JP2002140298A - Authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent an impersonation though it has not been able to be effectively revealed by a conventional authentication server. SOLUTION: An impersonation can be prevented even if a person can steal a communication telegram and deliberately analyze it for stealing authentication information, because authentication is made to be carried out by using time information.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to electronic authentication on a communication line, and more particularly to an authentication method using time information for authentication. In addition, D that uses time information authentication
It relates to a network connection service using VD (Digital Video Disc).

[0002]

2. Description of the Related Art Conventionally, authentication via a communication line has been performed, and various authentication methods have been proposed. For example, Japanese Patent Application Laid-Open No. H11-31129 discloses a technique for enabling a user to access another page within a valid time if the user authenticates once, and an authentication host when a WWW server is accessed from a terminal. There has been proposed a technology for requesting authentication. This is similar to the present invention in that time information is used for an access right, but is not a technique for performing authentication using time information. Further, Japanese Patent Application Laid-Open No. H10-124449 proposes a technology that uses a logical address of a WWW server to prevent spoofing after authentication. The present invention uses authentication information that can be used only by a specific logical address to prevent spoofing when transmitting and receiving a message. Once authentication has been performed, spoofing can be effectively prevented. However, since the time information is not used for the first authentication, if the message is carefully analyzed and once successfully spoofed, subsequent spoofing cannot be effectively prevented. JP-A-11-212912
Japanese Patent Application Laid-Open Publication No. HEI 9-214969 proposes a technique for managing communications connected to a plurality of servers as the same session. This too
The time information is not used for the authentication itself, and the prevention of spoofing cannot be solved.

[0003]

As described above,
With the conventional authentication server, it was not possible to prevent effective spoofing. The reason is that the authentication information can be stolen if the communication message is stolen and analyzed carefully. Therefore, the present invention provides an authentication method in which spoofing is not possible even if the communication information is stolen and the authentication information is stolen by carefully analyzing the communication message.

[0004]

According to an embodiment of the present invention, time information is used for authentication. The time information refers to time information that a side accessing a server or the like passes to the receiving side at the time of access. The authenticating side checks whether or not the time information is within a predetermined time range. If the time information is within the predetermined time range, the access is authenticated as a valid access, and if the time information is not within the predetermined time. Authenticates that the access is not legitimate and is denied. By using the time information in this form, the spoofing person is not given time to steal and analyze the communication message, so that spoofing can be prevented.

[0005]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (Background of the Invention) The present invention first proposes a secure authentication method and system using time information. Next, a mechanism of a network connection service using a DVD or the like using this method or system will be proposed. In recent years, as the number of network users increases, the DVD market is about to explode. The number of DVD video players spread is 199
It had a cumulative total of 400,000 units in eight years, but exceeded 1 million units in early 2000. In addition, as the price of DVD players has been reduced, the price range is 40,000 yen in the 60,000 yen range,
The 40,000-50,000 yen level accounts for 30% of the total. This situation is in a price range in which ordinary households can sufficiently consider purchasing, and further price reductions are expected to support the spread in the future. In addition, platforms using DVDs have been diversified, and the mounting of DVD drives in personal computers has been rapidly expanding. In addition, DVD drives are mounted on next-generation game devices and car navigation systems, and DVDs are becoming accessible anytime, anywhere.

Under such circumstances, the DVD software market is expanding, and DVD software titles are catching up with VTR software titles in number.

[0007] The DVD is expected to play a role not only as a replacement for a VTR tape for viewing recorded contents but also as a portal connected to a network.

In view of the above background, the present invention makes it possible to secure a network connection as a service derived from, for example, a DVD (technically not limited to a DVD) (time information authentication). ). Furthermore, it enables a unique (unique) identification to make the network service high value-added (“BC
A (burst cutting area) certification. ). In addition, we will provide technology (a mechanism for performing authentication work) that ensures the economic efficiency of service providers.

An embodiment of the present invention will be described below for each embodiment.

(Embodiment 1) Embodiment 1 of the present invention is a method for performing authentication using both time information and an identification code. In this embodiment, as shown in FIG. 1, first, the process waits until there is an input for processing (step S0101), and when there is an input, first time information is obtained (step S010).
2), obtain a first identification code (step S0103),
A second identification code is generated from the first time information and the first identification code (step S0104), and the second identification code is transmitted through a communication line (step S0105).
The second identification code may be generated by simply arranging the first time information and the first identification code, or may be embedded in the data of the first time information based on a certain rule. Of course, the first time information may be embedded in the first identification code. “Embed” means that an embedding target is divided and inserted at a predetermined position in a bit string of an embedding destination. For example, “BCA information” at the time of transmitting the second identification code and “BCA information” in “Example” in FIG. It is like generating “transmission data” from “time information”.

Next, the transmitted second identification code is received (step S0106), and the first time information and the first identification code are extracted from the received second identification code (step S0107). First time information or /
And authentication based on the first identification code (step S
0108). The extraction is performed based on a certain rule at the time of embedding. Therefore, the receiving side needs to know this rule in advance. In addition, the first time information is for the authentication requesting side to pass the authentication requesting side to the authenticating side for authentication, and is, for example, the time at which the authentication request message was transmitted. The identification code is a code composed of numbers, characters, and symbols for determining whether the authentication is valid or not.

A feature of the present invention is that time information is used for authentication. Since time information is used, even if a communication message is stolen and spoofing is performed by analyzing an identification code or the like, the time is not changed. Since the communication message is authenticated as an unauthorized communication message according to the progress, spoofing can be prevented.

Next, an example of a method for performing authentication based on the first time information and the first identification code will be described below.

As shown in FIG. 2, for example, it is assumed that the first time information 0201 is "11:12". Then, in a terminal such as a computer, a second identification code 0203 is generated from the first time information 0201 and the first identification code 0202, and transmitted to the authentication server side. The authentication server receives the second identification code 0204 transmitted from the terminal, and extracts the first time information 0205 and the first identification code 0206 from the received second identification code 0204. Next, the time on the server side is acquired, and the acquired time is, for example, a predetermined 3 times from the time indicated by the first time information 0205.
If it is within 0 seconds, it is authenticated as a valid sender. In some cases, it is also determined whether the first identification code 0206 is a predetermined identification code. With these, if the validity of the access can be confirmed, it is authenticated as valid.

