JP2000276444A - Communication equipment, communication system, and computer readable storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To securely perform authentication by only performing unidirectional communication on a network once. SOLUTION: In a Web browser 200, a first time from a time acquisition part 206 and a password from a password part 205 are operated in a hash part 207, and a message including this first operation result and the first time is transmitted from a message transmission part 202 to a Web server 100. In the Web server 100, the received first time and a password in a password storage part 104 are operated in a hash part 106 to obtain a second operation result. A validity examination part 107 compares a second time from a time acquisition part 105 with the first time, and it is decided that the receiver message is valid when the second time is later than the first time and the first operation result is matched with the second operation result.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication device used by a server and a client, which is suitable for use in a communication system in which a server on a network authenticates the validity of a client located at a remote place. And a computer-readable storage medium used in the communication system.

[0002]

2. Description of the Related Art In recent years, the following technologies or products related to authentication have been provided.・ Authentication method using one-way function Use a function that processes input irreversibly. This is a function in which it is difficult to guess the information that has become the input (argument) of the function from the output result of the function. For example, RFC1321
Is a function such as MD5 shown in
It is also used for creating a Digest. In implementation, a function known as a hash function may be used.

One-time password type authentication method With the development of networks such as the Internet, illegal acquisition or use of accounts and passwords by techniques such as peeping packets flowing on the network has been performed. Was. One-time password type authentication methods such as OTP by AT & T are used for the purpose of defending against such illegal acts. In this method, the password information flowing on the network is designed to change every time.

[0004] cha11engage response
Type authentication method For the same purpose as above, cha11enge respo
An nse type authentication method is used. This is because, by incorporating cha11enge data provided from the server side to the client that has issued the connection request into the hash of the password on the client side, the hash result is re-created even though the password itself does not change.
It is designed so that the value of the sponse data changes several times. Therefore, even if the packet used to send the password information may be peeped in the middle of the network, the same password information will not be effective very much for probability detection, and the password security will be improved. [See FIG. 1 (b)].

[0005] NTP (Network Time P)
protocol (TP) is a protocol for properly adjusting the internal clock of a computer connected to a network.
rk Time Protocol; RFC1119)
Is used.

[0006]

However, according to the conventional challenge response type authentication method, a connection request is received from a client. The cha11engage data generated on the server side is sent back to the client side, and the cha11eng data is further transmitted on the client side.
In order to take the procedure of generating response data from the “engage” data and sending the generated response data to the server side, it is necessary to transmit and receive communication packets at least three times to authenticate one connection request. This has a problem that the responsiveness of an application used in a network having a high communication cost such as the Internet is reduced.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problem, and has as its object to authenticate a single connection request by transmitting and receiving a single communication packet. And

[0008]

To achieve the above object, in a communication apparatus according to the present invention, a time obtaining means for obtaining a time, a password inputting means for inputting a password, and inputting the obtained time. There is provided an operation means for irreversibly processing and calculating the password thus obtained, and a transmission means for creating and transmitting a message including the operation result and the time.

In another communication apparatus according to the present invention, a receiving means for receiving a message including a first calculation result obtained by irreversibly processing a first time and a password and the first time, Time acquisition means for acquiring a second time at the time of reception; operation means for irreversibly processing the first time and a predetermined password to output a second operation result; Determining means for comparing the second time with the second time and comparing the received first calculation result with the second calculation result in accordance with the comparison result to determine the validity of the message; I have.

Further, in the communication system according to the present invention, the first time obtaining means for obtaining the time, the password inputting means for inputting the password, and the obtained first time and the input password are irreversibly changed. A first calculating means for performing a processing calculation and outputting a first calculation result;
A first communication device having a transmitting unit that creates and transmits a message including the calculation result of the above and the first time, a receiving unit that receives the message, and a second unit that receives the message.
A second time obtaining means for obtaining the time of the second time, a second calculating means for irreversibly processing the first time and the predetermined password, and outputting a second calculation result; The second time is compared with the first time, and the first time is determined according to the comparison result.
And a second communication device having a determination unit that determines the validity of the message by comparing the calculation result of the above with the second calculation result.

In the storage medium according to the present invention,
Time acquisition processing for acquiring time, password input processing for entering a password, computation processing for irreversibly processing the acquired time and the inputted password, and creating a message including the computation result and the time And a transmission process for executing the transmission process.

