 can be provided at an appropriate timing.

<Third Embodiment>
(Outline of the third embodiment)
According to the first embodiment described above, the authentication server 20 performs authentication when receiving an acquisition request for the provision information 221 from the user terminal 30, and if the authentication is successful, the authentication server 20 uses the provision information 221 for the user terminal 30. Send to and provide.
In the third embodiment of the present invention, when the authentication server 20 receives the acquisition request for the provision information 221 from the user terminal 30, the current location information of the user terminal 30 included in the acquisition request and the acquisition request The wireless communication apparatus 10 corresponding to the apparatus ID included in the same is compared with the installation position of the wireless communication apparatus 10 to determine whether or not the two positions are separated by a predetermined distance or more.
If the authentication server 20 determines that the wireless communication device 10 is not more than a predetermined distance away, it can be said that the operation of the wireless communication device 10 has not been performed by the user of the user terminal 30, and therefore the request for obtaining the provision information 221 is illegal. Therefore, it does not respond to the acquisition request.
Hereinafter, unless otherwise specified, the description will proceed assuming that the authentication system according to the third embodiment of the present invention is the same as the authentication system according to the first embodiment.

(Configuration of the third embodiment)
(1) Configuration of User Terminal 30 In the third embodiment of the present invention, the control unit 31 of the user terminal 30 has a function of acquiring current position information of the own device (user terminal 30).
For this position information search function, any conventional method can be applied. For example, the position information search function may use a GPS function or base station information of a mobile communication network.
When the user terminal 30 transmits an acquisition request for the provision information 221 including a one-time password or the like to the authentication server 20, the user terminal 30 also transmits to the authentication server 20 including the current position information of the own device.

(2) Configuration of Authentication Server 20 FIG. 17 is a diagram showing information stored in the information storage unit 22 of the authentication server 20 in the third embodiment of the present invention.
As shown in the figure, the information storage unit 22 of the authentication server 20 stores the provision information 221, the provision information DB 222, the authentication DB 223, and the one-time password generation program 224, as in the first embodiment. .
In the present embodiment, in addition to each of the components 221 to 224, an apparatus location database (DB) 226 is further stored.

FIG. 18 is a diagram illustrating an example of a data configuration managed in the device location DB 226 according to the third embodiment of this invention.
As shown in the figure, in the apparatus position DB 226, the authentication server 20 manages information on the installation position (installation position information) of each wireless communication apparatus 10.
In the example of the figure, the installation position information is expressed by latitude (northern latitude) and longitude (east longitude), but may be another expression method such as a combination of a distance from a reference point and a direction.

  When the acquisition request of the provision information 221 including the current position information and the device ID of the authentication server 20 and the user terminal 30 is received from the user terminal 30, the installation position associated with the received device ID with reference to the device position DB 226 The information and the received current position information of the user terminal 30 are compared and collated, and if both positions are not separated by a predetermined distance or more, it is determined that the request for obtaining the correct provision information 221 is obtained, and authentication based on the subsequent one-time password Proceed to

(Operation of the third embodiment)
19 and 20 are sequence charts showing the flow of the operation of providing the provision information 221 by the authentication system according to the third embodiment of the present invention.
Hereinafter, the providing operation of the providing information 221 will be described in detail with reference to FIG.

Hereinafter, as an example, it is assumed that a user visits a store that sells clothes and considers the purchase of each product displayed and sold at the store. In addition, each wireless communication device 10 is associated with each product displayed and sold at the store, as shown in the example of FIG.
The provided information 221 is, for example, product information such as price, size, and color variations of each product, coordinate information indicating a combination of the product and other clothes.

  The operation from when the user operates the wireless communication apparatus 10 in this embodiment until the user terminal 30 confirms that the UUID is stored in the information storage unit 32 is the same as that in step S101 of the first embodiment. Since the operation is the same as that of S107, the description thereof is omitted.

