JP5958043B2 - Authentication system, authentication method, and authentication program - Google Patents

Description

  The present invention relates to an authentication system, an authentication method, and an authentication program, and more particularly, to an authentication system, an authentication method, and an authentication program that authenticate a user by reading an authentication card of a different authentication method.

  Vending machines such as vending machines, beverages, food and drinks, cigarettes, tickets, etc. (hereinafter collectively referred to as vending machines) have become widespread. The company sells goods and copying functions by inserting money or prepaid cards.

  In recent years, billing settlement using an electronic card for a copy operation, a scanner operation, and the like has been proposed in a copy apparatus installed in a convenience store, a store, or the like (see Patent Document 1).

  However, in the above prior art, electronic cards with different authentication methods (standards) have been issued by various card companies, and conventionally, one of these electronic cards with different authentication methods has been selected. Thus, it is possible to make a settlement only with the specified electronic card as applied to the vending machine. As a result, when an electronic card is used to use a vending machine, the electronic card cannot be authenticated without using the electronic card applied to the vending apparatus, and electronic card payment is used. It is not possible to make a payment using the vending machine. As a result, there has been a need for improvement in making use of electronic cards and settlement based on authentication while improving usability.

  Accordingly, an object of the present invention is to perform authentication by reading authentication information from storage media having different authentication methods.

To achieve the above object, an authentication system according to claim 1 includes a plurality of authentication devices that perform user authentication based on the authentication information of a storage medium storing authentication information related to authentication, and the storage medium. An authentication system in which an information processing apparatus that provides various information processing services on the condition of user authentication used and an auxiliary apparatus that assists user authentication in the information processing apparatus are connected by a predetermined communication line. The storage medium has a secret area and a non-secret area, and a settlement possible amount for billing by the information processing apparatus is recorded in the secret area, and the auxiliary device is for accessing the storage medium. A storage means for storing an access file in which information is recorded and an authentication module for decoding authentication information of the storage medium; and in response to a request from the information processing apparatus And an auxiliary information providing unit that provides the access module and the authentication module, and the information processing apparatus acquires communication source that communicates with the storage medium and authentication source information that identifies an authentication source of the storage medium Authentication source information acquisition means, auxiliary information acquisition means for acquiring the access file and the authentication module corresponding to the authentication source information acquired by the authentication source information acquisition means from the auxiliary device, and the auxiliary information acquisition means An authentication information acquisition means for accessing the storage medium by the communication means using the access file and acquiring the authentication information from the storage medium using an authentication module acquired by the auxiliary information acquisition means; and An authentication information transmitting means for transmitting the authentication information to the authentication device corresponding to the authentication information; and A notification unit that receives the authentication result of the authentication based on the transmitted authentication information from the authentication device testimony information notifying an authentication permission result, various information processing services provided to the user successfully authenticated by the storage medium Charging means for subtracting the charge amount for the storage medium from the settlement possible amount of the storage medium using the access file, and sending the charge amount charged by the charge means to the auxiliary device as charge information, Charging information notifying means for requesting the auxiliary device to transmit the charging information to the authentication source .

  According to the present invention, authentication information can be read and authenticated from storage media having different authentication methods.

1 is a system configuration diagram of an authentication system to which an embodiment of the present invention is applied. The block block diagram of an authentication system. The principal part block block diagram of a decoding apparatus and an information processing part. The top view of an operation input part. The functional block diagram of an information processing part. Authentication processing sequence diagram. FIG. 7 is a sequence diagram showing a continuation of the authentication process of FIG. 6. The figure which shows an example of company ID. The flowchart which shows company ID acquisition processing. The figure which shows an example of the storage area and data storage state of an electronic card. The flowchart which shows the detailed process of a company ID acquisition process. The figure which shows an example of the instruction | indication file by an XML file format. The figure which shows an example of the batch file of an instruction | indication. The figure which shows the example of notification of service utilization information. The figure which shows an example of a log file.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In addition, since the Example described below is a suitable Example of this invention, various technically preferable restrictions are attached | subjected, However, The range of this invention is unduly limited by the following description. However, not all the configurations described in the present embodiment are essential constituent elements of the present invention.

  1 to 15 are diagrams showing an embodiment of an authentication system, an authentication method, and an authentication program of the present invention, and FIG. 1 is an embodiment of an authentication system, an authentication method, and an authentication program of the present invention. 1 is a system configuration diagram of an authentication system 1. FIG.

  In FIG. 1, an authentication system 1 includes a composite device 10, a relay server (auxiliary device) CSV, and a plurality of authentication servers (authentication devices) NSVa to NSVn connected by a LAN (Local Area Network) that is a predetermined communication line. Yes. Note that the predetermined communication line is not limited to the LAN, but may be, for example, a dedicated line, the Internet, or the like. In FIG. 1, the composite device 10 and the relay server CSV are connected to the LAN one by one. However, a plurality of composite devices 10 and relay servers CSV may be connected to the LAN.

  The multifunction device 10 is connected to a charging device 11 and a card R / W (communication means) 12 for reading and writing an electronic card EC as a storage medium, and an information processing unit (information processing device) 13 shown in FIG. It is equipped with.