As services that can be realized by using this system, there are various services shown in FIG. A content can be viewed by receiving a second identification code generated from the first time information and the first identification code from a personal computer as a terminal, or a management server is added to an authentication server that receives the second identification code. Then, the member service can be performed on the network, or the user management server and the accounting server can be added to the authentication server that receives the second identification code to enable the electronic commerce at the electronic commerce site. .

(Embodiment 2) Next, a computer which is a terminal for requesting authentication by using time information and an ID (hereinafter referred to as identification information) will be described. The present invention is as shown in FIG.
0 includes a first time information acquisition unit 0401, a first identification code acquisition unit 0402, a second identification code generation unit 0403, a second identification code transmission unit 0404, and an authentication response reception unit 0405.

The first time information obtaining unit 0401 obtains first time information. The first identification code acquisition unit 0402 acquires a first identification code. The second identification code generation unit 0403 includes:
A second identification code is generated from the first time information and the first identification code. The generation is performed according to a predetermined rule. It is assumed that the first time information and the first identification code are extracted, separated, and extracted from the generated second identification code on the side that has received the data, according to the predetermined rule.
The generation is performed, for example, as in the “example” of FIG. The second identification code transmitting unit 0404 transmits the second identification code via a communication line. The authentication response receiving unit 0405 receives a response to the authentication by the transmitted second identification code.

The first time information acquiring unit 0401 acquires the first time information from, for example, a clock built in a computer which is a terminal. In some cases, the standard time may be obtained via a network. First identification code acquisition unit 0
In step 402, the first identification code may be obtained from the serial number, device number, or the like of the terminal computer, or may be manually input to the terminal computer. Further, the information may be recorded in advance on a recording medium or the like read by a computer as a terminal. The recording medium is, for example, a DVD, CD, FD, or the like.

(Embodiment 3) Embodiment 3 is a program medium for making a computer which is a terminal of Embodiment 2 have the above functions. That is, the third embodiment is a terminal program medium that requests authentication using time information and an ID. The recording medium has a procedure of acquiring first time information, a procedure of acquiring a first identification code, and a step of generating a second identification code from the first time information and the first identification code acquired in the procedure. A computer readable program for executing the steps of: transmitting a second identification code generated in the procedure through a communication line; and receiving a response to the authentication by the second identification code transmitted in the procedure. This is a recording medium recorded on a.

These programs may be recorded on a DVD or the like containing content such as a movie, or may be recorded on a recording medium for executing only this program. Is also good. In the case where a program is recorded together with content such as a movie, this program is also read by reading a recording medium into the terminal for reproducing the content, and a WWW server or a WWW server for viewing the content according to predetermined conditions. Automatically connect to member service servers and e-commerce sites.

Thus, it is possible to safely provide an additional service to a person who purchases a content in a recording medium format such as a DVD. When the recording medium on which the program is recorded is read by a personal computer as a terminal, a digital television, a game device, a car navigation, or the like, the first time information as shown in FIG. An acquisition unit 0401, a first identification code acquisition unit 0402, a second identification code generation unit 0403, a second identification code transmission unit 0404, an authentication response reception unit 0405, and the like are generated. Actually, these functional parts are realized by a CPU, a memory, a transmission / reception unit, and the like provided in the device.

(Embodiment 4) Next, an authentication server on the authentication side will be described. This authentication server is an authentication server that performs authentication using time information and an ID. This authentication server has functional blocks as shown in FIG. 5, and includes a second identification code receiving unit 0501, a first information extracting unit 0502, an authentication unit 0503, and an authentication response transmitting unit 0504.

The second identification code receiving unit 0501 receives the second identification code generated from the first time information and the first identification code. This second identification code is generally transmitted from a computer or the like which is a terminal requesting authentication. The transmission is performed via a network. Of course, a dedicated communication line may be used. This communication means may be wired or wireless. The communication protocol is not particularly limited. However, if the validity is determined based on the elapsed time from the first time information when using the time information, the communication needs to have a certain degree of immediacy. The first information extraction unit 0502 extracts the first time information and the first identification code from the second identification code. The extraction rule may be the reverse of the procedure for generating the second identification code using the first time information and the first identification code. The authentication unit 0503 performs authentication based on the first time information or / and the first identification code extracted by the extraction unit 0502.

It is not always necessary to use both the first time information and the first identification code for authentication. Authentication response transmission unit 0504
Sends a response based on the authentication. The response based on the authentication is a signal that constitutes information for accessing a specific WWW server for the terminal when it is determined that the terminal is valid by the authentication. This authentication server 050
0 has these functional parts, and performs authentication required by a computer that is the terminal according to the second embodiment or the terminal that has read the recording medium according to the third embodiment. Then, a response to the authentication result is returned to a specific terminal or the like. This terminal is generally the terminal that has requested authentication.

FIG. 6 shows an example of authentication using first time information. As an example of the authentication, there is a method in which the time difference between the time indicated by the first time information and the time at the time of authentication is determined to be within a predetermined time, and if the time difference is within the predetermined time, it is determined to be valid. In some cases, it is determined whether the time indicated by the first time information is a time within a certain period. Further, there may be a case where it is determined whether the time indicated by the first time information is a specific time.

(Summary) FIG. 7 shows an example of the above-described authentication request and authentication signal. As a method for determining a first identification code, which is an individual ID, first, a first identification code is generated from the disc ID and the content ID. The first identification code may be generated simply by arranging both, or may be a new code generated with a certain regularity. What is necessary is just to be able to take out both the disk ID and the content ID from the first identification code. Date information as time information is added to the first identification code and encrypted. The disc ID is an identification code recorded on a disc read by a computer as a terminal, and the content ID is an identification code indicating a file recorded on the disc. These are the first identification codes in the present invention. As described above, it is needless to say that the first identification code is not limited to one code, and may be composed of a plurality of identification codes.

Next, as for the authentication method on the authentication server side, as shown in the figure, first, decryption is performed, then the date and time are checked, and information is displayed. Decryption refers to returning the encrypted and transmitted second identification code to plain text. In the present invention, this may be performed by the receiving unit of the authentication server. Then check the date and time. "Date"
Is, for example, the absolute time of Unix. Of course, Greenwich Mean Time may be used.
Checking means authenticating the validity using the first time information. Next, the information display is performed as a response to the authentication when the authentication using the first time information is determined to be valid.
The URL of P is displayed, or the content of a specific HP is displayed.