Further, in another storage medium according to the present invention, a receiving process for receiving a message including a first calculation result obtained by irreversibly processing a first time and a password and the first time, A time acquisition process for acquiring a second time at the time of reception, an arithmetic process for irreversibly processing the first time and a predetermined password, and outputting a second operation result; And performing a determination process of comparing the received first calculation result with the second calculation result according to the comparison result to determine the validity of the message. For storing programs.

[0013]

Embodiments of the present invention will be described below with reference to the drawings. (First Embodiment) FIG.
FIG. 1 is a block diagram showing a communication system when used for an ide Web (hereinafter abbreviated as Web) server and a Web browser as a client. In FIG. 2, 100
Is a Web server having an authentication function according to the present embodiment,
200 is a We that transmits a message according to the present embodiment.
b browser.

Web server 100 and Web browser 20
0 are connected to the network 300, respectively, and a request for Web page information is sent from the Web browser 200 to the Web server 100 via the network 300 as a message. The Web server 100 first determines the legitimacy of the received message, and if it is determined to be valid, sends the requested Web page information to the Web browser 200. Web browser 2
At 00, the received Web page information can be displayed.

The network 300 shown in FIG. 2 may be an intranet operated in a company or an organization, or may be the Internet connecting the world.

FIG. 3 shows an example of a hardware configuration for operating the Web server 100, and is constituted by a general computer system. That is, the HD device 10 storing the program, the memory 11, and the network 30
0, a CPU 13 for executing various processes according to the program, an FD device 14 for loading the program from a medium, a peripheral controller 15, a display board 16, a mouse 17, a keyboard 18, a display device 19 It is composed of

FIG. 4 shows an example of a hardware configuration for operating the Web browser 200, and is constituted by a general computer system. That is, the HD device 20 storing the program, the memory 21 and the network 3
00, a CPU 23 for executing various processes according to the program, an FD device 24 for loading the program from a medium, a peripheral controller 25, a display board 26, a mouse 27, a keyboard 28, a display device 29. It is composed of

FIG. 5 is a block diagram schematically showing the configuration of the Web server 100 and the Web browser 200. A program that implements the processing of each of these units is, on the hardware configuration in FIGS.
1 and 21 or the FD devices 14 and 24 and executed by the CPUs 13 and 23 as needed.

The Web server 100 has a network 30
0, a message receiving unit 101 for receiving data from above,
Message sending unit 1 for sending data over the network
02 and individual Web page information, and a Web information storage unit 10 for extracting them as required.
3 and a password storage unit 104 in which a password is registered in advance, and a time acquisition unit 1 for acquiring time information in the computer.
05, a hash unit 106 for providing a one-way function for performing an irreversible machining operation, and a validity examination unit 10 for judging the validity of a request from input time information and a hash result.
And 7.

The Web browser 200 is a message receiving unit 201 for receiving data from a network.
And a message transmitting unit 202 for transmitting data over a network, and a UR for specifying Web information desired by the user.
L in addition to a normal Web browser configuration including a Web information designating unit 203 for obtaining L and the like and a Web information display unit 204 for displaying received Web page information, and a user input from a keyboard or other input device. A password obtaining unit 205 for obtaining a unique password;
b server 100 and the same time acquisition unit 206
The server has the same hash unit 207 as the server b.

FIG. 6 is a flowchart showing the processing of a program implemented by the Web browser 200. When trying to access the Web server 100, the Web browser 200 first obtains a URL such as a URL from the Web information acquisition unit 203 in step S1001 (hereinafter abbreviated as step).
b Get the specified value report. Next, in step S1002, a password is obtained from the password obtaining unit 205. Subsequently, in S1003,
The time is obtained from the time obtaining unit 206. And S1004
Then, the password and the time are hashed by the hash unit 207.

In step S1005, the access request is sent from the message transmitting unit 202 to the web server 100 by adding the time, the user name, and the web designation information to the hash result.
Send to Then, in step S1006, the process waits for a response from the web server 100. Then, if the Web server 100 recognizes the validity of the message, the Web server 100 transmits the page information. Therefore, in S1007, the message receiving unit 201 receives the Web page information from the Web server 100. Subsequently, in S1008, the Web page information is displayed on the Web information display unit 204.

