JP2010117988A - System and method for high-level authentication and formation of secure virtual network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method for attaining high-level authentication while reducing a user's load and further to enhance a secure network connection and its security intensity. <P>SOLUTION: The authentication method using an external storage device attachable to an information processor transmits device specific information of the external storage device and a first authentication key randomly generated and stored in a non-data storage area to an authentication server, and performs authentication processing in the server. When authentication is permitted, the first authentication key stored in the non-data storage area is rewritten with a second authentication key which is newly randomly generated. Further, the authentication method using a portable communication terminal includes transmitting a mail including a randomly generated authentication URL to an address of a message transmitting destination of the portable communication terminal, detecting an access to the authentication URL, and performing authentication processing by use of terminal specific information of the portable communication terminal. An encrypted communication path is formed for each application. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a system and method for advanced authentication and secure virtualization network formation. More specifically, the present invention relates to a technique for reducing the burden on the user and improving the authentication capability. Furthermore, the present invention relates to a technique for forming a secure virtual network for communication between a client terminal and a server terminal.

  In recent years when cellular phones have become widespread and broadband Internet connections are widespread, network connections are indispensable not only for business environments but also for the lives of ordinary people. Recently, there are increasing opportunities to work by connecting to internal information devices from outside the company using the Internet for telecommuting, etc. On the other hand, the increase in telecommuting by the promotion of telework led by the country Foreign workers The need for remote work due to increased employment is increasing. Along with this, many new problems centering on network connection such as information leakage have occurred, and the importance of information management in network connection is increasing.

  In addition, there are many cases in which a malicious third party connects to an in-house information device from outside the company to tamper with information or take it illegally. Various devices and systems are being sold to prevent unauthorized connections, but authentication methods for identifying users and permitting connections may be incomplete or operation may be very troublesome. It has been pointed out. Furthermore, there is a problem with the means for preventing information leakage on the Internet line, and there are cases where information is actually leaked. There is a strong demand for authentication technology and a connection technology using the Internet that are “reliable and safe and easy for the user to operate” to solve these problems.

  Here, as an example of the authentication method, there is an authentication method that uses a commonly used ID and password. If this method is correctly operated, authentication is sufficiently strong. However, there are many unrealistic aspects such as memorizing a lot of complex passwords and changing the passwords regularly.

  Further, there is a method of using a removable external storage device such as a general USB memory for authentication. However, in this case, authentication is performed by obtaining a code that identifies the individual, but unlike smart card devices designed for authentication, there is no guarantee that the individual can be uniquely identified, rather from the manufacturing cost. If considered, it is reasonable to think that there are multiple devices with the same individual identification code and they overlap with a certain probability. For this reason, such an authentication technique is not used as a relatively weak authentication method in a limited field such as locking of a personal device. For example, a technique for locking by a simple act of inserting and removing USB as disclosed in Patent Document 1 is an example.

  In addition to the authentication technology, VPN (virtual private network) connection is generally used in order to ensure the security of network connection (see, for example, Patent Document 2). VPN is a service that can use a public line as if it were a dedicated line. In VPN, IPsec or PPTP is mainly used, and an IP or UDP protocol is used for the transport layer. Recently, a protocol using TCP and a protocol using HTTP exist. There are terminal-terminal, terminal-network, and network-network connection modes. In any form, a protocol stack is generated at both ends so that any application can communicate with each other through VPN as an alternative to a dedicated communication path. Become.

JP 2005-351996 A Japanese Patent Laid-Open No. 11-284664

  In the conventional authentication method, the higher the burden on the user, the higher the security. However, the burden on the user is increased, and there is a situation in which information leakage occurs frequently. In order to increase the accuracy and strength of authentication, it is optimal to combine a plurality of authentication methods and a plurality of authentication paths, but this further burdens the user and lacks practicality.