The lower part of FIG. 7 shows an example of the content of the signal. For example, the BCA information (burst cutting area of DVD) as the first identification code is “1”.
If the first time information is “yyyymmddhhmmss”, the second identification code as the transmission data is “1y2”.
3y4m567m89d0d12h3h45m6m78
s90s ”. This second identification code is transmitted from the computer as the terminal and received by the authentication server.
The first time information and the first identification code are extracted from the second identification code, and the first time information obtained from the terminal computer, which is the user PC, is compared with the time at the time of authentication of the authentication server. Usually, time for communication, encoding,
Since the time for decoding has elapsed during this time, the time difference between the two is not large and is at most about 30 seconds.
Therefore, if the time difference between the two is less than 30 seconds, this authentication request is considered valid, and if more than 30 seconds have elapsed, it is not considered valid.

(Embodiment 5) Next, an authentication server that generates information including time information, a URL, and an ID when the result of the authentication is valid will be described.

FIG. 8 shows an example of a functional block according to the fifth embodiment. As shown in this figure, this authentication server 0800
Is a second identification code receiving unit 0801 and a first information extracting unit 0
802, an authentication unit 0803, and a second time information acquisition unit 08
04, a third identification code acquisition unit 0805, a URL acquisition unit 0806, a fourth identification code generation unit 0807, and a fourth identification code transmission unit 0808.

The second identification code receiving unit 0801 receives the second identification code generated from the first time information and the first identification code. The first information extracting unit 0802 extracts the first time information and the first identification code from the received second identification code. The authentication unit 0803 performs authentication based on the first time information and / or the first identification code extracted by the extraction unit. The configuration up to this point is the same as in the fourth embodiment already described.
Is the same as The second time information acquisition unit 0804 is
Obtain second time information. Here, the second time information is
Time information included in a built-in clock or the like of the authentication server 0800, such as the time of authentication. This second time information is transmitted as a response to the authentication to a computer or the like which is the terminal requesting the authentication, and can be used to determine that the response to the authentication is valid.

However, in addition to the above, the URL is returned to the computer as a terminal together with the URL information, so that the URL is used for authentication when accessing the URL. The third identification code acquisition unit 0805 acquires a third identification code. This third identification code is generated by the third identification code generation unit. This third identification code is used in the same manner as the second time information.
For example, the validity of the information from the authentication server in the terminal computer is determined, or the information is returned to the terminal computer together with the URL information, and is used for authentication when the terminal accesses the URL.

The URL obtaining unit 0806 obtains a target URL, which is an address on the network, based on the authentication. The target URL is a URL on a network that generates information to be viewed and viewed from a computer that is a terminal, or that indicates an address of a server that stores the information.
RL. The fourth identification code generation unit 0807 generates a fourth identification code from the second time information, the third identification code, and the target URL. Fourth identification code transmission unit 080
8 transmits this fourth identification code. The transmission destination is a computer or the like which is a terminal that has requested authentication.

FIG. 9 shows this series of flows. As shown in this figure, a terminal, for example, a personal computer terminal 0901 once requests authentication to the authentication server 0902 and can access the information server 0903 based on the authentication. The flow will be briefly described with reference to this figure. First, a second identification code is passed from the personal computer terminal 0901 to the authentication server 0902. The second identification code is generated from the first time information and the first identification code. The first time information is “11:00” in this example, and the first identification code is “ABC” in this example. Then, the authentication server 090 receiving the second identification code
In step 2, the first time information and the first identification code are extracted from the second identification code. Then, the first time information “11:00”
"11:01" at which authentication is performed by the authentication server 0902
Compare with As a result, the predetermined time information criterion “within 5 minutes” is satisfied, so that the first time information is determined to be valid.

Next, it is determined whether the first identification code "ABC" is valid. In this case, the identification code "AB" is used.
Since "C" was originally set as a valid identification code, the validity of the first identification code is also recognized, and finally, the second identification code is determined to be valid. Based on this determination, the authentication server 0902 transmits the fourth identification code to the personal computer terminal 0901 which is a terminal. The fourth identification code includes information that enables the personal computer terminal 0901 to view the HP of the information server 0903. The fourth identification code is generated from the second time information, the third identification code, and the target URL. In this example, the second time information is “11:02”, and the third identification code is “DEF” (“DE
“F” includes the same case as “ABC”. ), The target URL is “URL01”.

Then, the personal computer terminal 0901 that has received the fourth identification code transmits the target URL “URL0”.
For “1”, the second time information, the third identification code, and the target URL are transmitted. Information server 09 at the target URL
03, the second time information “11:02” is compared with the authentication time “11:03” at the information server 0903, and it is within 5 minutes. to decide. Also, the third identification code is determined to be valid, and the information of the target URL can be browsed, or the information generation program of the target URL (for example, CGI (Common Gateway Interface)) is started and Is transmitted to the personal computer terminal 0901.

(Embodiment 6) The authentication server 09
02 may have a target URL storage unit that is a URL database and a target URL rewriting unit that enables rewriting of the target URL of the database. This is the sixth embodiment. The sixth embodiment is basically the same as the fifth embodiment except that a database and the like are added. Therefore, a duplicate description will be omitted, but a basic configuration will be described.

FIG. 10 is a diagram showing functional blocks of the authentication server 1000 according to the sixth embodiment. As shown in this figure, the authentication server 1000 includes a second identification code receiving unit 1001, a first information extracting unit 1002, an authentication unit 1
003, a second time information acquisition unit 1004, a third identification code acquisition unit 1005, a URL acquisition unit 1006, a fourth identification code generation unit 1007, and a target URL storage unit 1008.
, A target URL rewriting unit 1009, and a fourth identification code transmitting unit 1010.

The second identification code receiving section 1001 receives the second identification code generated from the first time information and the first identification code. The first information extracting unit 1002 extracts the first time information and the first identification code from the received second identification code. The authentication unit 1003 performs authentication using the first time information and / or the first identification code extracted by the extraction unit 1002. The second time information obtaining unit 1004 obtains second time information. Third identification code acquisition unit 1005
Obtains a third identification code. URL acquisition unit 1006
Obtains the target URL. The URL acquisition unit 1006
The target URL is acquired from the target URL storage unit 1008.
The destination URL storage unit 1008 holds a plurality of destination URLs that are addresses on the network. The purpose U
The RL rewriting unit 1009 includes a target URL storage unit 1008
The target URL stored in the URL is rewritten. The fourth identification code generation unit 1007 generates a fourth identification code from the second time information, the third identification code, and the target URL. The fourth identification code transmitting section 1010 transmits the fourth identification code.