When the control unit 31 of the user terminal 30 determines that the same UUID as the UUID 124 of the radio signal is stored in the information storage unit 32, the control unit 31 acquires the current position information of the own device (user terminal 30) (step S301).
The current position information may be expressed by, for example, latitude and longitude, or may be another expression method such as a combination of a distance from a reference point and a direction, and is not limited to these.

  Next, the control unit 31 extracts the one-time password and the device ID 123 from the wireless signal received from the wireless communication device 10 (step S302), and provides the extracted information and the acquired current location information as the provided information 221. Is sent to the authentication server 20 via the network 100 (step S303).

  When the authentication server 20 receives an acquisition request for the provision information 221 (one-time password, device ID, and current location information acquired by the user terminal 30) from the user terminal 30, the control unit 21 measures the received current time. The current time information is acquired (step S304).

  Next, the control unit 21 refers to the device position DB 226 and extracts installation position information associated with the device ID included in the received acquisition request (step S305).

  Next, the control unit 21 of the authentication server 20 compares and compares the extracted installation position information with the received current position information, and determines whether or not both positions indicated by both position information are within a predetermined distance. Is determined (step S306).

Here, when the control unit 21 determines that both positions are separated by a predetermined distance or more (step S306 / No), the control unit 21 has transmitted a request for obtaining the provision information 221 with the user who has operated the wireless communication device 10. It is determined that the user of the user terminal 30 is a different person, and the acquisition request is recognized as illegal.
For example, when the installation position of the corresponding wireless communication device 10 is Sapporo in Hokkaido and the current position of the user terminal 30 is Shibuya-ku, Tokyo, the user of the user terminal 30 operates the wireless communication device 10. Since this is physically impossible, it is determined that the acquisition request for the provision information 221 is illegal.
At this time, the authentication server 20 terminates the operation of the one-time password received this time without executing the authentication process or the like.

On the other hand, when the control unit 21 determines that the distance between the two positions is less than the predetermined distance (step S306 / Yes), the control unit 21 has transmitted a request for obtaining the provision information 221 with the user who has operated the wireless communication device 10. It is determined that the user of the user terminal 30 is the same person, and the acquisition request is recognized as valid.
Since the subsequent authentication processing and the provision operation of the provision information 221 (steps S307 to S312) are the same as the operations (steps S111 to S116) in the first embodiment of the present invention, the description thereof is omitted.

(Summary of the third embodiment)
As described above, according to the third embodiment of the present invention, the authentication server 20 sets the location of the wireless communication device 10 operated by the user and the user terminal 30 of the user who seems to have performed the operation. If both positions are separated by a predetermined distance or more compared to the current position, the user of the user terminal 30 that has requested acquisition of the provision information 221 is impersonating the user who operated the wireless communication device 10. And the request for obtaining the provision information 221 is rejected.
Therefore, it becomes possible to prevent the provision of unauthorized provision information 221 by a malicious third party who intercepts a wireless signal between the wireless communication device 10 and the user terminal 30 in advance.

<Fourth embodiment>
(Outline of the fourth embodiment)
In the first to third embodiments described above, authentication is performed using a one-time password generated using current time information.
On the other hand, in the authentication system in the fourth embodiment of the present invention described below, authentication is performed based on the number of times the wireless communication device 10 has been operated.
Hereinafter, unless otherwise specified, the authentication system according to the fourth embodiment of the present invention is described as being the same as the authentication system according to the first embodiment.

(Configuration in the fourth embodiment)
(1) Overall configuration of authentication system An authentication system according to the fourth embodiment of the present invention includes:
Similar to the first embodiment,
The wireless communication device 10 includes a user terminal 30 and an authentication server 20.
Hereinafter, the configuration of each component device 10, 20, and 30 of the authentication system will be described in detail.

(2) Configuration of Radio Communication Device 10 As in the first embodiment, the radio communication device 10 according to the fourth embodiment of the present invention includes a control unit 11, an information storage unit 12, a communication unit 13, and the like. The display unit 14 and the operation unit 15 are configured.

