JP2000222360A - Method and system for authentication and authentication processing program recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To exclude any illegal access by identifying any legal access with a small calculation quantity in single sign on type authentication for permitting plural times of access by single user authentication. SOLUTION: Secrecy information 4 is shared by a client means 1 and an authentication server means 2. The authentication server means 2 issues an authentication ticket 5 including collation information obtained by performing an irreversible arithmetic operation (f) on the secrecy information 4 (n) times. The client means 1 indicates this authentication ticket and presentation information obtained by performing an irreversible arithmetic operation (f) on the secrecy information 4 (n-k) times to a permission server means 3. The permission server means 3 performs the irreversible arithmetic operation (f) on the presented information (k) times, and checks whether or not this presented information matches the collation information. In this case, (k) is increased from 1 to (n) so that the authentication ticket 5 can be used for the maximum (n) times of access without calculating the next presented information from the past presented information.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] The present invention relates to a method for judging whether a client device accesses a server device.
A single sign-on type authentication method and authentication system that permits multiple accesses in a single process, in particular, eliminates the need for encryption processing in a client device and enables processing with a device having a low computation processing capacity. is there.

[0002]

2. Description of the Related Art In recent years, with the development of digital communication technology, a server-client type system comprising a server device and a client device connected via a network has become popular. In such a server-client type system, it is important to confirm that the client device and its user have a legitimate right to access the server device, and to prevent unauthorized access. As an authentication method for confirming the access authority, a method of inputting a password is well known, but a method of requesting a password input every time access is secure is inconvenient for a user. Sign-on type authentication methods have come to be used. Such single sign-on type authentication methods include, for example, Ker
TTP (Trusted) used in the bios authentication system
Third-party Protocol) is generally known.

Hereinafter, a conventional single sign-on type authentication method will be described with reference to the drawings. FIG. 23 is a conceptual diagram showing an outline of a conventional single sign-on type authentication method, and FIG. 24 is a protocol sequence diagram showing a protocol. 23 and 24, reference numeral 81 denotes a client having a user interface; 82, an authentication server for performing user authentication; and 83, an authorization server for performing access authorization by judging access authority.

[0004] In the user authentication procedure between the client means 81 and the authentication server means 82, the user identifier UID and the server identifier S input through the user interface are input.
Authentication request Authen with ID and authentication presentation information
The client means 81 sends the ticate Request 801 to the authentication server means 82, and the authentication server means 82 sends an authentication response Authorize Request 802 with the session key SK encrypted using the password PW as a key to the authentication ticket Ti.
Send back with cket803.

[0005] Further, in the use authorization procedure between the client means 81 and the authorization server means 83, the client means
81 is the user identifier UI encrypted with the session key SK
D and an authorization request Authorize Request 804 with time stamp TSk as presentation information
805 together with 805, the authorization server 83 verifies the presentation information in the authentication request Authorize Request 804 and the authentication ticket Ticket 805, and returns an authorization notification Result 806 if it is found to be valid.

The configuration of the conventional single sign-on type authentication method having the above protocol sequence will be described below with reference to FIG. FIG.
FIG. 5 is a functional block diagram showing a configuration of a conventional single sign-on type authentication method. Also in FIG. 25, reference numeral 81 denotes a client having a user interface, 82 denotes an authentication server for performing user authentication, and 83 denotes an authorization server for judging access authority and authorizing use.

The client means 81 includes a first transmitting / receiving means 311 for transmitting / receiving data, an input means 811 for obtaining an input from a user, a session key decrypting means 812 for decrypting a received session key, and a received authentication ticket. 314, a process selecting unit 315 for selecting a process according to the holding state of the authentication ticket, and a secret storage unit 316 for secretly storing the decrypted session key.
Certifying means 813 for clocking the time, and certifying information encrypting means 814 for encrypting the authenticated certifying information using the session key.

The authentication server unit 82 includes a second transmission / reception unit 321 for transmitting / receiving data, an authentication clock unit 322 for clocking time, and an authentication information storage unit 323 storing user authentication information such as a password. A session key generation unit 821 for generating an encryption key for each user authentication process; a session key encryption unit 822 for encrypting a session key using a password; and a ticket encryption unit 823 for encrypting an authentication ticket using a session key. It is composed of

The authorization server unit 83 includes a third transmission / reception unit 331 for transmitting / receiving data, an authorization clock unit 332 for clocking the time, a ticket decryption unit 831 for decrypting the authentication ticket, and the validity of the authentication ticket. Ticket validity determining means 832 for performing determination, proof information decrypting means 833 for decrypting authenticated proof information, proof information validity determining means 834 for performing validity determination of authenticated proof information, contents of the authentication ticket and authenticated Authorization verification means 835 for comparing and verifying the contents of the certification information.

The operation of the conventional single sign-on type authentication method configured as described above will be described below with reference to FIG. First, in the client means 81, a user identifier UID indicating the user himself, a password PW for user authentication registered in advance in the authentication server means 82, and a server identifier SID for which use authorization is to be obtained are input to the input means 811 as a user input 800. It is input (ST3101, ST8101). Input means 811
Holds user input 800 temporarily and server identifier 310
1 is taken out and sent to the ticket holding means 314. The ticket holding means 314 searches the authentication ticket data corresponding to the server identifier 3101 (ST3102), and notifies a search result notification 3102.
Is sent to the processing selection means 315. The process selecting unit 315 sends a user authentication process start notification 8101 to the input unit 811 when the search result notification 3102 indicates no, and sends a use authorization procedure start notification 8102 to the ticket holding unit when it indicates yes.
314, and sends it to confidential storage means 316 and certification information encryption means 814 (ST3103).

[0011] The input means 811 receives the user authentication start notification 8
When 101 is given, a pair 8103 of the user identifier and the server identifier extracted from the temporarily held user input 800 is stored in the first place.
Authentication request via the sending and receiving means 311 of the Authenticate Reques
It is sent to the authentication server means 82 as t801 (ST8102),
The user identifier 8104 is sent to the certification information encryption unit 814, and the password 8105 is sent to the session key decryption unit 812.

In the authentication server means 82, the authentication request Au
The thenticate Request 801 is received by the second transmission / reception means 321 and the extracted user identifier 8201 is stored in the authentication information storage means 32
3 and sent to the ticket encryption means 823, and the server identifier 8202
Is sent to the ticket encryption means 823 (ST8201).
Authentication information storage means 323 searches for a password corresponding to user identifier 8201 (ST8202), and if present, sends password 8203 to session key encryption means 822,
A search result notification 8204 is sent to the session key generation means 821 and the session key encryption means 822 (ST8203). When search result notification 8204 indicates presence, session key generating means 821 newly generates a random session key 8205 and sends it to session key encrypting means 822 and ticket encrypting means 823 (ST8204). When the search result notification 8204 indicates presence, the session key
Is generated using the password 8203 to generate an encrypted session key 8206 (ST8205), and this is sent to the client means 81 as an authentication response Authenticate Response802 via the second transmitting / receiving means 321 (ST8207). The authentication clock unit 322 measures the current time, and supplies a time stamp 3212 based on the current time to the ticket encryption unit 823. The ticket encryption means 823 uses the server common key stored internally and corresponding to the server identifier 8202 to generate the user identifier 8201, the server identifier 8202, and the time stamp 3212.
Ticket data obtained by encrypting the session key 8205
8207 (ST8202, ST8206), and sends it to the client 81 as an authentication ticket Ticket 803 via the second transmitting / receiving means 321 (ST8207).

In the client means 81, an authentication response
The Authenticate Response 802 is sent to the session key decrypting means 812 via the first transmitting / receiving means 311 as an encrypted session key 8106, and the authentication ticket Ticket 803 is supplied as authentication ticket data 8108 via the first transmitting / receiving means 311 to the ticket holding means 314. (ST8103). The ticket holding means 314 holds the authentication ticket data 8108 in association with the server identifier 3101 (ST3112).
The session key decryption means 812
Is decrypted using the password 8105 (ST810).
4). Therefore, a correct session key can be obtained only when a correct password is input. The session key 8107 obtained by the session key decrypting means 812 is sent to the confidential storage means 316 and stored.

The confidential storage unit 316 stores the session key 8107 in secret and permits only a predetermined access (ST8105). When the use authorization procedure start notification 8102 is given, the stored session key 8109 is stored in the confidential storage unit 316. This is sent to the certification information encryption means 814. The certification timekeeping means 813 keeps the current time, and supplies a timestamp 8110 based on the current time to the certification information encryption means 814. Certificate information encryption means 814
When the use authorization procedure start notification 8102 is given, the user identifier 8104 and the time stamp 8110 are stored in the session key 8109.
Authenticated certification information 8111 encrypted using is generated (S
T8106), this is sent to the authorization server unit 83 as the authorization request Authorize Request 804 via the first transmission / reception unit 311 (ST8107). The ticket holding means 314,
When the use authorization procedure start notification 8102 is given, the held authentication ticket data 8112 corresponding to the server identifier 3101 is
It is sent as an authentication ticket Ticket 805 to the authorization server means 83 via the first transmitting / receiving means 311 (ST8107).

In the authorization server means 83, the authorization request Au
The thorize Request 804 is sent to the proof information decrypting means 833 as authenticated proof information 8308 via the third transmitting / receiving means 331, and the authentication ticket Ticket 805 is transmitted as authentication ticket data 8301 via the third transmitting / receiving means 331 to the ticket decrypting means 83.
1 (ST8301). Ticket decryption means 831
The user identifier 8302 is obtained by decrypting the authentication ticket data 8301 using the own server common key internally held, and obtaining the user identifier 8302
The server identifier 8303 and the time stamp 8304 are sent to the ticket validity judging means 832, and the session key 8305 is sent to the certification information decrypting means 833 (ST8302). Approved timing means 332
Measures the current time, and supplies the current time information 8306 to the ticket validity judging means 832 and the proof information validity judging means 834. The ticket validity judging means 832 judges whether the server identifier 8303 matches its own server identifier held therein, and determines the time stamp 8304 and the current time information 832.
It is checked that the difference from 06 is within a predetermined expiration date range, and if both are true, the user identifier 8302 is sent to the authorization matching means 835 as the ticket user identifier 8307 (ST3306, ST3307). Certificate information decryption means
833 decrypts the authenticated certification information 8308 using the session key 8305 and sends the obtained user identifier 8309 and time stamp 8310 to the certification information validity determination means 834 (ST
8303). Since the authenticated credential is encrypted using the session key at the client, only when the correct session key is used at the client,
Here, the correct user identifier and time stamp are obtained. The certification information validity determination means 834 includes a time stamp 8310
Check that the difference between the current time information 8306 and the current time information 8306 is within a predetermined time difference range.
09 is sent to the authorization matching means 835 as the certification user identifier 8311 (ST8304, ST8305). Authorization collation means 835
Is the ticket user identifier 8307 and the proof user identifier 8311
(ST8306), and if true, sends an authorization notification 8312 to the client unit 81 as an authorization notification Result 806 via the third transmitting / receiving unit 331 (ST8306).
8307, ST3317), and are received by the client means 81 (ST3118). At this time, if the match judgment is true, the user identifier and the time stamp are obtained correctly, which indicates that the correct session key was used by the client means, which indicates that the correct password was input. This means that the user authentication result and the use authorization result match.

[0016]

However, in the above-described conventional configuration, encryption processing requiring a large amount of calculation is frequently used, and in particular, it is necessary to perform encryption processing on the client side every time use authorization processing is performed. Therefore, when the client side is a device having a low calculation processing capability such as a portable information terminal or a smartphone, there is a problem that it is difficult to perform the use authorization process in a practical processing time.

Further, in the above-described conventional configuration, the number of times of use of one authentication ticket is not limited and only the expiration date is provided, so that the encryption of the authentication ticket that is intercepted by a third party should be decrypted. There is also a problem that even if an unauthorized access is performed, it is highly likely that the access will end without being discovered.

The present invention solves such a conventional problem, and does not require encryption processing on the client side, and performs use authorization processing in a practical processing time even with a device having a low calculation processing capability. It is an object of the present invention to provide a single sign-on type authentication method and an authentication system capable of easily managing the number of times of use of an authentication ticket.

[0019]

In order to solve this problem, the present invention firstly holds an authentication ticket whose effective number is n (n is a positive integer) and indicates the authentication ticket to use the authentication ticket. A requesting client means, and an authorization server means for requesting presentation information in response to the request, collating the authentication ticket with the authentication ticket, and authorizing use of the authentication ticket. And the verification information is obtained by performing a predetermined irreversible operation on the secret information shared by the issuer of the authentication ticket and the client means n times, and the authentication ticket When the number of uses is k (k is a positive integer equal to or less than n), the presentation information is obtained by performing the predetermined irreversible operation on the secret information nk times.

As a result, there is provided a single sign-on type authentication method and authentication system which can easily manage the number of times of use of an authentication ticket and eliminate double use without requiring encryption processing on the client side. Can be

Secondly, the authentication server means generates a random number in a user authentication procedure, requests the client means to indicate the generated random number, and requests the client means to provide authentication information. The secret information includes the user authentication information and the user authentication information. The method is characterized in that the predetermined irreversible operation is performed one or more times in connection with a random number, and the authentication presentation information is obtained by performing the predetermined irreversible operation on the secret information n times.

[0022] In addition to the above-mentioned effects, in addition to the above-mentioned effects, the user authentication procedure does not require encryption processing on the client side, and the operation processing of authentication presentation information and the operation processing of presentation information can be shared. An authentication method and an authentication system of the type are obtained.

Third, the authentication server means generates a random number in a user authentication procedure, requests the client means to indicate the generated random number, and requests the client means to provide authentication information. An exclusive OR operation result of a result of performing the predetermined irreversible operation at least once on the connection with the random number and an authentication random number generated by the client means, and the secret information is inversely calculated from the authentication presentation information. The authentication random number.

Thus, in addition to the above effect, the collation information included in the authentication ticket becomes irrelevant to the user authentication information, so that there is no possibility that the user authentication information is guessed from the authentication ticket. Authentication method and authentication system are obtained.

Fourth, the predetermined irreversible operation is a one-way hash operation.

Thus, in addition to the above-described effects, a single sign-on type authentication method and authentication system can perform the use authorization process in a practical processing time even if the client side is a device having a low calculation processing capability. can get.

Fifth, the authentication ticket includes an issuer identifier, and the authorization server means authorizes the use and updates the verification information, validity count, issue date and time, issuer identifier, and authenticator of the authentication ticket. Wherein the verification information is obtained by performing the predetermined irreversible operation on the secret information by nk
The number of times of validity is updated, and the number of effective times is updated by nk.

Thus, in addition to the above effects, the authentication ticket is updated every time it is used, and in particular, the time stamp is updated, so that the expiration date in the validity determination can be set shorter, so that unauthorized use by a third party is possible. Thus, a single sign-on type authentication method and an authentication system that can further reduce the operability and shorten the response time of use authorization can be obtained.

Sixth, the client means manages the number of times the authentication ticket is used, and requests the use authorization by indicating this together with the authentication ticket.
Comprising a plurality of said authorization server means, comprising an authentication ticket management means for managing the number of times the authentication ticket is used,
The authentication server means issues the authentication ticket and instructs the authentication ticket management means to issue and register the authentication ticket, and the authorization server means receives the presentation of the authentication ticket and gives the authentication ticket management means It is characterized in that use of an authentication ticket is instructed to update the history of the authentication ticket, and usage is not authorized when a rejection notification is received from the authentication ticket management means.