As described above, the target URL storage unit 1008
And the target URL rewriting unit 1009, it is possible to allocate an optimum target URL according to a plurality of types of authentication requests. For example, it is possible to browse information from an optimal information server according to the contents of a DVD read by a computer as a terminal. This is because a target URL can be selected from a plurality of URLs stored in the target URL storage unit 1008 according to the first identification code included in the second identification code. In addition, since a plurality of target URLs can be stored in the target URL storage unit 1008, authentication of a plurality of information servers can be performed on behalf of the server.

Then, the address of the information server is added,
Changes can also be made by the target URL rewriting unit 1009. For example, when the authentication server 1000 authenticates a certain type of DVD, information is provided from an information server at a certain destination URL. The information becomes outdated over time, and if one wishes to provide information from a new information server at another URL, the authentication server 1000
Target URL stored in the target URL storage unit 1008
It is only necessary to rewrite L from an old one to a new one.
In this regard, it is more convenient than when the target URL is directly recorded on the DVD. This is because when the target URL is directly recorded on the DVD, the target URL of the DVD must be rewritten from the oldest one to the newest one. This is because if this embodiment is used, the address recorded on the DVD is the address of the authentication server 1000, and does not record the target URL.

With the function of storing and rewriting URLs, the authentication server 1000 of this embodiment effectively functions as an authentication server acting as a proxy for the authentication function originally possessed by each HP. By performing proxy authentication, the HP that provides each content can simplify a complicated authentication system. This is because it is only necessary to be able to process the fourth identification code, which is authentication information in a format sent from the authentication server 1000.

(Embodiment 7) In Embodiment 6, the second identification code passed from the computer as the terminal is the first time information and the first identification code, but without the first time information,
An authentication server that performs authentication using only the first identification code is also conceivable. In this embodiment, since the second identification code does not include the first time information, the message is stolen during the transmission of the message from the computer as the terminal to the authentication server, and the impersonation is possible. Although inferior, the seventh embodiment is convenient when the computer as the terminal does not have a built-in clock function or when only an incorrect time can be obtained. In this embodiment, basically, Embodiments 5 and 6
Therefore, the same parts will not be described again.

The seventh embodiment is as shown in FIG. As shown in this figure, this authentication server 110
0 is the first identification code receiving unit 1101 and the authentication unit 1102
, A second time information acquisition unit 1103, a third identification code acquisition unit 1105, a target URL acquisition unit 1106, a fourth identification code generation unit 1104, and a fourth identification code transmission unit 1107.

The first identification code receiving section 1101 receives the first identification code. The authentication unit 1102 performs authentication using the first identification code. The authentication unit 1102 does not perform authentication using the first time information as in the fifth and sixth embodiments.
The second time information acquisition unit 1103 acquires second time information. Third identification code acquisition section 1105 acquires a third identification code. The target URL acquisition unit 1106 is a part of the authentication unit 11
In response to the authentication in step 02, a target URL which is an address on the network is obtained. Fourth identification code generation unit 1104
Is the second time information, the third identification code, and the target URL.
To generate a fourth identification code. Fourth identification code transmission unit 1
107 transmits the fourth identification code. The transmission destination is a computer or the like that is a terminal that has requested authentication.

The state of the processing of this embodiment is shown in FIG.
FIG. From the personal computer terminal 1201 which is the terminal, the first identification code “ABC” is transmitted to the authentication server 1201.
2 is sent. The authentication server 1202 determines whether the transmitted first identification code "ABC" is valid, and in this example, transmits the fourth identification code as valid. The fourth identification code is generated from the second time information, the third identification code, and the target URL. In this example, the second time information is “11:02”, the third identification code is “DEF”, and the target URL is “URL01”.

The third identification code “DEF” may be the first identification code “ABC” itself, or may include authentication information. Furthermore, the third identification code “D
“EF” may be without data. In this case,
Although the fourth identification code is generated substantially only with the second time information and the target URL, it is also conceivable to encrypt the message in order to prevent the message from being stolen. Of course, if the third identification code is encrypted even if there is no data, it is possible to reduce the risk that the message will be stolen. The fourth identification code is received once by the personal computer terminal 1201, which is a terminal, from which the target UR is transmitted.
The second time information and the third identification code are transmitted to the information server 1203 of the address indicated by “URL01” which is L. From the transmitted fourth identification code to the information server 120
In 3, the second time information and the third identification code are extracted, and the second time information is compared with the authentication time “11:03” in the information server 1203.

In this example, the time within 5 minutes is valid and the second time information is determined to be valid.
Also, it is determined whether the third identification code “DEF” is also valid. In this example, since “DEF” is valid, the personal computer terminal 1201 can eventually view the HP of the information server 1203. If the message is not valid, an error message may be returned.

(Embodiment 8) Next, an embodiment of the authentication server authentication method shown in Embodiment 5 will be described.

FIG. 13 shows the flow of processing in this embodiment. That is, in the eighth embodiment, a step of obtaining a second identification code generated from the first time information and the first identification code, and, from the second identification code, the first time information, the first identification code, Extracting, and performing authentication using the extracted first time information or / and first identification code, obtaining second time information, and obtaining a third identification code. Acquiring a destination URL that is an address on a network in response to the authentication; and generating a fourth identification code from the second time information, the third identification code, and the destination URL. Authentication method.

Since this description is the same as that of the fifth embodiment, the details are omitted.

(Embodiment 9) Next, an embodiment of the authentication method of the authentication server shown in Embodiment 7 will be described. The difference between this embodiment and the eighth embodiment is that time information is not used for the first authentication. The common point between this embodiment and the eighth embodiment is that the first identification code is used for the first authentication, and the second time information, the third identification code, and the target URL are used for the next authentication. Is a point.