FIG. 21 is a diagram illustrating various pieces of information stored in the information storage unit 12 of the wireless communication device 10 according to the fourth embodiment of the present invention.
As shown in the figure, the information storage unit 12 includes a secret key 121 that is authentication information and is kept secret to the outside, a unique device ID 123 that identifies the wireless communication device 10, and
A unique UUID 124 (Universally Unique Identifier) for identifying a program for providing the provision service of the provision information, operation number information 125 indicating the total number of operations of the operation unit 15 of the wireless communication apparatus 10 up to the present, and the secret key , A device password generation program 126 that executes processing for generating a device password that is one of the passwords based on the device ID and the operation count information, and the device ID 123, the operation count information 125, and the device password are encrypted. An encryption program 127 that makes it difficult to steal information is stored.

The control unit 11 of the wireless communication device 10 has a function of counting the number of operations, and the device password generation program 126 is executed based on the operation number information counted by the counting function, the secret key 121, and the device ID 123. To generate a device password.
Further, the control unit 11 encrypts the generated device password, the device ID 123, and the operation count information 125 using the encryption program 127, and the communication unit 13 transmits the encrypted information to the radio signal. To the outside of the wireless communication device 10.

In the first embodiment, the secret key 121 is authentication information unique to each wireless communication device 10, but in this embodiment, the secret key 121 is common among a plurality of wireless communication devices 10. May be held as authentication information.
In the present embodiment, a plurality of types of UUIDs 124 of software that can use the provision service of the provision information 221 are set. Also, a plurality of types of secret keys 121 are prepared corresponding to the UUIDs 124.
In the information storage unit 12 of each wireless communication device 10, one UUID 124 among the plurality of UUIDs 124 is stored, and one secret key 121 corresponding to the stored UUID 124 is stored.

(3) Configuration of Authentication Server 20 The authentication server 20 is a server device managed by the store side, facility side, or other information management company that provides the provided information, and manages or distributes the provided information etc. And at the time of distribution, authentication is performed.

  The authentication server 20 according to the fourth embodiment of the present invention includes a control unit 21, an information storage unit 22, and a communication unit 23, as in the first embodiment.

FIG. 22 is a diagram illustrating information stored in the information storage unit 22 of the authentication server 20 according to the fourth embodiment of the present invention.
As shown in the figure, the information storage unit 22 includes provision information 221 that is information related to a store, a facility, a product, a service, or the like associated with each wireless communication device 10, and a unique provision that identifies each provision information. The provided information DB (database) 222 in which the information ID and the device ID of the wireless communication device 10 are associated with each other, the device position database (DB) 226 that manages information on the installation position of each wireless communication device 10, and the secret A device password generation program 227 that executes processing for generating a device password that is one of passwords based on the key, device ID, and operation count information, and decryption that decrypts each piece of information encrypted by the encryption program 127. Program 228, each UUID 124, and a secret key 121 assigned to each UUID 124 An authentication database (DB) 229 managed in association with each other, an operation number database (DB) 230 for managing each device ID 123 and the operation frequency information of the wireless communication device 10 of each device ID 123 in association with each other are stored. To do.

  The device position DB 226 is a database similar to the device position DB 226 in the third embodiment, and manages the device ID and the installation position information in association with each other.

  The device password generation program 227 stored in the information storage unit 22 of the authentication server 20 is a program that executes the same processing as the device password generation program 126 stored in the information storage unit 12 of the wireless communication device 10.

As described above, the wireless communication device 10 stores the encryption program 127 that is different for each UUID 124 stored in the information storage unit 12 in the information storage unit 12 in the same manner.
The decryption program 228 is prepared for each encryption program 127 for each UUID 124 in order to decrypt the information encrypted by the plurality of types of encryption programs 127. The authentication program 228 is stored in the information storage unit 22 of the authentication server 20.