With this, in addition to the above effects, in a system in which the authentication ticket is not updated, the authentication ticket can be used in common for a plurality of authorization servers. Authentication method and authentication system are obtained.

Seventh, the client means manages the number of times the authentication ticket is used, and requests the use authorization by indicating the number of use times together with the authentication ticket.
A plurality of said authorization server means, wherein said authentication server means issues said authentication ticket and stores an issue history, said authorization server means updates said authentication ticket and stores an update history, Upon receiving the presentation, the history of the authentication ticket is referred to the authentication server means or the authorization server means indicated by the issuer identifier of the authentication ticket, and when a rejection notification is received from the authentication server means or the authorization server means, The feature is that the use is not authorized.

Thus, in addition to the above effects, in a system in which the authentication ticket is updated, the use of the authentication ticket can be managed in a distributed manner, thereby reducing the number of management resources in one place. Is obtained.

[0033]

Embodiments of the present invention will be described below with reference to the drawings.

(First Embodiment) As shown in FIG. 1, an authentication system according to a first embodiment includes a client unit 1 having a user interface, an authentication server unit 2 for performing user authentication, and a client unit 1. Authorization server means 3 for judging the access authority of the user and authorizing use. For example, a general-purpose computer, a portable information terminal, a smartphone, or the like can be used for the client unit 1. For example, a general-purpose computer, a dedicated authentication server device, or the like can be used for the authentication server unit 2.
For example, a general-purpose computer, a dedicated authorization server device, a dedicated information providing device, or the like can be used.

The client 1 and the authorization server 3 are connected by a wired or wireless communication network. Although the client means 1 and the authentication server means 2 are not necessarily connected by a communication network, the secret information 4 must be shared. As the secret information 4, for example, a password, a common key type encryption key, or a calculated value calculated therefrom is used.

The client means 1 holds an authentication ticket 5 used in the use authorization procedure. This is issued by the authentication server means 2 to the client means 1. The authentication server means 2 performs the irreversible operation f on the secret information 4 n times (n is the number of valid times of the authentication ticket) and compares the result with the collation information. Then, an authenticator is added to this to generate an authentication ticket 5. The authenticator is added for the purpose of preventing falsification of the authentication ticket and certifying the issuer, and a message authentication code or a digital signature can be used.

In the use authorization procedure between the client means 1 and the authorization server means 3, the client means 1 performs the irreversible operation f on the secret information 4 nk times (k is the number of uses in the authentication ticket use authorization procedure). The result is presented information 6
Used as As long as the irreversible operation f has sufficiently secure irreversibility and the length and randomness of the result, the presentation information 6 cannot be calculated by a third party who does not know the secret information 4. Indicates that the user is a valid user who knows the secret information 4. Further, since the number of irreversible operations f in the presentation information is increased as far back in the past, the next presentation information cannot be calculated from the presentation information 6, so that there is no need for encryption.

The client unit 1 receives the presentation information 6
Is transmitted to the authorization server means 3 together with the held authentication ticket 7, and the authorization server means 3 verifies the authenticator included in the authentication ticket 7 and performs the irreversible operation f on the presentation information k times k Is confirmed to match the collation information included in the authentication ticket 7, and if it is determined to be valid, the authorization notification 8 is sent back.

According to this method, the client 1 can obtain the use authorization by using the authentication ticket 7 up to n times without disclosing the secret information 4 to a third party including the authorization server 3.

As described above, the authentication system according to the present embodiment holds an authentication ticket whose effective number is n (n is a positive integer), indicates the ticket, requests the use authorization, and receives the request. Authorization server means for requesting presentation information, collating with the authentication ticket and authorizing use.

The authentication ticket includes, in addition to the collation information,
Information such as a ticket identifier, a valid number of times, an issue date and time, and a server identifier can be included, and an authenticator is given to this. The collation information is information obtained by performing a predetermined irreversible operation on the secret information shared by the issuer of the authentication ticket and the client means n times. The presentation information is information obtained by performing a predetermined irreversible operation on the secret information nk times when the number of times of use of the authentication ticket is k (k is a positive integer equal to or less than n).

With such a configuration, there is provided a single sign-on type authentication method and authentication system which can easily manage the number of times of use of an authentication ticket and eliminate double use without requiring encryption processing on the client side. can get.

(Second Embodiment) In the authentication system according to the second embodiment, the client means comprises an authentication server means.
It requests the authentication ticket by indicating the authentication presentation information to 22.

This authentication system, as shown in FIG.
It comprises a client means 11 having a user interface, an authentication server means 12 for performing user authentication, and an authorization server means 3 for judging the access authority of the client means 11 and performing use authorization. The client means 11, the authentication server means 12 and The connection with the authorization server means 3 is established by a wired or wireless communication network. This authorization server means 3 is the same as in the first embodiment (FIG. 1), and includes an authentication ticket sent back from the authentication server means 12 to the client means 11, presentation information transmitted by the client means 11 to the authorization server means 3, and The authorization ticket and the authorization notification 8 sent back from the authorization server unit 3 to the client unit 11 are the same as those in the first embodiment (FIG. 1).

The client means 11 and the authentication server means 12 of this authentication system perform the irreversible operation f once to connect the password PW input via the user interface and the random number R obtained from the authentication server means 12. The result is shared as secret information 14. As long as the irreversible operation f has sufficiently secure irreversibility and the length and randomness of the result,
This secret information 14 cannot be calculated by a third party who does not know the password PW.

In the user authentication procedure between the client means 11 and the authentication server means 12, the authentication server means 12 generates a random number, indicates this, and requests the client means 11 for authentication presentation information. The client means 11 uses the password P
The secret information 14 is calculated by performing an irreversible operation f once on the connection between W and the random number R obtained from the authentication server means 12, and the irreversible operation f is further performed on the secret information 14 n times (total n + 1 times, where n is The number of times the ticket has been valid)
It is sent to the authentication server means 12 as 13.

On the other hand, when the authentication server unit 12 confirms that the secret information 14 matches from the authentication presentation information 13, the authentication server unit 12 performs the irreversible operation f on the secret information 14 n times as collation information, and Authentication ticket 5 with an authenticator added to
Send back. The client means 11 holds this for use in the use authorization procedure. The authenticator is added for the purpose of preventing the authentication ticket from being tampered with and certifying the issuer, and can use a message authentication code, a digital signature, or the like.

In the use authorization procedure between the client means 11 and the authorization server means 3, the client means 11
Performs the irreversible operation f on the secret information 14 nk times (k is the number of times the authentication ticket is used in the use authorization procedure) and uses the result as the presentation information 6. As long as the irreversible operation f has sufficiently secure irreversibility and the length and randomness of the result, the presentation information 6 cannot be calculated by a third party who does not know the secret information 14. By confidential information 14
It is shown that the user is a valid user who knows. Further, since the number of irreversible operations f in the presentation information is increased as far back in the past, the next presentation information cannot be calculated from the presentation information 6, so that there is no need for encryption.

The client means 11 sends the presentation information 6
Is transmitted to the authorization server means 3 together with the held authentication ticket 7, and the authorization server means 3 verifies the authenticator included in the authentication ticket 7 and performs the irreversible operation f on the presentation information 6.
Is performed k times, and it is confirmed that the result matches the collation information included in the authentication ticket 7. If the result is determined to be valid, the authorization notification 8 is sent back.

According to this method, the client unit 11 can obtain the use authorization by using the authentication ticket 7 up to n times without revealing the secret information 14 and the password PW to a third party including the authorization server unit 3. .

As described above, in the authentication system according to the present embodiment, the authentication server means generates a random number in the user authentication procedure, indicates this, and requests the client means for authentication presentation information. As the secret information at this time, one obtained by performing a predetermined irreversible operation at least once on the connection between the user authentication information and the random number is used, and as the authentication presentation information, a predetermined irreversible operation is performed on the secret information n times. Is presented.

With such a configuration, in addition to the effects of the first embodiment, encryption processing on the client side is not required in the user authentication procedure, and the calculation processing of the authentication presentation information and the calculation processing of the presentation information are not performed. A single sign-on type authentication method and authentication system that can be shared can be obtained.

(Third Embodiment) In the authentication system of the third embodiment, as shown in FIG.
The authentication random number generated by 21 is shared as secret information 24 between client means 21 and authentication server means 22.

In this system, in the user authentication procedure, the authentication server means 22 generates a random number, indicates the random number, and requests the client means 21 for authentication presentation information. The client means 21 performs an exclusive OR operation on the result of performing the irreversible operation f once on the connection between the password PW and the random number R obtained from the authentication server means 22, and the secret information 24 secretly generated by the client means 21. To the authentication server means 22 as authentication presentation information 23. In FIG. 3, the symbol “記号” indicates an exclusive OR (EXOR) operation.

On the other hand, the authentication server means 22 calculates the secret information 25 by performing an inverse calculation from the authentication presentation information 23, the password PW and the random number R. An irreversible operation f is performed n times on the secret information 25, the operation result is used as collation information, and an authentication ticket 5 with an authenticator added thereto is sent to the client unit 21.
Send it back to The client means 21 holds this for use in the use authorization procedure.

Incidentally, if the user presents the authentication presentation information 23 properly by an unauthorized third party, even if the client means 21 can obtain the authentication ticket 5,
The secret information 25 calculated by the server from the authentication presentation information 23 using the password PW and the random number R is not known to the client means 21. Therefore, the unauthorized access can be eliminated in the subsequent use authorization procedure.

In the use authorization procedure between the client means 21 and the authorization server means 3, the client means 21 performs the irreversible operation f on the secret information 24 nk times (k is the number of uses in the authentication ticket use authorization procedure). The result is presented information 6
Used as As long as the irreversible operation f has sufficiently secure irreversibility and the length and randomness of the result, the presentation information 6 cannot be calculated by a third party who does not know the secret information 24. Indicates that the user is a valid user who knows the secret information 24. Further, since the number of irreversible operations f in the presentation information is increased as far back in the past, the next presentation information cannot be calculated from the presentation information 6, so that there is no need for encryption.

The client means 21 transmits the presentation information 6
Is transmitted to the authorization server means 3 together with the held authentication ticket 7, and the authorization server means 3 verifies the authenticator included in the authentication ticket 7 and performs the irreversible operation f on the presentation information 6.
Is performed k times, and it is confirmed that the result matches the collation information included in the authentication ticket 7. If the result is determined to be valid, the authorization notification 8 is sent back.

According to this method, the client means 21
The use authorization can be obtained using the authentication ticket 7 up to n times without disclosing the secret information 24 and the password PW to a third party including the authorization server unit 3.

As described above, in the authentication system of the present embodiment, the authentication server means generates a random number in the user authentication procedure, indicates the random number, and requests the client means for authentication presentation information. The authentication presentation information is a result of an exclusive OR operation between a connection between the user authentication information and the random number, which has been subjected to a predetermined irreversible operation at least once, and an authentication random number (secret information) generated by the client means. The secret information is back calculated from the authentication presentation information by the authentication server means.

With this configuration, the collation information included in the authentication ticket becomes irrelevant to the user authentication information. Therefore, a more secure single sign-on type authentication method and authentication system can be obtained without the possibility that user authentication information is guessed from an authentication ticket.

(Fourth Embodiment) In a fourth embodiment, a specific communication procedure in the authentication system of the second embodiment and a block configuration of each means for executing the procedure will be described.

FIG. 4 is a protocol sequence diagram showing a protocol in this system. In FIG. 4, reference numeral 31 denotes a client having a user interface; 32, an authentication server for performing user authentication; 33, an authorization server for performing access authorization by judging an access right; a symbol "S (K |-)" Indicates an authenticator attaching function using the key K.

In the user authentication procedure between the client means 31 and the authentication server means 32, first, the client means
31 sends an authentication request Authenticate Request 301 with the user identifier UID and the server identifier SID input via the user interface to the authentication server means 32. At this time, the authentication request Authenticate Request 301 may be accompanied by the number of valid times n of the authentication ticket. Otherwise, the authentication server may fixedly determine the number of valid times n.

On the other hand, the authentication server means 32 sends back an authentication challenge 302 with a random number R0 generated differently each time. Upon receipt of this, the client means 31 sends back an authentication challenge response Response 303 with the result of performing an (n + 1) -stage hash operation H on the concatenation of the password PW input via the user interface and the random number R0. On the other hand, the authentication server means 32 sets n + in the challenge response Response303.
The one-stage hash operation result is compared with the self-performed n + 1-stage hash operation result, and if they match, it is recognized as valid, and the newly generated ticket identifier TID, n + 1-stage hash operation result, time stamp TS0, server identifier SID, and authentication are performed. The server returns the authentication ticket Ticket 304 to which the authenticator is added with the issuer identifier IID indicating the server 32 itself. The client means 31 holds this for use in the use authorization procedure.

In the use authorization procedure between the client means 31 and the authorization server means 33, the client means 31
Is Authorization Request and Authentication Ticket Ticket3
05 is sent to the authorization server means 33. At this time, Authorization request Author
The ize Request may be accompanied by a user identifier UID. In response, the authorization server unit 33 returns an authorization challenge Challenge 306 with a value k based on the number of times the authentication ticket has been used. Receiving this, the client means 31 sends back an authorization challenge response Response 307 with the result of performing nk + 1-stage hash operations H on the connection between the password PW and the random number R0.

As long as the hash operation H has a sufficiently secure one-way property and the length and randomness of the result, the hash operation result can be calculated by a third party who does not know the password PW and the random number R0. Since it is impossible, the hash calculation result indicates that the user is a valid user who knows the password PW. Further, since the number of stages of the hash operation H is increased as far back in the past, the next hash operation result cannot be calculated from the hash operation result, and thus there is no need for encryption. As such a hash calculation H, for example, an algorithm such as MD5 or SHA can be used.

On the other hand, the authorization server means 32 compares the result obtained by further performing k-stage hash computation on the nk + 1-stage hash computation result in the authorization challenge response Response 307 with the n + 1-stage hash computation result in the authentication ticket Ticket. Verify, and if they match, it is deemed to be valid
Send back sult308. At this time, the authorization notification 308 may be accompanied by the information Info whose access has been permitted by the use authorization.

According to the above-described protocol sequence, the client unit 31 can obtain the use authorization by using the authentication ticket 304 up to n times without revealing the password PW to a third party including the authorization server unit 33. .

The configuration of an authentication system having such a protocol sequence will be described with reference to a functional block diagram of FIG.

In FIG. 5, reference numeral 31 denotes a client having a user interface; 32, an authentication server for performing user authentication; and 33, an authorization server for judging access authority and authorizing use.

The client means 31 comprises: a first transmitting / receiving means 311 for transmitting / receiving data; an input means 312 for obtaining an input from a user; a hash means 313 for connecting two inputs to perform a hash operation H; Ticket holding means 314 for holding the obtained authentication ticket, processing selecting means 315 for selecting a processing in accordance with the holding state of the authentication ticket, and secret storage means 316 for secretly storing the hash calculation result.
And a multi-stage hash means 317 for performing a hash operation on a given number of stages or a difference between two given numerical values.