FIG. 14 shows the flow of processing in this embodiment. As shown in this figure, the processing flow of this embodiment includes a step of waiting for an input for processing (step S1401), receiving (acquiring) a first identification code (step S1402), and a step of receiving the first identification code. (Step S1403) and Step of Acquiring Second Time Information (Step S1404)
And a step of acquiring a third identification code (step S14)
05) and a step of acquiring a target URL which is an address on the network according to the authentication (step S14)
06), the second time information, the third identification code,
A step of generating a fourth identification code from the target URL (step S1407); and a step of transmitting the fourth identification code (step S1408).

(Embodiment 10) Next, Embodiment 10 of an information server for a computer as a terminal to obtain information from an authentication server and browse information will be described.

FIG. 15 is a functional block diagram of the information server 1500 according to the tenth embodiment. As shown in this figure, the information server includes a fourth identification code receiving unit (acquisition unit)
1501, a third information extraction unit 1502, and an authentication unit 150
3, a program starting unit 1504, and a transmitting unit 1505.

The fourth identification code acquisition section 1501 receives the fourth identification code generated from the second time information, the target URL, which is an address on the network, and the third identification code.
The third information extracting unit 1502 extracts the second time information and the third identification code from the fourth identification code. The authentication unit 1503 performs authentication using the second time information and the third identification code extracted from the third information extraction unit 1502. Authentication using the second time information is the same as the authentication method already described for the authentication server. The same applies to the authentication using the third identification code. Program activating unit 1504
Starts a program for browsing information specified by the target URL. If the signal sent by the authentication is authenticated, the transmitting unit 1505 transmits the information that can be viewed by starting the program.

Information that can be viewed in this manner is content such as a movie, membership service information, information for electronic commerce, and the like. Information for browsing is, for example, HTTP
Generated by CGI under D (HTTP daemon).

FIG. 16 is a diagram showing the flow of this processing. First, the process waits until there is an input for processing (step S1601).
The fourth identification code generated from the RL and the third identification code is obtained (received) (step S1602). The second time information and the third identification code are extracted from the obtained fourth identification code (step S1603). Further, authentication is performed using the extracted second time information and the third identification code (step S
1604) If the result of the authentication is correct, the process proceeds to the next step; otherwise, the process ends.
If it is valid, the program for browsing the information indicated by the target URL, that is, the associated information is started (step S1).
605), and transmits the information that can be viewed by the activation to the computer that is the terminal that has requested the information (step S1606). For example, the program to be activated is HTTPD, and the information transmitted is HTTP
Is the information described in.

(Embodiment 11) An information server which can perform the above-described processing, and can browse information only from time information and URL as a fourth identification code. Is also good. This embodiment is basically similar to the tenth embodiment, except that the fourth identification code does not need to include the third identification code.

FIG. 17 shows an information server 1700 of this embodiment. As shown, the information server 1700 includes a fourth identification code receiving unit 1701, a second time information extracting unit 1702, an authentication unit 1703, a program starting unit 1704, and a transmitting unit 1705. Then, the fourth identification code receiving unit 1701 receives the fourth identification code generated from the second time information and the address on the network. The second time information extracting unit 1702 extracts the second time information from the fourth identification code. Authentication unit 1
703 performs authentication using the second time information extracted from the second time information extraction unit 1702. Here, the third identification code is not used as in the tenth embodiment. The program starting unit 1704 starts a program for browsing information specified by the target URL. In the transmitting unit 1705,
Information that can be viewed by starting the program is transmitted.

FIG. 18 is a diagram showing a processing flow of this embodiment. As shown in this figure, first, it waits until there is an input for processing (step S180)
1) Then, if there is an input, the second time information and the destination URL
Is received (step S1).
802), second time information is extracted from the fourth identification code (step S1803), authentication is performed using the second time information (step S1804), and if the authentication result is valid, The information browsing program indicated by the URL is activated (step S1805), and the information that can be viewed by the activation is transmitted to the computer that is the terminal that has requested authentication (step S1806).
If it is determined in the authentication using the second time information (step S1804) that the authentication is not valid, the process ends.

(Embodiment 12) This embodiment is a system including a terminal, an authentication server, and an information server. Here, when requesting authentication from the terminal to the authentication server, the identification code and the time information are used, and the information passed from the terminal to the information server and used for the authentication also includes the time information given by the authentication server. It is of a type that includes an identification code. A thirteenth embodiment described below is different from the thirteenth embodiment in that the terminal uses only the identification code when requesting authentication from the authentication server.

The terminal, the authentication server, and the information server constituting the twelfth embodiment have already been described in the above-described embodiments, and therefore will not be described repeatedly. The terminal is of the second embodiment, and the authentication server is the authentication server described in the fifth embodiment. The information server is the information server described in the tenth embodiment.

FIG. 19 shows a concept in a case where the present embodiment is used as a system for automatically performing authentication upon activation from an application and browsing a URL. First, a DVD-ROM or DVD-RAM 1904
Is read into the user terminal 1901 which is a terminal,
The UI is activated and a program for BCA authentication is activated. Then, the terminal obtains BCA information from a DVD-ROM or the like, inputs / outputs other authentication information such as Internet connection, HTTP communication, and time information, starts a browser, and sends the BCA information and other A first identification code, which is information for authentication, is transmitted.

The authentication server 1902 activates a CGI to perform authentication based on the second identification code BCA, time information, and the like.
Purpose URL for providing information related to VD titles, etc.
Is acquired. The validity of the time information is also determined, and the validity of another identification code is also determined. Then, these information and the time information of the authentication server 1902, which is the second time information, are obtained by the HTTPD, the third identification code is obtained, and sent back to the user terminal 1901. The user terminal 1901 that has obtained the information is the information server 190
3, the second time information and the third identification code are transmitted, the validity is determined, information for browsing is generated by HTTPD, and the information is sent back to the user terminal 1901. As a result, a mechanism for automatically browsing a specific HP from an application such as a DVD is completed.

In the twelfth embodiment, the information sent from the computer as the terminal to the authentication server includes time information, and the authentication server performs the authentication using the time information. 7, the time information may not be used for authentication. This embodiment is a thirteenth embodiment.