FIG. 23 is a diagram illustrating an example of a data configuration managed in the authentication DB 229 according to the fourth embodiment of this invention.
The example shown in the figure indicates that UUIDs “xxxxxxxx”, “xxxx02”, “xxxx03”,... Are associated with secret keys “156542”, “980031”, “642980”,. Has been.
That is, the secret key “156542”, “980031”, “642980”,... It is shown that each is stored.

FIG. 24 is a diagram illustrating an example of a data configuration managed in the operation count DB 230 according to the fourth embodiment of this invention.
In the example shown in the figure, the operation ID information “302”, “154”, “369”,... Are associated with the device IDs “B0001”, “B0002”, “B0003”. It is shown.
That is, the wireless communication devices 10 with device IDs “B0001”, “B0002”, “B0003”,... -It is shown that it is being operated.

(4) Configuration of User Terminal 30 The user terminal 30 is an information processing apparatus operated by a user who receives provision information 221.
As in the first embodiment, the user terminal 30 according to the fourth embodiment of the present invention includes a control unit 31, an information storage unit 32, a communication unit 33, a display unit 34, and an operation unit 35. It is comprised.

Further, in the user terminal 30, an application (software) for the user to receive the provision information 221 in the present embodiment is stored in the information storage unit 32, and is implemented so that the application can be executed.
The application includes a unique UUID 124 for identifying the application, and is stored in the information storage unit 32.

(Operation of the fourth embodiment)
(1) Provided Information 221 Providing Operation by Authentication System FIGS. 25 and 26 are sequence charts showing a flow of providing information 221 providing operation by the authentication system in the fourth exemplary embodiment of the present invention.
Hereinafter, the providing operation of the providing information 221 will be described in detail with reference to FIG.

Hereinafter, as an example, it is assumed that a user visits a store that sells clothes and considers the purchase of each product displayed and sold at the store. In addition, each wireless communication device 10 is associated with each product displayed and sold at the store, as shown in the example of FIG.
The provided information 221 is, for example, product information such as price, size, and color variations of each product, coordinate information indicating a combination of the product and other clothes.

  The user visits the store with the user terminal 30 and operates the operation unit 15 of the wireless communication apparatus 10 associated with the product of interest to request acquisition of the provision information 221 about the product (step S401). ). At this time, specifically, for example, the user presses a button constituting the operation unit 15.

  Then, the control unit 11 of the wireless communication apparatus 10 increases the number of operations indicated by the operation number information 125 by “1” and updates the value of the number of operations (step S402).

Next, the control unit 11 extracts the secret key 121 and device ID 123 stored in the information storage unit 12 (step S403), and extracts the secret key 121 and device ID extracted and the updated operation count information. Based on this, a device password is generated by the device password generation program 126 (step S404).
Here, the device ID is handled as, for example, information of a numeric string.
The method for generating a device password, which is a new numeric string, from the secret key 121, the device ID 123, and the operation count information 125, which are three numeric strings, is not limited to a specific method, and any conventional method can be used. Can be used.
However, when the combination of the secret key 121, the device ID 123, and the operation count information 125 is the same, the same device password is always generated.

Next, the control unit 11 encrypts the extracted device ID 123, the updated operation count information 125, and the generated device password using the encryption program 127 (step S405).
The encryption method is not limited to a specific method, and any conventional method can be used.

  Then, the control unit 11 extracts the UUID 124 (step S406), and transmits a wireless signal including the extracted UUID 124, the encrypted device ID 123, the operation count information 125, and the device password by short-range wireless communication (step S406). S407).

Here, by adjusting the radio wave intensity of the radio signal transmitted by the radio communication device 10 and adjusting the radio wave intensity recognized among the radio signals received by the user terminal 30, a device (within a certain distance from the own device ( Only the user terminal 30) can be configured to receive the radio signal.
Therefore, even when a plurality of users carrying the user terminal 30 are visiting a store or facility, only the user terminal 30 of the user who operates the operation unit 15 of the wireless communication device 10 receives the wireless signal. Can do.