  The multifunction device 10 provides services such as a coffee service that reads an image of a document and prints it out on paper, a scanner-to-memory service that reads an image of a document and stores it in a storage memory such as a USB (Universal Serial Bus), A scan-to-transfer service that reads an image of a document and transmits it to a designated computer, a scan-to-media service that reads an image of a document and stores it in an external medium, and image data transmitted from an external device such as a computer or external media When using a print service, a facsimile service, or the like to record and output on paper, the cash is charged into the billing device 11 according to the fee (charge) set in advance for the requested service, or the card R / W 12 Requests user authentication with the held electronic card EC.

  The authentication system 1 enables the use of the composite device 10 by performing user authentication using the electronic card EC when the composite device 10 is used. Since different types of electronic cards (in FIG. 1, types of electronic cards from Company A to Company N) have been issued, authentication methods corresponding to electronic cards EC of different authentication methods are executed and appropriately authenticated. I do.

  Therefore, the authentication system 1 of the present embodiment connects the composite apparatus 10 to the relay server CSV, and the relay server CSV is used for authentication of the electronic card EC held from the authentication servers NSVa to NSVn of each company to the card R / W 12. An access file in which information for accessing the necessary authentication module and the common area (non-secret area) and the secret area of the electronic card EC of a plurality of authentication methods is stored in the internal memory (storage means) and combined By providing the composite apparatus 10 in response to a request from the apparatus, the authentication information of the electronic card EC of a different authentication method is performed using the card R / W 12 without preparing an authentication module of each company in the composite apparatus 10. .

  As shown in FIG. 2, the multifunction device 10 is mounted with the card R / W 12 connected and the information processing unit 13 connected via a LAN. The connection with the device 10 is not limited to the LAN, and may be connected with a dedicated line such as a bus while being built in the composite device 10.

  In the authentication system 1, the information processing unit 13 is connected to the relay server CSV via a LAN, and the relay server CSV is connected to the authentication servers NSVa to NSVn of each company via a communication line such as a LAN or the Internet.

  The composite apparatus 10 and the information processing unit 13 are configured as blocks as shown in FIG. The composite apparatus 10 includes a LAN control unit 21, a printing unit 22, an image reading unit 23, and the like. The information processing unit 13 includes a LAN control unit 31, a CPU (Central Processing Unit) 32, a memory 33, a storage unit 34, An external media input / output unit 35, an operation input unit 36, a wireless control unit 37, and the like are provided.

  The printing unit 22 and the image reading unit 23 of the multifunction apparatus 10 operate under the control of the CPU 32 via the LAN control unit 21 and the LAN and LAN control unit 31 of the information processing unit 13, and perform the above various services to the information processing unit. Provided under 13 controls.

  The printing unit 22 forms and outputs a color image or a monochrome image on a sheet based on the image data delivered from the information processing unit 13 by a predetermined printing method (electrophotographic method, ink ejection method, etc.).

  For example, an image scanner using a charge coupled device (CCD) or a complementary metal oxide semiconductor (CMOS) is used as the image reading unit 23, and generally includes an ADF (Auto Document Feeder). The ADF feeds the set originals one by one to the original reading position of the image reading unit 23. The image reading unit 23 irradiates the original conveyed from the ADF with light, photoelectrically converts the light reflected by the original with a CCD or CMOS, and reads an image on the original with a predetermined resolution.

  The LAN control unit 21 exchanges signals and data with the information processing unit 13 via the LAN.

  The storage unit 34 is composed of a hard disk or the like, and stores image data of a document read by the image reading unit 23, image data sent from an information processing apparatus such as a computer, image data read from an external medium, and the like. The basic control program of the composite apparatus 10, the authentication program of the present invention, and various data necessary for executing the program are stored under the control of a CPU (Central Processing Unit) 32.

  The memory 33 is composed of a RAM (Random Access Memory) or the like, and is used as a work memory for the CPU 32.

  The CPU 32 controls each unit of the information processing unit 13 and the composite device 10 based on a program in the storage unit 34 to cause the composite device 10 to perform basic processing as the composite device and execute the authentication method of the present invention. To do.

  That is, the information processing unit 13 includes a ROM, an EEPROM (Electrically Erasable and Programmable Read Only Memory), an EPROM, a flash memory, a flexible disk, a CD-ROM (Compact Disc Read Only Memory), a CD-RW (Compact Disc Rewritable), a DVD. An authentication program for executing the authentication method of the present invention recorded on a computer-readable recording medium such as a (Digital Versatile Disk), an SD (Secure Digital) card, or an MO (Magneto-Optical Disc) is read into the storage unit 34. The information processing apparatus is configured to execute an authentication method for appropriately performing authentication using the electronic card EC without depending on an authentication method described later. This authentication program is a computer-executable program written in a legacy programming language such as assembler, C, C ++, C #, Java (registered trademark) or an object-oriented programming language, and is stored in the recording medium. Can be distributed.

  Then, as will be described later, the CPU 32 uses the access file and the auxiliary information acquisition unit that acquires the access file and authentication module corresponding to the acquired company ID as the authentication source information from the relay server CSV, and the card R / W 12 uses the access file. Authentication information acquisition means for accessing the secret area and the common area (non-secret area) of the electronic card EC and acquiring the authentication information from the electronic card EC using the authentication module, and the authentication information of the authentication source corresponding to the authentication information In addition to functioning as authentication information transmitting means for transmitting to the authentication servers NSVa to NSVn, together with the operation input unit 36 described later, authentication results based on the authentication information are sent from the authentication servers NSVa to NSVn that have transmitted the authentication information. It functions as a notification means for receiving and notifying the result of authentication.