  There is also a problem in the VPN method used when ensuring the security of network connection. In the system using IP or UDP for the transport layer, connection cannot be made through NAPT (Network Address Port Translation) set in a general router. In the method using TCP for the transport layer, the connection is broken when retransmission starts due to packet delay or the like. In addition, the method using HTTP in the transport layer is not suitable for an application that requires high responsiveness because the connection is broken when retransmission starts due to packet delay or the like, and there is a problem in responsiveness. Further, a decisive problem of VPN is that safety other than the communication path is not taken into consideration, and if one of the networks is intruded, the connection destination is also infiltrated into the network.

  The present invention has been made in view of such a problem, and has an object of reducing the burden on the user and providing a method for realizing advanced authentication, and further, a secure network. The object is to provide a method for increasing the connection and its security strength.

  In order to solve this problem, the present invention is an authentication method using an external storage device that is detachable from an information processing apparatus and stores information for accessing an authentication server that stores user information in advance. Extracting the device unique information preset in the external storage device and the randomly generated first authentication key stored in the non-data storage area; and the extracted device unique information and authentication key To the authentication server, to perform authentication processing by comparing the device-specific information and the first authentication key with the stored user information at the server, and at the server If it is determined to permit authentication, the step of receiving information including a second authentication key newly generated randomly from the server, and the received second authentication key It provides authentication method characterized by comprising the step of rewriting the first authentication key stored in the data storage area.

  Further, the present invention is an authentication method further using a mobile communication terminal separate from the information processing apparatus, and the step of performing an authentication process in the server is performed by the user specified by the device specific information. The step of extracting the information of the mobile communication terminal registered in advance in the user information, and the authentication URL randomly generated for the message transmission address included in the extracted information of the mobile communication terminal Transmitting a mail containing information related to the information, detecting access from the mobile communication terminal to the authentication URL and extracting terminal-specific information of the mobile communication terminal used for the access; Comparing the extracted terminal specific information with the terminal specific information registered in advance in association with the mobile communication terminal, and And performing the authentication process using the result of the compare.

  Also, a method of connecting a plurality of information processing apparatuses communicating via a public network, wherein the information processing apparatus forms an encrypted communication path for each application using a pre-authenticated authorization key A method is provided comprising the steps.

  According to the present invention, it is possible to reduce the burden on the user and provide advanced authentication. Furthermore, it becomes possible to increase a secure network connection and its security strength.

  An information processing apparatus described below includes a CPU, a RAM, and a ROM as an example. The CPU executes processing based on various programs stored in the ROM program ROM. The CPU controls each device connected to the system bus. The RAM functions as a main memory and work area for the CPU. The information processing apparatus also includes an input operation unit including a keyboard or various switches for inputting predetermined commands or data, and a display unit for performing various displays.

  In the following description, a detailed description will not be given for the sake of brevity, but various processes described in this specification are performed by executing various applications (programs) from ROM to RAM as will be apparent to those skilled in the art. , And the CPU executes processing based on the read application (program).

  Hereinafter, embodiments of each invention will be described. In addition, this invention is not limited to the following embodiment at all, and can be implemented with a various aspect in the range which does not deviate from the summary.

  In this specification, the content related to authentication will be described first, and then the content related to secure network connection will be described.

<< Certification >>
The authentication technology described below mainly performs authentication using an external storage device such as a USB memory in an information processing device such as a personal computer, or performs authentication using a mobile communication terminal such as a mobile phone or PHS. Technology.

<Embodiment 1>
In this embodiment, an example in which authentication is performed using an external storage device will be described. An example of the external storage device is a general-purpose external storage device such as a USB memory. The USB memory includes device-specific information. However, unlike a MAC address, for example, the USB memory may not necessarily be information that uniquely identifies the device. Therefore, in this embodiment, the USB memory is uniquely identified and used as an authentication device by using an authentication key (for example, a one-time ID) together.

  FIG. 1 is a diagram showing processing of the present embodiment. In the example of FIG. 1, a state in which authentication processing is performed between a PC (information processing apparatus) and a server (authentication server) is shown.

