Biometric authentication system and method with vulnerability verification
1 Assignment
0 Petitions
Abstract
A biometric authentication device is exposed to impersonation attacks, for example by presenting a forged biometric. The present invention helps a service provider assess the level of that threat appropriately.
A vulnerability verification server 150 is provided in the system, and the vulnerability of each biometric product is centrally managed. A service provider 130 sends the information that specifies the device with which a client terminal 110 executes the biometric authentication to the vulnerability verification server 150, and receives the vulnerability information. The service provider 130 decides, using the received vulnerability information, whether or not the service can be provided to the client terminal 110.
6 Citations
13 Claims
1. A biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, comprising:
a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;
a service provider that provides a service; and
a vulnerability verification server, wherein:
the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
the vulnerability verification server is equipped with:
a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
a vulnerability verification unit that, when receiving the process profile from the service provider, acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider;
the service provider is equipped with:
a second storage device that stores an authentication policy indicating, for each of a plurality of vulnerability levels determined according to the strictness of security control of the client terminal, the criteria that the vulnerability information must satisfy for the service to be provided;
a vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server and receives the vulnerability information sent from the vulnerability verification server;
a policy verification unit that judges, based on the condition of use included in the process profile, the vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;
a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
a service providing unit that provides the service to the client terminal from which the request for the service was made, in the case that the service providing judgment unit judges that it is possible.
Dependent claims: 2, 3, 4, 5, 6
7. A biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network and that is equipped with:
a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;
a service provider that provides a service; and
a vulnerability verification server, wherein:
the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
the vulnerability verification server is equipped with:
a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
a change notifying unit that sends the updated information to the service provider when information stored in the first storage device is updated;
the service provider is equipped with:
a second storage device that stores an authentication policy indicating, for each of a plurality of vulnerability levels determined according to the strictness of security control of the client terminal, the criteria that the vulnerability information must satisfy for the service to be provided;
a third storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use;
a vulnerability information management unit that causes the third storage device to store the updated information when receiving the updated information from the vulnerability verification server;
a vulnerability verification unit that, when receiving the process profile, acquires the vulnerability information from the third storage device based on the specifying information and the condition of use included in the process profile;
a policy verification unit that judges, based on the condition of use included in the process profile, the vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the acquired vulnerability information satisfies the criteria at the judged vulnerability level;
a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
a service providing unit that provides the service to the client terminal from which the request for the service was made, in a case that the service providing judgment unit judges that it is possible.
Dependent claims: 8, 9, 10
11. A service providing propriety judging method implemented via a biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, wherein:
the biometric authentication system is equipped with a client terminal, a vulnerability verification server, and a service provider;
the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies a biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
the vulnerability verification server is equipped with a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
the service provider is equipped with a second storage device that stores an authentication policy indicating, for each of a plurality of vulnerability levels determined according to the strictness of security control of the client terminal, the criteria that the vulnerability information must satisfy for the service to be provided; and wherein the method comprises:
the service provider sending the process profile to the vulnerability verification server when receiving the process profile;
the vulnerability verification server, when receiving the process profile from the service provider, acquiring the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sending the acquired vulnerability information to the service provider; and
the service provider executing:
receiving the vulnerability information sent from the vulnerability verification server;
judging, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judging, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;
judging, based on that judgment by a policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
providing the service to the client terminal in a case that a service providing judgment unit judges that providing the service is possible.
12. A non-transitory computer-readable medium embodying a program for running a computer of a service provider in a biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, the system comprising:
a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;
a service provider that provides a service; and
a vulnerability verification server, wherein:
the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
the vulnerability verification server is equipped with:
a first processor; and
a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
the service provider is equipped with:
a second processor; and
a second storage device that stores an authentication policy indicating, for each of a plurality of vulnerability levels determined according to the strictness of security control of the client terminal, the criteria that the vulnerability information must satisfy for the service to be provided;
wherein the program, when executed, causes:
the first processor of the vulnerability verification server to function as a vulnerability verification unit that, when receiving the process profile from the service provider, acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider; and
the second processor of the service provider to function as:
a second vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server and receives the vulnerability information sent from the vulnerability verification server;
a policy verification unit that judges, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;
a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
a service providing unit that provides the service to the client terminal from which the request for the service was made, in a case that the service providing judgment unit judges that providing the service is possible.
13. A vulnerability verification server that, upon a request from a service provider providing a service in a biometric authentication system that provides the service after carrying out personal identification of a service requester through a data communication network, notifies the service provider of vulnerability information indicating the vulnerability level of the biometric authentication unit of a client, wherein:
a client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies a biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
the service provider is equipped with:
a storage device that stores an authentication policy indicating, for each of a plurality of vulnerability levels determined according to the strictness of security control of the client terminal, the criteria that the vulnerability information must satisfy for the service to be provided;
a vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server and receives the vulnerability information sent from the vulnerability verification server;
a policy verification unit that judges, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;
a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
a service providing unit that provides the service to the client terminal from which the request for the service was made, in a case that the service providing judgment unit judges that providing the service is possible; and
the vulnerability verification server is equipped with:
another storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
a vulnerability verification unit that, when receiving the process profile from the service provider, acquires the vulnerability information from that storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider.
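The decision flow claimed above, written out as an added example; this is not code from the patent or from any product implementing it. It models the three parties of claim 1 (client terminal, vulnerability verification server, service provider) and the push-update variant of claim 7, in which the server replicates its table to the service provider's third storage device instead of answering per-request queries. Everything concrete is an assumption made for illustration: the condition-of-use vocabulary, the 0..1 vulnerability score, the per-level thresholds in the policy, the device names FP-A and FP-B, and all class and function names.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mapping from the client's condition of use to its vulnerability level.
# Weaker security control around the terminal gives a higher level: a forged
# biometric is easier to present where nobody is watching the sensor.
CONDITION_TO_LEVEL: Dict[str, int] = {
    "secured_facility": 1,   # access-controlled room, tamper-monitored device
    "supervised": 2,         # an operator watches the capture
    "unattended_public": 3,  # kiosk with no operator; free physical access
}

# Authentication policy (the second storage device): for each vulnerability level,
# the highest vulnerability score of the biometric unit that still allows service.
# Hypothetical thresholds; the patent does not prescribe numeric values.
DEFAULT_POLICY: Dict[int, float] = {1: 0.7, 2: 0.4, 3: 0.2}

VulnKey = Tuple[str, str]  # (specifying information, condition of use)


@dataclass(frozen=True)
class ProcessProfile:
    device_id: str          # specifying information of the biometric authentication unit
    auth_result: bool       # authentication result reported by that unit
    condition_of_use: str   # security control under which the client terminal is used


class VulnerabilityVerificationServer:
    """First storage device with the verification unit (claim 1) and the change
    notifying unit (claim 7). Scores are 0..1; higher means easier to spoof."""

    def __init__(self, records: Dict[VulnKey, float]) -> None:
        self._db: Dict[VulnKey, float] = dict(records)
        self._subscribers: List[Callable[[VulnKey, float], None]] = []

    def verify(self, profile: ProcessProfile) -> Optional[float]:
        # Claim 1 flow: answer the service provider's query for this unit and condition.
        return self._db.get((profile.device_id, profile.condition_of_use))

    def subscribe(self, on_update: Callable[[VulnKey, float], None]) -> None:
        # Claim 7 flow: replicate the current table, then push every later change.
        self._subscribers.append(on_update)
        for key, score in self._db.items():
            on_update(key, score)

    def update(self, key: VulnKey, score: float) -> None:
        self._db[key] = score
        for on_update in self._subscribers:
            on_update(key, score)


class ServiceProvider:
    """Policy verification unit and service providing judgment unit."""

    def __init__(self, server: VulnerabilityVerificationServer,
                 policy: Dict[int, float] = DEFAULT_POLICY, replicate: bool = False) -> None:
        self._server = server
        self._policy = policy
        # Third storage device (claim 7): a local copy kept current by pushed updates.
        self._local: Optional[Dict[VulnKey, float]] = {} if replicate else None
        if replicate:
            server.subscribe(self._on_update)

    def _on_update(self, key: VulnKey, score: float) -> None:
        assert self._local is not None
        self._local[key] = score  # vulnerability information management unit

    def judge(self, profile: ProcessProfile) -> Tuple[bool, str]:
        """Return (service_allowed, reason) for one process profile."""
        if not profile.auth_result:
            return False, "biometric authentication failed at the client"
        level = CONDITION_TO_LEVEL.get(profile.condition_of_use)
        if level is None:
            return False, f"unknown condition of use {profile.condition_of_use!r}"
        key: VulnKey = (profile.device_id, profile.condition_of_use)
        if self._local is not None:
            score = self._local.get(key)            # claim 7: local copy
        else:
            score = self._server.verify(profile)    # claim 1: live query
        if score is None:
            return False, f"no vulnerability information for {key}"
        limit = self._policy[level]
        if score > limit:
            return False, f"score {score:.2f} exceeds {limit:.2f} allowed at level {level}"
        return True, f"score {score:.2f} within {limit:.2f} allowed at level {level}"


def build_demo() -> Tuple[VulnerabilityVerificationServer, ServiceProvider, ServiceProvider]:
    """Constructed data: two fingerprint units, FP-A and FP-B (hypothetical names)."""
    server = VulnerabilityVerificationServer({
        ("FP-A", "secured_facility"): 0.1,
        ("FP-A", "supervised"): 0.2,
        ("FP-A", "unattended_public"): 0.6,
        ("FP-B", "supervised"): 0.5,
    })
    return server, ServiceProvider(server), ServiceProvider(server, replicate=True)


if __name__ == "__main__":
    server, querying_sp, replicating_sp = build_demo()
    for p in (ProcessProfile("FP-A", True, "supervised"),
              ProcessProfile("FP-A", True, "unattended_public"),
              ProcessProfile("FP-B", True, "supervised")):
        print(p.device_id, p.condition_of_use, querying_sp.judge(p))
    # A new spoofing result for FP-A is published: both providers now refuse it.
    server.update(("FP-A", "supervised"), 0.9)
    print("after update:", replicating_sp.judge(ProcessProfile("FP-A", True, "supervised")))
```

Two points the claims leave open that matter in practice. First, both the authentication result and the condition of use are self-reported by the client terminal in the process profile; nothing in the claims binds them to the device, so an attacker who controls the terminal can claim a supervised condition and a successful match. A deployment would need the biometric unit (or a platform attestation key) to sign the profile before the policy check means anything. Second, under the claim 7 replication model the service provider's decisions are only as fresh as its last pushed update, so a stale or dropped notification leaves it trusting a unit that the central server has already downgraded.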
Specification