  The external media input / output unit 35 is detachably mounted with a portable external medium such as a USB (Universal Serial Bus) memory card, SD card, etc., and under the control of the CPU 32, writing data to the external medium and the external medium Read data from.

  For example, as shown in FIG. 4, the operation input unit 36 includes a function key 41 for designating various functions (copy, scan, etc.), a numeric keypad 42, a power key 43, a login / logout key 44, a start key 45, a clear / stop. A key 46 and an LCD (Liquid Crystal Display) 47 with a touch panel are provided, and the external media input / output unit 35 is provided.

  The login / logout key 44 is pressed when logging in to the multifunction apparatus 10 and using various services (functions) of the multifunction apparatus 10, particularly when logging in using the electronic card EC and using the multifunction apparatus 10. In addition, this button is pressed when logging out after the use of the multifunction apparatus 10 is completed.

  The clear / stop key 46 is pressed when clearing or stopping various operations by the input operation or the composite apparatus 10.

  The touch panel LCD 47 has a touch panel overlaid on the LCD display screen. Various function buttons are displayed on the LCD display screen, and the position on the touch panel LCD 47 corresponding to the function button is touch-operated. Thus, commands assigned to the function buttons, data selection, key input, and the like can be performed. The LCD 47 with a touch panel functions together with the CPU 32 as notifying means for receiving an authentication result for the authentication request from the authentication servers NSVa to NSVn and notifying the authentication result.

In FIG. 3 again, the wireless control unit 37 communicates with various devices wirelessly to exchange data and signals. The LCD 47 with a touch panel, together with the CPU 32,
Then, the information processing unit 13 has a GUI (Graphical User Interface) module 51, a charging service module 52, a card plug-in service module 53, as shown in FIG. 5, by introducing the basic program and the authentication program of the present invention. Log management service module 54, fax service module 55, scan service module 56, print service module 57, session manager module 58, ID management service module 59, media management module 60, data reception module 61, data transmission module 62, encryption Modules such as a library module 63, a data storage management module 64, and a system management module 65 are constructed.

  The GUI module 51 exchanges signals and data with the operation input unit 36, and in particular, displays a screen of function buttons that can be touch-operated on the LCD 47 with a touch panel.

  The billing service module 52 is a module that manages the provision of this service and the insertion of cash into the billing apparatus 11, although it is necessary to pay a fee to use functions such as a copy service. The charging service module 52 is changed to the free mode when the login / logout key 44 of the operation input unit 36 is pressed and the login process is completed.

  When the login / logout key 44 is pressed, the card plug-in service module 53 determines whether the electronic card EC is held at a predetermined interval. When the electronic card EC is held, the card plug-in service module 53 stores the storage area of the electronic card EC. Read information. The card plug-in service function unit 53 inquires of the relay server CSV via the session manager module 58 whether or not the ID acquired from the electronic card EC is a pre-registered ID. The card plug-in service function unit 53 performs a login permission process when the result of the inquiry to the relay server CSV is a registered ID.

  The log management service module 54 is a module for log management of information on IDs classified according to a predetermined classification standard by an ID management service module 59 described later.

  The fax service module 55 is a module that instructs the facsimile communication unit (not shown) of the multifunction apparatus 10 to transmit and receive facsimile data.

  The scan service module 56 is a module that instructs the image reading unit 23 of the multifunction apparatus 10 to read a document.

  The print service module 57 is a module that instructs the printing unit 22 of the multifunction apparatus 10 to print an image.

  The session manager module 58 is a module that issues and manages an ID necessary for login, and performs an inquiry process as to whether the ID acquired by the card plug-in service module 53 is a registered ID with respect to the relay server CSV. Also do.

  The ID management service module 59 classifies IDs read from the electronic card EC by the card plug-in service module 53 according to a predetermined classification standard, for example, a classification standard such as a company name or a user name, and cannot normally be read. This is a module that performs processing so that data in the secret storage area of the electronic card EC can be read, and details of the operation of the ID management service module 59 will be described later.

  The media management module 60 is a module that performs data writing, data reading, and data management with respect to an external medium attached to the external media input / output unit 35.

  The data receiving module 61 is a module that receives a data file via a network or from a screen.

  The data transmission module 62 is a module that transmits a data file such as a data file stored in the data storage management module 64 to a specified destination via a network.

  The encryption library module 63 transmits the data as an encrypted code when exchanging data to the secret area of the electronic card EC with the relay server CSV, and also transmits the code from the relay server CSV to the data This module expands to

  The data storage management module 64 is a module that performs storage management of data in the data storage unit such as the memory 33, the storage unit 34, and an external medium.

  The system management module 65 is a module that checks and activates each service state when the information processing unit 13, that is, the composite apparatus 10 is activated. The system management module 65 is a module that terminates the service when the information processing unit 13, that is, the multifunction apparatus 10 is terminated.