The first transmitting / receiving means 311 is, for example, a LAN interface device such as a LAN card, an ISDN interface device such as a terminal adapter, a telephone interface device such as a modem, a portable data communication card, a PIAFS card, etc. And an infrared interface device such as an IrDA module, and some of them may be used depending on the communication partner. Input means 312
Is composed of, for example, a character input device such as a keyboard and a numeric keypad, a pointing device such as a mouse, a trackball, and a pen tablet, a combination of a selection button or a dial and a display screen, or a touch panel. The hash means 313 is configured by combining, for example, a logic circuit and an arithmetic circuit incorporating an algorithm of the hash operation H. As the ticket holding means 314, for example, a memory circuit is used. As the processing selection means 315, for example, a logic circuit can be used. The confidential storage unit 316 is configured by a tamper-resistant memory device such as an IC card. The multi-stage hash means 317 is configured by adding a connection for feeding back an output to an arithmetic circuit incorporating the algorithm of the hash operation H, a counter for counting the number of stages, an arithmetic circuit for calculating a difference between numerical values, and the like. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The authentication server means 32 includes a second transmission / reception means 321 for transmitting / receiving data, an authentication clock means 322 for clocking the current time, and an authentication information storage means 323 for storing user authentication information such as a password. A random number generating means 324 for generating a random number for each user authentication process, a second multi-stage hash means 325 for performing one more hash operation H than a given number, and an authentication matching means for comparing and matching two multi-stage hash values. 326 and ticket identifier generating means 327 for generating a unique ticket identifier every time an authentication ticket is issued.
And an authenticator adding means 328 for generating and adding an authenticator to the authentication ticket.

The second transmission / reception means 321 is, for example, a LAN interface device such as a LAN card, an ISDN interface device such as a terminal adapter, a telephone interface device such as a modem, a portable data communication card, a PIAFS card, etc. And an infrared interface device such as an IrDA module. As the authentication clock unit 322, for example, a timer counter is used. Authentication information storage means 32
3 is a large-capacity memory device, and it is even better if it is a tamper-resistant memory device. The random number generation means 324 is composed of, for example, an arithmetic circuit incorporating a random number generation algorithm, a converter for converting electromagnetic noise into data, and the like. The second multi-stage hash means 325 is configured by adding a connection for feeding back an output to an arithmetic circuit incorporating an algorithm of the hash operation H, a counter for counting the number of stages, and the like. Authentication verification means 32
6 is composed of, for example, a comparison circuit. The ticket identifier generation means 327 is constituted by, for example, a counter circuit having a sufficient bit length. The authentication code adding means 328 is configured by an arithmetic circuit and a memory circuit incorporating an authentication code generation algorithm. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The authorization server means 33 includes a third transmission / reception means 331 for transmitting / receiving data, an authorization timekeeping means 332 for timing the current time, and an authenticator verification means for verifying the authenticator added to the authentication ticket. 333, a ticket validity determining unit 334 for determining the validity of the authentication ticket, a ticket use managing unit 335 for managing the ticket identifier of the authentication ticket, the number of valid times, and the remaining usable number of times, and a hash operation H of a given number of stages. Third multi-stage hash means 33 for performing
6 and an authorization matching means 337 for comparing and matching two multi-stage hash values.

The third transmission / reception means 331 is, for example, a LAN interface device such as a LAN card, an ISDN interface device such as a terminal adapter, a telephone interface device such as a modem, a portable data communication card, a PIAFS card, etc. And an infrared interface device such as an IrDA module. As the authorization clock unit 332, for example, a timer counter is used. Authenticator verification means 333
Is composed of an arithmetic circuit and a memory circuit incorporating an authenticator verification algorithm. Ticket validity determination means 334
Is constituted by, for example, a combination of comparison circuits. The ticket use management means 335 is constituted by a combination of an arithmetic circuit for calculating the number of uses and a large-capacity memory device.
The third multi-stage hash means 336 is configured by, for example, an arithmetic circuit similar to the second multi-stage hash means 325 with a preset value of the counter being revised. The authorization matching unit 337 is configured by, for example, a comparison circuit. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The operation of the authentication method and the authentication system configured as described above will be described below with reference to FIG. Here, the authentication request Authenticate Req
A case where uest 301 has an authentication ticket valid number n will be described.

First, in the client means 31, a user identifier UID indicating the user himself, a password PW for user authentication registered in advance in the authentication server means 32, a server identifier SID for which use authorization is to be obtained, and the validity number n of the authentication ticket. Is input to the input means 312 as the user input 300 (ST3101, ST3104). The input unit 312 temporarily stores the user input 300 and extracts the server identifier 3101 to send to the ticket holding unit 314. The ticket holding unit 314 searches the authentication ticket data corresponding to the server identifier 3101 (ST3102), and sends a search result notification 3102 to the process selection unit 315. Processing selection means 315
Sends the user authentication process start notification 3103 to the input means 312 and the multi-stage hash means 317 when the search result notification 3102 indicates no, and when the search result notification 3102 indicates the presence (ST310
3), a use authorization procedure start notification 3104 is sent to the ticket holding means 314, the confidential storage means 316, and the multi-stage hash means 317.

The input means 312 receives the user authentication start notification 3
When 103 is given, a set 31 of a user identifier, a server identifier, and a valid number extracted from the temporarily held user input 300
05 to the authentication request via the first transmission / reception means 311 Authenticat
e Request 301 is sent to the authentication server means 32 (ST31
05), the validity number 3106 is sent to the multi-stage hash means 317,
The password 3107 is sent to the hash means 313.

In the authentication server means 32, the authentication request Au
The thenticate Request 301 is received by the second transmission / reception unit 321 and the extracted user identifier 3201 is stored in the authentication information storage unit 32
3 and the validity number 3202 is stored in the second multi-stage hash means 325.
The server identifier 3203 is sent to the authenticator adding unit 328 (ST3201). The authentication information storage unit 323 searches for a password corresponding to the user identifier 3201 (ST3202). If there is (ST3203), the authentication information storage unit 323 sends the password 3204 to the second multi-stage hashing unit 325, and sends the search result notification 3205 to the random number. Generation means 324
And to the second multi-stage hash means 325.

When the search result notification 3205 indicates presence, the random number generation means 324 generates a challenge random number 3206 for data disturbance.
Is generated randomly and the second multi-stage hash means 32
5 as well as the authentication challenge Challenge 302 via the second transmission / reception means 321 to the client means 31 (ST3204). When the search result notification 3205 indicates that the search result notification 3205 is present, the second multi-stage hash means 325 determines that the number of valid times 3202
The hash operation H of a large number of stages is performed, and the resulting multi-stage hash value 3207 is sent to the authentication matching means 326 (ST320).
5).

On the other hand, in the client means 31, the authentication challenge Challenge 302 is set to the first transmitting / receiving means 31.
At 1, the challenge random number 3108 is taken out and sent to the hash means 313 (ST3106). The hash means 313 performs a hash operation H on the connection between the password 3107 and the challenge random number 3108 (ST3107),
The resulting hash value 3109 is sent to the secret storage means 316 and the multi-stage hash means 317. The secret storage means 316 has a hash value of 3109
Is secretly stored and only predetermined access is permitted, that is, only addition and updating in the user authentication procedure and reference in the use authorization procedure are allowed (ST3108). Multi-stage hash means
317, when the user authentication procedure start notification 3103 is given, performs the hash operation H of the number of stages corresponding to the effective number 3106 on the hash value 3109 (ST3109), and transmits the resulting multi-stage hash value 3114 to the first transmission / reception. It is sent to the authentication server means 32 as an authentication challenge response Response 303 via the means 311 (ST3110).

On the other hand, in the authentication server means 32, the authentication challenge response Response 303 is received by the second transmission / reception means 321, and a multi-stage hash value 3208 is extracted and sent to the authentication collation means 326 (ST3206). The authentication matching unit 326 includes a multi-stage hash value 3207 and a multi-stage hash value 3208.
Is determined (ST3207), and the matching result 3209
Is transmitted to the ticket identifier generating means 327 and the multi-stage hash value 3208 is directly sent to the authenticator adding means 328 as the multi-stage hash value 3210. The ticket identifier generation means 327 outputs a valid ticket identifier 3 when the collation result 327 indicates a match.
212 is generated and sent to authenticator adding means 328 (ST320)
8).

The authentication time counting means 322 measures the current time, and supplies a time stamp 3211 based on the current time to the authenticator adding means 328. The authenticator adding means 328 includes a ticket identifier 3212, a multi-stage hash value 3210, an effective count 3202, a time stamp 3211, a server identifier 3203, and an authentication server 32.
It concatenates with the issuer identifier indicating itself, generates and adds an authenticator to this, and forms authentication ticket data 3213 (S
T3209), and send it to the client means 31 as an authentication ticket Ticket 304 via the second transmitting / receiving means 321 (ST)
3210).

On the other hand, in the client means 31, the authentication ticket Ticket 304 is received by the first transmitting / receiving means 311, the authentication ticket data 3110 is taken out, and sent to the ticket holding means 314 (ST3111). The ticket holding unit 314 holds the authentication ticket data 3110 in association with the server identifier 3101 (ST3112). When the use authorization procedure start notification 3104 is given, the ticket holding unit 314 sends the authentication ticket data 3111 via the first transmission / reception unit 311. To the authorization server means 33 together with the authorization request Authorize Request as an authentication ticket Ticket 305 (ST3113).
The number of valid times 3112 is extracted from the authentication ticket data and sent to the multi-stage hash means 317.

On the other hand, in the authorization server means 33, the authorization request Autho with the authentication ticket
The rize Request is received by the third transmitting / receiving means 331, the authentication ticket data 3301 is taken out, and sent to the authenticator verification means 333 (ST3301). The authenticator verification unit 333 verifies the consistency between the authenticator of the authentication ticket data 3301 and the data part other than the authenticator, and sends a verification result 3304 to the ticket validity determination unit 334 (ST3304). It takes out 3302 and server identifier 3303 and takes out ticket validity determining means 334, ticket identifier 3305, multi-stage hash value 3306, validity count 3307 and issuer identifier 3308, and sends them to ticket use managing means 335, respectively.

The approval timer 332 measures the current time, and supplies a time stamp 3309 based on the current time to the ticket validity judging means 334. When the verification result 3304 indicates that there is no error (ST
3305), and determines whether the server identifier 3303 matches the own server identifier held therein (ST330).
(2, ST3303), it is checked that the difference between the time stamp 3302 and the time stamp 3309 based on the current time is within a predetermined validity period (ST3306, ST3).
307) If both are true, the ticket validity notification 33
10 is sent to the ticket use management means 335. If this expiration date is set short, security is improved but user convenience is reduced. If the expiration date is set long, user convenience is improved but security is reduced. Therefore, the expiration date should be determined in consideration of these balances. For example, if the present invention is applied to a business system that does not require strict security, the working time may be set to 8 hours or 12 hours to cover one working day. However, it is necessary that at least the communication time between the client and the server and the time error between the time measuring means can be covered.

At this time, the ticket use management means 335 manages the ticket list. When the ticket validity notification 3310 is given, the ticket use management means 335 searches the ticket list using the ticket identifier 3305 to determine whether or not the ticket is already registered. A check is made (ST3308). If there is no corresponding number, a set of the ticket identifier 3305, the valid number 3307, and the valid number 3307 as a value indicating the remaining available number is added to the ticket list and stored (ST3309, ST3310). At this time, the multi-stage hash value 3306 and the issuer identifier 3308 may be stored together. The ticket use management means 335 subtracts one from the number of available remaining times for the added group or, if there is a corresponding one in the search, and indicates the number of times of use indicated by the difference between the number of valid times and the number of remaining available times. 3311 (ST33
11), this is sent to client means 31 as authorization challenge Challenge 306 via third transmitting / receiving means 331 (ST3312), and third multi-stage hash means 336 is provided.
Also send. Also, the multi-stage hash value 3306 is sent as it is to the authorization matching unit 337 as the multi-stage hash value 3312.

On the other hand, in the client means 31, the authorization challenge Challenge 306 is set to the first transmitting / receiving means 31.
It is received at 1 and the number of uses 3115 is extracted and sent to the multi-stage hashing means 317 (ST3114). When the use authorization procedure start notification 3104 is given, the multi-stage hash means 317 obtains the hash value 3113 from the confidential storage means 316 (ST3115), and adds the difference between the effective number 3112 and the use number 3115 to the hash value 3113. Is performed (ST3116), and the resulting multi-stage hash value 3116 is obtained.
To the authorization challenge response R via the first transmitting / receiving means 311
It is sent to the authorization server means 33 as esponse 307 (ST311
7).

This multi-stage hash value 3116 can be calculated by a third party who does not know the password PW and the random number R0 as long as the hash operation H has a sufficiently secure one-way property and the length and randomness of the result. Therefore, the multi-stage hash value 3116 indicates that the user is a valid user who knows the password PW. Further, since the number of stages of the hash operation H in the multi-stage hash value is increased as far back in the past, the next multi-stage hash value cannot be calculated from the multi-stage hash value 3116, so that there is no need for encryption. Note that a hash operation is generally one time smaller than a cryptographic operation.
It is said that the processing speed is 00 times or more, and if the number of stages is appropriate, the processing can be performed at a higher speed than when encryption is used.

On the other hand, in the authorization server means 33, the authorization challenge response Response 307 is
At step 31, the multi-stage hash value 3313 is extracted and sent to the third multi-stage hash means 336 (ST3313). The third multi-stage hash means 336 performs a hash operation H of the number of stages corresponding to the number of uses 3311 on the multi-stage hash value 3313, and outputs the resulting secondary multi-stage hash value 3314 to the authorization matching unit 337.
(ST3314). The authorization matching unit 337 determines whether the multi-stage hash value 3312 matches the secondary multi-stage hash value 3314 (ST3315, ST3316), and if true, sends an authorization notification 3315 and an authorization notification via the third transmission / reception unit 331. Send to the client means 31 as Result 308 (ST
3317), and are received by the client unit 31 (ST3118). In this way, the client means
The user 31 can use the authentication ticket 305 up to n times to obtain the use authorization without disclosing the password PW to a third party including the authorization server unit 33.

In the above description, the client means 31
Although the multi-stage hash value is calculated for each use authorization procedure in the above, the multi-stage hash value of all the stages may be pre-calculated and stored in the confidential storage unit 316 when the authentication ticket is acquired. In that case, confidential storage means 316
Although it is necessary to use a tamper-resistant memory device having a larger capacity, the processing time for each use authorization procedure can be shortened.

Next, in the authentication system of the fourth embodiment shown in FIG. 5, the authenticator adding means 328 and the authenticator verifying means 3 when the message authentication code is used as the authenticator.
33 will be described with reference to FIGS. 7 and 8. FIG.

As shown in FIG. 7, the authenticator adding means 328 includes a self-identifier storing means 328A storing an identifier indicating the authentication server itself, and a data linking means 328B for linking data.
And a concatenated data hash means 32 for performing a hash operation h
8C, a server common key storage unit 328D that stores a server common key that is shared by the authentication server unit 31 and the authorization server unit 32 as a common secret, a common key system encryption unit 328E that performs common key system encryption processing, Authenticator connecting means 328F for connecting a child to data.