Briefly describing only the outline of the thirteenth embodiment, this system is a system including a terminal, an authentication server, and an information server. An information acquisition unit, a first identification code acquisition unit that acquires a first identification code, a second identification code generation unit that generates a second identification code from the first time information and the first identification code, A second identification code transmitting unit that transmits an identification code through a communication line, and an authentication response receiving unit that receives a response to authentication by the transmitted second identification code, wherein the authentication server receives the second identification code A second identification code receiving unit, a first information extraction unit that extracts the first time information and the first identification code from the received second identification code, and the first time information extracted by the extraction unit Or / and first knowledge An authentication unit that performs authentication by using a code, a second time information obtaining unit that obtains second time information, a third identification code obtaining unit that obtains a third identification code, and a purpose according to authentication by the authentication unit. A target URL obtaining unit for obtaining a URL, a fourth identification code generating unit for generating a fourth identification code from the second time information, the third identification code, and the target URL; A fourth identification code transmitting unit that transmits a, the information server, the fourth identification code receiving unit that receives the fourth identification code, and, from the fourth identification code, the second time information, A third information extracting unit for extracting the third identification code, an authentication unit for performing authentication using the second time information and the third identification code extracted from the third information extracting unit, A program to start the information browsing program specified in And parts, is a system and a transmission unit for transmitting the information has become available for viewing by the activation of said program.

(Embodiment 13) Embodiment 13
The authentication server does not use time information,
A system comprising a terminal, an authentication server, and an information server, the terminal comprising: a first identification code acquisition unit that acquires a first identification code; and a first identification code that transmits the first identification code through a communication line. A code transmitting unit and an authentication response receiving unit that receives a response to the authentication by the transmitted first identification code, wherein the authentication server receives the first identification code, the first identification code receiving unit, An authentication unit for performing authentication based on the first identification code; a second time information obtaining unit for obtaining second time information;
A target URL acquisition unit for acquiring an RL, a fourth identification code generation unit for generating a fourth identification code from the second time information and the target URL, and a fourth identification code for transmitting the fourth identification code A transmitting unit, wherein the information server includes a fourth identification code receiving unit that receives the fourth identification code, and a second time information extracting unit that extracts the second time information from the fourth identification code. An authentication unit for performing authentication using the second time information extracted from the third information extraction unit;
A system comprising: a program activating unit that activates an information browsing program designated by L; and a transmitting unit that transmits information that can be viewed by activating the program.

(Embodiment 14) Next, an embodiment will be described in which the first identification code obtained by the procedure of the program recorded on the recording medium of Embodiment 3 is the identification code recorded on the recording medium. The program recorded on the recording medium according to the third embodiment is read by a computer as a terminal and executes a procedure for requesting authentication to a server or the like. Has a procedure for obtaining a first identification code.

This first identification code is a material for determining whether or not the server is valid in the server. Embodiment 14
It is characterized in that the first identification code is a recording medium that records contents and the like to be read by a computer as the terminal. In this embodiment, as shown in FIG.
If you try to play specific content on the computer that is the terminal, perform specific data processing, or obtain specific information, the content, data processing, HP of the content related to the information, membership, etc. It is easy to automatically log in to the service HP or the e-commerce site. FIG. 21 is a comparison between the current network service usage mode and the network service usage (for example, DVDnet) mode of the present embodiment. In the current network usage mode, DV
If you are watching a movie on D-Video and want to know the actor's name or profile, for example, about the movie, you should stop watching it and connect your personal computer to the Internet, The movie comprehensive information HP where the information of the actor was published from the title of the movie that was being played, the DVD latest information HP,
We need to find out about movie works HP.

However, the retrieval method is complicated and it is difficult to reach the information of interest. In addition, even if the user arrives at the member service HP or the e-commerce HP in connection with the DVD, there are problems that it is not very interesting, the procedure for the member is complicated, and the user does not want to input a credit card number.

However, when this embodiment is used, the DVD
A specific movie comprehensive HP or DV automatically
D It is convenient because it can be transferred to the latest information HP or movie HP, and if the credit card number of the member is input in advance in the authentication server (BCA authentication server), the transfer procedure to the member is performed each time. Easy and secure because you don't have to enter the card number.

(Fifteenth Embodiment) In a fifteenth embodiment, the first identification code to be authenticated by the authentication server of the fourth embodiment is recorded on a recording medium which is read by a computer which is a terminal requesting the authentication. It is characterized by. This is a view of Embodiment 14 seen from the authentication server side.

(Embodiment 16) Embodiment 16 is characterized in that the first identification code of Embodiments 12 and 13 is recorded on a recording medium read by a computer as a terminal. is there. Embodiment 14 and Embodiment 15 are combined as a system, and an authentication server is added.

(Embodiment 17) Embodiment 17 is characterized in that the recording medium is an optical disk, and the first identification code is recorded on a unique BCA that can uniquely identify the optical disk. . The BCA, as already mentioned, is called the burst cutting area,
An area in which a specific code is irreversibly recorded on the innermost periphery of a VD (digital video disk). As shown in FIG. 22, the BCA is a data area existing on the innermost circumference of all DVD media, and is a standard standardized also in the DVD forum. By writing the serial number in this data area, it is unique (only DVD
Can be manufactured). This BCA is a standard standardized by the DVD Forum, but is not actually used at present, and its use for encryption for content security is being studied in the future. However, the use standard of BCA has not been decided. By clarifying the management system, assigning serial numbers and specifying media,
Various services can be provided from a DVD through a network. The present invention proposes an authentication method and means for this service.

FIG. 23 shows a DVD medium 230.
2 shows how physical data is described in the BCA 2303 of FIG. 2. Since recording is performed irreversibly using the laser 2301 on the innermost circumference, it cannot be falsified, and various networks linked to DVD contents Ideal for service authentication.

(Embodiments 17, 18, 19) Therefore, Embodiment 14 in which the recording medium is an optical disk, for example, a DVD.
, The authentication server described in the fifteenth embodiment, and the system described in the sixteenth embodiment, various individual services can be efficiently and easily realized according to the authentication. A specific operation flow in this case is as shown in FIGS. 24 and 25, for example. In CASE1 shown in FIG. 24, a BCA authentication program is installed and executed on a computer which is a user terminal.
This shows a case where the authentication program already exists on the computer that is the user terminal.

In CASE 1 shown in FIG. 24, the processing at the user terminal is “start browser (manual) → dedicated UR”.
L (manual input of URL) → download BCA authentication program (user specification) → execute BCA authentication program → read BCA information → send BCA information to BCA authentication server → receive URL and individual ID (including time information) → individual "The ID is stored in the browser side → HP browsing by URL and individual ID → delete the individual ID from the browser side → end”.