  The relay server CSV is an issuer that is an authentication source of an electronic card EC that may be used in the composite apparatus 10 in order to support all authentication methods of the electronic card EC that may be used in the composite apparatus 10. It is connected to authentication servers NSVa to NSVn of companies (in FIG. 1 and FIG. 2 from company A to company N) by a network such as a LAN, and the card company code of the electronic card EC is sent from the information processing unit 3 of the composite apparatus 10. When the authentication module of the corresponding card company code has already been stored in the internal memory, the authentication module is passed to the information processing unit 13, but the authentication module of the corresponding card company code is stored in the internal memory. If not, the authentication module is automatically downloaded from each authentication server NSVa-NSVn of the card company Stores in the internal memory Te, and passes the information processing unit 13. Further, the relay server CSV has an access file in which information for accessing the secret area and the common area of the electronic card EC is recorded, specifically, an instruction file described in the XML format described later, and the instruction An instruction batch file for executing the file is stored in the internal memory, and although not shown, an auxiliary information providing function (auxiliary information providing means) that is passed to the information processing unit 13 of the composite apparatus 10 is provided together with the authentication module.

  Further, the relay server CSV updates the authentication modules stored in the built-in memory by accessing the authentication servers NSVa to NSVn of each company periodically or at an appropriate timing.

  Each of the authentication servers NSVa to NSVn is an authentication server for a normal electronic card EC, and does not perform any special operation or processing in the present invention, and provides an authentication module in response to an authentication module request from the relay server CSV. The authentication result is transmitted in response to the authentication request.

  Next, the operation of this embodiment will be described. The authentication system 1 according to the present embodiment performs user authentication using the electronic card EC when using the composite device 10, thereby performing charge processing when using the composite device 10 using the electronic card EC, exemption from charge, Processing such as usage management (management of the number of copies, etc.) is performed.

  However, it is desirable that the electronic card EC used for user authentication differs depending on the place where the multifunction apparatus 10 is installed, or that a plurality of authentication type electronic cards EC can be used.

  Therefore, the authentication system 1 according to the present embodiment uses the authentication method of the electronic card EC requested to be once authenticated by the relay server CSV in order to properly authenticate the electronic cards EC of these plural authentication methods in the composite apparatus 10. Are downloaded from the authentication servers NSVa to NSVn and stored, and the authentication module and the access file are transferred to the information processing unit 13 of the composite apparatus 10 which has made an authentication request to the relay server CSV, and the card User authentication can be performed by causing the R / W 12 to read authentication information necessary for authentication from the secret area of the electronic card EC.

  That is, the authentication system 1 performs authentication processing according to an authentication processing sequence as shown in FIGS. As shown in FIG. 6, when the user U operates the login / logout key 44 that is a card authentication screen transition button of the operation input unit 36 of the multifunction apparatus 10 (S1), the printing system 1 For example, the GUI module 51 displays and outputs a card authentication screen as shown in FIG. 4 on the LCD 47 with a touch panel of the operation input unit 36, and in response to this display, the user inserts the electronic card EC as an authentication card into the card R / When it is held over W12 (S2), the GUI module 51 makes a card number acquisition request to the card plug-in module 53 (S2.1). In FIG. 6 and FIG. 7, in the notation of each module, the letter of the module is omitted, and for example, the GUI module is indicated only as GUI.

  Upon receiving a card number acquisition request, the card plug-in module 53 performs card initialization, performs read processing (S2.1.1), reads the company ID as authentication source information from the electronic card EC, The ID management service module 59 is requested to confirm the consistency of the read company ID (S2.1.2).

  The card plug-in 53 confirms the consistency of the company ID and passes the confirmation result to the card plug-in 53. FIG. 6 shows a case where the company ID is not registered in the data storage management module 64. For example, as shown in FIG. 8, the company ID is registered for each company.

  If there is a report from the ID management service module 59 that the company ID is not registered, the card plug-in 53 notifies the GUI module 64 that the card number has been successfully acquired but the company ID is not registered.

  When notified that the company ID is not registered, the GUI module 64 displays a message prompting the company ID to be input on the LCD 47 with a touch panel of the operation input unit 36 (S2.2). When entered, the entered company ID is passed to the card plug-in module 53 together with a card number acquisition confirmation request (S4).

  The card plug-in service module 53 performs the card number acquisition completion process (S4.1), passes the acquired company ID to the management service 59, and makes a request for checking the consistency of the company ID to the ID management service 59 ( S5) The ID management service module 59 determines the consistency of the input company ID (the number of digits of the input ID, the input character type, etc.), and if the consistency is appropriate, the card plug indicates successful consistency. Return to the in-module 53.

  When the consistency of the company ID is confirmed, the card plug-in service module 53 creates an authentication request thread (S6), performs a reading process (S7), and confirms the inquiry of the card number to the media management module 60. (S8).

  Upon receiving the card number inquiry confirmation, the media management module 60 performs processing for acquiring the data in the secret area of the card number (S8.1), processing for decryption necessity (S9), and decryption from the relay server CSV. Authentication module and access file download processing (S10), decryption start processing (S11) of the secret area of the electronic card EC using the access file and authentication module, and access file and authentication module by executing a patch file to be described later Are sequentially performed, and the encryption library module 63 is instructed to decrypt the encryption to the authentication servers NSVa to NSVn (S13).

  When the encryption library 63 receives the encrypted data from the encryption library module 63, it passes the encrypted data to the data transmission module 62 and instructs the external authentication servers NSVa to NSVn to decrypt the encrypted data. (S14) When the data reception module 61GUI module 51 performs a successful authentication display on the LCD 47 with the touch panel and receives a notification that the authentication has succeeded by the authentication servers NSVa to NSVn, the charging service module 52 by the module 51 is received. The charging control is performed to stop the charging and perform the necessary charging process (S15).