The self-identifier storing means 328A is constituted by, for example, a memory. The data connection means 328B can be constituted by, for example, a logic circuit. The concatenated data hash means 328C is composed of, for example, an arithmetic circuit incorporating an algorithm of a hash operation h. Here, the hash operation h may be the same as or different from the hash operation H. The server common key storage unit 328D is preferably configured by a memory, for example, as long as it is a tamper-resistant memory device. The common key cryptosystem 328E is composed of, for example, an arithmetic circuit incorporating a cryptographic algorithm or a processor dedicated to cryptographic processing.
Here, as the encryption algorithm, for example, DES or triple DES can be used. Authenticator connecting means 328F
For example, it is composed of a logic circuit.

As shown in FIG. 8, the authenticator verifying means 333 separates the authenticator from the data.
3A, a second concatenated data hash means 333B for performing a hash operation h, and a second server common key storage means 333C for storing a server common key which the authentication server means 31 and the authorization server means 32 have as a common secret. A second common key encryption means 333D for performing encryption processing of a common key method, a data separation means 333E for dividing and separating a data part, an issuer identifier collation means 333F for collating an issuer identifier, and a message authentication code. It has comparison means 333G for comparing and verifying.

This authenticator separating means 333A is constituted by, for example, a logic circuit. Second connected data hash means 333B,
The second server common key storage unit 333C and the second common key encryption unit 333D correspond to 328C, 328D, and 32 in FIG. 7, respectively.
It is configured the same as 8E. The data separating unit 333E is configured by, for example, a logic circuit. Issuer identifier collating means 333F
Is composed of, for example, a memory circuit and a comparison circuit. The comparison means 333G is constituted by, for example, a combination of comparison circuits. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The authenticator adding means 32 configured as described above
8 and the operation of the authenticator verification means 333 will be described. In the authenticator adding means 328, first, the identifier indicating the authentication server itself is supplied from the own identifier storage means 328A to the data linking means 328B as the issuer identifier 328a. Data linking means
328B includes a valid number 3202 and a server identifier 3203 obtained from the second transmission / reception unit 321; a multi-stage hash value 3210 obtained from the authentication matching unit 326; a time stamp 3211 obtained from the authentication clock unit 322; The ticket identifier 3212 obtained from 327 and the issuer identifier 328a obtained from the own identifier storage means 328A are arranged and connected in a predetermined order, and sent to the connection data hash means 328C and the authenticator connection means 328F as a data part 328b.

The linked data hash means 328C has a data part
A hash operation h is performed on 328b, and the resulting hash value 328c is sent to the common key cryptosystem 328E. The common key encryption means 328E obtains the server common key 328d from the server common key storage means 328D, and uses this as the encryption key to
8c is encrypted and sent to the authenticator linking means 328F as a message authentication code 328e. Authenticator linking means 328F links message authentication code 328e to data section 328b and outputs authentication ticket data 3213.

In the authenticator verifying means 333, first, the authentication ticket data 3301 is input to the authenticator separating means 333A, separated into a message authentication code 333a and a data part 333b, and the message authentication code 333a is sent to the comparing means 333G. , The data section 333b is sent to the second connected data hash means 333B and the data separation means 333E, respectively. The second concatenated data hash means 333B performs a hash operation h on the data part 333b and sends the resulting hash value 333c to the second common key encryption means 333D. Second common key encryption means
333D obtains the server common key 333d from the second server common key storage unit 333C, and uses the server common key 333d as a hash value 333c
Is encrypted and sent to the comparison means 333G as a comparison message authentication code 333e. The data separating means 333E
333b is separately output as a time stamp 3302, a server identifier 3303, a ticket identifier 3305, a multi-stage hash value 3306, a valid count 3307, and an issuer identifier 3308, and the issuer identifier 3308 is also sent to the issuer identifier collating means 333F. send. The issuer identifier matching means 333F checks whether the issuer identifier 3308 is an identifier of the authentication server 32, and checks the matching result 333f
To the comparison means 333G. The comparison unit 333G outputs the comparison result 333f
Indicates a match, or outputs a verification result 3304 based on whether the message authentication code 333a and the comparison message authentication code 333e match. The verification result 3304 indicates that there is no error when all match.

Next, in the authentication system of the fourth embodiment shown in FIG. 5, the configurations and operations of the authenticator adding means 328 and the authenticator verifying means 333 when a digital signature is used as the authenticator are shown in FIGS. This will be described with reference to FIG. FIG.
7 is different from FIG. 7 in that the server common key storage unit 328D
And the authentication server 32 instead of the common key cryptosystem 328E.
The point is that self-secret key storage means 328G for storing its own public-key cryptographic secret key and public-key cryptography means 328H for performing public-key cryptographic processing are provided. As the self-secret key storage means 328G, for example, a memory can be used, and a tamper-resistant memory device is more preferable. Public key cryptosystem
As 328H, for example, an arithmetic circuit incorporating a cryptographic algorithm or a processor dedicated to cryptographic processing can be used. Here, as the encryption algorithm, for example, RSA or elliptic curve encryption can be used.

The difference between FIG. 10 and FIG. 8 is that
Instead of the second server common key storage unit 333C, the second common key encryption unit 333D, and the issuer identifier verification unit 333F,
A server public key storage unit 333H for storing one or more public keys of the authentication server unit 31 in association with a server identifier and a public key system decryption unit 333J for performing a decryption process of a public key system encryption are provided. It is in the revised point. The server public key storage unit 333H may store not only the authentication server unit 32 but also the public key of the authorization server unit 33. As the server public key storage unit 333H, for example, a memory circuit can be used, and a large-capacity memory device is more preferable.
As the public key decryption means 333J, for example, an arithmetic circuit incorporating a decryption algorithm or a processor dedicated to cryptographic processing can be used. Here, it goes without saying that a decryption algorithm corresponding to the encryption algorithm in the public key cryptosystem 328H is used as the decryption algorithm.
Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The authenticator adding means 32 configured as described above
8 and the operation of the authenticator verification means 333 will be described. In the authenticator adding means 328, the operations of the own identifier storing means 328A, the data linking means 328B, and the linked data hashing means 328C are shown in FIG.
The data section 328b is identical to the authenticator linking means 32.
At 8F, the hash value 328c is supplied to the public key cryptosystem 328H. The public key encryption means 328H obtains the secret key 328f from the secret key storage means 328G, encrypts the hash value 328c by using the secret key 328f as an encryption key, and generates the digital signature 32.
It is sent to the authenticator linking means 328F as 8g. Authenticator connecting means 32
8F connects the digital signature 328g to the data section 328b and outputs the authentication ticket data 3213.

In the authenticator verifying means 333, first, the authentication ticket data 3301 is input to the authenticator separating means 333A and separated into a digital signature 333g and a data part 333b. And the data section
333b is sent to the second connected data hash means 333B and the data separation means 333E, respectively. The second concatenated data hash means 333B performs a hash operation h on the data section 333b.
And sends the resulting hash value 333h to the comparison means 333G. The data separating unit 333E separates and outputs the data part 333b into a time stamp 3302, a server identifier 3303, a ticket identifier 3305, a multi-stage hash value 3306, a valid count 3307, and an issuer identifier 3308. It is also sent to server public key storage means 333H. Server public key storage means 333H is an authentication server whose issuer identifier 3308 is known.
It checks and checks whether the identifier is 31 (or the authorization server 32), sends the matching result 333i to the comparing means 333G, and sends the server public key 333j corresponding to the issuer identifier 3308 to the public key method decrypting means 333J.

The public key system decryption means 333J sends the server public key
Decrypt the digital signature 333g using 333j as the decryption key,
The hash value is sent to the comparison means 333G as a comparison hash value 333k. The comparing means 333G determines whether the matching result 333i indicates a match or a hash value.
The verification result 3304 is output based on whether 333h matches the comparison hash value 333k. The verification result 3304 indicates that there is no error when all match.

As described above, by adopting the configuration of this embodiment in the authentication system, it is possible to perform the use authorization process in a practical processing time even if the client side is an apparatus having a low calculation processing capability.

(Fifth Embodiment) In a fifth embodiment, a specific communication procedure in the authentication system of the third embodiment and a block configuration of each means for executing the procedure will be described.

FIG. 11 is a protocol sequence diagram showing the protocol of the authentication system according to the fifth embodiment. 11 differs from FIG. 4 in a client unit 41 having a user interface and an authentication server unit 42 for performing user authentication, and the authorization server unit 33 is unchanged. Also, the authentication challenge response Response 401 is a password PW input via the user interface.
Exclusive OR of the result of performing a one-stage hash operation H on the concatenation of the random number R0 and the random number R0 for authentication and the authentication random number S0 secretly generated by the client means 41 (the symbol “＠” indicates the exclusive OR With operation), authentication ticket Ticket
The hash calculation result accompanying 402 and 403 is an authentication random number S0.
The difference is that the hash calculation result with the authorization challenge response Response 404 is an nk-stage hash calculation with respect to the authentication random number S0.

According to the above protocol sequence, the client means 41 can obtain the use authorization by using the authentication ticket 402 up to n times without revealing the password PW to a third party including the authorization server means 33. Since the authentication ticket 402 is irrelevant to the password PW, it is not even an attack target for stealing the password PW by an unauthorized third party, and the security is higher.

The configuration of an authentication system having such a protocol sequence will be described with reference to the functional block diagram of FIG.

FIG. 12 also differs from FIG. 5 in the client means 41 having a user interface and the authentication server means 42 for performing user authentication, and the authorization server means 33 is unchanged. The client unit 41 differs from the client unit 31 of FIG. 5 in that an authentication random number generation unit 411 that generates a random number for each user authentication process and a first exclusive logical unit that performs an exclusive OR operation for each bit This is the point that the summing means 412 is provided and a part of the connection is modified. The authentication server means 32 shown in FIG.
What is different from the second embodiment is that instead of the second multi-stage hash means 325 and the authentication matching means 326, a second hash means 421 for performing a hash operation H and a second exclusive OR for performing an exclusive OR operation for each bit Means 422, second multi-stage hash means 423 for performing a hash operation H of a given number of stages,
The point is that some connections have been changed. Authentication random number generation means 411
For example, an arithmetic circuit incorporating a random number generation algorithm or a converter for converting electromagnetic noise into data can be used. First and second exclusive OR means 41
For example, a logic circuit can be used as 2,422. As the second hash means 421, for example, an arithmetic circuit incorporating an algorithm of the hash operation H can be used. As the second multi-stage hash means 423, for example, a connection for feeding back an output to the same arithmetic circuit as that of the 421, a counter for counting the number of stages, and the like can be added. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer.
Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The operation of the authentication system configured as described above will be described with reference to FIG. here,
The case where the authentication request Authenticate Request 301 has an authentication ticket valid number n will be described.

First, in the client means 41 and the authentication server means 42, first and second transmission / reception means 311, 321; input means 312; ticket holding means 314;
The operations of the authentication information storage means 323 and the random number generation means 324 are shown in FIG.
It is the same as the case of FIG. 6, and the authentication request Authenticate Reque
st301 and Authentication Challenge Challenge302 are exchanged,
In the client means 41, the user authentication processing start notification
In the authentication server means 42, a valid number 4201, a server identifier 3203, a password 3204, a search result notification 4202, and a challenge random number 3206 are obtained from the authentication server means 42. However, the point that the user authentication processing start notification 4101 is sent to the input means 312, the authentication random number generation means 411, and the first exclusive OR means 412, the validity count 4201 is changed to the second multi-stage hash means 423 and the authenticator addition The point that the search result notification 4202 is sent to the second hash means 421, the random number generation means 324 and the ticket identifier generation means 327, the challenge random number 3206 is sent to the second hash means 421, and the second Is transmitted to the client means 41 via the transmitting / receiving means 321.

Next, in the client means 41, when the authentication random number generation means 411 receives the user authentication processing start notification 4101, the authentication random number generation means 411 uses the authentication random number 41 used for authentication verification.
02 is newly generated randomly and secretly and sent to the first exclusive OR means 412 and the confidential storage means 316 (ST410).
1). The confidential storage unit 316 stores the authentication random number 4102 in secret and permits only predetermined access, that is, only additional updating in the user authentication procedure and reference in the use authorization procedure (ST4102). First exclusive OR means 412
When a user authentication process start notification 4101 is given, a hash value 4103 obtained by the hash means 313 and an authentication random number 4102
The exclusive OR operation for each bit is performed between the first transmitting / receiving means 31 and the resulting disturbed hash value 4104.
It is sent to the authentication server means 42 as an authentication challenge response Response 401 via 1 (ST4103, ST4104).

On the other hand, in the authentication server means 42, the authentication challenge response Response 401 is received by the second transmission / reception means 321 and the disturbed hash value 4204 is taken out and sent to the second exclusive OR means 422 ( ST420
2). On the other hand, the second hash means 421 outputs the search result notification 4
If 202 indicates that there is, a hash operation H is performed on the connection between the password 3204 and the challenge random number 3206, and the resulting hash value 4203 is supplied to the second exclusive OR means 422 (ST4201). Second exclusive OR means
422 is a hash value 4203 obtained from the second hash means 421
An exclusive OR operation for each bit is performed between the hash value and the disturbed hash value 4204, and the obtained authentication random number 4205 is sent to the second multi-stage hash means 423 (ST4203). Second multi-stage hash means 423 performs hash operation H of the number of stages corresponding to valid number 4201 on authentication random number 4205, and sends the resulting multi-stage hash value 4206 to authenticator adding means 328 (ST 4204).

Hereinafter, the operations of the ticket identifier generating means 327, the authentication time counting means 322, and the authenticator adding means 328 are the same as those in FIGS. 4 and 5, except that the ticket identifier generating means 327 performs a search instead of the collation result 3209. The point of using the result notification 4202 is that the authenticator adding means 328 sets the validity number 3202 and the
The difference is that the validity count 4201 and the multi-stage hash value 4206 are used instead of 0, and authentication ticket data 4207 having contents different from the authentication ticket data 3213 is obtained (ST420).
5), authentication ticket Ticke via the second transmission / reception means 321
It is sent to the client means 41 as t402.

On the other hand, in the client means 41, the first transmitting / receiving means 311, the ticket holding means 3
5 operates in the same manner as in FIGS. 5 and 6, and when the use authorization procedure activation notification 3104 is given, the authentication ticket Ticket 40
3 is the authorization server means together with the authorization request Authorize Request
The valid number 3112 is sent to the multi-stage hash means 317.

The operation of the authorization server means 33 in response to this is the same as in the case of FIGS.
e306 is returned.

On the other hand, in the client means 41, the first transmitting / receiving means 311 and the multi-stage hash means 317 operate in the same manner as in FIGS. However, what is obtained from the secret storage means 316 is an authentication random number 4105 (ST
4105), and processing is performed on this. That is, the multi-stage hash means 317 determines that the validity number 3112 and the use number 311
The hash operation H of the number of stages corresponding to the difference from 5 is performed (ST4106), and the resulting multi-stage hash value 4106 is passed through the first transmission / reception means 311 to the authorization challenge response Response404.
To the authorization server means 33 (ST4107).