When the user terminal 30 receives the wireless signal from the wireless communication device 10, the user terminal 30 extracts the UUID 124 included in the received wireless signal, and the UUID that is the same as the UUID 124 included in the wireless signal is stored in the information storage unit 32. It is determined whether or not there is (step S408).
Here, if it is determined that the same UUID as the UUID 124 of the wireless signal is not stored in the information storage unit 32 (step S408 / No), an application for receiving provision of the provision information 221 is installed in the user terminal 30. The operation is terminated because it cannot be received.

On the other hand, when it is determined that the same UUID as the UUID 124 of the radio signal is stored in the information storage unit 32 (step S408 / Yes), an application for receiving provision of the provision information 221 is installed in the user terminal 30. And you will be able to receive that offer.
Next, the control unit 31 acquires the current position information of the own device (user terminal 30) (step S409).
The current position information may be expressed by, for example, latitude and longitude, or may be another expression method such as a combination of a distance from a reference point and a direction, and is not limited to these.

  Next, the control unit 31 extracts the encrypted device ID 123, the operation count information 125, and the device password from the wireless signal received from the wireless communication device 10 (step S410), and extracts the extracted information and the extracted information. The UUID 124 and the acquired current position information are transmitted to the authentication server 20 via the network 100 as an acquisition request for the provision information 221 (step S411).

  When the authentication server 20 receives the acquisition request (device ID 123, operation count information 125, device password, UUID 124, current position information) of the provision information 221 from the user terminal 30, the control unit 21 of the authentication server 20 12 is used to decrypt the encrypted device ID 123, operation count information 125, and device password included in the provision information 221 acquisition request (step S412).

Next, the control unit 21 refers to the operation number DB 230 and extracts operation number information associated with the decrypted device ID (step S413).
Next, the control unit 21 compares the operation count information extracted from the operation count DB 230 with the decrypted operation count information 125, and the decrypted operation count information 125 is extracted from the operation count DB 230. It is determined whether or not the number is larger than the operation count information (whether or not the number is large) (step S414).
Here, when the control unit 21 determines that the decrypted operation count information 125 is equal to or smaller than the operation count information extracted from the operation count DB 230 (step S414 / No), the decryption operation count information 125 is decrypted. It is recognized that the acquisition request for the provision information 221 including the operation count information 125 is not valid.
That is, the control unit 21 determines that the user of the user terminal 30 that has transmitted the acquisition request for the provision information 221 is not the user who actually operated the wireless communication device 10, and the authentication server 20 provides the provision information 221. Without stopping, the operation is finished.

On the other hand, when the control unit 21 determines that the decrypted operation number information 125 is larger than the operation number information extracted from the operation number DB 230 (step S414 / Yes), the provision information 221 is provided. It is recognized that the user of the user terminal 30 that has transmitted the acquisition request is the user who actually operated the wireless communication apparatus 10 and the acquisition request for the provision information 221 including the decrypted operation count information 125 is valid. To do.
Next, the control unit 21 extracts the UUID 124 from the received acquisition request, refers to the authentication DB 229, and extracts the secret key 121 associated with the extracted UUID 124 (step S415).

  Next, the control unit 21 uses the device password generation program 227 based on the secret key extracted from the authentication DB 223, the decrypted device ID 123, and the decrypted operation count information 125 to use the device password. Is generated (step S416).

Next, the control unit 21 compares the generated device password with the decrypted device password, and determines whether or not the two device passwords match (step S417).
If the control unit 21 determines that the two device passwords do not match (step S417 / No), the control unit 21 recognizes that the authentication has failed and the user of the user terminal 30 that has transmitted the acquisition request for the provision information 221 actually Therefore, the authentication server 20 ends the operation without providing the provision information 221.