  Then, the information processing unit 13 performs processing from when the electronic card EC is held over until the company ID is acquired as shown in FIG. That is, the information processing unit 13 can determine the company name of the card company from information (data) read from the common library with the electronic card EC held over the card R / W 12, that is, the storage unit 34 or It is checked whether it matches the company ID registered in the memory 33 (step S101), and if it can be determined, the authentication module and access file of the corresponding card company are automatically acquired from the relay server CSV (step S102). At this time, the fact that the company ID is registered in the information processing unit 13 means that the authentication module and the access file of the card company corresponding to the internal memory (storage means) of the relay server CSV are already stored. Therefore, the information processing unit 13 can acquire the authentication module and access file of the corresponding card company from the relay server CSV.

  The information processing unit 13 accesses the secret area of the electronic card EC using the acquired authentication module and access file, and acquires information (data) of the secret area (step S103).

  That is, the electronic card EC has a storage area and a data storage state as shown in FIG. 10, and is stored in a secret area that is encrypted and cannot be read unless a dedicated authentication module is used. Information and information stored in a common area (common library) which is a non-secret area that is not encrypted and can be read using a common authentication module. The information processing unit 13 reads the ID of the card company from the common library group, and if the read company ID is already registered in the storage unit 34 or the memory 33, the company name can be determined. The company authentication module (for example, files such as .dll for company C, .exe for car C) and access files are read.

  Then, the information processing unit 13 reads the information of the secret area using the read authentication module, sends a decryption command to the encryption library module 63 (step S104), and determines login based on the decryption result, that is, It is checked whether login is possible (step S105). In this login determination, for example, the information processing unit 13 has an invalid company ID or information indicating the validity of the electronic card EC registered in a secret area prepared for each company (for example, an expiration date, The validity / invalidity of the electronic card EC is determined based on a use prohibition flag for an external employee and user information when linked with an in-house server.

  If login is possible in step S105 (YES in step S105), the information processing section 13 permits login (step S106), writes a log of the operation process during login, and relays it. The process is transmitted to the server CSV, and the company ID acquisition process is terminated (step S107).

  If login is impossible in step S105 (NO in step S105), the information processing section 13 rejects login and ends the company ID acquisition process (step S108).

  When the company name cannot be determined from the common library in step S101 (NO in step S101), the information processing unit 13 displays a company ID input screen on the LCD 47 with a touch panel of the operation input unit 36 ( In step S109), the consistency confirmation request for the input company ID is checked (step S110). If there is consistency (YES in step S110), the process proceeds to step S102, and the relay server CSV The same processing as described above is performed from the processing for automatically acquiring the authentication module of the corresponding card company (steps S102 to S108).

  If the input company ID is not consistent in step S110, the information processing unit 13 rejects the login and ends the company ID acquisition process (step S108).

  Then, the information processing section 13 performs the company ID acquisition processing shown in FIG. 9, particularly the initialization processing and reading processing shown in FIG. 6, as shown in FIG. That is, the information processing unit 13 initializes the library as an initialization process of the electronic card EC by the card plug-in module 53 (step S201), and is in an open state in which the card R / W 12 can be read and written. (Step S202). Next, the information processing unit 13 changes the status from the standby state to the authentication state, and ends the initialization process (step S203).

  Next, the information processing unit 13 proceeds to the reading process of the electronic card EC, and firstly sets a predetermined polling retry count that is the number of times the electronic card EC is read by polling using the card R / W 12 (step S204). ), Polling is started (step S205), and it is checked whether the status is an authentication state (step S206).

  In step S206, when the status is not in the authentication state (NO in step S206), the information processing unit 13 performs polling again to perform the color image forming apparatus knitting in which the status is the authentication state (step S205, S206).

  If the status is authenticated in step S206 (YES in step S206), the information processing unit 13 checks whether the number of read sheets is 1 (step S207), and when the number is greater than 1 (step S207). If NO in step S207, the process returns to step S205 to perform the same processing as above from polling (steps S204 to S207).

  When the number of read sheets is 1 in step S207 (YES in step S207), the information processing section 13 reads the service data (step S208) and changes the status from the authentication state to the standby state (step S208). Step S209), the card R / W 12 is closed (Step S210).

  The information processing unit 13 opens the library (step S211), and checks whether there is a transfer of a predetermined amount (for example, 500 yen in FIG. 10) in which the remaining chargeable amount of the electronic card EC is set (step S212). ) If the amount exceeds the predetermined amount, a flag file describing the card type, balance, IDM (unique ID number recorded on the electronic card EC that cannot be rewritten) and the like is generated (step S213), and the ID acquisition is successful. The notification is performed by a method such as display output on the LCD 47 with a touch panel of the operation input unit 36 by the GUI module 51, and the process is terminated (step S214).

  In step S212, if the balance is less than the predetermined amount, the information processing unit 13 performs a method such as displaying a notification of ID acquisition failure on the LCD 47 with the touch panel of the operation input unit 36 by the GUI module 51 and ends the process. (Step S215).

