
HK1031936B - System and apparatus for user authentication - Google Patents


Info

Publication number: HK1031936B
Authority: HK (Hong Kong)
Prior art keywords: identification, card, user, information, data
Application number: HK01102627.6A
Other languages: Chinese (zh)
Other versions: HK1031936A1 (en)
Inventor: 保仓丰
Original Assignee: 保仓丰
Priority claimed from JP10139563A (patent JP3112076B2)
Application filed by 保仓丰
Priority claimed from PCT/JP1999/002599 (patent WO1999060485A1)
Publication of HK1031936A1
Publication of HK1031936B


Description

User identification system and device
Technical Field
The present invention relates to a user identification system for performing individual identification (authentication) in services such as electronic information exchange, electronic commercial transactions, and the like, a user identification card and a user identification device used in the user identification system, and a lock control system adapted to the user identification system and allowing only an authorized person to open or close a lock.
Background
In recent years, the kinds of information exchanged over communication networks have become diverse, ranging from electronic commerce such as product distribution or credit, to online medical diagnosis and personal medical records, to consulting registration records or obtaining certificates from public offices. The application and use of such information increases year by year.
Some of this information concerns personal secrets and must generally be kept from others, since it could otherwise leak to the public. In order to realize a more convenient information-oriented society built on electronic information communication networks, a highly reliable user identification system capable of clearly distinguishing one individual from another is necessary.
Such a mechanism for identifying an individual can also be used in a locking device to prevent unauthorized persons from entering a laboratory, business office or residence, thereby also improving the security of electronic money.
Passwords have commonly been used to identify a user. Passwords are easy to use, but they offer little protection against thieves who steal them. To guard against password theft, users take care to choose secure passwords, for example by using long passwords, selecting hard-to-guess passwords, or changing passwords from time to time. Passwords are also widely used in communication security to encrypt the contents of a communication so that others cannot easily read them even if the data leaks.
However, this kind of security may be imperfect: the password may be stolen by eavesdropping on the communication, by cracking it, or by watching it being entered. Moreover, the more complex the password, the harder it is for the user to remember. Fundamentally, however complex a password is, it can be duplicated by some means as long as it is stored as digitized data.
To prevent others from impersonating the user and to identify the user reliably, other methods based on so-called biometric indicators of the user, such as fingerprints or speech, have been considered. However, biometric data generally contains a large amount of information, which requires a very high data rate for transmission between the identification access terminal and the authentication authority that stores the user's biometric information. Such a high data rate may congest the communication channel and increase communication time, and it is difficult to put this method into practice without a dedicated environment. This approach also raises problems of storage space and data management.
In recent years, lock control systems have been widely used in research centers, business offices, laboratories, document archives, and for the security of property or apartment buildings. In a lock control system, access to a particular location is restricted, and the lock is opened only when a card issued to an authorized person is recognized by the identification system.
It is also important to identify an individual accurately when services such as e-commerce transactions (product distribution and credit), online medical diagnosis, consultation of personal medical records or public registration records, or the issuing of certificates are to be provided only to the person concerned. Rather than face to face, such transactions are increasingly carried out by accessing information over a communication network.
In conducting such a transaction, it must be determined whether the party is the actual user. This determination must be accurate and cannot rely on a face-to-face interview. Identifying the person with a card makes it possible to improve reliability in this case.
The required security level varies with the category of the transaction, and so does the required level of personal identification. For example, when selling inexpensive products, nothing more is needed than verifying that the card itself is authentic. In other cases, such as issuing a medical record, it may be desirable to authenticate the card together with biometric information that reliably identifies the individual (e.g., a frontal photograph, a fingerprint, or a voice).
Key cards for lock control or access control systems are typically issued per lock and carried and used by authorized persons. If multiple rooms are under access control, the responsible person must manage multiple key cards, which complicates their use. Conversely, several persons often share one key card. In that case, unless it is strictly managed, an unauthorized person can easily steal and misuse the password or the key card, making security harder to maintain.
Transaction cards are also issued for each business relationship by agreement among the parties involved, so the number of such cards one person carries may grow without being noticed.
Using a card as a key is also suitable for other applications, such as renting a locker. In this case, each locker is provided with a key card that is lent to the user. Since anyone who holds the key, not only the real user, can open the lock, the stored goods may be stolen, and security is therefore insufficient.
In the case of a more secure safe, the safe cannot be opened with the key given to the user at the time of rental unless a second key held by the administrator is used at the same time. The inconvenience of such a system is that the administrator must take part in opening every safe. In addition, a stolen or duplicated key may be used to open the corresponding safe, so the system is still not secure enough.
Some safe systems provide a dial or keypad on each safe for entering a lock code. The user enters a code when locking the safe, and the safe cannot be opened without entering the same code. This spares the user from carrying a key. Because the user opens the safe with the code he or she set when locking it, security is high and the safe can be used with confidence. Others may still watch the code being entered, or break it by guessing or trial and error, and open the safe.
In addition, there are lock control systems in which access to a laboratory, file room, or drug storage room is limited to designated responsible persons. In this case, the lock does not open unless one of those persons presents the card issued to him or her for identification. However, if the card is carelessly kept or managed by the designated person, an unauthorized person may be able to enter those places freely using the card.
Since the required security varies with the place being secured, locations with lower security requirements should not be burdened with over-secured systems that demand overly complex operations from the user. For example, opening a storage cabinet for highly toxic drugs should require the most rigorous identification possible, whereas for ordinary drugs a simple identification suffices as long as the prescribed dose is controlled.
Even for safes, the degree of security varies with the importance of the stored item. For example, the degree of security for expensive or irreplaceable items may differ from that for replaceable items.
As for the type of card, in recent years a card with a built-in CPU and memory (e.g., an IC card) has been used as a credit card or an electronic cash card.
An IC card can perform the complex calculations required for advanced identification, and its recorded contents are easy to rewrite and update. These features are being applied to cards that record successive transaction details one by one, or that serve as electronic money.
Further, the memory capacity built into IC cards is increasing, which makes it possible for the user to carry various kinds of personal information on such a card. Personal information conveniently carried in this way includes an insurance contract ID number, a credit card user number, a personal identification card number or personal resume within a company, an electronic money account number and balance, a family register extract, a medical history, an address book, and the like. Such personal information is private and often has to be kept secret.
Since such an identification IC card identifies an individual's identity based on information recorded therein, card security is important.
It is therefore an object of the present invention to provide a user identification system, and a user identification card and user identification device for use in it, which obtain a quick response while maintaining highly reliable personal identification in electronic information exchange and electronic commerce transactions.
It is another object of the present invention to provide an integrated identification IC card which can identify qualified persons in combination with the various identification cards issued for various transactions, thereby improving the security of each transaction or lock control system. It is a further object of the present invention to provide an identification IC card capable of securing access to the information stored in the IC card while seeking complete privacy protection.
It is still another object of the present invention to provide a highly secure lock control system which can strictly discriminate authorized persons, with the identification level set as the situation requires.
Technical scheme
The user identification system of the present invention includes a registration station, an identification card issuing station, an identification access terminal, and at least one authentication authority. The registration station is provided with information obtaining means for obtaining biometric data used to identify the individual user. The identification card issuing station issues the user a user identification card on which at least part of the biometric data is recorded. The identification access terminal is provided with user identification means comprising an input/output unit for reading the information on the user identification card and a personal identification input unit for acquiring the user's biometric data. The authentication authority is connected to the identification access terminal through an information channel and stores the remaining part of the biometric data, which was obtained at the registration station but is not recorded on the user identification card. The recorded content read out by the input/output unit of the identification access terminal is compared with the user's biometric data obtained on site through the personal identification input unit in order to identify the user. If a higher authentication level is required, the authentication authority, in response to an inquiry from the identification access terminal, compares the user's biometric data obtained at the identification access terminal with the part of the biometric data that is not on the user identification card and sends the comparison result to the access terminal for further identification.
In this specification, biometric data refers to a unique feature by which one person can be distinguished from others because it is a natural attribute that cannot be controlled deliberately. Biometric data includes not only natural attributes such as fingerprints or handprints, iris or retinal patterns, and DNA information, but also features derived from handwriting and speech habits. Other biometric data that is easier to read or more reliable may also be adopted.
In a second aspect of the present invention, a user identification system includes a registration station, an identification card issuing station, and an identification access terminal, wherein the user identification card has a computing function. When the biometric data is acquired at the identification access terminal and entered into the user identification card, the computing function of the card compares the biometric data recorded on the card with the user's biometric data obtained on site by the identity acquisition device and, if necessary, further combines this with the identification result provided by the authentication authority to identify the user as the actual holder of the card.
The user identification system of the second aspect of the invention preferably comprises at least one authentication authority connected to the identification access terminal via an information channel. Most of the biometric data obtained at the registration station is recorded on the user identification card, and the remaining portion not recorded on the card is distributed among and recorded in each authentication authority. Preferably, the authentication authority compares the user's biometric data obtained by the access terminal with the portion of the biometric data not on the user identification card for further identification, in response to a query from the identification access terminal.
In the user identification system, the authentication authority may be provided with a memory for recording the biometric data obtained at the registration station.
In the user identification system of the invention, the user identification card records at least part of the biometric data that distinguishes the user from others. When the user needs to be identified, the biometric data on the card is compared with the biometric data the user inputs on site, so that only the real user can pass the identification test, which prevents others from impersonating the user.
Not only is it difficult to reconstruct the original biometric features from the digitized data, but even if others reproduce the digitized data, they cannot mimic the biometric characteristics themselves. This makes a high degree of reliability in user identification possible.
In particular, since the reference biometric data is recorded on the user identification card, the user to be identified can be confirmed in person directly at the identification access terminal, without requesting evidence from an authentication authority remote from the terminal. This saves a great deal of time and cost in communicating with the authentication authority.
If the user identification card is equipped with a computing function such as a CPU and a random access memory (RAM), through which the biometric data obtained from the user presenting the card is input and verified against the data recorded on the card, the load on the identification access terminal and the cost of equipment can be reduced, providing an easy-to-use system. In addition, the information processing is performed inside the user identification card, which prevents the identification data from leaking outside and thus improves reliability.
Further, if the biometric data is distributed between the user identification card and the authentication authority, the necessary information is separated, which makes it difficult for others to pass the entire identification even if they copy the part of the biometric data recorded on the card. Since the data identifying the individual cannot be copied from the user identification card alone, a high degree of reliability can be maintained. Moreover, even if the recorded content of the user identification card is forged, the information held by the authentication authority remains intact, so others are unlikely to be able to masquerade as legitimate users.
The way data is stored according to the present invention differs from the conventional approach in that, instead of judging recombined data collected in one location, the identification access terminal and the authentication authority each identify the individual independently from the biometric data they hold, and both results are reflected in the identification. Since the complete original data is never reconstructed anywhere, the secrecy of the data can be maintained with high reliability.
Even if an attacker succeeds in compromising the authentication authority, he cannot forge the information on the user identification card carried by the user, so security is maintained.
Also, when a plurality of authentication authorities is used, each authentication authority can independently perform individual identification in response to an inquiry from an identification access terminal or from other authentication authorities, in addition to the user identification based on the information of the user identification card. If the authentication authorities are arranged in a hierarchy and obtain the identification result level by level, the reliability of user identification can be further improved.
In the user identification system of the present invention, a pass/fail confirmation can be made selectively, depending on the reliability required for the identification: either with only the result obtained by the identification access terminal from the information recorded on the user identification card, or with an additional, more reliable confirmation made by one or more authentication authorities from the information stored in the authentication authority and not recorded on the user identification card.
The level of identification may be predetermined for each identification access terminal or for each transaction, or may be set per transaction at the identification access terminal. In addition, the level can be set automatically according to the selling price or other reasonable indicators.
Further, in such distributed information processing, even if all the biometric data is used for user identification, as long as the identification is performed at an identification access terminal that obtains most of the data from the user identification card, the information exchanged over the communication line is reduced, and therefore the transmission traffic on the line and the time taken for the inquiry are reduced. This distribution of information also helps to control the processing performance and storage capacity that the authentication authority needs in order to store large amounts of user information and to handle large numbers of queries.
In addition, the user identification system may include a registration authority having a memory for storing the user biometric data obtained at the registration station. The registration authority maintains a complete record of the user's biometric data obtained at the registration station, for determining where unauthorized use of data or abnormal conditions occurred, for reissuing a damaged identification card, or for repairing the data of a subordinate authentication authority. Even if the user does not carry an identification card, the registration authority can identify him or her with a certain degree of reliability from the record it stores. For example, if a user loses his or her identification card, the user, once identified from the data at the registration authority, can report the card as lost or stolen and apply for a reissue.
In such a registration authority, the storage medium holding the biometric data can be detached from the information channel of the user identification system and attached only when necessary. This makes it possible to prevent attacks by hackers and thus to prevent leakage and forgery of personal information. For security, it is most effective to record only part of the user's biometric data on the user identification card and at the subordinate authentication authority, respectively, so that the entire data set is never stored in one place.
The biometric data employed by the user identification system of the present invention may include handwriting and the writing process. Handwriting is highly representative of each person's biometric features, effectively preventing others from mimicking them, and an input device or analyzer can easily detect such features. The user can write any letters or numbers as his or her feature, but it is more desirable for the user to write his or her signature, because a signature is more repeatable. Others can imitate a person's handwriting, but the writing process, such as stroke order and pen pressure, is a biometric feature of the writer and is difficult for others to imitate. Thus, using an online input device to attach information about the writing process to the handwriting makes the recognition more reliable.
Biometric data may also include fingerprints, voice, iris or retina images and DNA information. In addition, other biometric features may be found in the future that are more easily recognizable and more reliable.
The biometric data may be recorded on the user identification card and at the authentication authority by dividing it physically. For example, the first half and the second half of the biometric data may be recorded on the identification card and at the authentication authority, respectively, and verified separately. Alternatively, the data may be divided by category, with the shape information of the handwriting recorded on the user identification card and the stroke pressure and stroke order information recorded at the authentication authority.
In addition, several kinds of biometric data (such as a fingerprint and voice) can be recorded separately, so that the individual is identified from several kinds of information, thereby improving reliability.
Also, different kinds of biometric data may be registered so that different transactions are conducted depending on the kind of data input.
In addition to ordinary biometric data, other unique information that is valid only in certain situations can be used together with it. For example, when a user is forced by others to sign under threat or duress, the user can secretly apply a covert symbol or mark to his or her signature to notify the security authorities of the emergency, while convincing the threatening party that he or she is signing normally.
In such an emergency, the normal transaction, such as unlocking a door or withdrawing cash, can appear to proceed as usual in order to ensure the user's personal safety. The biometric data used in an emergency may be of the same type as the normal data or a combination of different types, such as a voice together with a signature. Alternatively, combined data in which specific code data is added to dummy data may be used as the modified identification data.
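The split verification and the covert duress mark described above, as an added example that is not the patent's own code: a Python model in which the registration station writes only the signature's shape features to the card and hands the writing-process features (stroke order, pen pressure) to the authentication authority, the terminal performs the level 1 check locally and consults the authority only for level 2, and a covert mark is accepted as a normal transaction while raising a duress flag for security. The card ID, feature tuples, match threshold, duress symbol and the position-wise matcher are constructed stand-ins, not values from the patent.

```python
"""Model of the split-biometric identification flow described above (added example,
not the patent's code).  A signature is reduced to two constructed feature tuples:
the letter shape, written to the user identification card, and the writing process
(stroke order, pen pressure), stored only at the authentication authority."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MATCH_THRESHOLD = 0.8   # fraction of agreeing features needed for a match (constructed)
DURESS_MARK = "loop"    # covert symbol agreed at enrolment (constructed value)


def similarity(template: Tuple, sample: Tuple) -> float:
    """Position-wise agreement; a stand-in for a real signature matcher."""
    agree = sum(t == s for t, s in zip(template, sample))
    return agree / max(len(template), len(sample), 1)


@dataclass
class UserIdentificationCard:
    card_id: str
    shape_template: Tuple       # the only biometric part recorded on the card


@dataclass
class OnSiteSample:
    """What the terminal's personal identification input unit captures."""
    shape: Tuple
    process: Tuple
    mark: Optional[str] = None  # covert duress symbol, if the user added one


@dataclass(frozen=True)
class Decision:
    accepted: bool
    level: int                  # 1 = card-only check, 2 = card + authority
    duress: bool = False        # routed to security; the user sees a normal result


class AuthenticationAuthority:
    """Holds only the writing-process part and never sees the shape features."""
    def __init__(self) -> None:
        self._templates: Dict[str, Tuple] = {}

    def register(self, card_id: str, process_template: Tuple) -> None:
        self._templates[card_id] = process_template

    def verify(self, card_id: str, process_sample: Tuple) -> bool:
        template = self._templates.get(card_id)
        return template is not None and similarity(template, process_sample) >= MATCH_THRESHOLD


def enroll(card_id: str, sample: OnSiteSample,
           authority: AuthenticationAuthority) -> UserIdentificationCard:
    """Registration/issuing station: split the enrolment data between card and authority."""
    authority.register(card_id, sample.process)
    return UserIdentificationCard(card_id, sample.shape)


class IdentificationAccessTerminal:
    def __init__(self, authority: AuthenticationAuthority, required_level: int) -> None:
        self.authority, self.required_level = authority, required_level

    def identify(self, card: UserIdentificationCard, sample: OnSiteSample) -> Decision:
        duress = sample.mark == DURESS_MARK
        # Level 1: compare on site against the card; no round trip to the authority.
        if similarity(card.shape_template, sample.shape) < MATCH_THRESHOLD:
            return Decision(False, 1, duress)
        if self.required_level <= 1:
            return Decision(True, 1, duress)
        # Level 2: only the card ID and the process features cross the network.
        return Decision(self.authority.verify(card.card_id, sample.process), 2, duress)


def run_scenarios() -> Dict[str, Decision]:
    """Constructed enrolment data and five access attempts."""
    enrolled = OnSiteSample((3, 7, 2, 9, 4), ("s1", "s2", "s3", "s4", "heavy", "light"))
    authority = AuthenticationAuthority()
    card = enroll("card-0001", enrolled, authority)
    low = IdentificationAccessTerminal(authority, required_level=1)
    high = IdentificationAccessTerminal(authority, required_level=2)

    # Genuine user with natural variation in pressure (5 of 6 process features agree).
    genuine = OnSiteSample(enrolled.shape, ("s1", "s2", "s3", "s4", "heavy", "heavy"))
    # Impostor who copied the card's shape data but writes in his own way (3 of 6 agree).
    impostor = OnSiteSample(enrolled.shape, ("s2", "s1", "s3", "s4", "light", "light"))
    # Genuine user signing under duress, adding the covert mark.
    coerced = OnSiteSample(enrolled.shape, genuine.process, mark=DURESS_MARK)
    return {
        "genuine_low": low.identify(card, genuine),
        "genuine_high": high.identify(card, genuine),
        "impostor_low": low.identify(card, impostor),    # card copy alone passes level 1
        "impostor_high": high.identify(card, impostor),  # but fails the authority check
        "coerced_high": high.identify(card, coerced),    # accepted, with duress flagged
    }
```

The impostor scenario shows the property the text claims: data copied from the card satisfies only the card-level check, because the authority's part is never on the card.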
The user identification card used in the user identification system of the present invention is a storage medium having a readable storage area in which a signal identifying the card and at least a portion of the biometric data distinguishing the user from other persons are stored.
The storage medium may be a read-only medium such as a ROM or CD-ROM, but a writable/readable medium to which transaction detail records or new information can be appended may also be used, since the risk of the recorded biometric data being counterfeited in such a storage volume is small.
It is desirable to use a highly reliable IC card having a strong anti-counterfeiting check function, a large data space, and built-in intelligence and an encryption system.
If an IC card equipped with a CPU and RAM is used, the card itself can take in the user's biometric data and compare it with the verification data stored on the card to identify the user. In this case, the load on the identification access terminal and the cost of the terminal equipment can be reduced. In addition, the identification data on the user identification card can be made unreadable from outside, improving security.
A multi-purpose card providing advanced identification of an individual is obtained by using an IC card equipped with several functions. The IC card used here may be a combination of a contact type, in which data is read and written through contact with an external terminal, and a non-contact type, in which data is read and written without contact.
In particular, if the information is recorded separately, forging the recorded contents of the user identification card alone is of no use, so an economical and easy-to-use medium such as a floppy disk can be used as the user identification card. Other rewritable media such as CD-ROM, DVD, recording tape or MD (magnetic disk) may also be used.
An identification IC card for identifying an individual includes a CPU, an identification file storing personal information, and application files classified according to identification level. In this structure, when an external request is made to show the information recorded in an application file, the CPU compares the externally input identification information with the identification information stored in the identification file, thereby confirming the required level of identification. Then, when the comparison succeeds, the information of the application file is sent out by the CPU.
In the conventional art, a separate card is issued to each person for each purpose requiring individual identification, not only because such a system is simple and easy to handle and makes it difficult to confuse one individual with another, but also because different levels of identification are required depending on the contents of the transaction, and a single piece of identification information is insufficient to cover these different levels. In addition, if a cardholder has one card usable for multiple transactions, technical imperfections may give the cardholder excessive capabilities.
According to the identification IC card of the present invention, the application files in the card are classified by an identification level corresponding to the confidentiality of each file. When an external request asks for the information recorded in an application file, the CPU checks and confirms the input identity information. Then, when the input identity information is confirmed at the level preset for that file, the requested information in the application file is output through the CPU.
The identity information entered by the cardholder on site may be verified by an external device holding (or pre-recorded with) the identity information provided by the card. Using the functions of the external device enables complex image or information processing to be performed, and is effective when the capacity of the CPU or the memory space of the identification card is insufficient. In addition, reliable identification is ensured by distributing the stored identity information to the external device.
The identity information stored in the identification file may include biometric information for identifying the authorized holder of the IC card.
Some application files classified by identification level may record only identification numbers (IDs) for various transactions. Such IDs are used when the cardholder must be verified as a legitimate person accessing transaction information in an external resource.
Other proprietary information of the cardholder may also be recorded in the application files. Since the IC card has a strong capability to identify the individual, persons without the cardholder's permission have no access to the personal information on the card, so personal rights and privacy are thoroughly protected.
A further mechanism may be combined with the above, in which the identification conditions for accessing each application file are pre-registered, so that only a confirmed person is allowed to access the corresponding file. Such files may be arranged in two dimensions, combining the access condition with the identification level, and can thus respond to more complex requests.
In using the identification IC card of the present invention, information as an entry certificate or a bank ID is first stored in an application file, and at the same time, identification programs required for various transactions are specified. In addition, identity information to be used for identifying the identity of the individual is stored in the identification file.
For example, allowing access to a building may only carry an authorized identification card without other special identification requirements, but allowing access to an office requires the user to not only carry an identification IC card, but also to verify that the cardholder is authentic by password verification. In addition, allowing access to the data room requires more rigorous identification to check his (or her) fingerprint.
In this case, identification information indicated by the IC card, a password of the card holder, and fingerprint information are recorded in the identification file; and a password signal for opening a door to be entered, a password signal for opening an office door, and a password signal for opening a data room door are stored in each application file.
A person carrying an identification IC card reads the card through a card reader mounted on the door. The card reader extracts the information in the card and confirms that the card is truly authorized and the passwords match. If the card is validated, the door is opened to allow access to the cardholder.
At the office door, the card reader is equipped with a keyboard, and the card holder must enter a password when the identification IC card is read. When the authenticity of the identification card is confirmed and the password entered by the card holder matches the password recorded in the identification file of the identification IC card, a door-opening password signal is sent to the card reader through the CPU. The card holder is then allowed to enter the office if this password signal is correct.
At the door of the filing room, the card reader is provided with a fingerprint reader. A card holder who wants to enter the room must have the card reader read the identification IC card and place his or her designated finger on the fingerprint reader; when the fingerprint matches the fingerprint recorded in the identification file, a signal carrying the door-opening password is sent to the card reader through the CPU. Then, when the card reader judges that the password signal is genuine, the door is opened to allow the card holder to enter.
The same mechanism may be used for the financial system.
A credit card may simplify the process where a cumbersome signature procedure would otherwise be required for each inexpensive purchase. On the other hand, expensive purchases such as jewelry and ornaments must identify the individual strictly. Thus, although the identification level changes with the type of credit card, corresponding to the user password output from the application file, the identification IC card of the present invention can handle these different levels of identification.
In addition, the condition for accessing each application file may be registered in advance such that only qualified persons are allowed to access the corresponding file, and thus, access of information through the card reader is limited to only a necessary area in order to prevent excessive leakage of personal secrets.
For example, if an unlocking system is permitted to require only identification information and an unlock password signal, the CPU keeps that system from excessive access to the stored medical record files. In some cases, the CPU may shut down all information exchange to prevent unauthorized access and thereby theft or counterfeiting of the information.
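As an added illustration that is not part of the patent text, the following Python sketch models the three-level door example above together with the per-file access conditions: the card's CPU releases a door's password signal only when the factors pre-entered for that application file are verified on site, and a door-lock reader can never obtain the medical-record file. The issuer key, the HMAC card-authenticity tag, file names and signal values are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example: an identification IC card whose CPU releases an
# application file's payload (e.g. a door-opening password signal) only when
# the identification conditions pre-entered for that file are satisfied.
ISSUER_KEY = b"constructed-issuer-key"   # shared by the issuer and the door readers


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _card_tag(card_id: str) -> bytes:
    return hmac.new(ISSUER_KEY, card_id.encode(), "sha256").digest()


@dataclass
class ApplicationFile:
    required_factors: frozenset   # identification condition pre-entered for this file
    allowed_readers: frozenset    # reader types that may request this file at all
    payload: bytes                # e.g. the password signal that opens one door


@dataclass
class IdentificationIcCard:
    card_id: str
    auth_tag: bytes               # proves to a reader that the card is genuine
    _password_digest: bytes       # identification file: hashed card-holder password
    _fingerprint_template: bytes  # identification file: fingerprint template
    _application_files: dict = field(default_factory=dict)

    @classmethod
    def issue(cls, card_id, password, fingerprint_template):
        return cls(card_id, _card_tag(card_id), _sha256(password.encode()), fingerprint_template)

    def register_application_file(self, name, required_factors, allowed_readers, payload):
        self._application_files[name] = ApplicationFile(
            frozenset(required_factors), frozenset(allowed_readers), payload)

    def access_application_file(self, name, reader_type, password=None, fingerprint=None):
        """CPU-side judgment: the identification file never leaves the card;
        only the requested application file's payload is released, and only
        when every factor that file requires has been verified on site."""
        app = self._application_files.get(name)
        if app is None or reader_type not in app.allowed_readers:
            return None
        verified = {"card"}
        if password is not None and hmac.compare_digest(
                _sha256(password.encode()), self._password_digest):
            verified.add("password")
        # an exact template match stands in for a real fingerprint comparison
        if fingerprint is not None and hmac.compare_digest(
                fingerprint, self._fingerprint_template):
            verified.add("fingerprint")
        return app.payload if app.required_factors <= verified else None


def door_reader_open(card, door, expected_signal, password=None, fingerprint=None):
    """Reader mounted on a door: confirm the card is genuine, ask the card for
    this door's password signal, and open only if it matches the door's own."""
    if not hmac.compare_digest(_card_tag(card.card_id), card.auth_tag):
        return False
    signal = card.access_application_file(door, "door_lock", password, fingerprint)
    return signal is not None and hmac.compare_digest(signal, expected_signal)


def demo():
    """Building: card only. Office: card + password. Data room: card + fingerprint."""
    fp = b"constructed-fingerprint-template"
    card = IdentificationIcCard.issue("CARD-0001", "s3cret", fp)
    card.register_application_file("building", {"card"}, {"door_lock"}, b"SIG-BUILDING")
    card.register_application_file("office", {"card", "password"}, {"door_lock"}, b"SIG-OFFICE")
    card.register_application_file("data_room", {"card", "fingerprint"}, {"door_lock"}, b"SIG-DATAROOM")
    card.register_application_file("medical_record", {"card", "password"}, {"hospital"}, b"record...")
    forged = IdentificationIcCard("CARD-0001", b"wrong-tag", _sha256(b"s3cret"), fp)
    return {
        "building_card_only": door_reader_open(card, "building", b"SIG-BUILDING"),
        "building_forged_card": door_reader_open(forged, "building", b"SIG-BUILDING"),
        "office_no_password": door_reader_open(card, "office", b"SIG-OFFICE"),
        "office_wrong_password": door_reader_open(card, "office", b"SIG-OFFICE", password="guess"),
        "office_right_password": door_reader_open(card, "office", b"SIG-OFFICE", password="s3cret"),
        "data_room_password_only": door_reader_open(card, "data_room", b"SIG-DATAROOM", password="s3cret"),
        "data_room_fingerprint": door_reader_open(card, "data_room", b"SIG-DATAROOM", fingerprint=fp),
        "medical_record_via_door_lock": card.access_application_file("medical_record", "door_lock", password="s3cret"),
        "medical_record_via_hospital": card.access_application_file("medical_record", "hospital", password="s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```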
The identification IC card of the present invention records a password signal for permitting a certain transaction and service in the identification IC card held by a person who is permitted to perform the transaction and service. Such identification cards are used to identify that the person carrying the IC card is indeed the true holder of the card each time the transaction or service is carried out.
Therefore, the service provider should receive information from the identification IC card indicating that the card carrier is the legitimate holder of the card and that a cryptographic signal is recorded in the card which confirms the legitimacy of the service. On the other hand, the identification IC card should confirm that the card reader is correct and that the card carrier is the legitimate owner of the card.
The identification IC card of the present invention stores characteristic information of a card holder including a qualification for entering a building or a data room, a bank account, ownership of a credit card, family history and history, and balance of an electronic money account, thereby making it possible to integrate identification data of all confirmation transactions into one card.
The identification IC card of the present invention qualifies the card holder (not the card itself) for a transaction, and therefore operates with higher reliability than ordinary card systems. It is therefore not necessary to hold a plurality of cards issued for various services as in conventional systems, nor to strictly control the use of cards (for example, where a plurality of persons share one unlocking card) to deal with unauthorized persons.
The identification IC card of the present invention can identify a legitimate card holder based only on information recorded on the IC card and information input on site by the card holder. Since the security of such a card is more important than that of a card in a general system, the identification IC card is provided with high-security means to prevent anyone other than the real transaction user from stealing the identification card. Such means include biometric information of the transaction user, such as signature, voice, fingerprint or iris, combined with a highly reliable password, thereby preventing someone other than the authorized user from using a stolen or picked-up identification IC card, either directly or after tampering with it.
Such an identification IC card should also be equipped with a means for notifying the user of the identification information recorded therein when the user forgets his (or her) own identification information. There may also be situations where the user needs to rewrite or refresh the identity information. However, others may abuse the above means, by deception or by collusion with the person in charge, to obtain the identity information illegally.
Furthermore, illegally obtained identification information can be used to rewrite the IC card or make a fake identification card from a new IC card. Such criminal behavior is difficult to avoid completely.
In any case, it is difficult for the identification IC card to prevent malicious counterfeiting or forgery by a person familiar with the system or by an insider.
To prevent this, the identification IC card of the present invention includes a CPU, an identification file storing identity information or identification information, or both, and an application file storing a work program or related data classified by identification hierarchy. When the application file is accessed from the outside, the identification IC card permits the access only when a correct judgment is made based on the identity information or identification information in the identification file. In addition to the identity information of the authorized user, the identification file in the identification IC card of the present invention stores the identity information of a second individual or the identification information of a second organization. The tasks or data handled by such a card are preset based on the identification requirements of the second individual or second organization. When execution or display of a specific transaction or data is requested, the CPU compares the identity information or identification information input from the outside with the information in the identification file and, when such identification is acceptable, allows the specific transaction or data to be executed or displayed.
In addition to the authorized user of the card, the identification IC card of the present invention obtains authorization from an authorized second person or organization (hereinafter referred to as a witness) for access to the particular transaction or data. In this case, a transaction such as a request to confirm the legitimacy of the identification IC card itself or the legitimacy of its user may be designated for a high security level.
The witness's approval is valid only when the witness is confirmed based on the identity or identification information recorded in the identification IC card.
For example, there may be one or several witnesses at the time of issuance of the identification IC card, and the identity information and identification information of these witnesses may be recorded in the identification card together with the user information. Users of such identification IC cards are required to be authenticated by a witness, even if the user himself/herself is confirmed, when reading out the recorded user identity information or updating identity or identification information. The one or more witnesses may be a third party trusted by the user, someone designated by the card issuer, an organization such as the user's employer, or an organization such as the card issuer.
Such a system requires the identification and recognition of a witness rather than of the user alone, or requires the user to pass identification together with the witness, which not only prevents others from stealing identification information and misappropriating identification IC cards, but also prevents others from colluding with insiders to rewrite the identification information.
In addition, high-level security for identification can be set in accordance with the reliability inherent in the identification IC card, and the security of such a card can be protected even if there is no ultimate security system at the identification IC card issuing station. Also, all personal data can be stored in the identification IC card, and backup data is not left at the card issuing station.
Therefore, it is possible to easily establish a card issuance system with high reliability.
It should be noted that the identification may be judged either by the CPU in the IC card or by an external device. If the external device performs the judgment, the identity information or identification information stored in the identification file is output to the external device through the CPU. Then, when the external device judges that the identification is acceptable, access to the application file is allowed through the CPU.
If the CPU in the card judges the identification, the equipment on the IC card reader side can be simplified, saving equipment cost.
The use of the external device allows the IC card performance to be simplified. In addition, when the identification information is shared with a memory outside the identification IC card, such a card is suitable for a system requiring a higher security level.
The identification information preferably includes biometric information for identifying the card holder. The biometric information may include a signature, voice, fingerprint, or iris. Needless to say, a highly reliable password can be used together with the biometric information.
Further, it is preferable that a transaction log relating to the identification of the witness is recorded in the identification IC card.
Such logs are useful for inferring the circumstances and cause of an incident.
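The witness rule and the associated transaction log, sketched in Python as an added example that is not the patent's code: reading out or rewriting the recorded identity information requires both the user and a witness recorded in the card's identification file, and every attempt, granted or denied, is logged on the card. The witness names, secrets and the hashed-secret credential model are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example: sensitive operations on the card require BOTH the card
# user and a witness recorded in the identification file to be identified.


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def _secret_matches(secret, digest: bytes) -> bool:
    return secret is not None and hmac.compare_digest(_digest(secret), digest)


@dataclass
class WitnessedIdentificationFile:
    user_digest: bytes               # identity information of the authorized user
    witness_digests: dict            # witness name -> identification info of that witness
    identity_information: str        # the record protected by the witness rule
    log: list = field(default_factory=list)

    def _identify_both(self, user_secret, witness_name, witness_secret):
        """Judge the user and the named witness against the card's own
        identification file. A witness not recorded in the card never passes,
        so an outsider cannot simply bring along a 'witness' of their own."""
        user_ok = _secret_matches(user_secret, self.user_digest)
        recorded = self.witness_digests.get(witness_name)
        witness_ok = recorded is not None and _secret_matches(witness_secret, recorded)
        return user_ok, witness_ok

    def _record(self, operation, witness_name, user_ok, witness_ok):
        # transaction log relating to the witness identification, kept in the card
        self.log.append({"op": operation, "witness": witness_name,
                         "user_ok": user_ok, "witness_ok": witness_ok,
                         "granted": user_ok and witness_ok})

    def read_out_identity_information(self, user_secret, witness_name, witness_secret):
        """Notify the user of the recorded identity information only when the
        user AND a recorded witness are both confirmed."""
        user_ok, witness_ok = self._identify_both(user_secret, witness_name, witness_secret)
        self._record("read_out", witness_name, user_ok, witness_ok)
        return self.identity_information if (user_ok and witness_ok) else None

    def rewrite_identity_information(self, user_secret, witness_name, witness_secret, new_info):
        """Rewrite or refresh the identity information under the same witness rule."""
        user_ok, witness_ok = self._identify_both(user_secret, witness_name, witness_secret)
        self._record("rewrite", witness_name, user_ok, witness_ok)
        if user_ok and witness_ok:
            self.identity_information = new_info
            return True
        return False


def demo():
    """Witnesses recorded at issuance: a trusted third party and the card issuer."""
    card_file = WitnessedIdentificationFile(
        user_digest=_digest("user-pass-1234"),
        witness_digests={"trusted_friend": _digest("friend-pass"),
                         "card_issuer": _digest("issuer-pass")},
        identity_information="identity record v1")
    results = {
        # someone who learned the user's secret but has no recorded witness
        "user_secret_only": card_file.read_out_identity_information(
            "user-pass-1234", "accomplice", "anything"),
        # a genuine witness alone, without the user, is not enough either
        "witness_only": card_file.read_out_identity_information(
            None, "card_issuer", "issuer-pass"),
        "user_and_witness": card_file.read_out_identity_information(
            "user-pass-1234", "trusted_friend", "friend-pass"),
        "rewrite_without_witness": card_file.rewrite_identity_information(
            "user-pass-1234", "trusted_friend", "wrong", "identity record v2"),
        "rewrite_with_witness": card_file.rewrite_identity_information(
            "user-pass-1234", "card_issuer", "issuer-pass", "identity record v2"),
    }
    results["after_rewrite"] = card_file.identity_information
    results["denied_attempts_logged"] = sum(1 for e in card_file.log if not e["granted"])
    results["log_entries"] = len(card_file.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```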
The user identification apparatus of the present invention for identifying an individual by means of a user identification card comprises an input/output unit for reading out information recorded in the user identification card, an individual identification input unit for acquiring biometric data of the user, a judgment unit for comparing the biometric data in the identification IC card read out by the input/output unit with the biometric data obtained on site by the individual identification input unit and judging whether the result is acceptable, and a display unit for presenting the judgment result.
According to the user identification apparatus of the present invention, a person who requests identification of an individual places a user identification card in the input/output unit and inputs, through the individual identification input unit, his (or her) biometric data of the same kind as that recorded in the user identification card. Then, the judgment unit checks the biometric characteristic data recorded in the user identification IC card against the data obtained by the individual identification input unit, judges whether or not the result of the check is acceptable, and presents the judgment result on the display unit. Thus, it is possible to recognize immediately whether the person carrying the user identification card is the legitimate card holder, without conducting any external communication.
The user identification means should be provided with a personal identity input unit of the same type as the biometric input means used at the user registration station. A device having a handwriting sample collection function can be used as the personal identification input unit. Such a handwriting sample acquisition unit can input a predetermined handwriting sample such as a signature as digital data, and thus easily compare the input sample with the biometric data on the user identification card.
The user identification device of the present invention preferably includes a communication unit which communicates with an external authentication authority, wherein at least a part of the biometric data of the user input through the personal identification input unit is transmitted to the external authentication authority, so that the user identification device can receive the pass/fail judgment result made by the authentication authority and present the result thereof through the display unit.
If the user identification device is connected to an external certificate authority to perform hierarchical processing of identification data, malicious access and falsification by an intruder can be prevented, thereby making it possible to provide a higher security level of identification performance.
The user identification system of the invention is applicable to a lock control system. The lock control system of the present invention employs an IC card as a key in which personal identification data of a user is recorded, wherein identification data input by the user on site is checked against the personal identification data, and when the user passes the identification check, the lock is opened.
In the lock control system of the present invention, a user authorized to use the lock obtains a user identification card as a key card, which is formed of an IC card storing personal identification data of the user. When the lock is to be opened, the user presents the key card and enters his (or her) identity data. The identity data entered by the user in the field is checked against the data recorded on the key card and if they match within acceptable limits, the lock is opened.
Since the lock is never opened when the identity data of the accessing person does not match the personal data recorded in the key card, only authorized persons can unlock the lock.
Such systems grant legitimate users the right to unlock the lock, and the key card is used only to verify that the person carrying it is the entitled user. In such systems, the key card has only a partial key function.
Therefore, even if an outsider detects, steals, or copies the key card, the lock cannot be opened by anyone other than the legitimate user, which improves the security of the lock.
In addition, since the user's personal information is stored on the key card, the lock device does not require a large database to store information about all potential users, nor does it require data to be obtained from the host device via high-speed communications.
However, for greater security, part of the personal information may be stored in the lock side memory for use with the data recorded in the key card.
The personal identification data recorded in the key card may be biometric information of the user or information data created by the user. Such information may further increase the security of the lock.
In addition, the key card may record certain data selected from a wide variety of personal identification data.
If there is a mechanism that prevents outsiders from recognizing the identification data stored in the key card, others who attempt to steal the key IC card cannot use the stolen card unless they know which of the fingerprint, voice, signature, password or other information is used as the identification data, thus reducing the risk of stealing the card.
In addition, the receiving terminal may be provided with a plurality of identity data input means corresponding to a plurality of personal identification data so that the user can select one of them. If multiple identification data are optional, a person attempting to tamper with the key card must determine the correct identification data type for the key card, which improves the security of the lock. Of course, multiple personal identification data may be used in combination to prevent the lock from being opened unless all selected data passes the identification check.
In addition, a single key card may be used to unlock multiple locks and to selectively apply various types of personal identification data to the respective locks.
In this case, not only is the cost reduced compared to the case where one card is issued per lock, but the number of cards carried by one user is also reduced, thereby freeing the user from the dilemma of selecting a corresponding card for each lock.
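An added Python sketch, not the patent's own code, of the lock control system described above: one key card serves several locks, the card tells each lock which kind of personal identification data applies to it, the lock compares the on-site input within an acceptable tolerance, and one lock keeps part of the enrolled template in its own memory. Lock names, tolerances and the integer "template" vectors are constructed stand-ins for real biometric data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example: a key card serving several locks, each lock comparing the
# data input on site against the card's data "within acceptable limits".


def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def within_limits(enrolled, sample, tolerance):
    """Templates are modelled as equal-length integer vectors; they match when
    the mean absolute difference does not exceed the lock's tolerance."""
    if len(enrolled) != len(sample):
        return False
    return sum(abs(a - b) for a, b in zip(enrolled, sample)) / len(enrolled) <= tolerance


@dataclass
class LockEntry:
    data_type: str          # "password", "fingerprint" or "signature"
    enrolled: object        # password digest, or (part of) a template vector
    tolerance: float = 0.0  # acceptable limit for biometric comparison


@dataclass
class KeyCard:
    card_id: str
    locks: dict = field(default_factory=dict)   # lock_id -> LockEntry


@dataclass
class Lock:
    lock_id: str
    # optional lock-side memory: card_id -> remaining part of the enrolled template
    lock_side_memory: dict = field(default_factory=dict)

    def try_open(self, card, on_site_inputs):
        """on_site_inputs maps a data type to what the lock's input means captured.
        The lock opens only if the card names this lock, the input of the type
        the card specifies was supplied, and it matches within limits."""
        entry = card.locks.get(self.lock_id)
        if entry is None:
            return False
        sample = on_site_inputs.get(entry.data_type)
        if sample is None:
            return False   # the wrong kind of data was offered for this lock
        if entry.data_type == "password":
            return hmac.compare_digest(_digest(sample), entry.enrolled)
        enrolled = list(entry.enrolled)
        extra = self.lock_side_memory.get(card.card_id)
        if extra is not None:
            enrolled += list(extra)   # combine card data with the lock-side part
        return within_limits(enrolled, sample, entry.tolerance)


def demo():
    fingerprint = [10, 20, 30, 40, 50, 60, 70, 80]
    signature = [3, 1, 4, 1, 5, 9, 2, 6]
    card = KeyCard("KEY-0001")
    card.locks["front_door"] = LockEntry("password", _digest("open-sesame"))
    card.locks["data_room"] = LockEntry("fingerprint", fingerprint, tolerance=1.0)
    card.locks["cabinet"] = LockEntry("signature", signature, tolerance=1.5)
    # the safe: the card carries the first half of the template, the lock the second half
    card.locks["safe"] = LockEntry("fingerprint", fingerprint[:4], tolerance=0.5)

    front_door = Lock("front_door")
    data_room = Lock("data_room")
    cabinet = Lock("cabinet")
    safe = Lock("safe", lock_side_memory={"KEY-0001": fingerprint[4:]})
    server_room = Lock("server_room")    # the card carries no entry for this lock

    noisy_scan = [11, 19, 31, 41, 49, 61, 69, 80]   # mean absolute difference 0.875
    poor_scan = [15, 25, 35, 45, 55, 65, 75, 85]    # mean absolute difference 5.0
    return {
        "front_door_password": front_door.try_open(card, {"password": "open-sesame"}),
        "front_door_wrong_password": front_door.try_open(card, {"password": "guess"}),
        "front_door_wrong_data_type": front_door.try_open(card, {"fingerprint": fingerprint}),
        "data_room_noisy_scan": data_room.try_open(card, {"fingerprint": noisy_scan}),
        "data_room_poor_scan": data_room.try_open(card, {"fingerprint": poor_scan}),
        "data_room_password_offered": data_room.try_open(card, {"password": "open-sesame"}),
        "cabinet_signature": cabinet.try_open(card, {"signature": signature}),
        "safe_full_fingerprint": safe.try_open(card, {"fingerprint": fingerprint}),
        # data copied from the card alone reproduces only the half held on the card
        "safe_card_half_only": safe.try_open(card, {"fingerprint": fingerprint[:4] + [0, 0, 0, 0]}),
        "lock_not_on_card": server_room.try_open(card, {"password": "open-sesame"}),
    }


if __name__ == "__main__":
    for name, opened in demo().items():
        print(name, opened)
```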
Such a key card is also effective for using a single door lock in conjunction with multiple locks staged in a storage-compartment hierarchy. If the storage room is provided with shelves of different management levels, for example shelves for general medicines and shelves for potent drugs, even a person authorized to open the storage room door may not be permitted to open the shelves for potent drugs. This key card is also suitable where personal documents and account documents are kept in a storage room but only the person in charge of each department may access the relevant documents.
In this case, an alarm function may be added to the system to give an alarm when a person other than the card holder enters the area or touches the material, thereby improving security. For this purpose, sensors for detecting the entry of an outsider can be fitted to the cabinet frame in the storage compartment. Since the sensor need not operate when an authorized person enters, the sensor circuit of the restricted area should be controlled so as not to output an alarm for an authorized person who has passed the identification.
The system is constructed so that the entrance of an unauthorized person is notified in the control room and the door of the storage room is closed to prevent the unauthorized person from escaping.
In addition, the lock control system of the invention has the function of marking the individual persons who have already unlocked, and the accumulated access data automatically generate the stock records of the storage room.
The lock control system of the present invention also ensures the security of the safe in which valuables are stored. In particular, its use in a safe may provide a very secure facility for the safe system, even without any witnesses from the managing party. In addition, safe users can determine the security level themselves based on the value of the stored items.
Brief description of the drawings
FIG. 1 is a block diagram illustrating a user identification system implemented in one example of the invention;
FIG. 2 is a perspective view illustrating an example of the user identification device used in the embodiment;
FIG. 3 is a circuit diagram of the user identification apparatus of the embodiment;
FIG. 4 is a block diagram showing a first or second example of the structure of the user identification card used in the present embodiment;
FIG. 5 is a flowchart illustrating the user identification card issuance process according to the present embodiment;
FIG. 6 is a flowchart illustrating a receiving terminal identification process in the present embodiment;
FIG. 7 is a block diagram of a third embodiment of an identification IC card according to the present invention;
FIG. 8 is a block diagram illustrating a file structure in the identification IC card of the third embodiment;
FIG. 9 is a block diagram illustrating an application example of an identification IC card of the third embodiment;
FIG. 10 is a flowchart illustrating an application example of the identification IC card of the third embodiment;
FIG. 11 is a block diagram illustrating a structure of a user identification IC card implemented in a fourth embodiment of the present invention;
FIG. 12 is a flowchart illustrating a user identification card issuance process of the fourth embodiment;
FIG. 13 is a flowchart illustrating a process of reading out the identification information recorded in the user identification card of the fourth embodiment;
FIG. 14 is a flowchart illustrating a process of rewriting or refreshing the identity information recorded in the user identification card of the fourth embodiment;
FIG. 15 is a block diagram illustrating a first embodiment of a lock control system according to the present invention;
FIG. 16 is a block diagram illustrating a second embodiment of a lock control system according to the present invention.
Best mode for carrying out the invention
Embodiments of the present invention will be described with reference to the accompanying drawings.
As shown in fig. 1, the subscriber identification system of the present invention has a hierarchical structure in which an authorized registration authority, a plurality of authentication authorities, and a plurality of identification access terminals are hierarchically arranged.
An authorized or designated (policy) registration authority (PRA) 1 monitors the entire identification network and issues a delegation certificate granting partial rights to a plurality of intermediate or designated certification authorities (PCA) 2. A designated certification authority to which such rights are granted issues a delegation certificate granting a part of those rights, as a sub-license, to a plurality of end point certification authorities (CA) 3.
The end point certification authority (CA) 3 functions as an intermediary connecting an identification access terminal (TM) 4, as a principal using user identification, and a user 8 enjoying the service provided by the principal. In the following description, making various services available may be referred to as "transactions".
The authorized or designated registration authority (PRA)1 is provided with a memory 11 which is removable from the master device, while the designated certification authority (PCA)2 and the end point Certification Authority (CA)3 are provided with memories 21, 31 permanently connected to the respective devices.
These facilities are connected to each other through a private line or a public line so that information can be exchanged at any time. Such a connection may be made through an intranet or the internet. In the exchange of information via a communication line, it is preferable to ensure security by an encryption system using a public key or a symmetric key.
The designated certification authority (PCA) may be omitted from the user identification system. Conversely, designated certification authorities (PCA) may also be configured in multiple levels to increase the number of identification levels beyond three.
The designated registration authority (PRA), designated certification authority (PCA) and endpoint Certification Authority (CA) may also be replaced by one that integrates all functions.
The end point Certification Authority (CA)3 is generally authorized by a designated registration authority (PRA) or a higher designated certification authority (PCA) to perform identification within a defined area, such as a public authority, a medical research institute, a private company, an apartment building, a shopping mall, and the like.
An end point certification authority (CA) connects, in parallel, the identification access terminals (TM) belonging to its defined area.
The identification access Terminal (TM) may represent a window of an administrative office, department and pharmacy reception in a hospital, a door of a laboratory or office, an information tool for accessing a database to be protected, an apartment entrance or apartment door, a remote control of facilities in the door, a club facility for members only, a check-out counter at each small store or large retail store like department store, a window of a bank teller machine, an automatic ticket checker, etc.
In particular, it is certain that user identification will be more important in the future direct market field. In this case, the identification access terminal 4 may be placed in the home 8 of each user.
The end point certification authority (CA) 3 authorizes a user registration station (RG) 5 to receive registration requests from a user 8 who wants to become a customer of an identification access terminal (TM) 4, and authorizes an identification card issuing station (IS) 6 to issue a user identification card 7.
The user registration station (RG)5 is provided with an input means 51 for acquiring biometric data. This example uses an online handwriting-graphical input device with a pad and a pen. The on-line handwriting-graphic input device inputs the handwriting of the user along with the writing process for graphic recognition, so that when the character is input, the information about the trend and the sequence of each stroke of the character can be easily obtained.
When speech is used as the means for capturing the biometric feature, a microphone 52 is provided for inputting the user's voice. Any other means, like fingerprint and handprint input means, or means for observing the pupil to obtain a pattern of the iris or retina may also be provided.
A plurality of personal characteristic authentication means may be employed to make the identification more secure.
The identification card issuing station (IS) 6 is equipped with an identification card issuing device 61. The identification card issuing apparatus 61 writes the information to be used for user identification into the user identification card 7 and issues the user identification card to the user 8. In this embodiment, the user identification system uses an IC card as the user identification card. However, any other recording medium can be used as long as it supports writing and reading; for example, any electronic recording medium, such as a magnetic recording medium including CD-ROM, floppy disks, and magnetic cards, or a magneto-optical recording medium, can be used.
The identification access Terminal (TM)4 is provided with a user identification means 41 for verifying the authenticity of a user identification card 7 carried by a user 8 and identifying the user 8.
Fig. 2 and 3 show an example of the structure of the user identification device 41.
The panel of the user identification means 41 is provided with an input/output unit 401 with a slot for the identification card 7, which exchanges information with the storage area of the inserted identification card 7; an identification level setting unit 402 for setting an identification depth required for the current transaction; a personal identity input unit 403 for collecting biometric data of the user; and an identification display 404 for displaying the identification result.
The personal identity input unit 403 is identical to the biometric input means 51 used in the user registration station (RG) 5. If speech is also used for user identification, the user identification means 41 of the identification access terminal (TM) 4 must of course be equipped with a microphone 42. The individual identity input unit 403 is likewise provided with the input method corresponding to whatever type of biometric is required.
The electronic circuit 410 is inserted inside the user identification means 41; it is used for organically combining the functions of the units for user identification.
The electronic circuit 410 includes an identification card read/write control section 411, an identification information conversion section 412, a judgment section 413, and a communication section 414.
The identification card read/write control section 411 has functions of reading out the recorded information content in the identification card through the input/output unit 401, decoding the encoded digital data, and recording the transaction result to the identification card.
The identity information conversion section 412 converts the biometric data acquired through the individual identity input unit 403 into digital data.
The judgment section 413 extracts output information from the identification card read/write control section 411, the identification information conversion section 412 and the identification level setting unit 402, identifies the user at the desired identification level based on this output information plus information exchanged with the certificate authority through the communication section 414, and presents the identification result on the identification display 404.
When the user is identified and the transaction is completed, the transaction result is input from the transaction details input unit 420 and the transaction conditions are displayed on the transaction display 421, so that the user 8 can confirm the transaction details. These transaction conditions are also recorded in the memory 422.
The judgment section 413 may be designed to transmit the user identification result automatically to the transaction detail input unit 420 so that it can be determined whether the transaction is accepted or rejected.
Also, such transaction situation or transaction history may be recorded in the subscriber identity card 7 by inputting transaction information through the transaction-detail input unit 420.
For example, when the user identification card 7 is used for settlement, the date of purchase, the name of purchase, and the price thereof are recorded, and these data make it easy for the user to check the account of the transaction when making a payment. When such a card is used for management services, various evidences or certification documents including those related to health insurance cards, driver's licenses, medical records, and residence certificates may be received and stored in the user identification card 7.
To protect the privacy of the user, user authentication is requested whenever the recorded contents of the user identification card 7 are read, so any access by persons other than the user concerned is prohibited.
In addition to the biometric data for normal identification, other unique information that is valid only in special cases can be used together with it. For example, where a user is forced to sign under threat by a robber or under duress, the user may secretly place a covert sign or mark in his or her actual signature, so that security is notified of an emergency while the transaction proceeds normally (e.g., opening a door or withdrawing money) and security personnel can take appropriate action (e.g., apprehending the criminal) to ensure the user's safety as quickly as possible.
Such biometric data for a particular purpose may combine many different types of data, such as coughing twice while signing.
Fig. 4 is a block diagram illustrating the internal layout of the subscriber identity card 7 formed by an IC card.
The user identification card 7 used in this example is a combination-type IC card equipped with a contact connector, which transmits electric signals through the terminal 71, and a non-contact connector, which communicates by electrostatic coupling or electromagnetic induction without contact between the electrodes 73 in the card and the electrodes in the identification card read/write control unit. The user identification card 7 is designed so that the terminals of a plurality of card-issuing locations can share a single universal card, which is open for use by the card carrier at each of those locations. However, the connector fitted to such an IC card may be of either of these two types.
The terminal 71 is connected to the connection circuit 72; the non-contact electrode 73 is connected to the communication control circuit 74. Both are connected to the internal memory.
The user identification card 7 further comprises a CPU 75 and a memory consisting of a random access memory unit RAM 76, a read only memory unit ROM 77, an electrically writable programmable read only memory unit PROM 78, and an electrically erasable programmable read only memory unit EEPROM 79. These units are connected to each other by a bus.
The connection circuit 72, communication control circuit 74, CPU75, and memory may be assembled on a single IC chip.
Upon insertion of the user identification card 7, the identification card read/write control unit 411 accesses the stored contents of the user identification card 7, either from the terminal 71 through the connection circuit 72 or from the non-contact electrode 73 through the communication control circuit 74.
The PROM78 stores card identification data for verifying the authenticity of the identification card, the ID of the issuer authorized to issue the user identification card, and the like. Data written once to the PROM78 cannot be rewritten.
The EEPROM79 stores biometric data used to identify a user and records of transactions made with the identification card. The ROM77 stores programs for controlling the CPU75 to perform coding/decoding, data input/output control, verification of the authenticity of the user identification device 41, and the like. The RAM76 temporarily stores data collected from the outside, data necessary for processing, and the like.
Unused subscriber identification cards 7 are distributed to each identification card issuing station 6 only after correct card verification information has been written into the PROM78 by the authorized or designated registration authority 1, proving that these identification cards are genuine cards usable in the identification system. All the identification card issuing station 6 must therefore do is write part of the biometric data of the user to the EEPROM79 in accordance with the instructions of the authorized registration authority 1. From this point of view, the write function for the PROM78 can be omitted from the identification card issuing apparatus to prevent the card from being counterfeited.
The identification card is not limited to the type of memory configuration and allocation made in this example. For example, biometric data for identifying the identity of an individual may be stored in PROM78 or RAM 76.
The following section describes an example of the subscriber identification card issuance process in accordance with fig. 5.
The user registration station 5 receives a registration request from the user 8 who wishes to receive service from an identification access terminal in the region of the user registration station 5 (S11). The user registration station 5 collects information indicative of the user's biometric characteristics, including, if necessary, information used to prequalify the user 8 (S12). Biometric data as used herein is a living body characteristic that uniquely represents a user; the data selected should be of a character that distinguishes the user from others who would forge or imitate the user.
In this embodiment, handwriting is used to identify the user. Although a fingerprint could also be used, it is inconvenient to identify the user's personal identity if the user 8 enters a different fingerprint each time. It is therefore desirable for the user to leave his (or her) signature to ensure its repeatability. In addition to handwriting, the use of multiple kinds of biometric data can improve the reliability of recognition, and therefore an additional microphone 42 is provided to capture speech.
The applicant's qualification information and biometric data collected at the user registration station 5 are transmitted to the authorized registration authority 1 (S13).
The authorized registration authority 1 performs prequalification on the applicant based on the information of the user registration station 5 and permits issuing of the identification card to the applicant who has passed the prequalification (S14). The qualification criteria are determined by the target service that the user desires to identify. In this regard, the end point certification authority 3 that actually accepts the user can verify the qualification of the user.
The authorized registration authority 1 divides the biometric data of the registered user 8 into a plurality of layers of data blocks in a predetermined ratio, decides to assign the data blocks to the user identification card 7 and the authentication authorities 2, 3, respectively, and distributes them to each place (S15).
The biometric data distributed to each place by the authorized registration authority 1 is accessed by the identification access terminal 4 according to the required identification accuracy. If the identification access terminal 4 requires only the lowest level of identification, it is enough to check the verification result of the identification means 41 of the identification access terminal 4. If a medium level of identification is required, the user is identified based on the verification result of the identification means 41 plus the information stored in the end-point certificate authority 3. If the highest level of identification is required, the determination is made by bringing together all the biometric data distributed over the different places.
The inventive user identification system is designed such that further identification by a superordinate control authority on the basis of the biometric data can only take place if the authenticity thereof has been checked and passed at the identification access terminal. The upper management authority performs identification based on information other than the information in the subscriber identity card.
Therefore, it is necessary to assign sufficient information to the user identification card 7 to accurately perform authentication by comparison with biometric data input on site by the user so as to be able to judge that the user is genuine.
In this example, 60% of the information is assigned to the subscriber identity card 7, 30% to the end point certification authority 3 and the remaining 10% to the intermediate authority 2. Reducing the amount of information step by step not only saves storage capacity at the upper management authorities but also shortens the loading time of each identification, thereby improving the information protection of the whole system.
It should be noted that it is desirable that the user identification card 7 holds a high percentage of biometric data in order to avoid excessive information being transmitted to the upper management authority when a higher level of identification is requested.
Conversely, assigning too high a percentage of information on the subscriber identity card may reduce the reliability of the subscriber identity.
Therefore, it is important to allocate the biometric data in an appropriate ratio in each actual case in consideration of the number of accesses by the user, the required level of security of identification, and the like.
The information may be divided either by splitting all the digital data in the predetermined ratio, or by decomposing it along its natural divisions in a single step. For example, the handwriting information may be decomposed into information related to the final shape of the handwriting, information related to the strokes of the writing style, and information related to the sequence of strokes. Any biometric data may be classified by some relevant attribute, e.g., speech may be classified by frequency band, and fingerprints may be classified by finger.
In the case of extracting various types of biometric data (such as handwriting and voice), the biometric data may be assigned by type.
The authorized registration authority 1 stores the information about the identification card and the user in a removable mass storage 11 on the host device, such as a magnetic tape, a CD-ROM, a magneto-optical disk, a DVD, or a removable hard disk (S16), and once the lower authority makes a request, the administrator inserts the storage into the drive to check the registration information.
At the authorized registration authority 1, when the apparatus is not used, the removable recording medium 11 is stored separately from the external communication network in order to prevent falsification or forgery of the record.
The authentication authorities 2, 3 store the assigned partial individual biometrics data in the memories 21, 31, respectively, and read out the data upon request.
The identification card issuance station 6 records a part of the biometrics data of the registered applicant assigned by the authorized registration authority 1 in the user identification card 7 carrying the principal identification code, and issues the card 7 to the user 8 (S17).
A plurality of user registration stations (RG) 5 and identification card issuance stations (IS) 6 may belong to one end point certification authority (CA) 3.
Further, since the user 8 is required to go to the user registration station 5 and input his (or her) biometric data, it is convenient if the identification card issuance station 6 that issues the card to the user 8 is located at the same place as the user registration station 5.
It may also be useful to find a reliable witness to identify the user 8. But it is difficult for any organization to recognize a person disguised as another from the beginning.
In addition, the identification card is not necessarily issued immediately after the registration procedure is completed, and may be mailed to the user later to confirm the fact of the declaration by the user.
Also, the user registration station (RG) 5 and the identification card issuance station (IS) 6 may belong to the authorized registration authority (PRA) 1.
In addition, if the card issuer has a portable terminal having the same functions as the user registration station (RG) 5 and the identification card issuance station (IS) 6, he can handle the registration/issuance procedure anywhere. The use of such a portable terminal should be limited to card issuers to whom a license has been granted by the authorized registration authority. Even in this case, the card issuer is never allowed to use the portable terminal without passing a strict examination and obtaining the card issuance certificate.
An example of the process of authenticating the identity of the user at the identification access terminal 4 using the subscriber identity card 7 is described below with reference to fig. 6.
When the user 8 presents his or her user identification card 7 at the identification access terminal 4 and applies for a transaction, the user identification card 7 is inserted into a card slot (input/output unit) 401 of the identification means 41 of the identification access terminal 4, and identification information is read from the user identification card 7. These identification information include information used to confirm the authenticity of the card and biometric data used to identify the user.
At the identification access terminal 4, the card is first identified (S12). The identification of the card confirms that the subscriber identity card 7 is authentic, i.e. that the card is suitable for use in the subscriber identity system of the identification access terminal 4 and that the person is the legitimate holder of the card. If the subscriber identity card 7 does not fit the identification system, the identification access terminal 4 will not accept any transaction from the beginning.
It should be noted that in order to confirm that the subscriber identity card 7 is not accessible by an unauthorized device, a mechanism may be provided for a program in the subscriber identity card 7 to verify that the identity device 41 is itself entitled to access the identity card, and if the device is not entitled, the identity card refuses to reveal its stored contents.
When the user identification card 7 passes the identification, the user 8 is requested to present the same biometric feature as that stored when the user obtained the user identification card 7, for example, by writing his or her signature on a small tablet (personal identification input unit) 403 (S22).
The biometric data input from the small tablet 403 is collated with the biometric data recorded in the user identification card 7, for example 60% of the user's biometric data, which determines whether the user 8 at the window is the legitimate holder of the user identification card 7 (S23). The user recognition result is then displayed on the display 404 (S24).
The subsequent processing of the identification access terminal 4 changes depending on whether the user has been recognized (S25). If the user identification result is negative, the identification access terminal 4 rejects any transaction (S33). If the user identification result is positive, it is checked whether a higher-level identification has been requested, i.e. whether further online identification is required (S26). If online identification is not required, the identification access terminal 4 may accept the transaction requested by the user 8 (S32).
The presence or absence of the online identification and the level of the identification can be input by the operator or the user 8 using the identification level designation means 402 at each transaction, or can be automatically set according to the nature of the transaction or the amount of the transaction.
If online identification is required, a request of a certain identification level is transmitted to the end-point certification authority 3 together with the information of the user identification card and the individual identification information obtained at the individual identification input unit 403 (S27). The individual identification information to be transmitted may be a part (e.g., 40%) of the individual identification information excluding the part used by the identification access terminal 4, so that the amount of information exchanged between the identification access terminal 4 and the end point certificate authority 3 can be reduced.
The necessity of online identification should be determined by the level of security desired for the nature of the transaction. In particular, commercial transactions for high-value items and valuables, disclosure of personal information, and certain transactions requiring confidential identification should require user identification by a high-level authority.
The hierarchy of online identification may also be specified according to the nature of the identifying access terminal 4. For example, at a hospital reception, a high level of personal identification may often be required to protect personal privacy and to issue accurate medical prescriptions. Particularly in the case of telemedicine diagnosis, it is preferable to request user identification of a high-level authority.
The information transmitted to the end point certificate authority 3 is collated with the identification feature information of the user 8 and the identification information stored in the memory 31 (S28), and the identification result is transmitted to the identification access terminal 4 (S29).
Since the end point certificate authority 3 only has 30% of the identity information records of the user, the specified certificate authority 2 will be requested for further user identification if the user identification of the end point certificate authority 3 is not fulfilled. Since the specified certificate authority 2 has only 10% of the identity information records per user, the specified certificate authority 2 uses 10% of the identity information obtained from the identification access terminal 4, and thus the information to be passed from the end-point certificate authority 3 to the specified certificate authority 2 can be greatly reduced.
The user identification result of the specified authentication authority 2 is sent back to the identification access terminal 4 via the destination authentication authority 3.
The user identification results of all the identification authorities are collected, output and displayed on the display 404. If the overall result satisfies the user identification, the transaction is accepted (S32), and if not, the transaction is rejected (S33).
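The following added example (not code from the patent) models the two procedures described above: dividing one biometric template among the user identification card, the end point certification authority 3 and the intermediate authority 2 in the 60/30/10 ratio of step S15, and the staged identification of fig. 6 in which each higher authority is consulted only after the card check passes and receives only the part not already used by the terminal. The feature values, the tolerance and the 20-feature template are constructed sample data.

```python
"""Split of a biometric template in a 60/30/10 ratio and staged identification.
Added example; all feature values are constructed, not real biometric data."""

RATIO = {"card": 0.60, "endpoint": 0.30, "intermediate": 0.10}
TOLERANCE = 0.05   # assumed per-feature deviation tolerated for a genuine user

# Constructed template: 20 numeric features extracted from a signature
# (stroke lengths, pen-down times, ...), normalised to the range 0..1.
TEMPLATE = [0.12, 0.48, 0.33, 0.91, 0.27, 0.66, 0.05, 0.74, 0.39, 0.58,
            0.81, 0.22, 0.47, 0.15, 0.93, 0.36, 0.69, 0.08, 0.52, 0.77]


def split_template(template, ratio=RATIO):
    """Divide the template into consecutive blocks in the predetermined ratio
    (S15). Each holder receives only its own feature indices and values; the
    last holder takes whatever rounding leaves over so nothing is dropped."""
    n, start, shares = len(template), 0, {}
    holders = list(ratio)
    for i, holder in enumerate(holders):
        count = n - start if i == len(holders) - 1 else round(n * ratio[holder])
        shares[holder] = {k: template[k] for k in range(start, start + count)}
        start += count
    return shares


def block_matches(stored, live, tol=TOLERANCE):
    """True when every stored feature is within tolerance of the live sample."""
    return all(abs(live[k] - v) <= tol for k, v in stored.items())


def part_not_used_by_terminal(shares, live):
    """The 40% of the live sample the terminal did not use, which is all that
    needs to be sent on to the end point certification authority (S27)."""
    return {k: v for k, v in live.items() if k not in shares["card"]}


def identify(shares, live, level):
    """Staged identification.  level 1: card only; 2: card, then end point CA;
    3: card, end point CA, then intermediate CA.  Higher authorities are
    consulted only once the card check has passed, and each sees only the
    block it was assigned.  Returns (accepted, trail)."""
    trail = []
    if not block_matches(shares["card"], live):
        trail.append("card: reject")
        return False, trail
    trail.append("card: accept")
    if level >= 2:
        forwarded = part_not_used_by_terminal(shares, live)
        if not block_matches(shares["endpoint"], forwarded):
            trail.append("end point CA: reject")
            return False, trail
        trail.append("end point CA: accept")
    if level >= 3:
        forwarded = {k: v for k, v in live.items() if k in shares["intermediate"]}
        if not block_matches(shares["intermediate"], forwarded):
            trail.append("intermediate CA: reject")
            return False, trail
        trail.append("intermediate CA: accept")
    return True, trail


def genuine_sample():
    """Constructed live signature of the real holder with small natural variation."""
    return {k: round(v + (0.02 if k % 2 else -0.02), 3) for k, v in enumerate(TEMPLATE)}


def copied_card_sample(shares):
    """Constructed failure case from the text (card data overwritten or copied):
    the card's 60% block matches exactly while the remaining features do not,
    which shows why level 2 and 3 checks are needed for valuable transactions."""
    return {k: shares["card"].get(k, 0.0) for k in range(len(TEMPLATE))}


if __name__ == "__main__":
    shares = split_template(TEMPLATE)
    print({h: len(s) for h, s in shares.items()})          # {'card': 12, 'endpoint': 6, 'intermediate': 2}
    print(identify(shares, genuine_sample(), 3))
    print(identify(shares, copied_card_sample(shares), 1))  # card alone is satisfied
    print(identify(shares, copied_card_sample(shares), 2))  # end point CA rejects
```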
When the user identification is denied, there may be some possibility of fraud, such as counterfeit recording or impersonation of the user. In this case, this information is preferably transmitted to the authorized registration authority 1 to analyze the failure and its cause.
Since the authorized registration authority 1 has a protected record that is hard to infringe or forge from the outside, the record of the authorized registration authority can be compared with the data input from the identification access terminal 4, thereby clearly judging which of the user identification card 7, the end point certification authority 3, or the designated certification authority 2 has an abnormality.
If the contents of the subscriber identity card 7 do not match the information entered by the user 8, it should be considered that the subscriber identity card 7 is at fault, e.g. that the person is not the actual user but someone else who has found or stolen the subscriber identity card 7, or that the subscriber identity card data has been overwritten by illegal access.
A second embodiment of the subscriber identification system according to the invention is described below.
The user identification system used in the second embodiment differs from the first embodiment only in that the user identification card itself has the operational function of checking the user's biometric data against the information recorded in it, instead of a logical operation unit installed in the identification access terminal checking the biometric data input at the individual identification input unit against the biometric data recorded in the user identification card. Here, only the portions different from the first embodiment will be described, with reference to the same drawings as those used for the first embodiment.
In the IC card used here as the user identification card 7, some elements such as the CPU75 and the RAM76 may be mounted so as to obtain some operation function.
In the system of the present embodiment, in identifying the user 8 whose access terminal 4 wants to receive a service, his (or her) own biometric data is input through the user identifying means 41. These biometric data are then appropriately processed, converted into digital form and transmitted to the subscriber identity card 7.
The user identification card 7 temporarily stores the input data information in the RAM 76. Then, the CPU75 reads out the biological information data of the identified user from the EEPROM79, and compares the information data temporarily stored in the RAM76 with the information data read out from the EEPROM 79. If the comparison shows that all the similarity points between the two information data are within an acceptable range, the person who requests the service at the identification access terminal 4 is recognized as the real card holder of the subscriber identification card 7, and the identification access terminal 4 is informed of acceptance. If the person is not identified, the identification access terminal 4 is notified that it should reject.
Receiving the identification result from the subscriber identification card 7, the identification access terminal 4 provides the subscriber 8 with the desired service. If more careful identification is required, the identification access terminal 4 requests the end point certification authority 3 or the designated certification authority 2 to further identify the person based on the identification result of the upper authority. It should be noted that the identification access terminal 4 may be incorporated with the end point certificate authority 3.
Although the proportion of the distribution of the biological information data at the relevant site can be determined arbitrarily, it is advantageous to allocate a higher proportion of the biological information data to the low-level recognition as in the first embodiment. This makes it possible to reduce the communication load of the entire system and thus improve the operability of the system. Therefore, it is preferable to allocate more than 60% of the biometric information data to the user identification card 7.
In the present embodiment, the system allows the smart IC card to be used as the user identification card 7, not only reducing the calculation load of the user identification device 41, but also reducing the equipment cost. Therefore, the establishment of facilities for identifying the access terminal 4 at a lower cost will lower the threshold for the user to join the system, thereby increasing its usage.
Further, since all information processing is performed in the subscriber identity card, a read-out inhibition area can be provided on the identity card to record important information as identification data that inhibits any access by outsiders. This makes it possible to prevent secret information from leaking and improve security.
A third embodiment of the subscriber identification card used in the subscriber identification system of the present invention is an identification IC card using the IC card shown in fig. 7. In this embodiment, the information stored in the IC card is provided only when the IC card has been identified at all required levels. In this case, the identification IC card may store 100% of the identification information, so that the user need not rely on identification by any upper authentication authority.
In the present embodiment, the identification IC card includes a CPU101 for information processing, a ROM102 for storing an information processing program, a RAM103 for storing operation data, a data memory 104 capable of writing/reading information, an applet interface 105, an external connection circuit 106, and an external connection terminal 107.
As shown in fig. 8, the files in the data storage 104 include an identification file 110 storing identification data and an application file 120 storing information to be exchanged with the outside.
The external terminal 107 used for signal transmission and power supply may be a non-contact type electrode or antenna. In other words, terminals equipped with both contact type and non-contact type can be used to support various types of card readers.
The applet interface 105 receives an applet from the outside and operates the CPU in accordance with that program. The interface has a function for confirming that the received applet is harmless to the identification IC card.
For security, the identification IC card may not receive the applet. In this case, the applet interface 105 does not need to be installed in the identification IC card.
Stored in the identification file 110 are personal identification information for identifying the real holder of the identification IC card and data for proving the authenticity of the IC card. Multiple levels of identification data, from the simplest to the highest level, are recorded in the order of steps I, II, III. The identity information preferably includes personal secret information and biometric information that is difficult for others to copy, such as passwords, fingerprints, voice and handwritten signatures.
The application file 120 is divided by a first classification related to the type of information and a second classification related to the level of identification. The first classification includes subclasses a, b, c, ..., where information is normally classified by the type of unit providing the identification service, such as housing management information, medical information, financial information, and communications information. The second classification comprises the subclasses I, II, III, ..., where the information is classified by the required level of identification, for example from the case where a person is allowed access with the easiest identification, to the case where access is only allowed if the person has been authenticated at a high level of identification based on his (or her) fingerprint.
For example, a series of related information is recorded as follows: information transmitted by the house management company is stored in subclass b of the first classification; the password permitting entry to the apartment building is in the subclass I file of the second classification; the password that opens and closes the suite is in the subclass II file of the second classification; and the password that opens the personal residence is in the subclass III file of the second classification.
These files may also record keys, electronic certificates, and the like.
In this case, one card reader is provided at each entrance of the apartment building. When entering the apartment building, the resident must take out his identification IC card and have it read by the card reader. When the IC card is judged to be authentic by the mutual check between the card and the card reader, the resident is allowed to enter the apartment building. Since each room in the building is strictly locked, only a simple identification step is needed to identify the identification IC card before the resident is allowed to enter the building.
Such an identification IC card has a function of confirming the authenticity of the card reader. It is important to prevent an unauthorized card reader from stealing the secret information written in the identification IC card or rewriting the information content.
Fig. 9 is a block diagram illustrating a typical application of the housing management identification IC card.
Each apartment door 130 is provided with a door opening/closing control unit 131 for preventing the door from being opened by hand. The door opening/closing control unit 131 is connected to an identification control unit 132; the door opening/closing control unit 131 opens or closes the door 130 in response to a control signal of the recognition control unit 132. The recognition control unit 132 is connected to an identity input unit 133 and a card reader 134.
The following paragraph describes information processing for identifying an IC card with reference to the flow of fig. 10.
To enter the user's apartment, the card-holding user inserts his (or her) identification IC card 135 into the card reader 134 (S41). The identification control unit 132 sends the card reader ID to the identification IC card 135 and requests the card ID from the identification IC card (S42). The identification IC card 135 verifies the card reader by checking the card reader ID against the information in the identification file, and, if it is confirmed that the card reader is one permitted to handle the card (S43), transmits the card ID recorded in the identification file to the card reader 134 (S44). These processing steps are all executed by the CPU of the card; the card reader 134 cannot access the memory in the identification IC card.
The identification control unit 132 then determines whether the ID of the identification IC card is authentic and acceptable to the system (S45). If the card is judged to be unacceptable, the unit ejects the card and rejects it (S50). If the card is judged to be acceptable, the identification control unit 132 requests the user to input the personal identity, such as a fingerprint, preset for the identification level, reads the information input by the user from the identity information input unit 133 (S46), and extracts the necessary information from all the input information to create the identity information (S47).
Then, the identification control unit 132 determines which of the identification IC card 135 and the door opening/closing control unit 131 is to verify the authenticity of this identification information (S48). If it has been determined in advance that such authenticity is verified by the identification IC card 135, the identification control unit 132 sends the identification information to the identification IC card 135 and requests the door-opening password from the identification IC card 135 (S49).
The identification IC card 135 collates the received identification information with the identification information stored in the identification file (S50). If the two are identical, the identification IC card 135 sends the door-opening password recorded in the preset application file (i.e., the subclass b file at the required identification level) to the identification control unit 132 through the card reader 134 (S51).
In contrast, if the authenticity of the identification information is to be confirmed by the door opening/closing control unit, the identification control unit 132 requests the identification information from the identification IC card 135 (S52), and checks the identification information transmitted by the identification IC card 135 against the user identification information obtained on site (S54). If the result of the collation is acceptable, the identification control unit 132 requests the door opening information from the identification IC card 135 (S55). In response to this request, the identification IC card 135 transmits the door opening information recorded in the preset application file to the identification control unit 132 (S51).
If the door-opening password thus received is valid, the identification control unit 132 transmits a door-opening instruction message to the door opening/closing control unit 131 (S57) to open the door 130 (S58), and the identified holder of the IC card gains access through the door (S59).
The identification information can also be distributed between the identification IC card 135 and the identification control unit 132, so that the storage area of the data memory 104 in the identification IC card 135 can be reduced. In this case, the door-opening password is sent out immediately after the identification information input at the identification input unit has been checked against the identification information assigned to the identification IC card 135 and to the identification control unit 132. Distributing the identification information between the identification IC card 135 and the identification control unit 132 is not only advantageous in saving memory capacity but also more secure, since nobody can be confirmed using only identification information stolen from the identification IC card file.
In the above example, the identification information stored in the identification file is used in three steps, but the number of steps can be chosen arbitrarily. Such identity information may range from the simplest level (e.g., an ID number written by the issuer) to a password chosen by the cardholder, live information such as a fingerprint, iris, or photograph of the cardholder, dynamic information such as a signature entered by the cardholder on the spot, and advanced combinations of the above.
Biometric information is hard to imitate because only the real card holder possesses the characteristics of his or her living body, but the information data itself can still be stolen by copying. In contrast, dynamic information accompanying live activity of the human body is even harder for others to imitate, and thus the reliability of recognition can be improved.
The identification information input unit must have various functional parts for obtaining various identification data information to be used, for example, an image input part for signature, a keyboard for issuing a password, a fingerprint capturing part, a judgment part with a camera for acquiring a pupil image in the case of using an iris image.
In the case of accessing the identification information stored in the IC card or requesting disclosure of medical records of a hospital, it may be necessary to allow the card holder to determine the identification depth by himself/herself. For example, if the cardholder wishes to use different levels of identification between obtaining a residence card or tax payment credentials, the cardholder may record each level of identification for the application files for the different passwords used in requesting the various certificates.
It is also apparent that the level of personal identification required differs between, for example, paying medical fees and receiving remote medical care, and the identification IC card of the present invention can be adapted to such differences.
In addition, the individual identification IC card can be used in various applications, for example as a membership card, a personnel card, an administrative ID card, a long-term monthly pass, a prepaid card, a credit card, a telephone card, a shopping card, or an electronic cash card for settling the cardholder's debit account.
Further, the identification IC card can be used temporarily: for example, when a guest enters a hotel, the door-opening password for the room is recorded in a file of the identification IC card, and it is erased when the guest leaves.
A fourth embodiment of the user identification card for use in the user identification system of the invention is characterized in that a guarantor or witness is added as a further target of identification by the identification IC card, as shown in fig. 1.
The identification IC card in this embodiment includes, like the identification IC card of the third embodiment, a CPU 201 for arithmetic processing, a ROM 202 storing an arithmetic processing program, a RAM 203 storing data for arithmetic processing, a data memory 204 capable of writing/reading data, an interface 205 for applets, an external connection circuit 206, and an external terminal 207.
The files in the data memory 204 include an identification file 210 storing identification data and an application file 220 storing job programs for executing specific jobs and various data.
The identification file 210 stores data for verifying the authenticity of the IC card and identity information of the authentic cardholder. The identification information is not limited to one type; a plurality of types may be stored so that either a single piece of identification information or a combination of several can be used selectively.
The identification file 210 contains a first identification file 211 for proving the authenticity of the identity information of the holder of the identification IC card, and a second identification file 212 storing identity information about a second person (e.g., a guarantor, a witness, or the card issuer) or identification information about a second organization. Two or more such second persons or organizations may be used as the system requires.
The application file 220 includes a first work file 221 storing information for processing the authenticity of the identification IC card and a second work file 222 storing information for carrying out services in accordance with the identification result.
The second work file 222 stores the information required by each service provider, classified according to the identification level that provider requires; this file may also store keys, electronic certificates, etc., and programs such as an unlocking guidance program.
The first work file 221 stores various jobs and information concerning the authenticity of the identification IC card, for example, a job for writing identity information, a job for reading/rewriting identity information, and a job for reading/rewriting a log.
The jobs and information stored in the first work file 221 may be divided, according to the desired level of confidentiality, into a group requiring identification of the cardholder only, a group requiring identification of the second person only, and a group requiring identification of both the cardholder and the second person.
Referring to fig. 12 to 14, the application of the identification IC card of the present embodiment is explained below.
Fig. 12 shows such an identification IC card issuance process.
Upon receiving a request for issuing an identification IC card (S111), the card issuer checks the credit of the applicant who is to be authenticated by the identification card (S112). If the applicant passes this check and is approved to use the identification card, the card issuer asks the applicant to designate a trusted person as a witness (S113).
When the identification IC card is issued, all the persons concerned gather at a special card issuing station (S114). First, it is confirmed that the identification IC card and the card issuer are authentic (S115); then, if issuance of the identification IC card is approved (S116), each person inputs his or her identification information (S117).
A function for verifying the authenticity of the card reader is built into the identification IC card, to prevent the information stored in the card from being stolen or rewritten.
The person who is to be the cardholder enters several pieces of identity information, such as a password, special symbols or marks, a signature, a fingerprint, voice, an iris pattern, or a handprint, to be used selectively according to the level of confidence required by the various transactions to be conducted with the card. The witness may also be required to enter several kinds of identity information, but since the witness is identified only rarely, there is no need to use different identity information for the witness. The witness may also be an organization, such as a school; in that case, the witness may be identified by certification information, such as an electronic signature, instead of biometric information.
Such an identification IC card can be used within a company to confirm various kinds of authority. In this case, the person in charge of card issuance may be authenticated as the card issuer or witness, or the person in charge of the department to which the cardholder belongs may be authenticated.
The cardholder's identity information is stored in the first identity-information file 211, and the identity information or certification information of the witness is stored in the second identity-information file 212. An electronic certificate may be required during identification as proof of authenticity. Such an electronic certificate, to be presented by the identification IC card, is stored in the second work file 222 of the application file 220 together with application data for the various transactions (S118).
A program for displaying or rewriting the identification information recorded in the identification IC card is stored in the first work file 211, and access to the program is permitted only after all identification steps preset for each job have been satisfied.
After the required information has been written into the identification IC card, the issuer's clerk tests the card, for example by confirming that the identification IC card functions properly when the person to be identified inputs his or her own identification information (S119). If the identification IC card passes the test, it is issued to the cardholder (S120). If the test is not passed, the necessary steps, such as the identification information writing step (S118), are repeated so that the identification IC card is corrected and then issued to the cardholder.
If, during prequalification (S112), the card issuer determines that the applicant is not qualified to use the card in the identification system, issuance of the identification card is refused.
Such an identification IC card can be used in an institution where a password signal for each service or transaction (hereinafter referred to as a transaction) is recorded in advance in the identification IC card carried by a person authorized to perform that transaction, so that the transaction is permitted after confirming that the person carrying the identification IC card is the actual cardholder.
In this case, the person in charge of the transaction receives information from the identification IC card confirming that the person carrying it is the actual cardholder and that a password signal proving the identification IC card's eligibility for the transaction has been recorded; on the other hand, the identification IC card confirms that the card reader is genuine and that the person carrying the card is the actual cardholder.
Because the identification IC card stores the characteristics of the cardholder, the identification functions for all qualified transactions can be integrated into one card, including entering a building or a data room, accessing bank accounts or using credit cards, family records or résumés, and debiting accounts in the case of electronic cash cards.
Such an identification IC card can be used to manage entrance into a house in the same way as the third embodiment, in which case it provides highly reliable identification against others who impersonate the cardholder.
Because such an identification IC card uses different kinds of identification information depending on the situation, even the authorized cardholder may forget which identification information is to be used on site. To avoid the inconvenience of not being able to use the card, the identity information recorded in the card can be displayed.
In addition, the cardholder can periodically change his (or her) identity information to prevent leakage or theft, which further improves security. It is therefore preferable that the identity information can be changed as the cardholder wishes.
It is not impossible for an expert who is familiar with the operation of the identification IC card and the apparatus to maliciously extract the information stored in the card and to forge or counterfeit the identification IC card.
To prevent this, the identification IC card of this example requires identification of the witness for predetermined jobs. If identification of the witness is required when accessing the identification information of the identification IC card, even a person who is familiar with the internal information cannot steal or rewrite the identification information.
Fig. 13 is a flowchart illustrating the process required when an authorized person confirms his (or her) own identity information.
When the identification information of the identified person is to be read from the identification IC card (S131), the persons concerned, namely the person to be identified, the witness at card issuance, and the person in charge of the card issuing station or organization, are summoned (S132); after the authenticity of the card is confirmed (S133), they input their respective identification information (S134).
If the identity and identification information of each person or organization coincide with the data stored in the identification IC card, the fact that the card is being accessed is recorded in the memory of the identification IC card (S136), and the recorded identity information is then displayed on the display of the card reader (S137). If the necessary information (e.g., identity information) does not all coincide, the current access is judged unqualified and display of the identity information is refused (S138).
In this case, the person identified by the card inputs a type of identification information he (or she) remembers, and if it matches the corresponding information stored in the identification IC card, the current access is considered genuine. In another possible arrangement, identification information is revealed only when the identification information used for authentication has a higher recognition level than the information to be displayed. For example, when the person to be identified has forgotten his password, the forgotten password can be revealed by means of his fingerprint, but the signature is not displayed even if his password matches the password recorded in the IC card.
Identity information that does not require a high level of security may be revealed when the cardholder is authenticated using identity information based on his (or her) biometric characteristics, without summoning witnesses and the like. Moreover, in special cases, the person in charge of card issuance may be authorized to read out certain information at his (or her) discretion.
Fig. 14 is a flowchart showing a process when the identification information is refreshed or rewritten.
When the identified person requests the issuer to refresh or rewrite his (or her) identity information (S141), the witness and the person in charge of card issuance are gathered together with the identified person (S142) to confirm the authentication of all parties concerned. This is because, if updating of the identification information were accepted with the consent of the identified person alone, the identification information could be updated by an unauthorized person. After all parties have been confirmed, the identification IC card and the issuing apparatus mutually confirm their authenticity (S143), and all the persons gathered input their respective identity information or certification information (S144). If the input information matches the information stored in the identification IC card (S145), updating of the identification information is permitted.
When all persons pass their respective authentication, the identification information previously recorded in the identification IC card is transferred to an external memory (S146), and a log of the update or rewrite is recorded in the identification IC card (S147). Then the old identification information data, which is no longer needed, is erased (S149), and the new identification information is stored in the identification IC card (S150).
Thereafter, the clerk at the issuing station tests the functions of the identification IC card (S151). If the identification IC card passes the test, the card is issued to the cardholder (S152). If it does not, the identity information is refreshed again, and the IC card is issued to the cardholder only once it passes the test.
If any one of the parties concerned fails to be identified, the refresh of the identity information is rejected, since the access may be an unauthorized one (S153).
A request to read or overwrite the identity information may be caused by an abnormal event, such as illegal use of the card. It is therefore preferable to record a log of each such access in the identification IC card itself.
The identification IC card of this embodiment can require the consent of a witness or the like for reading and refreshing the identification information. Consequently, not only can the identification IC card not be used or forged by someone who has picked up or stolen it, but even persons familiar with the card issuing apparatus, the card reader and the rewriting apparatus cannot use the identification IC card without the consent of the witness. Such an identification IC card therefore provides a high level of security.
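The following is an added illustration, not code from the patent, of the fourth-embodiment card just described: identity files for the cardholder and the witness, job groups that need one or both parties, the mutual authenticity check of S143, the rewrite procedure of Fig. 14 and the rule of Fig. 13 for revealing a forgotten factor. The recognition levels, the key names and the exact-match comparison are assumptions made for illustration.

```python
"""Toy model of the fourth-embodiment identification IC card (added example, not
the patent's own code). Levels, key names and exact matching are assumptions;
a real card would match biometric templates within a tolerance."""
import hmac
import secrets
from dataclasses import dataclass, field

# Recognition levels assumed from the description: password < biometric < dynamic.
LEVEL = {"password": 1, "fingerprint": 2, "signature": 3}

# Job groups of the first work file: the parties that must be identified per job.
JOB_PARTIES = {
    "read_log": {"holder"},
    "read_identity": {"holder"},
    "rewrite_identity": {"holder", "witness"},
}


def factors_match(stored: dict, presented: dict) -> bool:
    """All presented factors must exist on the card and match (constant time)."""
    if not presented:
        return False
    return all(t in stored and hmac.compare_digest(stored[t].encode(), v.encode())
               for t, v in presented.items())


@dataclass
class IdentificationICCard:
    issuer_key: bytes                             # shared with the genuine issuing apparatus
    holder: dict = field(default_factory=dict)    # first identification file 211
    witness: dict = field(default_factory=dict)   # second identification file 212
    log: list = field(default_factory=list)       # access log kept on the card
    _nonce: bytes = b""

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def reader_is_authentic(self, response: bytes) -> bool:
        """Card-side half of the mutual authenticity check (S143): the apparatus
        must answer the challenge with an HMAC under the issuer key."""
        expected = hmac.new(self.issuer_key, self._nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

    def authorized(self, job: str, presented: dict) -> bool:
        """presented maps party -> {factor type: value}; every party in the
        job's group must be identified, so a holder alone cannot rewrite."""
        stores = {"holder": self.holder, "witness": self.witness}
        return all(factors_match(stores[p], presented.get(p, {}))
                   for p in JOB_PARTIES[job])


def reader_response(issuer_key: bytes, nonce: bytes) -> bytes:
    """Apparatus-side half of the mutual check."""
    return hmac.new(issuer_key, nonce, "sha256").digest()


def rewrite_identity(card, apparatus_key, presented, new_holder, external_memory):
    """S143-S153: mutual check, identify all gathered parties, move the old data
    to external memory, log, erase, then store the new data. Rejections are
    logged too, since a failed rewrite may indicate illegal use of the card."""
    if not card.reader_is_authentic(reader_response(apparatus_key, card.challenge())):
        card.log.append(("rewrite", "rejected", "apparatus not authentic"))
        return False
    if not card.authorized("rewrite_identity", presented):
        card.log.append(("rewrite", "rejected", "party identification failed"))
        return False
    external_memory.append(dict(card.holder))                     # S146
    card.log.append(("rewrite", "accepted", sorted(new_holder)))  # S147
    card.holder.clear()                                           # S149
    card.holder.update(new_holder)                                # S150
    return True


def reveal_identity(card, requested, presented_holder, presented_witness=None):
    """Return a recorded factor only when the holder authenticates with a factor
    of strictly higher level (a forgotten password via fingerprint, never the
    signature via password); factors above password level also need the witness.
    Returns None when display is refused (S138)."""
    matched = {t for t, v in presented_holder.items()
               if factors_match(card.holder, {t: v})}
    if not matched or max(LEVEL[t] for t in matched) <= LEVEL[requested]:
        card.log.append(("reveal", "rejected", requested))
        return None
    if LEVEL[requested] > 1 and not factors_match(card.witness, presented_witness or {}):
        card.log.append(("reveal", "rejected", requested))
        return None
    card.log.append(("reveal", "accepted", requested))            # S136
    return card.holder.get(requested)                             # S137
```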
The user identification system and the identification IC card according to the invention are suitable for use in a lock control system.
A first exemplary embodiment of a lock control system according to the invention uses the identification system to control a safe. In this embodiment, the user is authenticated with the identification data recorded in the identification IC card, so that a high level of security can be provided.
Referring to fig. 15, a key card issuing station 301 issues a dedicated IC card, as a key card 302, to a user who applies to use a safe. The safe 303 reads the key card 302 and the identification information of the user, and opens the safe designated by the key card 302 when the key card 302 passes identification.
The key card issuing station 301 is provided with a host computer 311, a data input/output device 312 including a display and a keyboard, an identity data input device 313, and a read/write device 314 for issuing the key IC card.
When a user applies for a safe, the key card issuing station 301 has the user enter his or her identity data at the identity data input device 313. This identity data is used to identify the user.
The host 311 has key card issuance software, key control software, and identification data recording software in its software system. The key control software keeps track of the current usage status of the safes, assigns a safe to the key card, manages the security level of the lock and specifies the type of identification data, manages the issuance and return of cards, and securely erases the recorded contents of a returned key card.
The data input/output device 312 includes a display, a keyboard, a printer, and the other items typically required of a computer.
The identity data input device 313 is a device for inputting information by which a user can be identified, and may include a fingerprint reader that extracts and classifies the fingerprint pattern of a finger pressed on it, a voice recognition device consisting of a microphone and a voice analyzer, and a writing tablet for entering a signature or a symbol code. In the simplest case, only a keyboard for entering a password string is provided.
The key card issuing reader/writer 314 consists of an IC card reader/writer and an operating system for it.
The key card issuing station 301 designates a safe for rental, stores an authorized ID permitting use of that safe together with the individual user identification data obtained from the identity data input device 313 in a storage area of the identification IC card that operates under CPU control, and issues the identification IC card to the user as the key card 302.
This key card 302 is an IC card having a CPU and a built-in memory.
The safe 303 is provided with an unlock processing device 331 having an IC card reader/writer and an identification data input unit, and with a plurality of lockable safes 332. The unlock processing device 331 has a safe control interface and identification data verification software. Each safe has an electronic controller, which is operated locally to close and open the lock.
An anomaly sensor for detecting anomalies and an alarm for reporting them are provided to ensure the safety of the unattended system.
A user of the safe system 303 stores items in the safe 332 assigned to the user. Once the safe is locked, it can be opened by the unlock processing device 331 only if the identification data entered by the user on site is determined by the verification software to match, within an acceptable range, the identification data read from the user's key card 302.
Under this control system, the safe cannot be opened, even with an authentic key card 302, if the card carrier is not identified. The safe therefore provides a high level of security without the control system having to obtain the approval of any witness (e.g., a principal). It is thus possible to operate such safes with unmanned control systems and the like.
Such a system may also use various types of identification information to set the security level of the safe selectively. When the security level is selectable, the user may choose the identification information to be used in view of the value of the stored items and the desired ease of use. If a high level of security is required, the user can be identified by his (or her) signature; if a quick and easy method is preferred, only a character code is used for identification.
In addition, the system can combine two or more types of information to be checked simultaneously, which makes the safe more secure.
Further, a safe can be specified when the key card 302 is issued, with the ID code of the specified safe being written to the IC card at the same time. In this case, even if an unused IC card is stolen, the risk of illegal use is small.
The same lock control system can also be used for other storage facilities accessed by multiple persons, such as an integrated safe or lock, or a key cabinet in a building management system.
A second exemplary embodiment of a lock control system according to the invention uses the identification system to control a warehouse. In this example, a person is authenticated by checking his or her IC card and handwritten signature, so that only authorized persons can enter the warehouse and only items allowed to be taken can be removed. Important articles, medicines, potent medicines, drugs and the like can be stored safely in the warehouse.
The system has various functions for enhancing the security and reliability of storage, for example, coping with external attacks by reporting when an unauthorized person enters the warehouse and by switching the lock to the safe side via a sensor circuit.
Figure 16 is a block diagram of a lock control system for a warehouse.
A warehouse 305 is divided into a plurality of storage rooms 351, 352 and 353.
The storage rooms and small storage rooms differ from each other in security level, and a room may be selected according to the security level of the item to be stored.
As a specific example, a company has a storage room 305 in which a first storage room 351 stores confidential documents, and only some members of the company can enter this room and take out documents. Among these confidential documents, the most sensitive are kept in a first small storage room 354 within the first storage room 351, and only a few persons further selected from those allowed into the first storage room 351 can enter the first small storage room 354. The second small storage room 355 is, for example, a repository for personnel files, so only the person responsible for personnel files is allowed to access it. The third small storage room 356 stores accounting documents and is therefore accessible only by a person in charge of the financial department.
The second storage room 352 stores development project materials whose leakage must be prevented; thus only persons in the relevant department are allowed to enter. The third storage room 353, on the other hand, stores documents of relatively low importance, so anyone can enter, but entry and exit of staff must be registered.
The same system can be used for a single storage unit, such as a safe 357.
The storage room control system of this embodiment checks qualification for entry into each storage room or small storage room and, as in the first embodiment, issues an IC card as the key card 302 only to qualified employees. An employee thus qualified by personal identification with the key card 302 can open a room for admission.
In other words, the key card stores, in a memory area operable under the control of the CPU, information that is assigned to a lock and permits access, together with personal identification data obtained and processed by the identity input device.
The storage room 305 is also provided with a lock control device 304 including an IC card reader/writer 342 for reading the key card 302, a tablet 343 as an identification data input device, a control unit 341 capable of exchanging information with them, and an interface 344 for controlling each storage room lock.
The doors of the storage rooms 351, 352, 353, the small storage rooms 354, 355, 356 and the safe 357 are provided with electronic locks operated under the local control of the lock control device 304. Each door is also equipped with an anomaly sensor 358 that detects entry into the room and sends a signal to the lock control device 304.
An indicator light may be mounted on the door to notify the entrant that the door is allowed to open.
To enter the storage room 305, the user inserts the key card 302 into the key card reader/writer 342 and inputs, via the tablet 343, the password set at the time of user registration. The control unit 341 confirms, from the recorded contents transmitted through the card's CPU, that the key card 302 is a genuine IC card and to which lock it corresponds.
The identity information (e.g., the signature) entered on the tablet is then checked against the personal identification data presented by the key card 302 to determine whether the two are the same. If the identification data verification software validates both records, it determines that the user is the person entitled to use the lock specified by the key card 302, and the specified lock is opened.
If the user attempts to enter an area outside the permitted range, the sensor issues an alarm. In the case of unauthorized access, the area may be automatically locked so that the unauthorized entrant is confined inside the storage room.
In addition, to prevent an innocent person from entering an unauthorized area by mistake, an indicator light may be installed on the lock, in the storage room, or on the cabinet frame, so that when a lock is opened according to the permission of the key card 302, the corresponding indicator light is illuminated.
The identification hierarchy may be preset according to the security level of each room. A room may allow entry simply on presentation of the key card 302, or may require that the input signature code, reflecting shape, stroke order and stroke weight, match the recorded code. A room may also require a high level of authentication, such as a combination of a password and a signature.
To accommodate these different security levels, several kinds of identification data may be stored in one key card 302, so that the identification data corresponding to each lock to be entered can be read out and checked.
Alternatively, different types of identification data input means may be provided in the storage room 305, so that one can be selected according to the desired level of identification. Generally, locks of a high security level are not expected to be unlocked in a way that is quick and convenient for the user, since the identification information corresponding to a high security level is more time-consuming and laborious to enter.
In addition, selecting precise identification information from a variety of information data makes it easy to exclude unauthorized entry. Security is further increased if the user can select a combination of identity data, which makes it more difficult for others to impersonate the user.
Furthermore, since the control system reliably tracks the locking status for each person, it can automatically record which person entered, when, and which storage room (or rack) was entered.
In the event of a brownout or blackout, the system is locked in a safe state to ensure the confidentiality of the information. It is desirable to provide a mechanism for alerting the control room when an abnormal condition, such as a breach of the storage room, occurs.
It is also desirable to provide a level of supervisor identification that allows the supervisor to unlock the lock in an emergency.
Although this embodiment describes document management, the same mechanism applies to drug storage rooms and to drug cabinets or drug bins controlled so as to store drugs according to their risk indices.
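As an added illustration of the storage-room lock control just described (not code from the patent), the following models a sealed key card that names the locks it may open, a per-lock identification level, the card/lock correspondence check of control unit 341, door sensors 358 that raise an alarm and switch the system to the locked side, and the record of who opened which lock and when. The lock policy, the issuer seal, the room names and the log format are assumptions.

```python
"""Toy lock control device for the storage-room embodiment (added example, not the
patent's code). Lock policy, issuer seal and event format are assumptions."""
import hmac
from dataclasses import dataclass, field

# Identification required per lock, assumed from the description: the low-importance
# room needs only the card, the project room a password, the confidential room a
# signature, and the small room for the most sensitive documents both.
LOCK_POLICY = {
    "storage_353": set(),
    "storage_352": {"password"},
    "storage_351": {"signature"},
    "small_room_354": {"password", "signature"},
}
ISSUER_KEY = b"constructed-issuer-key"   # shared by issuing station and lock controller


@dataclass
class KeyCard:
    holder_id: str
    locks: frozenset          # locks assigned to this card at issuance
    identity: dict            # factor type -> recorded value, kept inside the card
    seal: bytes = b""         # issuer MAC over the assignment, so an altered card fails


def seal_for(card: KeyCard, key: bytes = ISSUER_KEY) -> bytes:
    msg = "|".join([card.holder_id, *sorted(card.locks)]).encode()
    return hmac.new(key, msg, "sha256").digest()


def issue_key_card(holder_id: str, locks, identity: dict) -> KeyCard:
    """Key card issuing station: record the assigned locks and identity data."""
    card = KeyCard(holder_id, frozenset(locks), dict(identity))
    card.seal = seal_for(card)
    return card


@dataclass
class LockControlDevice:
    issuer_key: bytes = ISSUER_KEY
    events: list = field(default_factory=list)   # (event, holder, lock, time)
    opened: dict = field(default_factory=dict)   # lock -> holder who opened it
    lockdown: bool = False

    def _deny(self, holder: str, lock_id: str, at: str, reason: str) -> bool:
        self.events.append(("deny:" + reason, holder, lock_id, at))
        return False

    def request_open(self, card: KeyCard, lock_id: str, entered: dict, at: str) -> bool:
        """Control unit 341: is the card genuine, does it correspond to this lock,
        and does the identity data entered on site match at the lock's level?"""
        if self.lockdown:
            return self._deny(card.holder_id, lock_id, at, "system locked")
        if not hmac.compare_digest(card.seal, seal_for(card, self.issuer_key)):
            return self._deny(card.holder_id, lock_id, at, "card not authentic")
        if lock_id not in card.locks:
            return self._deny(card.holder_id, lock_id, at, "lock not assigned")
        for factor in LOCK_POLICY[lock_id]:
            recorded, given = card.identity.get(factor), entered.get(factor)
            if recorded is None or given is None or \
                    not hmac.compare_digest(recorded.encode(), given.encode()):
                return self._deny(card.holder_id, lock_id, at, "identification failed")
        self.opened[lock_id] = card.holder_id
        self.events.append(("open", card.holder_id, lock_id, at))
        return True

    def sensor_entry(self, lock_id: str, at: str) -> str:
        """Door sensor 358: entry through a lock that was just opened is recorded
        against the person who opened it; any other entry is an intrusion, so the
        alarm is raised and the whole system switches to the locked side."""
        holder = self.opened.pop(lock_id, None)
        if holder is not None:
            self.events.append(("entry", holder, lock_id, at))
            return "ok"
        self.lockdown = True
        self.events.append(("alarm", None, lock_id, at))
        return "alarm"

    def access_record(self, holder_id: str) -> list:
        """Which locks this person opened or entered, and when."""
        return [(ev, lock, at) for ev, holder, lock, at in self.events
                if holder == holder_id and ev in ("open", "entry")]
```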
Industrial Applicability
As described above, in the user identification system according to the present invention, the identity information input directly by the user at the identification access terminal is verified against the biometric data stored in the identification card. Then, when a higher level of identification is required, part of the identity information is sent to a higher-level certification authority to identify the individual. Thus, most of the information processing steps are performed at the identification access terminal without heavy load on the communication line, so that user identification can be obtained at the desired security level. In addition, the identity information can be dispersed, so that a user identification system that is robust against external attacks can be established.
The IC card of the invention accesses information via a CPU, so that the right to access a document can be set arbitrarily and unauthorized access is prevented using the identity information. Thus, not only can the cardholder protect his (or her) privacy, but the service provider can provide secure transactions. Further, when using a plurality of services, the user can reduce the number of cards to carry.
In addition, the identification IC card according to the present invention requires a second person for certification at the time of issuance, so that the risk of illegal copying is small and security is improved.
The lock control system according to the invention provides a high level of security by reliably identifying authorized persons. This makes it possible to establish a storage room management system or safe control system that is safer than conventional ones.
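The dispersed identity information summarised above, and claimed in claim 1 below, as an added illustration that is not the patent's own code: the registration station captures a biometric feature vector, records part of it on the user identification card and the remainder at an authentication authority; the identification access terminal checks the card part against live data locally and, only for a high-level transaction, sends the live data over a sealed channel (claim 3) to the authority, which checks the remainder. The feature vectors, the split, the tolerance and the toy sealing scheme are assumptions.

```python
"""Toy realisation of claim 1 (added example, not the patent's code): part of the
biometric data lives on the card, the rest at the authority, and the terminal
escalates only when a high level of identification is required. Feature vectors,
split, tolerance and the sealing scheme are assumptions; use a real AEAD in practice."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CARD_PART, AUTH_PART = slice(0, 8), slice(8, 16)   # how a 16-feature vector is split
TOLERANCE = 1   # max differing features per part still accepted as a match


def within_range(recorded: list, live: list) -> bool:
    """Biometric comparison: equal length and at most TOLERANCE differing features."""
    return len(recorded) == len(live) and \
        sum(a != b for a, b in zip(recorded, live)) <= TOLERANCE


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, user_id: str, live: list) -> bytes:
    """Toy stand-in for the encrypted channel: XOR keystream plus an HMAC tag."""
    plain = f"{user_id}:{','.join(map(str, live))}".encode()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def open_sealed(key: bytes, msg: bytes):
    """Verify the tag first; a tampered or forged query yields None."""
    nonce, body, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))).decode()
    user_id, live = plain.split(":", 1)
    return user_id, [int(x) for x in live.split(",")]


@dataclass
class UserIdentificationCard:
    user_id: str
    card_part: list        # the part of the biometric data recorded on the card


class AuthenticationAuthority:
    def __init__(self, channel_key: bytes):
        self.records = {}  # user_id -> remaining part, never written to a card
        self.key = channel_key

    def record_remainder(self, user_id: str, remainder: list):
        self.records[user_id] = list(remainder)

    def answer_inquiry(self, sealed: bytes) -> bool:
        opened = open_sealed(self.key, sealed)
        if opened is None:
            return False
        user_id, live = opened
        recorded = self.records.get(user_id)
        return recorded is not None and within_range(recorded, live[AUTH_PART])


def register_and_issue(authority, user_id, features) -> UserIdentificationCard:
    """Registration station plus card issuing station: split the captured data."""
    authority.record_remainder(user_id, features[AUTH_PART])
    return UserIdentificationCard(user_id, list(features[CARD_PART]))


class IdentificationAccessTerminal:
    def __init__(self, authority: AuthenticationAuthority, channel_key: bytes):
        self.authority, self.key = authority, channel_key

    def identify(self, card, live: list, high_level: bool) -> bool:
        """Local check first; the authority is consulted only for a high level,
        so a stolen card alone never yields the full record."""
        if not within_range(card.card_part, live[CARD_PART]):
            return False
        if not high_level:
            return True
        return self.authority.answer_inquiry(seal(self.key, card.user_id, live))
```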

Claims (7)

1. A user identification system comprising: a registration station equipped with information acquisition means for obtaining biometric data of a user to authenticate the user's characteristics; an identification card issuing station for issuing to the user a user identification card in which a part of the biometric data is recorded; an identification access terminal equipped with user identification means including an input/output unit for reading out the user identification card information and a personal identification input unit for inputting the user's biometric data; and at least one authentication authority connected to the identification access terminal via an information communication channel and holding a record of the remaining portion of the biometric data obtained at the registration station and not recorded in the user identification card; wherein, at the identification access terminal, the recorded contents of the user identification card read out by the input/output unit are compared with the user's biometric data obtained on site by the personal identification input unit to identify the user; and, if a high level of identification is required, the authentication authority compares the biometric data of the user obtained at the identification access terminal with the portion of the biometric data not in the user identification card, in answer to an inquiry from the identification access terminal, and sends the comparison result to the identification access terminal for further identification.
2. The user identification system according to claim 1, wherein the user identification card has a calculation function, and the calculation function performs the calculation for personal identification at the identification access terminal.
3. The user identification system according to claim 2, wherein the information exchanged through the information communication channel is encrypted.
4. A user identification system according to any of claims 1 to 3, wherein two or more authentication authorities separately record parts of the biometric data obtained at the registration station that are not recorded in the user identification card, an authentication authority comparing the biometric data of the user entered at the identification access terminal with the part of the biometric data stored at that authentication authority, in response to a query by the identification access terminal or another authentication authority, for further identification.
5. A user identification system as claimed in any of claims 1 to 3, wherein the authentication authority is provided with storage means for recording biometric data obtained at the registration station.
6. A user identification system as claimed in any of claims 1 to 3, wherein a plurality of types of biometric data are recorded to enable different transactions to be made in response to various input data.
7. A user identification device, comprising: an input/output unit for reading out information recorded in the identification IC card, a personal identification input unit for inputting biometric data of a user, a judgment unit for collating the biometric data of the identification IC card read out by the input/output unit with the biometric data input on site through the personal identification input unit and judging whether the user is acceptable, a communication unit for transmitting at least a part of the biometric data of the user input through the personal identification input unit to an external authentication authority and receiving the result of the authentication by the authentication authority, and a display unit for displaying the judgment result.
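The following is an added simulation of the split-template arrangement in claims 1, 2, 4 and 7; it is example code written for this page, not the patent's or any implementation's own code. A registration station captures a biometric feature vector, records one slice on the user identification card and distributes the remaining slices among one or more authentication authorities, so that no single holder stores the complete template. The terminal checks against the card alone for ordinary use and escalates to every authority only when a high level of identification is required. The 32-bit feature vectors, the mismatch tolerance, the slicing rule and all class and function names are assumptions made for the example; real biometric matching uses far richer templates and matcher-specific distance functions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

TEMPLATE_BITS = 32      # assumed size of the biometric feature vector
MAX_MISMATCH_BITS = 3   # assumed per-slice tolerance for a genuine sample


def hamming(a: str, b: str) -> int:
    """Count differing positions between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("bit strings differ in length")
    return sum(x != y for x, y in zip(a, b))


def split_template(template: str, holders: int) -> list[tuple[int, int]]:
    """Cut [0, len) into `holders` contiguous, non-overlapping index ranges.
    Range 0 goes on the card; the rest go to the authentication authorities."""
    step = -(-len(template) // holders)  # ceiling division
    return [(i, min(i + step, len(template))) for i in range(0, len(template), step)]


@dataclass
class IdentificationCard:
    """Card with its own calculation function (claim 2): it compares the
    on-site sample against the slice it holds and returns only a verdict,
    so the stored slice never has to leave the card."""
    user_id: str
    index_range: tuple[int, int]
    slice_bits: str

    def verify(self, sample: str) -> bool:
        lo, hi = self.index_range
        return hamming(self.slice_bits, sample[lo:hi]) <= MAX_MISMATCH_BITS


@dataclass
class AuthenticationAuthority:
    """Holds, per user, a slice of the template that is NOT on the card."""
    name: str
    records: dict[str, tuple[tuple[int, int], str]] = field(default_factory=dict)

    def enroll(self, user_id: str, index_range: tuple[int, int], slice_bits: str) -> None:
        self.records[user_id] = (index_range, slice_bits)

    def answer_inquiry(self, user_id: str, sample: str) -> bool:
        """Compare the terminal's on-site sample with the stored slice.
        An unknown user is a plain rejection, never an error path."""
        rec = self.records.get(user_id)
        if rec is None:
            return False
        (lo, hi), stored = rec
        return hamming(stored, sample[lo:hi]) <= MAX_MISMATCH_BITS


class RegistrationStation:
    """Captures the template, issues the card, distributes the remainder."""
    def __init__(self, authorities: list[AuthenticationAuthority]):
        self.authorities = list(authorities)

    def enroll(self, user_id: str, template: str) -> IdentificationCard:
        card_range, *authority_ranges = split_template(template, 1 + len(self.authorities))
        for authority, (lo, hi) in zip(self.authorities, authority_ranges):
            authority.enroll(user_id, (lo, hi), template[lo:hi])
        lo, hi = card_range
        return IdentificationCard(user_id, (lo, hi), template[lo:hi])


def identify(card: IdentificationCard, sample: str,
             authorities: list[AuthenticationAuthority], high_level: bool) -> str:
    """Identification access terminal logic from claims 1 and 7: local card
    check first, then escalation to every authority if high_level is set."""
    if len(sample) != TEMPLATE_BITS or not card.verify(sample):
        return "rejected"
    if not high_level:
        return "accepted(card)"
    if all(a.answer_inquiry(card.user_id, sample) for a in authorities):
        return "accepted(card+authority)"
    return "rejected"


def flip_bits(bits: str, positions: list[int]) -> str:
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def invert(bits: str) -> str:
    return "".join("1" if b == "0" else "0" for b in bits)


# Constructed enrolment template and test samples (not real biometric data).
ENROLLED = "10110001110100110110101100110101"


def demo() -> dict[str, str]:
    authorities = [AuthenticationAuthority("CA-1"), AuthenticationAuthority("CA-2")]
    card = RegistrationStation(authorities).enroll("user-0001", ENROLLED)
    genuine = flip_bits(ENROLLED, [3, 20])  # two bits of sensor noise
    # Sample that matches only the card's slice; the remainder is wrong.
    card_only = ENROLLED[:card.index_range[1]] + invert(ENROLLED[card.index_range[1]:])
    return {
        "genuine_low": identify(card, genuine, authorities, False),
        "genuine_high": identify(card, genuine, authorities, True),
        "card_only_low": identify(card, card_only, authorities, False),
        "card_only_high": identify(card, card_only, authorities, True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The `card_only` sample is the case the escalation in claim 1 exists for: a sample that agrees with the card's slice passes the local check but fails as soon as any authority is asked about the slice it holds, and with two authorities (claim 4) no single database plus the card ever reconstructs the full template.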
Application HK01102627.6A, priority date 1998-05-21, filing date 1999-05-19: System and apparatus for user authentication, HK1031936B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP10139563A JP3112076B2 (en) 1998-05-21 1998-05-21 User authentication system
JP139563/1998 1998-05-21
PCT/JP1999/002599 WO1999060485A1 (en) 1998-05-21 1999-05-19 Authentication card system

Publications (2)

Publication Number Publication Date
HK1031936A1 HK1031936A1 (en) 2001-06-29
HK1031936B true HK1031936B (en) 2008-01-25

Similar Documents

Publication Publication Date Title
US6990588B1 (en) Authentication card system
US7278026B2 (en) Method and system for the generation, management, and use of a unique personal identification token for in person and electronic identification and authentication
US6219439B1 (en) Biometric authentication system
US4993068A (en) Unforgeable personal identification system
US6581042B2 (en) Tokenless biometric electronic check transactions
US7509499B2 (en) Secure token access distributed database system
US20040158723A1 (en) Methods for providing high-integrity enrollments into biometric authentication databases
AU2009200408A1 (en) Password generator
MXPA01007717A (en) Tokenless biometric electronic debit and credit transactions.
US20060059365A1 (en) Facility security with optical cards
JP4333842B2 (en) Entrance / exit management system, ID card, control unit, system management device.
JP3835132B2 (en) Security system
US20140244510A1 (en) Privacy protection system and method
JP2000132658A (en) Authentication ic card
JP4008626B2 (en) Integrated management system for entry / exit and equipment use
WO1999060485A1 (en) Authentication card system
JP3090265B2 (en) Authentication IC card
JP2002041813A (en) Personal authentication system
HK1031936B (en) System and apparatus for user authentication
Oye et al. Fraud Detection and Control System in Bank Using Finger Print Simulation
KR100542595B1 (en) Credit card and cash card security system
Alliance Using smart cards for secure physical access
JP2006099313A (en) Transaction system
Alliance Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification System
GB2397419A (en) An identification method