  On the other hand, if the control unit 21 determines that the two device passwords match (step S417 / Yes), the control unit 21 recognizes that the authentication is successful, and the user of the user terminal 30 that has transmitted the acquisition request for the provision information 221 actually wirelessly It is determined that the user has operated the communication device 10.

  Next, the control unit 21 refers to the device position DB 226 and extracts installation position information associated with the decrypted device ID 123 (step S418).

  Next, the control unit 21 of the authentication server 20 compares the extracted installation position information with the current position information included in the acquisition request for the provision information 221, and both positions indicated by both position information are within a predetermined distance range. It is judged whether it is in (step S419).

Here, when it is determined that both positions are separated by a predetermined distance or more (step S419 / No), the control unit 21 has transmitted a request for obtaining the provision information 221 with the user who has operated the wireless communication device 10. It is determined that the user of the user terminal 30 is a different person, and the acquisition request is recognized as illegal.
For example, when the installation position of the corresponding wireless communication device 10 is Sapporo in Hokkaido and the current position of the user terminal 30 is Shibuya-ku, Tokyo, the user of the user terminal 30 operates the wireless communication device 10. Since this is physically impossible, it is determined that the acquisition request for the provision information 221 is illegal (authentication failure).

  On the other hand, when the control unit 21 determines that the distance between the two positions is less than the predetermined distance (step S419 / Yes), the control unit 21 has transmitted a request for obtaining the provision information 221 with the user who has operated the wireless communication device 10. It is determined that the user of the user terminal 30 is the same person, and the acquisition request is recognized as valid (authentication success).

As described above, when the authentication is successful, the control unit 21 of the authentication server 20 refers to the provision information DB 222, extracts the provision information ID associated with the decrypted device ID 123, and extracts the provision information ID. The provided information 221 is extracted from the information storage unit 22 (step S420).
The authentication server 20 transmits the extracted provision information 221 to the user terminal 30 (step S421).

When receiving the provision information 221 from the authentication server 20, the user terminal 30 displays it on the display unit 34 (step S422).
The user views the provision information 221 displayed on the display unit 34 and considers the purchase of the product displayed in front of him.

(Summary of the fourth embodiment)
As described above, according to the authentication system in the fourth embodiment of the present invention, when providing the provided information 221 in response to an acquisition request from the user terminal 30, the authentication server 20 Authentication is performed based on whether or not the acquired number of operations of the wireless communication device 10 exceeds the number of past operations of the wireless communication device 10 managed by the own device, and the provision information 221 is provided only when the authentication is successful. For a device that has intercepted a wireless signal transmitted from the wireless communication device 10 to the user terminal 30 and has illegally requested acquisition of the provision information 221. Can provide the provision information 221 only to the user terminal 30 of the user who operates the wireless communication device 10 without providing the provision information 221.

  Further, in the fourth embodiment of the present invention, the device password received from the user terminal 30 is compared with the device password generated by itself, and the provision information 221 is provided only when the authentication is successful. It becomes possible to guarantee a high level of security.

Further, according to the fourth embodiment of the present invention, the authentication server 20 determines the installation position of the wireless communication device 10 operated by the user and the current position of the user terminal 30 of the user who seems to have performed the operation. In comparison, when both positions are separated by a predetermined distance or more, it is determined that the user of the user terminal 30 that has requested acquisition of the provision information 221 is impersonating the user who operated the wireless communication device 10. The acquisition request for the provision information 221 is rejected.
Therefore, it becomes possible to prevent the provision of unauthorized provision information 221 by a malicious third party who intercepts a wireless signal between the wireless communication device 10 and the user terminal 30 in advance.

In this embodiment, a plurality of UUIDs 124 are assigned to each wireless communication device 10. However, a common UUID 124 is assigned to all the wireless communication devices 10 and stored in the information storage unit 12. Good.
In this case, a common secret key 121 is stored in the information storage unit 12 of all the wireless communication devices 10.