FIG. 7 is a flowchart showing the processing of a program implemented by the Web server 100. First S
In 2001, the process waits for an access request from the Web browser 100. In S2002, a message is obtained from the message receiving unit 101. Next, in step S2003, a password corresponding to the user of the message is extracted from the password storage unit 104. Subsequently, in S2004, a reception time T1 on the Web server side is obtained from the time acquisition unit 105.

In step S2005, the time T2 on the Web browser is extracted from the received message. Also S2
In step 006, the password obtained from the password storage unit 104 and the time T2 are stored in the same manner as in step S1004.
The calculation is performed by the ash unit 106, and the hash result H1 is obtained. Also, the hash result H2 is extracted from the message.

At S2007, the time T1, T2
Then, the hash results H1 and H2 are examined by the validity examining unit 107 to determine whether or not authentication is possible. Then, in S2008, if the authentication is valid, the Web page information obtained from the Web designation information in the message is transmitted to the message transmitting unit 1.
02 to the Web browser 200. If the authentication is not valid, a reply is made to that effect. Finally S200
The process returns to 1 and waits for the next access request.

FIG. 8 is a flowchart showing the processing of a program in which the processing of the hash unit 106 and the hash unit 207 for providing a one-way function is implemented. Here, in order to simplify the explanation, the password and the time information to be input are represented by character strings, and as a one-way function, RFC13
A case where the MD5 function shown in FIG. 21 is used will be described. First, in step S3001, the received password and time information are converted into a character string. For the time information, for example, “1
998 / Jan / 05.13: 34: 20 ".

In step S3002, the password converted to the character string and the time information are combined and input to the MD5 function. In step S3003, the output of the MD5 function is set as a hash result. For example, when a character string represented by a password “paspaspas” and a time “1998 / Jan / 05.13: 34: 20” is combined and input to the MD5, the following output is obtained. MD5 (“paspas19
98 / Jan / 05.13: 34: 20 ") =" 0e4
7e121d048065433bbf8eded344
6258 "Therefore, the above" 0e47e121d0480 "
65433bbf8ed3446258 "is a hash
Results.

FIG. 9 is a flowchart showing the processing of a program in which the processing of the validity examination unit 107 is implemented. The validity checking unit 107 is generated from the time T2 included in the transmitted message and the time T1 in the Web server, the hash result H2 included in the transmitted message, and the password stored in the Web server. hash
The result H1 is given as an input, and a Boolean value for determining the validity of the message is answered.

First, in step S4001, the time T2 in the sent message is compared with the time T1 on the Web server side. If T2 is earlier than T1, the process proceeds to the next step. Answer FALSE. Next, in S4002, hash in the sent message
The result H2 is compared with the hash result H1 generated from the password stored in the Web server. If they match, the process proceeds to the next step. If they do not match, FALSE.
Answer. Next, in S4003, TRUE is answered.

In this embodiment, the password and the time are hashed as inputs, but in addition, the user name may be added to the input of the hash part. Also, in the present embodiment, the Web browser has been described as an original program, but Navigator or Netscape of Netscape, Inc.
Microsoft's Internet Explorer
J that runs on general-purpose Web browsers such as er
It can be implemented by an AVA program or an ActiveX program.

As described above, when authenticating a program used on a network, the password h
By additionally inputting time information into the ash section, c
It is possible to provide the same level of security while having a lower communication cost than the ha11engage-response type authentication.

(Second Embodiment) In the first embodiment, the validity examining unit 107 determines whether
If the time T2 included in the transmitted message is earlier than the time T1 in the Web server, the message is determined to be valid. However, in the present embodiment, in addition to this part, “the last time of the same user It is characterized in that it is determined to be valid only when the time T2 included in the current message is later than the time T3 included in the message of the access request.

For this purpose, the processing of S4001 and S
The following step S42 is performed during the processing of step S4002.
This can be realized by inserting 01. In S4201, the time T2 in the sent message is compared with the time T3 of the previous access in the user information stored in the Web server, and the time T2 included in the current message is in the future. If so, the time T2 is registered as the previous access time in the user information, and the process proceeds to the next step. Conversely, if the time included in the current message is in the past, FALSE is answered. Thus, the validity of the message from the Web browser can be more strictly checked.