As a result, a multi-stage hash value associated with the authorization challenge response Response 404 obtained by the authorization server unit 33,
The multi-stage hash value with the authentication ticket Ticket403 is
5 and 6, only the hash target is different, and the former and the latter have a relation of operation. Therefore, the operation of the authorization server means 33 for this is the same as in the case of FIGS. 5 and 6, the relationship between the two multi-stage hash values is checked, and if it is found to be valid, an authorization notification Result 308 is returned. Received. By this method, the client means 41 does not disclose the password PW to a third party including the authorization server means 33, and is independent of the password PW and has a higher security authentication ticket 402.
Can be used up to n times.

In the above description, the client means 41
Although the multi-stage hash value is calculated for each use authorization procedure in the above, the multi-stage hash value of all the stages may be pre-calculated and stored in the confidential storage unit 316 when the authentication ticket is acquired. In that case, confidential storage means 316
Although it is necessary to use a tamper-resistant memory device having a larger capacity, the processing time for each use authorization procedure can be shortened.

As described above, by adopting the configuration of this embodiment in the authentication system, it becomes possible to perform the use authorization process in a practical processing time even if the client side is an apparatus having a low calculation processing capability. Further, since the verification information included in the authentication ticket becomes irrelevant to the user authentication information, there is no possibility that the user authentication information is guessed from the authentication ticket, and a more secure single sign-on type authentication method and authentication system are provided. Is obtained.

(Sixth Embodiment) In the authentication system according to the sixth embodiment, the authorization server sends a request to the client means.
An authentication ticket whose usage count has been updated is sent together with the authorization notification.

FIG. 14 is a protocol sequence diagram showing the protocol of this authentication system. 14 differs from FIG. 4 in the client unit 51 and the authorization server unit 53, and the authentication server unit 32 is the same. In addition, the authorization notification is sent from the authorization server 53 to the client unit 51.
The difference is that the updated authentication ticket Ticket501 is sent together with the Result308.

The authentication ticket Ticket 501 is different from the authentication ticket 305 in the following points.

That is, the result of the (n + 1) -stage hash operation in the authentication ticket 305 is replaced by the result of the (n−k + 1) -stage hash operation (k is the number of uses). The number of valid times n in the authentication ticket 305 has been replaced by the remaining available number of times nk. The time stamp TS0 has been replaced with a new time stamp TSk. The issuer identifier IID has been replaced with a server identifier indicating the authorization server 53 itself. Further, a new authenticator has been added.

According to this method, the client means 51
The use authorization can be obtained by using the authentication ticket 304 or the updated authentication ticket 501 up to n times without revealing the password PW to a third party including the authorization server unit 53. Further, since the time stamp of the authentication ticket is updated every time, the expiration date can be set shorter. As a result, the period during which a third party can be targeted by a fraudulent third party is reduced,
More secure. In addition, since the hash operation in the authorization server means 53 may be performed in one stage, the response time in the use authorization procedure can be reduced.

The structure of an authentication system having such a protocol sequence will be described with reference to FIG.

In FIG. 15, what differs from FIG. 5 is the client means 51 and the authorization server means 53, and the authentication server means 32 is unchanged. The client unit 51 is different from the client unit 31 in FIG. 5 in that the ticket holding unit 511 uses the authentication ticket T from the authorization server unit 53.
The point is that the authentication ticket data 5101 of the icket501 can be held. The difference between the authorization server means 53 and the authorization server means 33 of FIG.
It is assumed that 531 also outputs the remaining available number of times, and a one-stage hash operation H is used instead of the third multi-stage hash means 336.
Is provided, and a second authenticator adding means 533 for generating and adding an authenticator to the authentication ticket is newly provided, and a part of the connection is modified.

As the ticket holding means 511, a configuration similar to that of the ticket holding means 314 can be used with additional connection. As the ticket use management unit 531, a configuration similar to that of the ticket use management unit 335 can be used by adding a connection. As the third hash means 532, for example, an arithmetic circuit incorporating the algorithm of the hash operation H can be used. As the second authenticator adding unit 533, the same configuration as the authenticator adding unit 328 can be used. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The operation of the authentication system configured as described above will be described with reference to FIG. here,
The case where the authentication request Authenticate Request 301 has an authentication ticket valid number n will be described.

First, the operations in the client means 51 and the authentication server means 32 are the same as those in FIGS. 5 and 6, and the user authentication procedure is performed.
The authentication ticket Ticket 304 is sent to the client means 51.

On the other hand, in the client means 51, the first transmitting / receiving means 311 operates in the same manner as in FIGS. 5 and 6, and the ticket holding means 511 is the ticket holding means 314 in FIGS. Works the same as the Authentication Ticket Ticke
The time t305 is sent to the authorization server means 53 together with the authorization request Authorize Request, and the valid number 3112 is extracted from the authentication ticket data and sent to the multi-stage hash means 317.

On the other hand, in the authorization server unit 53, the third transmission / reception unit 331, the authorization clock unit 332, the authenticator verification unit 333, and the ticket validity determination unit 334 operate in the same manner as in FIGS. The ticket identifier 3305, the multi-stage hash value 3306, the number of valid times 3307, the issuer identifier 3308, and the ticket validity notification 3310 are supplied to the ticket use managing unit 531. The ticket use management means 531 operates almost in the same manner as the ticket use management means 335 in the case of FIGS. 5 and 6, and sends the number of uses 5301 to the client means 51 as the authorization challenge Challenge 306 via the third transmission / reception means 331. Then, the multi-stage hash value 3306 is sent as it is to the authorization verification unit 337 as the multi-stage hash value 5302, and a ticket identifier, a remaining usable count and a server identifier set 5303 is output and sent to the second authenticator adding unit 533.

The operation of the client means 51 in response to this is the same as in the case of FIG. 5 and FIG.
An authorization challenge response Response 307 is returned to the nge 306.

On the other hand, in the authorization server means 53, the authorization challenge response Response 307 is received by the third transmitting / receiving means 331, the multi-stage hash value 5304 is taken out, and the third hash means 532 and the second authenticator addition Sent to means 533. The third hash means 532 includes a multi-stage hash value 530
Then, a hash operation H is performed on 4, and a secondary multi-stage hash value 5305 in which the number of hash stages is increased by 1 is sent to the authorization matching unit 337 (ST5301). Authorization matching means 337 determines whether multi-stage hash value 5302 and secondary multi-stage hash value 5305 match (ST5302, ST3316), and compares collation result 5307 with second
To the authenticator adding means 533.

[0138] The authorization timekeeping means 322 measures the current time, and supplies a time stamp 5306 based on the current time to the second authenticator adding means 533. Second authenticator adding means 5
33 is a set 5303 of the ticket identifier, the remaining usable number and the server identifier, the multi-stage hash value 5304, and the time stamp 5306.
And an issuer identifier indicating the authorization server 53 itself, and an authenticator is generated and added to this to obtain authentication ticket data 5308 (ST5303). Authorization notification Result308
Is sent to the client means 51 (ST5304).

On the other hand, in the client means 51, the authentication ticket Ticket 501 is received by the first transmitting / receiving means 311 and sent to the ticket holding means 511 as authentication ticket data 5101 and held (ST5101, ST5).
102), used in the next use authorization procedure.

As a result, the number of stages of the multi-stage hash value associated with the authentication ticket 305 sent from the client unit 51 to the authorization server unit 53 decreases by one for each use authorization. Only the response time can be shortened. In addition, since the time stamp is updated, the expiration date can be set to a value short enough to cover the access interval, for example, 1 hour, and the security can be improved without lowering the user convenience. According to this method, the client unit 31 obtains the use authorization with a shorter response time up to n times using the authentication ticket 305 with higher security without disclosing the password PW to the third party including the authorization server unit 53. be able to.

In the above description, the client means 51
Although the multi-stage hash value is calculated for each use authorization procedure in the above, the multi-stage hash value of all the stages may be pre-calculated and stored in the confidential storage unit 316 when the authentication ticket is acquired. In that case, confidential storage means 316
Although it is necessary to use a tamper-resistant memory device having a larger capacity, the processing time for each use authorization procedure can be shortened.

As described above, in the authentication system according to the present embodiment, the possibility of unauthorized use by a third party can be reduced, and the response time of use authorization can be shortened.

(Seventh Embodiment) The authentication system of the seventh embodiment can use an authentication ticket in common for a plurality of authorization servers.

FIG. 17 is a protocol sequence diagram showing the protocol of this authentication system. 17 differs from FIG. 4 in a client unit 61, an authentication server unit 62, and an authorization server unit 63, and further includes an authentication ticket management unit 64. Also, authentication challenge response
The authentication server means 62 receiving the Response 303 sends the authentication request Authe
Ticket identifier TID extracted from nticate Request301
That an authentication ticket issuance / registration instruction Registration 601 including the ID, the server identifier SID, and the number of valid times n is sent to the authentication ticket management means 64; the point that the authorization request Authorize Request 602 is accompanied by the number of uses k;
02 and the authorization server means 6 receiving the authentication ticket Ticket 305
3 is authorization request Authorize Request 602 and authentication ticket 305
Identifier TID and server identifier SI retrieved from
An authentication ticket history update instruction Update603 with D and the number of uses k is sent to the authentication ticket management means 64. In response to this, an authentication ticket rejection notification Reject606 is provided as necessary.
Is returned, the point that the authorization challenge Challenge 604 is accompanied by a random number Rk generated differently each time instead of the number of uses k, and the authorization challenge response Response 605 is an (n−k + 1) -th hash operation for the connection between the password PW and the random number R0. The difference is that a result obtained by performing an exclusive OR operation with Rk is added to the result obtained by performing H.

By this method, the client means 61
The use authorization can be obtained by using the authentication ticket 304 up to n times without revealing the password PW to a third party including the authorization server means 63, and the number of uses k is transmitted from the client means 61 and the authorization server means 63 Since the authentication ticket management means 64 is independent of the authentication ticket 304, the authentication ticket 304
Can be commonly used by a plurality of authorization server means 63.

A configuration of an authentication system having this protocol sequence will be described with reference to FIG. FIG. 18 also differs from FIG.
1. An authentication server means 62 and an authorization server means 63, and an authentication ticket management means 64 is further added. The client unit 61 is different from the client unit 31 in FIG. 5 in that a ticket holding management unit 611 that holds an authentication ticket and manages the number of uses k is provided in place of the ticket holding unit 314, and an exclusive bit for each bit is provided. This is the point that the first exclusive OR means 612 for performing the OR operation is provided, and a part of the connection is modified. Further, the authentication server means 62 differs from the authentication server means 32 of FIG. 5 in that a ticket registration instructing means 621 for generating authentication ticket issuance registration instruction data is provided, and a part of the connection is modified.

The difference between the authorization server means 63 and the authorization server means 33 shown in FIG. 5 is that the ticket identifier, the validity count and the remaining usable count of the authentication ticket are received and supplied to the respective units, and the authentication ticket history update instruction data is transmitted. A ticket update instructing unit 631 to be generated is provided in place of the ticket use managing unit 335, a second random number generating unit 632 that generates a random number for each use authorization process, and a second exclusive OR that performs an exclusive OR operation for each bit This is the point that the logical sum means 633 is provided and a part of the connection is modified.

As the ticket holding management means 611,
An addition circuit for calculating the number of uses is added to the same configuration as the ticket holding means 335. As the first and second exclusive OR means 612 and 633, for example, a logic circuit can be used. As the ticket registration instructing means 621, for example, a logic circuit can be used. For example, a logic circuit can be used as the ticket update instruction means 631. As the second random number generating means 632, the same configuration as the random number generating means 324 can be used. The authentication ticket management means 64 can be configured by a combination of various communication interface devices, a logic circuit for dividing and coupling data, an arithmetic circuit for checking the number of uses, a comparison circuit, and a large-capacity memory device. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program may be recorded on a program recording medium in a readable format, and realized by a configuration in combination with a program recording medium reader.

The operation of the authentication system configured as described above will be described with reference to FIG. here,
The case where the authentication request Authenticate Request 301 has an authentication ticket valid number n will be described.

First, the operations in the client means 61 and the authentication server means 62 in the user authentication procedure are almost the same as those in FIGS. 5 and 6, and finally, the authentication server means 62 sends the authentication ticket Ticket 304 to the client means 61. Can be However, in the client means 61, the operation of the ticket holding means 314 at this time is performed by the ticket holding management means 611. In the authentication server means 62, the number of valid times 6201 extracted from the authentication request Authenticate Request 301 is also sent to the ticket registration instruction means 621 in addition to the multi-stage hash means 325 and the authenticator adding means 328, and the server identifier 6202 is used as the authenticator adding means. The ticket identifier 6203 generated by the ticket identifier generating means 327 is also transmitted to the ticket registration instructing means 621 in addition to the authenticator adding means 328.

The ticket registration instructing means 621 generates the authentication ticket issuance registration instruction data 6204 by linking the ticket identifier 6203, the server identifier 6202, and the number of valid times 6201.
Authentication ticket issuance registration instruction Reg via transmission / reception means 321
Send to the authentication ticket management means 64 as istration601 (S
T6201). Upon receiving this, the authentication ticket management unit 64 manages the ticket list, and when the authentication ticket issuance registration instruction Registration 601 is given, searches the ticket list using the ticket identifier to check whether or not the ticket is already registered. . If there is no corresponding number, a set of a ticket identifier, a valid count and a valid count as a value indicating the remaining available count is added to the ticket list and stored.

On the other hand, in the client means 61, the authentication ticket Ticket 304 is received by the first transmitting / receiving means 311, and the authentication ticket data 3110 is taken out and sent to the ticket holding and managing means 611. Ticket holding management means 611
Holds the authentication ticket data 3110 in association with the server identifier 3101 and simultaneously manages the number of valid times extracted from the authentication ticket data as the remaining usable number of times (ST610).
1) When the use authorization procedure start notification 6101 is given,
The authentication ticket data 3111 is used as the authentication ticket Ticket 305 via the first transmission / reception means 311, and the number of uses 6102 obtained by subtracting the remaining number of usable times from the valid number of times taken out of the authentication ticket after subtracting 1 is used (ST 610).
2) Authorization R via first transmission / reception means 311
equest602 to the authorization server means 63 (ST61
03) Further, the valid number 3112 extracted from the authentication ticket data is sent to the multi-stage hash means 317.