As described in the present embodiment, the authentication server 20 determines that the number of operations of the wireless communication device 10 received from the user terminal 30 is “1” more than the number of operations of the wireless communication device 10 managed by the own device. The authentication is not successful only when “too many”, but the authentication is successful only when “too many”.
By configuring in this way, even if the wireless communication state between the wireless communication device 10 and the user terminal 30 is poor and the wireless communication device 10 is operated, the user terminal 30 may not be able to receive a wireless signal. The authentication server 20 can execute appropriate authentication without affecting the subsequent authentication.

<Summary of Embodiment>
As described above, according to the authentication system in the first to third embodiments of the present invention, the authentication server 20 includes the one-time password included in the acquisition request for the provision information 221 received from the user terminal 30; Since the comparison is made with the one-time password generated based on the secret key stored in its own database to authenticate whether or not the acquisition request is valid, the wireless communication device 10 to the user terminal 30 It is possible to eliminate an unauthorized acquisition request for the provision information 221 from a malicious third party who intercepts a radio signal transmitted to the network.

  Further, according to the authentication system in the fourth embodiment of the present invention, the authentication server 20 includes the number of operations of the wireless communication device 10 managed by itself and the wireless included in the information received from the user terminal 30. The number of operations of the communication device 10 is compared and authentication is performed to determine whether or not the acquisition request is valid. Therefore, a malicious third that intercepts a wireless signal transmitted from the wireless communication device 10 to the user terminal 30. It is possible to eliminate an unauthorized acquisition request for the provision information 221 from a person.

The wireless communication device 10, the authentication server 20, and the user terminal 30 are realized mainly by a program loaded on the CPU and the memory. However, it is also possible to configure this apparatus or server by a combination of any other hardware and software, and the high degree of freedom of design will be easily understood by those skilled in the art.
When the wireless communication device 10, the authentication server 20, or the user terminal 30 is configured as a software module group, the program is recorded on a recording medium such as an optical recording medium, a magnetic recording medium, a magneto-optical recording medium, or a semiconductor. It may be loaded from the above recording medium or may be loaded from an external device connected via a predetermined network.

The above-described embodiment is an example of a preferred embodiment of the present invention. The embodiment of the present invention is not limited to this, and various modifications can be made without departing from the scope of the present invention. It becomes possible to do.
For example, an authentication system configured by combining the authentication system in the second embodiment described above and the authentication system in the third embodiment can be realized.
In addition, in the authentication system in the fourth embodiment, the one-time password authentication in the first embodiment and the acquisition request of the earliest provision information 221 received by the authentication server 20 in the second embodiment It is also possible to apply a combination of techniques that effectively process only the above.
Further, the combination is not limited to the above.

DESCRIPTION OF SYMBOLS 10 Wireless communication apparatus 11,21,31 Control part 12,22,32 Information storage part 13,23,33 Communication part 14,34 Display part 15,35 Operation part 19 Strap 20 Authentication server 30 User terminal 100 Network 121 Secret key 122 , 224 One-time password generation program 123 Device ID
124 UUID
125 Operation count information 126, 227 Device password generation program 127 Encryption program 221 Provision information 222 Provision information DB
223,229 Authentication DB
225 Reception history DB
226 Device position DB
228 Decryption program 230 Number of operations DB

Claims (6)