  Here, user information is stored in the server in advance. “User information” refers to information related to a user to be authenticated, and specifically, device-specific information (terminal ID of the USB memory) and first information associated with the device-specific information. Are included in the information table as one record. Note that the first authentication key is a randomly generated one-time ID, and is stored in advance in the non-data storage area of the USB memory prior to the actual authentication process. The non-data storage area means an area that is not used for normal information recording (cannot be accessed by general users). Specific examples include MBR (Master Boot Record), a sector with a bad sector mark, and the like. Note that the user information does not necessarily have to be stored in the authentication server. The authentication server accesses another server device or the like, or the authentication server refers to a storage device connected to the authentication server. It is also possible to use it.

  Further, it is assumed that the USB memory is mounted in advance on an information processing apparatus (not necessarily an apparatus used for authentication) and stores predetermined information from the authentication server. Specifically, an authentication application program (dedicated software in the figure) used for authentication and access information such as the IP address and domain of the authentication server for accessing the authentication server are stored. . In addition, the one-time ID is stored in advance in the non-data storage area from the authentication server using a dedicated command.

  A case where the user performs authentication using the USB memory in the above state will be described below. FIG. 2 is a diagram illustrating an example of the flow of authentication processing according to the present embodiment. First, a USB memory is attached to the information processing apparatus. Then, the application program for authentication stored in the USB memory is started, and the device-specific information of the USB memory and the first authentication key generated randomly stored in the non-data storage area are extracted and authenticated. (S201, S202). Note that the first authentication key does not necessarily have to be transmitted simultaneously with the device specific information. For example, a dedicated command for accessing the tamper-resistant area may be returned from the authentication server that has received the device specific information, and the first authentication key may be transmitted to the authentication server accordingly.

  Next, in the server for authentication, the transmitted device specific information and the first authentication key are compared with information included in the user information (S203). Here, if the two match, the authentication server determines that the authentication is permitted, and returns an approval key used in the subsequent information processing apparatus. At that time, a second authentication key (one-time ID) newly generated at random is also returned (S204). Then, using the returned second authentication key, the first authentication key stored in the non-data storage area is rewritten (S205). At the same time, the user information on the server side is also updated.

  By performing the processing in this way, authentication can be performed while maintaining the uniqueness of a general-purpose USB memory. Also, since the authentication key is rewritten every time it is used in this way, even if the USB memory is forged by copying or the like to another person, the authentication key is rewritten by the use of the user again. It becomes invalid and the authentication strength is improved.

  The information processing apparatus can receive a subsequent service using the received approval key. Note that the exchange of information regarding authentication performed between the information processing apparatus and the authentication server is preferably performed by encrypted communication.

<Embodiment 2>
In the present embodiment, an example in which even stronger authentication processing is performed with a simple user operation will be described. Specifically, the authentication method further uses a mobile communication terminal that is separate from the information processing apparatus. A mobile communication terminal is a device used by an individual on a daily basis, such as a mobile phone or a PHS, and often includes various types of information or electronic money, and is sufficiently managed. Furthermore, since it is possible to identify the terminal uniquely by checking the terminal-specific information on the communication carrier side, it is suitable as a device for authentication. In the present embodiment, a portable communication terminal that can use e-mail and Web access is used.

  In the present embodiment, the mobile communication terminal information is stored in advance in addition to the user information stored in the authentication server described above. Specifically, information relating to a message transmission destination such as an e-mail address and a telephone number used in the mobile communication terminal, terminal-specific information of the mobile communication terminal, and the like are stored in advance.

  A case where the user performs authentication using the mobile communication terminal in the above state will be described below. FIG. 3 shows an example of a sequence diagram in the present embodiment, and FIG. 4 is a diagram showing an example of the flow of authentication processing of the present embodiment. In the present embodiment, an example in which the mobile communication terminal is further used for the authentication process using the USB described in the first embodiment will be described. However, the authentication process described below may be performed using the mobile communication terminal alone. Is possible.