  That is, as shown in FIGS. 6 and 7, the information processing unit 13 reads the common area of the electronic card EC held by the card R / W 12, or obtains the company ID from the result of the input operation. Upon acquisition, the authentication module with the company ID is downloaded from the relay server CSV, the secret area of the electronic card EC is read, data necessary for authentication and data necessary for charging are acquired. At this time, the relay server CSV passes an instruction file instructing which data in which area of the electronic card EC of the company ID is read / written, for example, an XML file as shown in FIG. The information processing unit 13 accesses the electronic card EC based on the instruction file and executes a batch file of instructions as shown in FIG. 13 to write to the area described in the XML file. , Read, update, write in log, match with other data, execute authentication module in batch and execute cryptographic authentication process. The XML file (instruction file) and the instruction batch constitute an access file as a whole.

  That is, when accessing the secret area of the electronic card EC, if the interface of the card R / W 12 is open, it can be accessed using the open interface and the electronic module EC can be authenticated by the authentication module. If it is not publicized, the above-mentioned instruction file (XML file) and batch file, which are access files, can be used to call the secret area of the electronic card EC so that the authentication module can exchange data. Authenticate the electronic card EC.

Then, the determination when you log in, by referring to the limits obtained from the electronic card EC in the XML file that is pre-set to the relay server CSV (settlement amount available), the services available in the user name at the time of login Then, for example, as shown in FIG. 14, the available service is displayed and output on the LCD 47 with a touch panel of the operation input unit 36 of the information processing unit 13. In FIG. 14, when a user of a company C company uses the composite device 10 to authenticate with the electronic card EC, the maximum amount that can be used in the month of the company C is copy and fax. , And the usage status up to the current month.

  Further, as shown in FIG. 7, after the login is completed and the process is completed, the information processing unit 13 describes the executed content in a log file (billing information), passes it to the relay server CSV, and relays it. The server CSV transmits to a necessary destination, for example, a company administrator by e-mail or the like. The log file is, for example, a file as shown in FIG. 15. In FIG. 15, time (time), user (User), company (Company), secret code (SecretCode), and executed contents (color copy). One sheet, A4) is recorded.

  In the above description, the information processing unit 13 that performs authentication processing has a configuration independent of the basic function unit of the composite device 10, but the composite device 10 serves as an information processing device within the basic configuration. Authentication processing may be performed.

  As described above, the authentication system 1 according to the present embodiment includes a plurality of authentication servers (authentication devices) NSVa that perform user authentication based on the authentication information of the electronic card (storage medium) EC in which authentication information related to authentication is stored. -The composite apparatus 10 equipped with the information processing unit 13 that provides various information processing services on the condition of user authentication using the NSVnEC and the electronic card EC, and assisting the user authentication in the information processing unit 13 An authentication system 1 in which a relay server (auxiliary device) CSV is connected by a predetermined communication line, and the relay server CSV has an access file and an electronic card in which information for accessing the electronic card EC is recorded An internal memory (storage means) for storing an authentication module for decrypting EC authentication information, and access according to a request from the information processing unit 13 And an auxiliary information providing function (auxiliary information providing means) for providing a file and an authentication module. The information processing unit 13 communicates with the electronic card EC. The card R / W (communication means) 12 and the electronic card EC CPU (authentication source information acquisition means) 32 for acquiring a company ID (authentication source information) for specifying an authentication source, and CPU (auxiliary information acquisition) for acquiring an access file and an authentication module corresponding to the acquired company ID from the relay server CSV Means) 32 and a CPU (authentication information acquisition) that accesses the electronic card EC by the card R / W 12 using the access file acquired by the CPU 32 and acquires authentication information from the electronic card EC using the authentication module acquired by the CPU 32 Means) and the authentication information to authentication servers NSVa to NSVn as authentication sources corresponding to the authentication information. A CPU (authentication information transmitting means) 32 that transmits the authentication information, and a CPU 32 that is a notification means for receiving an authentication result of authentication based on the authentication information from the authentication servers NSVa to NSVn that have transmitted the authentication information and notifying the authentication result. LCD 47 with a touch panel.

  Therefore, even when a plurality of types of electronic cards EC having different authentication methods whose authentication module interface is not disclosed are used, an area where authentication information of the electronic card EC is stored is accessed and the electronic card EC is accessed. Authentication information can be acquired, and electronic cards EC with different authentication methods can be appropriately authenticated.

  The authentication system 1 of the present embodiment uses a plurality of authentication servers NSVa to NSVn that perform user authentication based on the authentication information of the electronic card EC in which authentication information related to authentication is stored, and the electronic card EC. A composite device 10 equipped with an information processing unit 13 that provides various information processing services on the condition of user authentication, an access file in which information for accessing the electronic card EC is recorded, and authentication information of the electronic card EC An authentication in which an authentication module for decoding is provided in response to a request from the information processing unit 13 and a relay server CSV that assists user authentication in the information processing unit 13 is connected via a predetermined communication line A company in which the information processing unit 13 of the system 1 communicates with the electronic card EC and a company that identifies the authentication source of the electronic card EC Authentication source information acquisition processing step for acquiring D, an auxiliary information acquisition processing step for acquiring the access file and authentication module corresponding to the acquired company ID from the relay server CSV, and the access acquired in the auxiliary information acquisition processing step An authentication information acquisition processing step of accessing the electronic card EC in the communication processing step using a file and acquiring authentication information from the electronic card EC using the authentication module acquired in the auxiliary information acquisition processing step; Is transmitted to the authentication servers NSVa to NSVn of the authentication source corresponding to the authentication information, and the authentication information is transmitted from the authentication servers NSVa to NSVn to which the authentication information is transmitted in the authentication information transmission processing step. Notification processing step for receiving the authentication result and notifying the authentication result If, running an authentication method having a.