A wireless communication device that transmits a wireless signal; a user terminal that is operated by a user; and an authentication server that authenticates the provided information and provides the provided information when the authentication is successful. Authentication system,
When the wireless communication device is operated for the purpose of obtaining provided information by the user,
An apparatus ID that is identification information unique to the own apparatus, a program identification ID that identifies a program for the user terminal to receive the provision of the provision information, and an operation that indicates the number of operations for the purpose of obtaining the provision information Extract frequency information and
Using the current time information, the device ID, and the operation count information, generate a password by encrypting authentication information associated with the provided information and stored in the own device,
A radio signal including the extracted device ID, program identification ID, the operation count information, and the generated password is transmitted,
The user terminal stores a program for receiving provision of the provision information and a program identification ID of the program. Upon receiving the radio signal, the user terminal reads the program identification ID included in the radio signal, and When it is determined whether or not the same program identification ID as the program identification ID is stored in the own device, and it is determined that the same program identification ID exists in the own device, the password and the device included in the wireless signal Extracting the ID and the operation count information and sending it to the authentication server as an acquisition request for the provision information,
When the authentication server receives an acquisition request for the provision information from the user terminal, the number of operations indicated by the operation number information included in the received acquisition request is an operation of the wireless communication apparatus managed by the own device. If the number of operations is greater than the number of operations indicated by the number information, the current time is received to acquire the current time information, and stored in the own device based on the device ID included in the provision information acquisition request The authentication information is extracted, and the extracted authentication information, the device ID, the operation count information, and the acquired current time information are encrypted to generate a password, and the generated password The authentication system is characterized by comparing and verifying with a password included in the received provision information acquisition request, and transmitting the provision information to the user terminal when the authentication is successful. Beam. A wireless communication device that transmits a wireless signal; a user terminal that is operated by a user; and an authentication server that authenticates the provided information and provides the provided information when the authentication is successful. Authentication system,
When the wireless communication device is operated for the purpose of obtaining provided information by the user,
An apparatus ID that is identification information unique to the own apparatus, a program identification ID that identifies a program for the user terminal to receive the provision of the provision information, and an operation that indicates the number of operations for the purpose of obtaining the provision information Extract frequency information and
Using the current time information, the device ID, and the operation count information, generate a password by encrypting authentication information associated with the provided information and stored in the own device,
A radio signal including the extracted device ID, program identification ID, the operation count information, and the generated password is transmitted,
The user terminal stores a program for receiving provision of the provision information and a program identification ID of the program. Upon receiving the radio signal, the user terminal reads the program identification ID included in the radio signal, and When it is determined whether or not the same program identification ID as the program identification ID is stored in the own device, and it is determined that the same program identification ID exists in the own device, the password and the device included in the wireless signal Extracting the ID, the number-of-operations information, and the program identification ID, and sending it to the authentication server as an acquisition request for the provided information;
When the authentication server receives an acquisition request for the provision information from the user terminal, the number of operations indicated by the operation number information included in the received acquisition request is an operation of the wireless communication apparatus managed by the own device. If the number of operations is greater than the number of operations indicated by the number information, the current time is received to acquire the current time information, and stored in the own device based on the program identification ID included in the provision information acquisition request And generating the password by encrypting using the extracted authentication information, the device ID, the operation count information, and the acquired current time information, and generating the password And a password included in the received request for obtaining provided information are compared and authenticated, and when the authentication is successful, the provided information is transmitted to the user terminal. Authentication system.   When the authentication server receives the provision information acquisition request from a plurality of the user terminals within a predetermined time, the authentication server performs authentication only for the received provision information acquisition request received first. The authentication system according to claim 1 or 2, characterized in that.   When the authentication server receives the provision information acquisition request from the user terminal, the authentication server determines whether or not a predetermined time has elapsed since the provision information acquisition request was previously received from the user terminal. The authentication system according to any one of claims 1 to 3, wherein authentication is performed when time elapses.   5. The authentication according to claim 1, wherein the current time information is acquired based on a current time obtained by converting all current times included in a predetermined time zone into the same time. 6. system. When the user terminal receives the wireless signal from the wireless communication device, the user terminal measures current position information, and the authentication request is received for the provided information acquisition request including the measured current position information and information included in the wireless signal. To the server,
When the authentication server receives the provision information acquisition request from the user terminal, the authentication server performs authentication based on the current position information included in the received provision information acquisition request and the installation position of the operated wireless communication device. The authentication system according to any one of claims 1 to 5, wherein:

Images