On the other hand, in the authorization server means 63, the authentication ticket Ticket 305 and the authorization request Authorize Req
The uest 602 is received by the third transmitting / receiving means 331, the authentication ticket data 3301 is taken out and sent to the authenticator verification means 333, and the number of uses 6301 is taken out and the ticket update instructing means 63
1 (ST6301). The authorization clock unit 332, the authenticator verification unit 333, and the ticket validity determination unit 334 operate almost in the same manner as in FIGS.
02 is transmitted to the ticket update instructing means 631 in addition to the ticket validity determining means 334, and the validity notification 6303 is transmitted to the ticket update instructing means 631 and the second random number generating means 632. Upon receiving the validity notification 6303, the ticket update instructing means 631
Ticket identifier 3305, server identifier 6302, and number of uses 6301
To generate the authentication ticket history update instruction data 6304 and send it as the authentication ticket history update instruction Update603 to the authentication ticket management means 64 via the third transmission / reception means 331 (ST6302), and use the number of uses 6301 as it is. The number is sent to the third multi-stage hash means 336 as 6306. When the authentication ticket history update instruction Update603 is given, the authentication ticket management unit 64 searches the ticket list using the ticket identifier, and the value indicating the corresponding valid number is the value indicating the corresponding remaining available number. And the total number of use times accompanied by the authentication ticket history update instruction Update 603 is checked, and if it is correct, the value indicating the remaining usable number of times in the ticket list is reduced by 1, and if not correct, the authentication ticket rejection notification Reject 606 is returned. . The authentication server rejection notification 606 is sent from the authorization server unit 63 to the ticket update instruction unit 631 as authentication ticket rejection notification data 6305 via the third transmission / reception unit 331. The ticket update instructing unit 631 sends the multi-stage hash value 3306 as it is to the authorization matching unit 337 as the multi-stage hash value 3312. However, when the authentication ticket rejection notification data 6305 is given, the ticket update instructing unit 631 suppresses this. Second random number generating means 632
When a valid notification 6303 is given, a new random number 6307 for data disturbance is randomly generated and sent to the second exclusive OR means 633, and the third transmitting / receiving means 331
Is transmitted to the client means 61 as an authorization challenge Challenge 604 (ST6303).

On the other hand, in the client means 61, the authorization challenge Challenge 604 is set to the first transmitting / receiving means 31.
It is received at 1 and the challenge random number 6103 is taken out and sent to the first exclusive OR means 612 (ST6104). The multi-stage hash unit 317 obtains the hash value 3113 from the confidential storage unit 316 when the use authorization procedure start notification 6101 is given, and the hash value 3113 corresponds to the difference between the valid number 3112 and the use number 6102. The hash operation H of the number of stages is performed, and the resulting multi-stage hash value 6104 is sent to the first exclusive OR means 612. The first exclusive OR means 612 performs an exclusive OR operation for each bit between the multi-stage hash value 6104 and the challenge random number 6103 when the use authorization procedure start notification 6101 is given, and A hash value 6105 is generated and sent to the authorization server means 63 via the first transmission / reception means 311 as an authorization challenge response Response 605 (ST
6105, ST6106). As long as the hash operation H has a sufficiently secure one-way property and the length and randomness of the result, the disturbed multi-stage hash value 6105 must be calculated by a third party who does not know the password PW, the random number R0 and the challenge random number. Therefore, the disturbed multi-stage hash value 6105 indicates that the user is a valid user who knows the password PW. Further, since the number of stages of the hash operation H in the multi-stage hash value is increased as far back in the past, the next multi-stage hash value cannot be calculated from the multi-stage hash value 6104, so that there is no need for encryption. It should be noted that the hash operation is generally 100 times or more faster than the encryption operation, and the processing can be performed at a higher speed than the case of using the encryption if the number of stages is appropriate.

On the other hand, in the authorization server means 63, the authorization challenge response Response 605 is received by the third transmitting / receiving means 331, the disturbed multi-stage hash value 6308 is taken out, and sent to the second exclusive OR means 633. (ST630
4). The second exclusive OR means 633 generates the challenge random number 6
An exclusive OR operation for each bit is performed between 307 and the disturbed multi-stage hash value 6308 to obtain a multi-stage hash value 6309 and send it to the third multi-stage hash means 336 (ST6305). The third multi-stage hash means 336 performs a hash operation of the number of stages corresponding to the number of uses 6306 on the multi-stage hash value 6309,
The resulting secondary multi-stage hash value 3314 is sent to the authorization matching means 337. The authorization collation means 337 operates in the same manner as in FIGS. 5 and 6, sends the authorization notification data 3315 to the client means 61 as the authorization notification Result 308 via the third transmission / reception means 331, and is received by the client means 61. However,
This is not the case when the supply of the multi-stage hash value 3312 is suppressed by receiving the authentication ticket rejection notification Reject 606 (ST6306, ST6307). In this way,
Client means 61 transmits password PW to authorization server means
The use authorization can be obtained for a plurality of authorization server means using the authentication ticket 305 up to n times without disclosing to a third party including 63.

In the above description, the client means 61
Although the multi-stage hash value is calculated for each use authorization procedure in the above, the multi-stage hash value of all the stages may be pre-calculated and stored in the confidential storage unit 316 when the authentication ticket is acquired. In that case, confidential storage means 316
Although it is necessary to use a tamper-resistant memory device having a larger capacity, the processing time for each use authorization procedure can be shortened.

As described above, in this embodiment, a highly convenient single sign-on type authentication system that can use an authentication ticket in common with a plurality of authorization servers under a method in which the authentication ticket is not updated. Can be configured.

(Eighth Embodiment) The authentication system of the eighth embodiment can manage the use of an authentication ticket in a distributed manner.

FIG. 20 is a protocol sequence diagram showing the protocol of this authentication system. 20 differs from FIG. 14 in a client unit 71, an authentication server unit 72, and an authorization server unit 73, and further includes a second authorization server unit 74. Authorization request Author
The point that the ize Request 701 has the number of uses k, the authorization request Au
thorize Request 701 and the ticket identifier TID extracted from the authorization request Authorize Request 701 and the authentication ticket 305 by the authorization server 73 receiving the authentication ticket Ticket 305
To send the authentication ticket history inquiry Inquiry 702 with the ID, the server identifier SID, and the number of times of use k to the authentication server means 72 or the second authorization server means 74. In response to this, an authentication ticket rejection notification Reject 705 is returned if necessary. point,
The point that the authorization challenge Challenge 703 has a random number Rk generated differently each time instead of the number of uses k, and the authorization challenge response Response 704 is that the password PW and the random number R0
The difference is that the result of performing an nk + 1-stage hash operation H for the concatenation with the result of the exclusive OR operation with Rk is further added.

According to this method, the client means 71 does not disclose the password PW to the third party including the authorization server means 73 and the second authorization server means 74, and the authentication ticket 304 and the updated authentication ticket 501 are updated up to n times. Can be used by using
The authentication ticket 304 is shared by the plurality of authorization server units 73 and 74 in order to send the authentication ticket from the server 71 to the authentication server unit 72 that issued the authentication ticket via the authorization server unit 73 or to the updated second authorization server unit 74 for checking. It can be used, and the traffic of the check processing can be distributed.

The structure of an authentication system having such a protocol sequence will be described with reference to FIG. FIG. 21 also differs from FIG. 15 in a client means 71, an authentication server means 72, and an authorization server means 73, and further includes a second authorization server means 74. The client unit 71 is different from the client unit 51 of FIG. 15 in that a ticket holding management unit 711 that holds an authentication ticket and manages the number of uses k is provided instead of the ticket holding unit 511, and an exclusive This is the point that the first exclusive OR means 712 for performing the OR operation is provided, and a part of the connection is modified. The difference between the authentication server means 72 and the authentication server means 32 in FIG.
The point is that a ticket issuance management unit 721 for managing issuance of an authentication ticket and responding to an inquiry is provided, and a part of the connection is modified. Also, the authorization server means 73 differs from the authorization server means 53 of FIG. 15 in that the ticket identifier, the validity count, and the remaining usable count of the authentication ticket are received and supplied to each unit, and the update of the authentication ticket is managed and referred. To the ticket update management means 731
In place of 31, a second random number generating means 732 for generating a random number for each use authorization process, and a second exclusive OR means 733 for performing an exclusive OR operation for each bit are provided. It is in the revised point. The second authorization server means 74 has the same configuration as the authorization server means 73.

As the ticket holding / managing means 711, an addition circuit for calculating the number of times of use can be added to the same configuration as that of the ticket holding means 511. As the first and second exclusive OR means 712 and 733, for example, a logic circuit can be used. The ticket issuance management means 721 can be composed of, for example, a combination of a logic circuit that performs data division and combination, an arithmetic circuit that checks the number of uses, and a comparison circuit and a large-capacity memory device. The ticket update management means 731 can be composed of, for example, a combination of a logic circuit for dividing and coupling data, an arithmetic circuit for collating the number of uses, a comparison circuit, and a large-capacity memory device. As the second random number generating means 732, the same configuration as the random number generating means 324 can be used. Each of the above means may be realized by using a microcomputer or a computer program on a general-purpose computer. Alternatively, the computer program is recorded on a program recording medium in a readable format,
It may be realized by a configuration in combination with a program recording medium reader.

The operation of the authentication system configured as described above will be described with reference to FIG. here,
The case where the authentication request Authenticate Request 301 has an authentication ticket valid number n will be described.

First, the operations of the client means 71 and the authentication server means 72 in the user authentication procedure are shown in FIG.
It is almost the same as the case of FIG.
The authentication ticket Ticket 304 is sent from the 72 to the client means 71. However, in the client means 71, the operation of the ticket holding means 511 at this time is performed by the ticket holding management means 711. In the authentication server means 72, the number of valid times 7201 extracted from the authentication request Authenticate Request 301 is also sent to the ticket issue management means 721 in addition to the multi-stage hash means 325 and the authenticator adding means 328, and the server identifier 7202 is The ticket identifier 7203 generated by the ticket identifier generation unit 327 is also transmitted to the ticket issuance management unit 721 in addition to the authenticator addition unit 328. The ticket issuance management means 721 manages the issued ticket list, and includes a ticket identifier 7203, a server identifier 7202, a valid count 7201, and a valid count 72 as a value indicating the remaining usable count.
01 is added to the ticket list and stored (ST720)
1).

On the other hand, in the client means 71, the authentication ticket Ticket 304 is received by the first transmission / reception means 311, and the authentication ticket data 3110 is taken out and sent to the ticket holding management means 711. The ticket holding management unit 711 stores the authentication ticket data 3110 in the server identifier 3
101, and the number of valid times extracted from the authentication ticket data is simultaneously managed as the remaining available number of times (ST7101). When the use authorization procedure start notification 7101 is given, the authentication ticket data 3111 is stored in the first number. The number of uses 7102 obtained by subtracting 1 from the valid number of times obtained from the authentication ticket after reducing the remaining available number of times by 1 via the transmitting / receiving means 311 (ST7102) is transmitted to the first transmitting / receiving means 311. The request is sent to the authorization server unit 73 as an authorization request Authorize Request 701 via the authentication server (ST7103), and the validity number 3112 extracted from the authentication ticket data is sent to the multi-stage hash unit 317.

On the other hand, in the authorization server means 73, the authentication ticket Ticket 305 and the authorization request Authorize Req
The uest 701 is received by the third transmission / reception unit 331, the authentication ticket data 3301 is taken out and sent to the authenticator verification unit 333, and the number of uses 7301 is taken out and the ticket update management unit 73
1 (ST7301).

The authorization timekeeping means 332, the authenticator verification means 333 and the ticket validity determining means 334 operate almost in the same manner as in FIGS. 15 and 16, except that the server identifier 7302 is used in addition to the ticket validity determining means 334 and the ticket update management. The validity notification 7303 is also sent to the means 731 and sent to the ticket update management means 731 and the second random number generation means 732. The ticket update management means 731 manages the issued ticket list, and when the validity notification 7303 is given, the ticket identifier 3305, the server identifier 7302, and the number of uses 7301 are connected to obtain the authentication ticket history inquiry data 7304, The authentication server means 72 indicated by the issuer identifier 3308 or the second
Inquiry 702: Inquiry 702 of authorization ticket history to authorization server means 74 of
And the ticket identifier 3305 and the server identifier 73
A set of 02, valid number 7301, and valid number 7301 as a value indicating the remaining usable number is added to the ticket list and stored (ST7302).

In the authentication server means 72 having received this, the authentication ticket history inquiry Inquiry 702 is received by the second transmission / reception means 321 and becomes the authentication ticket history inquiry data 7205 including the ticket identifier, the server identifier and the number of uses. It is sent to the issue management means 721. The ticket issuance management means 721 checks whether or not the number of uses extracted from the authentication ticket history inquiry data 7205 matches one obtained by adding one to the difference between the effective number managed by itself and the remaining available number of times. Uses authentication ticket rejection notification data 7204 as the second
Authentication ticket rejection notification Reject7
Send back as 05. When the second authorization server 74 receives this, the ticket update management means performs the same role as the ticket issuance management means 721.

In the authorization server unit 73, the authentication ticket rejection notification 705 is sent to the ticket update management unit 731 as authentication ticket rejection notification data 7305 via the third transmission / reception unit 331. The ticket update management unit 731 sends the multi-stage hash value 3306 as it is to the authorization matching unit 337 as the multi-stage hash value 5302, and sends the set 5303 of the ticket identifier, the remaining available number of times, and the server identifier to the second authenticator addition unit 533. Sent, but when the authentication ticket rejection notification data 7305 is given, these are suppressed. Second random number generating means 732
When the validity notification 7303 is given, a challenge random number 7306 for data disturbance is newly generated at random and sent to the second exclusive OR means 733, and the third transmitting / receiving means 331
Is sent to the client means 71 as an authorization challenge Challenge 703 (ST7303).

On the other hand, in the client means 71, the authorization challenge Challenge 703 is transmitted to the first transmitting / receiving means 31.
The challenge random number 7103 is received at 1 and is sent to the first exclusive OR means 712 (ST7104). The multi-stage hash unit 317 obtains the hash value 3113 from the confidential storage unit 316 when the use authorization procedure start notification 7101 is given, and corresponds to the difference between the valid number 3112 and the use number 7102 in the hash value 3113. The hash operation H for the number of stages is performed, and the resulting multi-stage hash value 7104 is sent to the first exclusive OR means 712. The first exclusive OR means 712 performs an exclusive OR operation for each bit between the multi-stage hash value 7104 and the challenge random number 7103 when the use authorization procedure start notification 7101 is given, and A hash value 7105 is generated and sent to the authorization server means 73 as an authorization challenge response Response 704 via the first transmitting / receiving means 311 (ST
7105, ST7106). As long as the hash operation H has a sufficiently secure one-way property and the length and randomness of the result, the disturbed multi-stage hash value 7105 must be calculated by a third party who does not know the password PW, the random number R0, and the challenge random number. Therefore, the disturbed multi-stage hash value 7105 indicates that the user is a valid user who knows the password PW. Further, since the number of stages of the hash operation H in the multi-stage hash value is increased as far back in the past, the next multi-stage hash value cannot be calculated from the multi-stage hash value 7104, so that there is no need for encryption. It should be noted that the hash operation is generally 100 times or more faster than the encryption operation, and the processing can be performed at a higher speed than the case of using the encryption if the number of stages is appropriate.

On the other hand, in the authorization server means 73, the authorization challenge response Response 704 is received by the third transmission / reception means 331, the disturbed multi-stage hash value 7307 is taken out, and sent to the second exclusive OR means 733. (ST730
4). The second exclusive OR means 733 generates the challenge random number 7
An exclusive OR operation for each bit is performed between 306 and the disturbed multi-stage hash value 7307 to obtain a multi-stage hash value 7308 and send it to the third hash means 532 (ST7305). The third hash unit 532 performs a hash operation on the multi-stage hash value 7308, and sends the resulting secondary multi-stage hash value 5305 to the authorization matching unit 337. The authorization matching means 337 and the second authenticator adding means 533 operate in the same manner as in FIGS. 15 and 16, and send the authentication ticket data 5308 to the client means 71 as the authentication ticket Ticket 501 via the third transmitting / receiving means 331. . However, this does not apply to the case where the supply of the multi-stage hash value 5302 and the set 5303 of the ticket identifier, the remaining available number of times, and the server identifier is suppressed by receiving the authentication ticket rejection notification Reject 705 (ST7306, ST730).
7).