  Therefore, even when a plurality of types of electronic cards EC having different authentication methods whose authentication module interface is not disclosed are used, an area where authentication information of the electronic card EC is stored is accessed and the electronic card EC is accessed. Authentication information can be acquired, and electronic cards EC with different authentication methods can be appropriately authenticated.

  Furthermore, the authentication system 1 of the present embodiment uses a plurality of authentication servers NSVa to NSVn that perform user authentication based on the authentication information of the electronic card EC in which authentication information related to authentication is stored, and the electronic card EC. A composite device 10 equipped with an information processing unit 13 that provides various information processing services on the condition of user authentication, an access file in which information for accessing the electronic card EC is recorded, and authentication information of the electronic card EC An authentication in which an authentication module for decoding is provided in response to a request from the information processing unit 13 and a relay server CSV that assists user authentication in the information processing unit 13 is connected via a predetermined communication line The information processing unit 13 of the system 1 specifies a communication process for communicating with the electronic card EC and an authentication source of the electronic card EC. Authentication source information acquisition processing for acquiring the company ID to be acquired, auxiliary information acquisition processing for acquiring the access file and authentication module corresponding to the acquired company ID from the relay server CSV, and the access file acquired by the auxiliary information acquisition processing An authentication information acquisition process for accessing the secret area and the common area of the electronic card EC by the communication process using the authentication process and acquiring the authentication information from the electronic card EC using the authentication module acquired by the auxiliary information acquisition process; Authentication information transmission processing for transmitting authentication information to authentication servers NSVa to NSVn as authentication sources corresponding to the authentication information, and authentication servers NSVa to NSVn to which authentication information is transmitted in the authentication information transmission processing, based on the authentication information Equipped with a notification program that receives the authentication result and notifies the authentication result. There.

  Therefore, even when a plurality of types of electronic cards EC having different authentication methods whose authentication module interface is not disclosed are used, an area where authentication information of the electronic card EC is stored is accessed and the electronic card EC is accessed. Authentication information can be acquired, and electronic cards EC with different authentication methods can be appropriately authenticated.

  Further, in the authentication system 1 according to the present embodiment, the access file includes an XML file that causes the card R / W 12 to execute various accesses to each area of the electronic card EC, a batch file that executes the XML file, have.

  Therefore, even when a plurality of types of electronic cards EC having different authentication methods whose authentication module interfaces are not disclosed are used simply and easily, an area where authentication information of the electronic card EC is stored is stored. Therefore, the authentication information can be acquired by simply and easily accessing, and authentication of electronic cards EC having different authentication methods can be performed easily and appropriately.

  Furthermore, in the authentication system 1 of the present embodiment, the electronic card EC has a secret area and a common area (non-secret area), and a limit amount for charging by the information processing unit 13 installed in the composite apparatus 10 (settlement is possible). Amount) is recorded in the secret area, and the information processing unit 13 uses the access file to determine the charge amount for various information processing services provided to the user who has been successfully authenticated by the electronic card EC. CPU (billing means) 32 for subtracting from the limit amount, and the charged billing information is sent to the relay server CSV, and transmission of the billing information to the authentication source of the electronic card EC to be billed is sent to the relay server CSV. And a requesting CPU (billing information notification means) 32.

  Accordingly, it is possible to accurately grasp the contents of the billing performed in the composite apparatus 10 at the authentication source, and to appropriately provide billing processing and information processing service associated with user authentication.

  Further, in the authentication system 1 of the present embodiment, the information processing unit 13 of the multifunction apparatus 10 acquires a limit amount (payable amount) from the electronic card EC using an access file, and charges and various limits for various services. Further, a CPU (service notification means) 32 for notifying the service contents that can be used is provided.

  Therefore, the user can know the service content that can be used from the settlement amount of the electronic card EC, and the usability can be improved.

  The invention made by the present inventor has been specifically described based on the preferred embodiments. However, the present invention is not limited to that described in the above embodiments, and various modifications can be made without departing from the scope of the invention. It goes without saying that it is possible.

DESCRIPTION OF SYMBOLS 1 Authentication system 10 Compound apparatus CSV relay server NSVa-NSVn Authentication server 11 Billing apparatus EC Electronic card 12 Card R / W
13 Information Processing Unit 21 LAN Control Unit 22 Printing Unit 23 Image Reading Unit 31 LAN Control Unit 32 CPU
33 Memory 34 Storage Unit 35 External Media Input / Output Unit 36 Operation Input Unit 37 Wireless Control Unit 41 Function Key 42 Numeric Keypad 43 Power Key 44 Login / Logout Key 45 Start Key 46 Clear / Stop Key 47 LCD with Touch Panel
51 GUI module 52 Billing service module 53 Card plug-in service module 54 Log management service module 55 Fax service module 56 Scan service module 57 Print service module 58 Session manager module 59 ID management service module 60 Media management module 61 Data reception module 62 Data transmission Module 63 Encryption library module 64 Data storage management module 65 System management module

Japanese Patent Laid-Open No. 05-166019

Claims (5)