(Third Embodiment) In the first embodiment, the validity examining unit 107 determines in S4001 that the time T2 included in the transmitted message is earlier than the time T1 in the Web server. This part is determined to be valid in a certain case, but in the present embodiment, this part is determined to be valid only when the absolute value of the difference between the times T1 and T2 is within a predetermined time. There are features.

This can be realized by changing the process of S4001 to the following step S4101. Here, the “predetermined time” will be described as 20 minutes, but other times may be used. Further, the value may not be a fixed value but a value initially set when the Web server is started. In step S4101, the difference between the time in the transmitted message and the time of the Web server is calculated. If the absolute value is within 20 minutes, the process proceeds to the next step. If more than 20 minutes, answer FALSE.

Thus, it is possible to cope with a time lag between the computers, and it is possible to determine that a message generated sufficiently in the past is invalid. In addition, since the time information can be used for access control, more flexible access control is possible.

Although the "predetermined time" is fixedly described here, the following correspondence table between the user name and the specified time is created so that the variable time can be changed for each user. The prescribed time can be applied. If the specified time in the following table is 0, the TRU is unconditionally
E may be answered.

Specified time (minutes) User name 50 Akiyama 0 Katura 20 Kurosawa 10 Sakamoto 120 Tamura 50 Yamamoto

Next, a storage medium according to another embodiment of the present invention will be described. The present invention relates to a CPU and a memory or an HD.
When configuring the computer system with the devices and the like, the memory, the HD device, and the like constitute a storage medium according to the present invention.
That is, a storage medium storing a program code of software for executing the operation according to the flowchart described in each of the above-described embodiments is used in a system or an apparatus, and the CPU of the system or apparatus stores the program stored in the storage medium. By reading and executing the code, the object of the present invention can be achieved.

As the storage medium, ROM, R
Semiconductor memory such as AM, optical disk, magneto-optical disk,
A magnetic medium or the like may be used, and these may be configured and used in a CD-ROM, a floppy disk, a magnetic medium, a magnetic card, a nonvolatile memory card, or the like.

Therefore, the storage medium is used in a system or apparatus other than the system or apparatus described in each embodiment, and the system or computer reads out and executes the program code stored in the storage medium. Also, the same functions as those of the above embodiments can be realized, the same effects can be obtained, and the object of the present invention can be achieved.

An OS running on a computer
When performing part or all of the processing, or after the program code read from the storage medium is written to a memory provided in an extended function board or an extended function unit connected to the computer, Even when the CPU or the like provided in the above-mentioned extended function board or extended function unit performs a part or all of the processing based on the instruction of the program code, the same functions as those of the above embodiments can be realized and the same functions can be realized. Effect can be obtained,
The object of the present invention can be achieved.

[0043]

As described above, according to the present invention,
The communication device on the client side also hashes the time information together at the time of hashing (irreversible processing) of the password for the purpose of requesting authentication on the network, creates a message including the hash result and the time, and creates Since the information is transmitted to the communication device, the authentication can be easily performed only by performing the communication once in one direction by using the monotonically increasing time information in the computer on the client side. Also, since the same authentication information is not used repeatedly, the conventional cha11eng-re
It is possible to obtain the same level of security while reducing the communication cost as compared with the sponse type authentication.

[Brief description of the drawings]

FIG. 1 shows an authentication method according to an embodiment of the present invention and a conventional c.
FIG. 2 is a configuration diagram for explaining a hall-response type authentication method.

FIG. 2 is a block diagram showing a network system to which the present invention is applied.

FIG. 3 is a block diagram illustrating an example of a hardware configuration of a Web server.

FIG. 4 is a block diagram illustrating an example of a hardware configuration of a Web browser.

FIG. 5 is a block diagram schematically illustrating a configuration of a Web server and a Web browser.

FIG. 6 is a flowchart illustrating processing of a Web browser.

FIG. 7 is a flowchart illustrating processing of a Web server.

FIG. 8 is a flowchart illustrating processing of a hash unit.

FIG. 9 is a flowchart illustrating processing of a validity checking unit.