In CASE2 shown in FIG. 25, the processing at the user terminal is as follows: "start browser (automatic) → execute BCA authentication program → read BCA information → send BCA information to BCA authentication server → URL, individual ID (time information Received) → store the individual ID on the browser side → browse the website with URL and individual ID → delete the individual ID from the browser side → end

As an example of a file constituting this information processing system, B in a computer which is a user terminal
The CA authentication program includes a main program, a BCA information reading DLL (Dynamic Link Library, the same applies hereinafter) of a DVD, a BCA information file reading DLL, and an authentication server communication DLL.

The programs on the authentication server side are a storage directory, authentication, URL conversion (including embedding time information) CGI, URL database file, and html for error.

Further, the files required by the WWW server of the ISP (Internet service provider) include a storage directory and a URL CGI.

[0083]

As described above, the conventional authentication server cannot prevent the effective impersonation, but in the present invention, the authentication is performed by using the time information. Even if the communication message is stolen by stealing the communication message, spoofing cannot be achieved, and the security of authentication has been improved.

Further, when the present invention is used, the system automatically shifts to a specific movie general HP, the latest DVD information HP, a movie work HP, etc. without being conscious of a recording medium read by a computer as a terminal such as a DVD. If it is possible to input the credit card number of the member in advance in the authentication server (BCA authentication server),
An e-commerce site and an information providing site can be easily constructed since the card number need not be entered each time when transferring to a member.

Further, since the authentication server and the server that provides information based on the authentication can be separated, it is possible for one server to authenticate a person who provides a plurality of information providing services, and it is economical. Can be secured.

[Brief description of the drawings]

FIG. 1 is a diagram showing a processing flow according to a first embodiment.

FIG. 2 is a diagram showing a flow of authentication according to the first embodiment;

FIG. 3 is a diagram showing the use of the first embodiment;

FIG. 4 is a diagram showing functional blocks of Embodiments 2 and 3;

FIG. 5 is a diagram showing functional blocks according to a fourth embodiment;

FIG. 6 is a diagram illustrating an example of authentication using first time information according to a fourth embodiment.

FIG. 7 is a diagram showing a method for determining an individual ID (second identification code) and an authentication method according to the fourth embodiment;

FIG. 8 is a diagram showing functional blocks according to a fifth embodiment.

FIG. 9 is a diagram showing the concept of the fifth embodiment.

FIG. 10 is a diagram showing functional blocks according to a sixth embodiment;

FIG. 11 is a diagram showing functional blocks according to a seventh embodiment;

FIG. 12 is a diagram showing the concept of the seventh embodiment.

FIG. 13 is a diagram showing a flow of processing according to the eighth embodiment.

FIG. 14 is a diagram showing a processing flow of the ninth embodiment.

FIG. 15 is a diagram showing functional blocks according to the tenth embodiment.

FIG. 16 is a diagram showing a processing flow of the tenth embodiment.

FIG. 17 is a diagram showing functional blocks of the eleventh embodiment.

FIG. 18 is a diagram showing a processing flow of the eleventh embodiment.

FIG. 19 is a diagram showing overall functions of a twelfth embodiment.

FIG. 20 is a diagram showing the use of Embodiments 14 to 19;

FIG. 21 is a diagram showing a difference from the prior art of the fourteenth to nineteenth embodiments.

FIG. 22 is a view for explaining the BCA of the seventeenth to nineteenth embodiments.

FIG. 23 is a diagram showing BCA recording according to the seventeenth to nineteenth embodiments.

FIG. 24 is a view for explaining the processing flow of the seventeenth to nineteenth embodiments.

FIG. 25 is a view for explaining the processing flow of the seventeenth to nineteenth embodiments.

[Explanation of symbols]

S001 Step of waiting for input for processing S002 Step of acquiring first time information S003 Step of acquiring first identification code S004 Step of generating identification code from first time information and first identification code S005 Second Transmitting the identification code through the communication line S006 receiving the second identification code S007 extracting the first time information and the first identification code from the second identification code S008 extracting the first time information and / or the first identification Step of authenticating based on code 0201 First time information 0202 First identification code 0203 Second identification code 0204 Second identification code 0205 First time information 0206 First identification code 0207 Authentication

Continuing on the front page (72) Inventor Yukichi Moriyama 1006 Kadoma Kadoma, Osaka Prefecture Matsushita Electric Industrial Co., Ltd. (72) Inventor Yasuhiro Omi 1006 Okadoma Kadoma, Kadoma City Osaka Pref. Inventor Takuya Kato 1006 Kazuma Kadoma, Kadoma City, Osaka Prefecture F-term in Matsushita Electric Industrial Co., Ltd. 5B085 AC12 AE23 BG07 5J104 AA07 KA02 KA14 MA04 PA09 PA11

Claims (19)