A plurality of authentication devices that perform user authentication based on the authentication information of a storage medium in which authentication information related to authentication is stored, and an information processing device that provides various information processing services on the condition of user authentication using the storage medium And an auxiliary device for assisting user authentication in the information processing device, and an authentication system connected by a predetermined communication line,
The storage medium is
Having a secret area and a non-secret area, and a settlement possible amount for charging by the information processing apparatus is recorded in the secret area;
The auxiliary device is
Storage means for storing an access file in which information for accessing the storage medium is recorded and an authentication module for decoding authentication information of the storage medium;
Auxiliary information providing means for providing the access file and the authentication module in response to a request from the information processing apparatus;
With
The information processing apparatus includes:
Communication means for communicating with the storage medium;
Authentication source information acquisition means for acquiring authentication source information for specifying an authentication source of the storage medium;
Auxiliary information acquisition means for acquiring the access file and the authentication module corresponding to the authentication source information acquired by the authentication source information acquisition means from the auxiliary device;
Authentication information acquisition for accessing the storage medium by the communication means using the access file acquired by the auxiliary information acquisition means, and acquiring the authentication information from the storage medium using the authentication module acquired by the auxiliary information acquisition means Means,
Authentication information transmitting means for transmitting the authentication information to the authentication device corresponding to the authentication information;
A notification means for receiving an authentication result of authentication based on the authentication information from the authentication apparatus that has transmitted the authentication information by the authentication information transmitting means and notifying the authentication result;
Billing means for subtracting a billing amount for various information processing services provided to a user who has been successfully authenticated by the storage medium from the settlement possible amount of the storage medium using the access file;
Charging information notifying means for sending the charging amount charged by the charging means to the auxiliary device as charging information, and requesting the auxiliary device to transmit the charging information to the authentication source of the storage medium;
An authentication system characterized by comprising: The access file is
The authentication system according to claim 1, further comprising: an XML file that causes the communication unit to execute various accesses to the storage medium; and a batch file that executes the XML file. The information processing apparatus includes:
It further comprises service notification means for acquiring the settlement possible amount from the storage medium using the access file and notifying the billing amount for the various services and the service content available from the settlement possible amount. The authentication system according to claim 1 or 2 . A plurality of authentication devices that perform user authentication based on the authentication information of a storage medium in which authentication information related to authentication is stored, and an information processing device that provides various information processing services on the condition of user authentication using the storage medium And an access module in which information for accessing the storage medium is recorded and an authentication module for decoding the authentication information of the storage medium in response to a request from the information processing apparatus. An authentication method in an authentication system in which an auxiliary device that assists user authentication is connected via a predetermined communication line,
The storage medium is
Having a secret area and a non-secret area, and a settlement possible amount for charging by the information processing apparatus is recorded in the secret area;
The information processing apparatus includes:
A communication processing step for communicating with the storage medium;
Authentication source information acquisition processing step for acquiring authentication source information for specifying an authentication source of the storage medium;
An auxiliary information acquisition processing step for acquiring the access file and the authentication module corresponding to the authentication source information acquired in the authentication source information acquisition processing step from the auxiliary device;
An authentication information acquisition processing step of accessing the storage medium in the communication processing step using the access file acquired in the auxiliary information acquisition processing step, and acquiring the authentication information from the storage medium using the authentication module;
An authentication information transmission processing step of transmitting the authentication information to the authentication device of the authentication source corresponding to the authentication information;
A notification processing step of receiving an authentication authentication result based on the authentication information from the authentication device to which the authentication information has been transmitted in the authentication information transmission processing step, and notifying the authentication availability result;
Billing processing step of subtracting the billing amount for various information processing services provided to the user who has been successfully authenticated by the storage medium from the settlement possible amount of the storage medium using the access file;
A billing information notification processing step of sending the billing amount billed in the billing processing step to the auxiliary device as billing information and requesting the auxiliary device to transmit the billing information to the authentication source of the storage medium;
An authentication method characterized by comprising: A plurality of authentication devices that perform user authentication based on the authentication information of a storage medium in which authentication information related to authentication is stored, and an information processing device that provides various information processing services on the condition of user authentication using the storage medium And an access module in which information for accessing the storage medium is recorded and an authentication module for decoding the authentication information of the storage medium in response to a request from the information processing apparatus. An auxiliary program for assisting user authentication is an authentication program installed in the information processing apparatus of the authentication system connected by a predetermined communication line,
In the information processing device ,
A communication process that has a secret area and a non-secret area, and communicates with the storage medium in which a settlement possible amount for billing by the information processing apparatus is recorded in the secret area ;
Authentication source information acquisition processing for acquiring authentication source information for specifying an authentication source of the storage medium;
Auxiliary information acquisition processing for acquiring the access file and the authentication module corresponding to the authentication source information acquired in the authentication source information acquisition processing from the auxiliary device;
An authentication information acquisition process for accessing the storage medium by the communication process using the access file acquired by the auxiliary information acquisition process, and acquiring the authentication information from the storage medium by using the authentication module;
An authentication information transmission process for transmitting the authentication information to the authentication device corresponding to the authentication information;
A notification process for receiving an authentication result of authentication based on the authentication information from the authentication apparatus to which the authentication information has been transmitted in the authentication information transmission process and notifying a result of the authentication availability;
Charge processing for subtracting the charge amount for various information processing services provided to a user who has been successfully authenticated by the storage medium from the settlement possible amount of the storage medium using the access file;
A billing information notification process for sending the billing amount billed in the billing process to the auxiliary device as billing information and requesting the auxiliary device to transmit the billing information to the authentication source of the storage medium;
An authentication program characterized by causing

Images