On the other hand, in the client means 71, the authentication ticket Ticket 501 is received by the first transmission / reception means 311 and sent to the ticket holding management means 711 as authentication ticket data 5101 and held (ST7107, S7107).
T7108), which is used in the next use authorization procedure.

As a result, the disturbed multi-stage hash value accompanying the authentication ticket 305 sent from the client unit 71 to the authorization server unit 73 decreases the number of stages by one for each use authorization.
Only the steps need be performed, and the response time can be reduced. In addition, since the time stamp is updated, the expiration date can be set to a value short enough to cover the access interval, for example, 1 hour, and the security can be improved without lowering the user convenience. According to this method, the client means 71 uses the authentication ticket 305 with higher security and uses it up to n times with a shorter response time without disclosing the password PW to third parties including the authorization server means 73 and 74. Authorization can be obtained, the authentication ticket can be used in common by a plurality of authorization servers, and the traffic of the check processing can be distributed.

In the above description, the client means 71
Although the multi-stage hash value is calculated for each use authorization procedure in the above, the multi-stage hash value of all the stages may be pre-calculated and stored in the confidential storage unit 316 when the authentication ticket is acquired. In that case, confidential storage means 316
Although it is necessary to use a tamper-resistant memory device having a larger capacity, the processing time for each use authorization procedure can be shortened.

As described above, by configuring the authentication system as in the present embodiment, the use of the authentication ticket can be managed in a distributed manner under the method of updating the authentication ticket. Therefore, one management resource can be reduced.

[0176]

As is clear from the above description, the present invention firstly eliminates the need for encryption processing on the client side and easily manages the number of times an authentication ticket is used to eliminate double use. And a single sign-on type authentication method and authentication system.

Second, also in the user authentication procedure, the encryption processing on the client side is not required, and the arithmetic processing of the authentication presentation information and the arithmetic processing of the presentation information can be shared. And an authentication system.

Third, in the case where the verification random number is generated by using the authentication random number generated by the client means as secret information,
Since the verification information included in the authentication ticket is irrelevant to the user authentication information, there is no possibility that the user authentication information is guessed from the authentication ticket, and a more secure single sign-on type authentication method and authentication system can be obtained.

Fourth, by performing the irreversible operation of the secret information by a one-way hash operation, it is possible to perform the use authorization process in a practical processing time even if the client side is a device having a low calculation processing capability. A single sign-on type authentication method and authentication system can be obtained.

Fifth, when the authorization server updates the authentication ticket collation information and the like, it is updated each time the authentication ticket is used, and in particular, the time stamp is updated, so that the validity period in the validity determination is set shorter. You can reduce the potential for unauthorized use by third parties,
Further, a single sign-on type authentication method and an authentication system that can shorten the response time of use authorization can be obtained.

Sixth, in the case where the authentication ticket management means for managing the number of times of use of the authentication ticket is provided, it is possible to use the authentication ticket commonly to a plurality of authorization servers in a system in which the authentication ticket is not updated. Therefore, a more convenient single sign-on type authentication method and authentication system can be obtained.

Seventh, when the authentication server means and the authorization server means store the issuance history of the authentication ticket, in a system in which the authentication ticket is updated, the use of the authentication ticket can be managed in a distributed manner. A single sign-on type authentication method and authentication system that can be reduced can be obtained.

[Brief description of the drawings]

FIG. 1 is a conceptual diagram showing an outline of an authentication system according to a first embodiment of the present invention;

FIG. 2 is a conceptual diagram showing an outline of an authentication system according to a second embodiment of the present invention;

FIG. 3 is a conceptual diagram showing an outline of an authentication system according to a third embodiment of the present invention;

FIG. 4 is a protocol sequence diagram of an authentication system according to a fourth embodiment of the present invention;

FIG. 5 is a functional block diagram of an authentication system according to a fourth embodiment of the present invention;

FIG. 6 is a flowchart showing an operation of the authentication system according to the fourth embodiment of the present invention;

FIG. 7 is a detailed functional block diagram of an authenticator adding unit when a message authentication code is used in the authentication system according to the fourth embodiment of the present invention;

FIG. 8 is a detailed functional block diagram of an authenticator verification unit when a message authentication code is used in the authentication system according to the fourth embodiment of the present invention;

FIG. 9 is a detailed functional block diagram of an authenticator adding unit when a digital signature is used in the authentication system according to the fourth embodiment of the present invention;

FIG. 10 is a detailed functional block diagram of an authenticator verification unit when a digital signature is used in the authentication system according to the fourth embodiment of the present invention;

FIG. 11 is a protocol sequence diagram of an authentication system according to a fifth embodiment of the present invention;

FIG. 12 is a functional block diagram of an authentication system according to a fifth embodiment of the present invention;

FIG. 13 is a flowchart showing an operation of the authentication system according to the fifth embodiment of the present invention;

FIG. 14 is a protocol sequence diagram of an authentication system according to a sixth embodiment of the present invention;

FIG. 15 is a functional block diagram of an authentication system according to a sixth embodiment of the present invention;

FIG. 16 is a flowchart showing the operation of the authentication system according to the sixth embodiment of the present invention;

FIG. 17 is a protocol sequence diagram of an authentication system according to a seventh embodiment of the present invention;

FIG. 18 is a functional block diagram of an authentication system according to a seventh embodiment of the present invention;

FIG. 19 is a flowchart showing the operation of the authentication system according to the seventh embodiment of the present invention;

FIG. 20 is a protocol sequence diagram of the authentication system according to the eighth embodiment of the present invention;

FIG. 21 is a functional block diagram of an authentication system according to an eighth embodiment of the present invention;

FIG. 22 is a flowchart showing the operation of the authentication system according to the eighth embodiment of the present invention;

FIG. 23 is a conceptual diagram showing an outline of a conventional authentication method.

FIG. 24 is a protocol sequence diagram of a conventional authentication method.

FIG. 25 is a functional block diagram of a conventional authentication method;

FIG. 26 is a flowchart showing the operation of a conventional authentication method.

[Explanation of symbols]

1, 11, 21, 31, 41, 51, 61, 71, 81 Client means 2, 12, 22, 32, 42, 62, 72, 82 Authentication server means 3, 33, 53, 63, 73, 83 Authorization server Means 4, 14, 24 Secret information 5, 7, 803, 805 Authentication ticket 6, 804 Presentation information 8, 806 Authorization notice 13, 23, 801 Authentication presentation information 64 Authentication ticket management means 74 Second authorization server means 311 First Input / output means 312, 811 input means 313 hash means 314 ticket holding means 316 confidential storage means 317 multi-stage hash means 321 second transmission / reception means 322 authentication timer means 323 authentication information storage means 324 random number generation means 325 second multi-stage hash means 326 Authentication collation means 327 Ticket identifier generation means 328 Authenticator addition means 328A Own identifier storage means 328B Data connection means 328C Connection data hash means 328D Server common key storage means 328E Common key encryption means 328F Authenticator connection means 328G Private secret key storage means 328H Public key method encryption means 331 Third transmission / reception means 332 Authorization timekeeping means 333 Authenticator verification means 333A Authenticator separation means 333B Second connected data hash means 333C Second server common key storage means 333D Second common key method Encryption means 333E Data separation means 333F Issuer identifier collation means 333G Comparison means 333H Server public key storage means 333J Public key method decryption means 334, 832 Ticket validity determination means 335, 531 Ticket use management means 336 Third multi-stage hash means 337 Authorization Collation means 411 random number generation means for authentication 412, 612, 712 first exclusive OR means 421 second hash means 422 second exclusive OR means 423 second multi-stage hash means 511 ticket holding means 532 third Hash means 533 second authenticator adding means 611, 711 ticket holding and managing means 621 ticket registration instructing means 631 ticket update instructing means 632 second random number generating means 63 3,733 Second exclusive OR means 721 Ticket issuance management means 731 Ticket update management means 732 Second random number generation means 812 Session key decryption means 813 Certificate timekeeping means 814 Certificate information encryption means 821 Session key generation means 822 Session key Encryption means 823 Ticket encryption means 831 Ticket decryption means 833 Certification information decryption means 834 Certification information validity determination means 835 Authorization collation means

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] February 2, 1999 (1999.2.2)

[Procedure amendment 1]

[Document name to be amended] Drawing

[Correction target item name] Fig. 25

[Correction method] Change

[Correction contents]

FIG. 25

Continued on the front page F term (reference) 5B017 AA01 AA07 BA05 BA07 BB03 BB07 BB10 CA16 5B058 KA33 KA40 5B085 AE01 AE06 AE09 AE13 AE23 BC01 BG07 5B089 GA11 GA21 GB03 KA17 KB13 KC58 5J104 AA04

Claims (29)