[Claims] A step of obtaining first time information; a step of obtaining a first identification code; a step of generating a second identification code from the first time information and the first identification code; Transmitting the two identification code through the communication line, receiving the transmitted second identification code, and extracting the first time information and the first identification code from the received second identification code, Performing authentication based on the extracted first time information and / or first identification code. 2. A first time information acquiring unit for acquiring first time information, a first identification code acquiring unit for acquiring a first identification code,
A second identification code generation unit that generates a second identification code from the first time information and the first identification code, a second identification code transmission unit that transmits the second identification code through a communication line, and the transmitted second A computer having an authentication response receiving unit that receives a response to authentication by the identification code. 3. A procedure for acquiring first time information, a procedure for acquiring a first identification code, and a procedure for generating a second identification code from the first time information and the first identification code acquired in the procedure. A computer-readable program for executing the steps of: transmitting a second identification code generated in the procedure through a communication line; and receiving a response to the authentication by the second identification code transmitted in the procedure. A recording medium on which recording is possible. 4. A second identification code receiving section for receiving a second identification code generated from the first time information and the first identification code, and the first time information, the first time information, A first information extraction unit for extracting an identification code, an authentication unit for performing authentication using the first time information or / and the first identification code extracted by the extraction unit, and an authentication response for transmitting a response based on the authentication An authentication server having a transmission unit. 5. A second identification code receiving unit for receiving a second identification code generated from first time information and a first identification code, and the first time information and the first time information from the received second identification code. A first information extraction unit for extracting an identification code, an authentication unit for performing authentication with the first time information or / and the first identification code extracted by the extraction unit, and a second unit for obtaining second time information A time information acquisition unit, a third identification code acquisition unit that acquires a third identification code, a URL acquisition unit that acquires a target URL that is an address on a network based on the authentication, the second time information, An authentication server comprising: a third identification code; a fourth identification code generation unit that generates a fourth identification code from the target URL; and a fourth identification code transmission unit that transmits the fourth identification code. 6. A second identification code receiving unit for receiving a second identification code generated from first time information and a first identification code, and the first time information and the first time information from the received second identification code. A first information extraction unit for extracting an identification code, an authentication unit for performing authentication with the first time information or / and the first identification code extracted by the extraction unit, and a second unit for obtaining second time information A time information acquisition unit, a third identification code acquisition unit for acquiring a third identification code, a destination URL storage unit for holding a plurality of destination URLs as addresses on a network, and the destination stored in the destination URL storage unit A target URL rewriting unit for rewriting a URL, and a target U for acquiring a target URL from the target URL storage unit in response to authentication by the authentication unit.
An RL acquisition unit, a fourth identification code generation unit that generates a fourth identification code from the second time information, the third identification code, and the target URL, and a fourth identification code transmission unit that transmits the fourth identification code. An authentication server having an identification code transmission unit. 7. A first identification code receiving unit for receiving a first identification code, an authentication unit for performing authentication using the first identification code, a second time information obtaining unit for obtaining second time information, A third identification code acquisition unit for acquiring a third identification code, and a target UR that is an address on a network in response to authentication by the authentication unit.
A target URL obtaining unit for obtaining L, a fourth identification code generating unit for generating a fourth identification code from the second time information, the third identification code, and the target URL; and transmitting the fourth identification code. An authentication server having a fourth identification code transmission unit. 8. A step of obtaining a second identification code generated from the first time information and the first identification code, and extracting the first time information and the first identification code from the second identification code. Performing the authentication using the extracted first time information or / and the first identification code, obtaining the second time information, obtaining the third identification code, An authentication method comprising: obtaining a target URL that is an address on a network in response to authentication; and generating a fourth identification code from the second time information, the third identification code, and the target URL. . 9. A method for obtaining a first identification code, performing authentication using the first identification code, obtaining second time information, obtaining a third identification code, Obtaining a target URL that is an address on a network according to the following; and generating a fourth identification code from the second time information, the second identification code, and the target URL. . 10. A fourth identification code receiving unit for receiving a fourth identification code generated from second time information, a target URL as an address on a network, and a third identification code, and The third information extracting unit that extracts the second time information and the third identification code, and performs authentication using the second time information and the third identification code extracted from the third information extracting unit An authentication unit, a program starting unit that starts a program for generating information specified by the destination URL,
An information server having a transmission unit for transmitting information that can be viewed by starting the program. 11. A fourth identification code receiving unit that receives a fourth identification code generated from second time information and an address on a network, and a fourth identification code extracting unit that extracts the second time information from the fourth identification code. A two-time information extraction unit, an authentication unit that performs authentication using the second time information extracted from the second time information extraction unit, and a program start that starts a program for viewing information specified by the target URL An information server, comprising: a transmitting unit that transmits information that can be viewed by starting the program. 12. An information processing system comprising a terminal, an authentication server, and an information server, wherein the terminal obtains a first time information obtaining unit for obtaining first time information, and obtains a first identification code. A first identification code acquisition unit, a second identification code generation unit that generates a second identification code from the first time information and the first identification code, and a second identification code that transmits the second identification code through a communication line A transmitting unit and an authentication response receiving unit that receives a response to the authentication by the transmitted second identification code, wherein the authentication server receives the second identification code, a second identification code receiving unit, Authentication is performed using a first information extraction unit that extracts the first time information and the first identification code from the two identification codes, and the first time information and / or the first identification code extracted by the extraction unit. Authentication unit and second time information A second time information obtaining unit to obtain, a third identification code obtaining unit to obtain a third identification code, a target URL obtaining unit to obtain a target URL according to authentication by the authentication unit, and the second time information A third identification code generation unit that generates a fourth identification code from the third identification code and the target URL, and a fourth identification code transmission unit that transmits the fourth identification code, The information server is a fourth identification code receiving unit that receives the fourth identification code, from the fourth identification code, the second time information, and a third information extraction unit that extracts the third identification code, An authentication unit that performs authentication using the second time information and the third identification code extracted from the third information extraction unit, and a program activation unit that activates an information browsing program specified by the target URL. Can be viewed by starting the program An information processing system and a transmission unit for transmitting information. 13. An information processing system comprising a terminal, an authentication server, and an information server, wherein the terminal communicates with a first identification code acquiring section for acquiring a first identification code, and communicates the first identification code. A first identification code transmitting unit that transmits the first identification code, and an authentication response receiving unit that receives a response to the authentication by the transmitted first identification code, wherein the authentication server receives the first identification code; A code receiving unit, an authentication unit that performs authentication based on the received first identification code, a second time information obtaining unit that obtains second time information, and a purpose of obtaining a target URL according to the authentication by the authentication unit A URL acquisition unit, a fourth identification code generation unit that generates a fourth identification code from the second time information and the target URL, and a fourth identification code transmission unit that transmits the fourth identification code. Having the information server, A fourth identification code receiving unit that receives the fourth identification code, and, from the fourth identification code, a second time information extraction unit that extracts the second time information, and the third information extraction unit that extracts the second time information. An authentication unit for performing authentication using the second time information, a program starting unit for starting a program for viewing information specified by the target URL, and a transmitting unit for transmitting information that can be viewed by starting the program And an information processing system having: 14. The recording medium according to claim 3, wherein said first identification code is an identification code recorded on a recording medium read by a computer. 15. The authentication server according to claim 4, wherein the first identification code is an identification code recorded on a recording medium read by a computer that has transmitted the second identification code. 16. The apparatus according to claim 12, wherein the first identification code is an identification code recorded on a recording medium read by the terminal.
Or a system according to any of the preceding claims. 17. The recording medium according to claim 14, wherein said recording medium is an optical disk, and said identification code is a unique identification code recorded on a BCA. 18. The authentication server according to claim 15, wherein the recording medium is an optical disk, and the identification code is a unique identification code recorded on a BCA. 19. The system according to claim 16, wherein the recording medium is an optical disk, and the identification code is a unique identification code recorded on a BCA.