[Explanation of symbols]

10, 20 HD device 11, 21 memory 13, 23 CPU 14, 24 FD device 18, 28 keyboard 100 Web server 101 message receiving unit 102 message transmitting unit 103 Web information storage unit 104 password storage unit 105 time acquisition unit 106 hash unit 107 Validity examination unit 200 Web browser 201 Message reception unit 202 Message transmission unit 203 Web information designation unit 204 Web information display unit 205 Password acquisition unit 206 Time acquisition unit 207 hash unit 300 Network T1 Time in Web server T2 Message sent T3 Time included in previous valid message H1 Hash result generated from password stored in Web server H2 Included in transmitted message ash Result

Claims (14)

[Claims] 1. A time obtaining means for obtaining a time, a password inputting means for inputting a password, a calculating means for irreversibly processing and calculating the obtained time and the inputted password, And a transmission unit for generating and transmitting a message including the following. 2. A receiving means for receiving a message including a first calculation result obtained by irreversibly processing a first time and a password and the first time, and obtaining a second time at the time of reception. Time obtaining means for performing an irreversible processing operation on the first time and a predetermined password and outputting a second operation result; comparing the first time and the second time; A communication device comprising: a determination unit that determines the validity of the message by comparing the received first calculation result and the second calculation result according to a comparison result. 3. The method according to claim 1, wherein the determining unit determines whether the first time is equal to the second time.
3. The message is determined to be valid when the difference between the first and second times is within a predetermined time and the first and second calculation results match. Communication device. 4. A storage means for storing the first time, wherein the determination means determines whether a first time included in a message received next time is later than the stored first time. The communication device according to claim 2, wherein 5. The apparatus according to claim 1, wherein the message includes transmission source information, and registration means for registering the predetermined time corresponding to each of the plurality of first communication devices is provided. 3. The communication device according to claim 2, wherein the registered predetermined time is compared with the difference time. 6. A first time obtaining means for obtaining a time,
Password input means for inputting a password; first operation means for irreversibly processing the obtained first time and the input password to output a first operation result; and first operation result A first communication device having transmission means for creating and transmitting a message including the message and the first time; receiving means for receiving the message; and second means for acquiring a second time at the time of reception. Comparing the first time and the second time with the second time obtaining means, the second time calculating means for irreversibly processing the first time and the predetermined password and outputting the second result And a second communication device having a determination unit that determines the validity of the message by comparing the first calculation result with the second calculation result according to the comparison result. 7. The method according to claim 7, wherein the determining unit determines whether the first time is equal to the second time.
7. The method according to claim 6, wherein the message is determined to be valid when the difference between the first calculation result and the second calculation result is within a predetermined time and the first calculation result and the second calculation result match. Communication system. 8. A storage device for storing the first time in the second communication device, wherein the determination unit determines that the first time included in the received message is the first time stored in the first message.
7. The communication system according to claim 6, wherein it is determined whether or not the time is later than the time. 9. A plurality of said first communication devices are provided,
Each of the first communication devices transmits the message including transmission source information, and the second communication device includes a registration unit that registers the predetermined time corresponding to each of the plurality of first communication devices. 7. The communication system according to claim 6, wherein the determination unit compares the registered predetermined time corresponding to the transmission source information with the difference time. 10. A time acquisition process for acquiring a time, a password input process for entering a password, an arithmetic process for irreversibly processing and computing the acquired time and the inputted password, And a computer-readable storage medium storing a program for executing a transmission process of creating and transmitting a message including: 11. A receiving process for receiving a message including a first calculation result obtained by irreversibly processing a first time and a password and the first time, and obtaining a second time at the time of the reception. Comparing the first time and the second time, and calculating the irreversible processing of the first time and the predetermined password to output a second operation result. A computer-readable program storing a program for executing a determination process for determining the validity of the message by comparing the received first calculation result and the second calculation result in accordance with the comparison result Storage medium. 12. The determination process according to claim 1, wherein a time difference between the first time and the second time is within a predetermined time, and the first calculation result and the second calculation result match. The computer-readable storage medium according to claim 11, wherein the message is determined to be valid. 13. A storage process for storing a time included in a received message is provided in the program, and the determination process determines whether the time included in the received message is later than the stored time. The computer-readable storage medium according to claim 11, wherein: 14. The message includes source information,
12. The method according to claim 11, wherein the determination process compares a predetermined time corresponding to the transmission source information among the predetermined times registered in advance corresponding to a plurality of transmission sources, and the difference time. The computer-readable storage medium according to any one of the preceding claims.