[Claims] An authentication server for issuing an authentication ticket, an authorization server for authorizing use of the authentication ticket,
An authentication system comprising: a client unit that requests an authentication ticket from the authentication server unit and requests the authorization server unit to use the authentication ticket. In the authentication system, an authentication ticket whose effective number is n (n is a positive integer) is held. Client means for indicating this and requesting use authorization, and authorization server means for receiving the request and requesting presentation information from the client means and matching the authentication ticket to authorize use, the authentication ticket comprising: The authentication information includes a ticket identifier, collation information, and a valid number, and is provided with an authenticator. The collation information performs a predetermined irreversible operation on the secret information shared by the authentication server means and the client means n times. The presentation information when the number of times of use of the authentication ticket is k (k is a positive integer equal to or less than n) is included in the secret information. The predetermined irreversible operation is represented by n
An authentication system characterized in that the authentication is performed k times; 2. The authentication according to claim 1, wherein the authentication server manages user authentication information, executes a user authentication procedure with the client, and issues the authentication ticket. system. 3. The authentication server means generates a random number in a user authentication procedure, requests the client means to indicate the generated random number, and requests the client means to provide authentication information, wherein the secret information is a link between the user authentication information and the random number. Is subjected to the predetermined irreversible operation one or more times, the authentication presentation information,
The authentication system according to claim 2, wherein the predetermined irreversible operation is performed on the secret information n times. 4. The authentication server means generates a random number in a user authentication procedure, requests the client means to indicate the generated random number, and requests the client means for authentication presentation information, and the authentication presentation information is linked to the user authentication information and the random number. Is the result of an exclusive OR operation of a result of performing the predetermined irreversible operation at least once and an authentication random number generated by the client means, wherein the secret information is calculated backward from the authentication presentation information. The authentication system according to claim 2, wherein the authentication system is a random number. 5. The authentication system according to claim 2, wherein the user authentication information is a password input by a user. 6. The apparatus according to claim 2, wherein the user authentication information is a secret key cryptographic key held in secret.
5. The authentication system according to any one of items 1 to 4. 7. The authentication system according to claim 1, wherein the authenticator is a message authentication code. 8. The authentication system according to claim 1, wherein the authenticator is a digital signature. 9. The authentication system according to claim 1, wherein the predetermined irreversible operation is a one-way hash operation. 10. The authentication system according to claim 1, wherein the authentication ticket includes a server identifier. 11. The authentication system according to claim 1, wherein the authentication ticket includes an issue date and time. 12. The authentication ticket includes an issuer identifier, and the authorization server means authorizes use and updates collation information, validity count, issue date, issuer identifier, and authenticator of the authentication ticket, 12. The authentication system according to claim 11, wherein the verification information is updated to a value obtained by performing the predetermined irreversible operation on the secret information nk times, and the effective number is updated to nk. . 13. The authentication system according to claim 1, wherein the authorization server manages the number of times the authentication ticket is used, and requests the presentation information by indicating the number of times of use. . 14. The method according to claim 1, wherein the client unit manages the number of times the authentication ticket is used, and requests the use authorization by indicating the number of use times together with the authentication ticket. Authentication system. 15. An apparatus comprising: a plurality of said authorization server means; and an authentication ticket management means for managing the number of times of use of said authentication ticket, wherein said client means manages the number of times of use of said authentication ticket. Requesting use authorization by indicating this together with the authentication ticket, wherein the authentication server means issues the authentication ticket and instructs the authentication ticket management means to issue and register the authentication ticket, and the authorization server means 2. The method according to claim 1, wherein receiving the presentation of the authentication ticket, instructing the authentication ticket management means to update the history of the authentication ticket, and rejecting use when receiving a rejection notification from the authentication ticket management means. 12. The authentication system according to any one of 11). 16. The authentication server means, comprising a plurality of the authorization server means, wherein the client means manages the number of times the authentication ticket is used, and requests the use by indicating the use number together with the authentication ticket. Issues the authentication ticket and stores the issue history,
The authorization server means updates the authentication ticket and stores an update history. Upon receiving the authentication ticket, the authentication server means or the authorization server means indicated by the issuer identifier of the authentication ticket transmits the authentication ticket. 13. The authentication system according to claim 12, wherein a history is inquired, and if a rejection notification is received from said authentication server means or said authorization server means, use is not authorized. 17. The authorization server means generates a random number in a use authorization procedure, and requests the presentation information by indicating the random number. When the number of times the authentication ticket is used is k, the presentation information is 17. The authentication system according to claim 14, wherein the secret information is an exclusive OR operation result obtained by performing the predetermined irreversible operation nk times and the random number. 18. An authentication server for issuing an authentication ticket, an authorization server for authorizing use of the authentication ticket, requesting an authentication ticket from the authentication server, and requesting an authorization for use of the authentication ticket from the authorization server. An authentication system comprising: an input unit for obtaining an input of a user identifier, user authentication information, a server identifier, and the number of valid times of an authentication ticket; and an authentication ticket obtained from the authentication server unit. A ticket holding unit to be presented to the authorization server unit, a process selection unit that obtains the presence / absence information of the authentication ticket from the ticket holding unit and selects a process, and obtains the user authentication information from the input unit, and Hash means for obtaining random numbers and performing a hash operation on these concatenations, Confidential storage means for secretly storing the hash value obtained from the hash means, and taking out the hash value from the confidential storage means to obtain a valid number n (n is a positive integer) from the input means in the user authentication procedure. , The multi-stage hash value obtained by performing the n-stage hash operation is sent to the authentication server means. In the use approval procedure, the number of uses k (k is a positive integer equal to or less than n) is obtained from the approval server means, and a multi-stage hash unit for sending a multi-stage hash value obtained by performing a k-stage hash operation to the authorization server unit, wherein the authentication server unit generates an authentication information storage unit in which user authentication information is stored, and generates a random number And a random number generation means for sending to the client means, and a connection of the user authentication information obtained from the authentication information storage means and the random number generated by the random number generation means, and a hash function of n + 1 stages. Second multi-stage hash means for performing authentication, a multi-level hash value obtained from the client means and a multi-level hash value obtained by the second multi-level hash means, and an authentication and collation means, and a ticket identifier for generating a valid ticket identifier Generating means, an authentication timing means for measuring time and outputting time information, a ticket identifier obtained from the ticket identifier generating means, a multi-stage hash value obtained from the authentication matching means, a server identifier obtained from the client means, and validity Authenticator adding means for adding an authenticator to the number of times, a time stamp based on the time information obtained from the authentication timer means, and a connection of the issuer identifier indicating the authentication server means, and sending the authenticator as an authentication ticket to the client means. The authorization server verifies the authenticator of the authentication ticket obtained from the client. Certificate verification means, authorization timekeeping means for measuring time and outputting time information, ticket validity determination for checking the validity of the server identifier and the validity of the difference between the time stamp and the time information obtained from the authorization timekeeping means Means, a ticket use management means for managing the ticket identifier of the authentication ticket, the number of times of use, and the remaining available number of times; obtaining the number of times of use k from the ticket use management means; A third multi-stage hash means for outputting a second-order multi-stage hash value obtained by performing a multi-stage hash operation; a multi-stage hash value obtained from the ticket use management means; and a second-order multi-stage hash value obtained from the third multi-stage hash means. An authentication system comprising: an authorization verification unit that verifies a hash value. 19. The server according to claim 19, wherein said authenticator adding means includes a server common key storage means for storing a common key type encryption key shared between servers, a self identifier storage means for storing a self identifier, a ticket identifier and a multi-stage hash value. Data linking means for linking the valid number, time stamp, server identifier, and issuer identifier obtained from the own identifier storage means, linked data hash means for performing a hash operation on the linked data obtained from the data linking means, Common key encryption means for encrypting a hash value obtained from the linked data hash means using a common key encryption key obtained from a server common key storage means as an authenticator, and linked data obtained from the data connection means; And an authenticator linking means for linking the authenticator obtained from the common key type encryption means, wherein the authenticator verification means is shared between the servers. A second server common key storage unit for storing a pass-through encryption key, an authenticator separation unit for separating an authentication ticket into connection data and an authenticator, and a connection identifier obtained by the authentication unit separation unit as a ticket identifier. A data separation unit that separates into a multi-stage hash value, a valid count, a time stamp, a server identifier, and an issuer identifier; a second connection data hash unit that performs a hash operation on the connection data obtained from the authenticator separation unit; A second common key encryption means for encrypting a hash value obtained from the second linked data hash means using a common key encryption key obtained from a second server common key storage means and using the hash value as a comparison authenticator. Issuer identifier checking means for checking that the issuer identifier obtained from the data separation means is a valid server identifier; and a reference obtained from the issuer identifier check means. Comparing means for comparing the authenticator obtained from the authenticator separating means with the comparative authenticator obtained from the second common key encryption means when the combined result indicates validity, and outputting the result. 19. The authentication system according to claim 18, wherein: 20. An authenticator adding means comprising: a secret key storage means for secretly storing a public key cryptographic secret key of an authentication server; a self identifier storage means for storing a self identifier; a ticket identifier and a multi-stage hash. Data linking means for linking a value, a valid number of times, a time stamp, a server identifier, and an issuer identifier obtained from the self-identifier storage means, and linked data hash means for performing a hash operation on the linked data obtained from the data linking means; Public key encryption means for encrypting a hash value obtained from the concatenated data hash means using a public key encryption secret key obtained from the own secret key storage means and using the hash value as an authenticator; Authenticator linking means for linking the linked data and the authenticator obtained from the public key encryption means, wherein the authenticator verifying means links the authentication ticket. An authenticator separating means for separating the data and the authenticator, and separating and outputting the linked data obtained by the authenticator separating means into a ticket identifier, a multi-stage hash value, a valid count, a time stamp, a server identifier, and an issuer identifier. Data separating means, second connected data hash means for performing a hash operation on the connected data obtained from the authenticator separating means, and issuance obtained by storing the valid public key cryptographic public key of the valid server and obtaining from the data separating means A server public key storage unit that outputs a public key cryptographic public key corresponding to a user identifier, and an authenticator obtained from the authenticator separation unit using the public key cryptographic public key obtained from the server public key storage unit. Public key decryption means for decryption and use as a hash value for comparison, hash value obtained from the concatenated data hash means and comparison hash value obtained from the public key decryption means 19. The authentication system according to claim 18, further comprising comparison means for comparing the result with a default value and outputting a result. 21. The client unit includes an authentication random number generation unit and a first exclusive OR unit, wherein the authentication random number generation unit generates an authentication random number in a user authentication procedure, The exclusive-OR means calculates a disturbed hash value obtained by performing an exclusive-OR operation on the authentication random number obtained from the authentication random number generation means and the hash value obtained from the hash means in the user authentication procedure. Sending the authentication random number to the authentication server means, the secret storage means secretly stores the authentication random number obtained from the authentication random number generation means, and the multi-stage hash means extracts the authentication random number from the secret storage means and uses it. In the authorization procedure, the number of uses k is obtained from the authorization server means, and a multi-stage hash value obtained by performing nk hash operations is sent to the authorization server means. The second place of the authentication verification means
Hash means and second exclusive OR means,
The second hash means performs a hash operation on a concatenation of the user authentication information obtained from the authentication information storage means and the random number generated by the random number generation means, and the second exclusive OR means performs (2) performing an exclusive OR operation on the hash value obtained from the second hash means and the disturbed hash value obtained from the client means to obtain a random number for authentication; An n-stage hash operation is performed on the authentication random number obtained from the logical OR unit, and the authenticator adding unit generates a ticket identifier obtained from the ticket identifier generation unit, a multi-stage hash value obtained from the second multi-stage hash unit A server identifier and the number of valid times obtained from the client means, a time stamp based on the time information obtained from the authentication timer means, and an issuer identification indicating the authentication server means Authentication system according to any of claims 18 20 connected to the adding authenticator, and wherein the sending to the client device as an authentication ticket. 22. The authorization server means comprises a third hash means and a second authenticator adding means in place of the third multi-stage hash means, wherein the third hash means comprises:
A secondary multi-stage hash value obtained by performing a hash operation on the multi-stage hash value obtained from the client unit is output, and the authorization matching unit outputs the multi-stage hash value obtained from the ticket use management unit and the third hash unit. The second authenticator adding means compares the ticket identifier, the server identifier and the remaining number of uses obtained from the ticket use management means, and the multi-stage hash value obtained from the client means. 19. A method according to claim 18, further comprising adding an authenticator to a time stamp based on the time information obtained from said authorization clock means and a connection of an issuer identifier indicating an authorization server means, and sending the authentication ticket to said client means. 22. The authentication system according to any one of 21. 23. At least one authorization server means and authentication ticket management means for managing issuance and use of an authentication ticket, wherein the authentication ticket management means issues an authentication ticket obtained from the authentication server means. Based on the registration instruction, a set of the ticket identifier, the valid number of times, and the remaining number of uses is managed, and the consistency with the authentication ticket history update instruction obtained from the authorization server means is checked. Sending an authentication ticket rejection notice to the authorization server means, wherein the authentication server means comprises ticket registration instructing means, wherein the ticket registration instructing means comprises a ticket identifier obtained from the ticket identifier generating means and a server obtained from the client means. Generating an authentication ticket issuance registration instruction from the identifier and the number of valid times, sending the generated instruction to the authentication ticket management unit, The stage includes ticket holding and managing means in place of the ticket holding means, and first exclusive OR means, wherein the ticket holding and managing means obtains and holds an authentication ticket from the authentication server means and uses the number of times of use. And present them to the authorization server means,
The multi-stage hash means retrieves a hash value from the confidential storage means, sends a multi-stage hash value obtained by performing an n-stage hash operation in the user authentication procedure to the authentication server means, and in the use authorization procedure, The number of uses k obtained from the holding management means is obtained, and a multi-stage hash value obtained by performing nk hash operations is sent to the first exclusive-OR means, and the first exclusive-OR means is provided. Is
The exclusive-OR operation of the multi-stage hash value obtained from the multi-stage hash unit and the random number obtained from the authorization server unit is performed, and the resulting disturbed multi-stage hash value is sent to the authorization server unit. A ticket update instructing unit replacing the use managing unit, a second random number generating unit,
Exclusive OR means, wherein the ticket update instructing means includes a ticket identifier and a server identifier obtained from the authenticator verifying means when the determination result obtained from the ticket validity determining means indicates validity, and the client Generating an authentication ticket history update instruction from the number of uses obtained by the means and sending the same to the authentication ticket management means, and obtaining the number of uses obtained from the client means when the authentication ticket management means does not return an authentication ticket rejection notification k and the multi-stage hash value obtained from the authenticator verifying means, the second random number generating means generates a random number and sends it to the client means and the second exclusive OR means, 2
The exclusive-OR means performs an exclusive-OR operation on the random number obtained from the second random number generation means and the disturbed multi-stage hash value obtained from the client means to obtain a multi-stage hash value, Outputs a secondary multi-stage hash value obtained by performing a k-stage hash operation on the multi-stage hash value obtained by the second exclusive-OR unit, and the authentication ticket management unit outputs Based on the authentication ticket issuance registration instruction obtained from the server means, manages a set of a ticket identifier, a valid number of times, and the remaining use number, and checks consistency with the authentication ticket history update instruction obtained from the authorization server means, 2. An authentication ticket rejection notice is sent to said authorization server means in the case of inconsistency.
22. The authentication system according to any one of 8 to 21. 24. At least one authorization server means, wherein said authentication server means comprises ticket issuance management means,
The ticket issuance management unit manages a ticket identifier obtained from the ticket identifier generation unit, a server identifier obtained from the client unit, and a valid number of times, and obtains a ticket identifier based on a ticket use inquiry obtained from the authorization server unit. To check the consistency of the number of times of use, and in the case of inconsistency, sends an authentication ticket rejection notification to the authorization server means, wherein the client means comprises: a ticket holding management means in place of the ticket holding means; Exclusive OR means, wherein the ticket holding management means obtains and holds an authentication ticket from the authentication server means, manages the number of uses, and presents them to the authorization server means,
The multi-stage hash means retrieves a hash value from the confidential storage means, sends a multi-stage hash value obtained by performing an n-stage hash operation in the user authentication procedure to the authentication server means, and in the use authorization procedure, The number of uses k obtained from the holding management means is obtained, and a multi-stage hash value obtained by performing nk hash operations is sent to the first exclusive-OR means, and the first exclusive-OR means is provided. Is
The disturbed multi-stage hash value obtained by performing an exclusive OR operation of the multi-stage hash value obtained from the multi-stage hash unit and the random number obtained from the authorization server unit is sent to the authorization server unit. A ticket update management unit that replaces the ticket use management unit; a second random number generation unit; and a second exclusive OR unit, wherein the ticket update management unit determines that a determination result obtained from the ticket validity determination unit is In the case of indicating validity, a ticket use inquiry is generated from the ticket identifier and the server identifier obtained from the authenticator verification means and the number of uses obtained from the client means, and the authentication server means or the second authorization indicated by the issuer identifier is generated. Sent to the server means, and no authentication ticket rejection notification was returned from the authentication server means or the second authorization server means In this case, the number of uses obtained from the client unit and the multi-stage hash value obtained from the authenticator verification unit are output, and a ticket identifier, a server identifier, and the number of remaining uses are managed, and the second authorization server unit is used. If a ticket use inquiry is received, the consistency of the number of times of use is checked, and if not, an authentication ticket rejection notification is sent to the second authorization server means, and the second random number generation means Generated and sent to the client means and the second exclusive OR means, wherein the second exclusive OR means includes a random number obtained from the second random number generating means and a disturbance multi-stage obtained from the client means. An exclusive OR operation with the hash value is performed to obtain a multi-stage hash value, and the second hash means adds a hash value to the multi-stage hash value obtained from the second exclusive OR means. The second authenticator adding means outputs a ticket identifier, a server identifier and a remaining number of uses obtained from the ticket managing means, the second exclusive logical logic. Adding an authenticator to the concatenation of the multi-stage hash value obtained from the sum unit, the time stamp based on the time information obtained from the authorization clock unit, and the issuer identifier indicating the authorization server unit, and sending the authenticator to the client unit as an authentication ticket. The authentication system according to claim 22, characterized in that: 25. An authentication server for issuing an authentication ticket, an authorization server for authorizing use of the authentication ticket, requesting an authentication ticket from the authentication server, and requesting an authorization for use of the authentication ticket from the authorization server. In the authentication method of the authentication system, the authentication server means performs a predetermined irreversible operation on the secret information shared by the authentication server means and the client means n times (n is a positive integer). Including information,
The authentication unit issues an authentication ticket having a valid number of times n, the client unit requests the use authorization by indicating the authentication ticket to the authorization server unit, and in response to a request for presentation information of the authorization server unit, the client unit executes the authentication ticket When the number of uses is k (k is a positive integer equal to or less than n), a calculation result obtained by performing the predetermined irreversible calculation on the secret information nk times is presented as the presentation information, and the authorization server means An authentication method comprising: performing the predetermined irreversible calculation on presentation information k times; and identifying a match between the calculation result and the collation information. 26. An authentication server for issuing an authentication ticket, an authorization server for authorizing the use of the authentication ticket, requesting an authentication ticket from the authentication server, and requesting an authorization for use of the authentication ticket from the authorization server. In the authentication method of the authentication system, the authentication server means performs a predetermined irreversible operation on the secret information shared by the authentication server means and the client means n times (n is a positive integer). Including information,
The authentication unit issues an authentication ticket having a valid number of times n, the client unit requests the use authorization by indicating the authentication ticket to the authorization server unit, and in response to a request for presentation information of the authorization server unit, the client unit executes the authentication ticket When the number of uses is k (k is a positive integer equal to or less than n), a calculation result obtained by performing the predetermined irreversible calculation on the secret information nk times is presented as the presentation information, and the authorization server means The predetermined irreversible operation is performed once on the presentation information to identify a match between the operation result and the collation information, and the collation information included in the authentication ticket is converted into the secret information by the predetermined irreversible operation nk. An authentication method characterized by updating to a calculation result that has been applied. 27. The authentication server means requests authentication presentation information by indicating a random number to a client means requesting an authentication ticket, and the client means performs the predetermined irreversible operation on a connection between the user authentication information and the random number. The result of the calculation performed n + 1 times is presented as the authentication presentation information, and the authentication server means performs the predetermined irreversible calculation n + 1 times on the connection between the held user authentication information and the random number, and calculates the calculation result and the When the matching with the authentication presentation information is confirmed, a result of performing the predetermined irreversible operation once on the connection between the user authentication information and the random number is used as the secret information, and a predetermined irreversible operation is performed on the secret information by n (n is The authentication method according to claim 25, wherein an authentication ticket including the verification information that has been performed (positive integer) times is issued. 28. The authentication server means requests authentication presentation information by indicating a random number to a client means requesting an authentication ticket, and the client means performs the predetermined irreversible operation on a connection between the user authentication information and the random number. Presenting, as the authentication presentation information, an exclusive OR operation result of the one or more operations performed and the authentication random number generated by the client unit;
The authentication server means calculates the authentication random number from the authentication presentation information using the held user authentication information and the random number, and performs a predetermined irreversible operation on the authentication random number as the secret information. 27. The authentication method according to claim 25, wherein an authentication ticket including the collation information performed (n is a positive integer) is issued. 29. A computer readable format for an authentication method executed by the authentication system according to any one of claims 1 to 24 or a processing program of the authentication method according to any one of claims 25 to 28. The recording medium for the authentication processing program, recorded in step 2.