  In the server for authentication, further processing is performed to make a determination to permit the authentication processing. Specifically, when the device specific information of the USB memory is received, the e-mail address of the mobile communication terminal registered in advance in the user information of the user specified by the device specific information is extracted (S401). . Then, a mail including a randomly generated URL for authentication is transmitted to the mail address (S402). Note that the authentication URL does not necessarily have to be a Web page included in the authentication server as long as the authentication server can confirm the access. Thereafter, when the user clicks on the URL included in the mail transmitted to the mobile communication terminal, the terminal-specific information is transmitted from the mobile communication terminal to the communication carrier when accessing the URL. Then, terminal-specific information is passed from the communication carrier to the authentication server.

  The authentication server detects access to the specified URL and extracts terminal-specific information of the mobile communication terminal used for the access (S403). Then, the authentication server compares whether the extracted terminal specific information matches the terminal information registered in advance in association with the mobile communication terminal in the user information (S404). If they match, a process for permitting authentication is performed (S405).

  The operation performed by the user in the above processing is only one click for accessing the URL included in the received mail address. In the meantime, (1) confirmation of validity due to arrival of mail at the mail address, (2) confirmation of validity due to access to the specified URL, and (3) validity of the mobile communication terminal based on the terminal specific information That is, the three types of authentication processes for confirmation are performed. In addition, when the processing at the time of USB memory authentication described above is added, (4) confirmation of validity by the device unique information of USB, (5) confirmation of validity by one-time ID (first authentication key), That is, the process is performed. Since these are performed behind the user's operation, they are performed without increasing the burden on the user. Nevertheless, in the present embodiment, the complex authentication process as described above is performed, and advanced authentication is realized.

  FIG. 5 is a diagram illustrating an example of an operation screen in the processing described above. As shown in FIG. 5, for example, when this embodiment is used to access a remote desktop, authentication is further performed by finally inputting an ID or password for logging in to the remote desktop on the information processing apparatus. It will be.

  In addition, as shown in FIG. 3, it is possible to perform further strength authentication without increasing the burden on the user. When the authentication URL described above is pressed using a button or the like of the mobile communication terminal, further processing can be added to prompt the user to operate the mobile communication terminal. Specifically, information for instructing the user to operate the mobile communication terminal is transmitted from the authentication server on the display screen of the information processing apparatus (PC operated by the user in parallel). For example, a display such as “Press 3 button on mobile phone” is displayed on the display of the PC. On the other hand, when the user presses the 3 button of the mobile communication terminal, the authentication server receives information indicating that the mobile communication terminal is operated in response to the instruction. As an example, a script is embedded in the authentication URL included in the e-mail address addressed to the mobile communication terminal so that the information of the pressed button is immediately transmitted to the authentication server. Information on pressing the portable communication terminal button is transmitted to the authentication server. Then, in the authentication server, it is determined whether the operation instructed to the information processing apparatus matches the operation indicated by the received information, and authentication processing is performed using this determination result.

  By this operation, in addition to the above, it is possible to further confirm (6) the legitimacy that the user in front of the information processing apparatus actually uses the mobile communication terminal. In this case as well, the user simply presses the button once, and in addition to the above-described contents, the user performed the button operation only twice in combination with the URL authentication click. Not too much. Nevertheless, according to the present embodiment, authentication processing is performed several times as described above, so that advanced authentication processing can be realized.

  Note that the process for prompting the user to perform an operation can be performed repeatedly. The more repeated, the higher the strength. Further, in order to further increase the authentication strength, it is possible to instruct the operation described above using biometric authentication such as fingerprint authentication or vein authentication. Furthermore, since the mobile communication terminal can extract position information by using information such as a base station to be used or a function such as GPS, a position to be used (for example, within Japan) is registered in advance in user information. By doing so, it is possible to prevent unauthorized use from overseas. Furthermore, it can be used in combination with an existing authentication card, an authentication device called a smart device, an authentication system used in a bank ATM, or the like.

  In the present embodiment, an example using electronic mail has been described. However, in the present invention, any method may be adopted as long as it can be transmitted to a specific mobile communication terminal. For example, an authentication URL or the like may be transmitted to the mobile communication terminal using SMS (Short Message Service).

  In the present embodiment, the “URL related to authentication URL” has been described by taking the authentication URL as an example. However, the information included in the message from the authentication server includes other information. May be included instead. For example, information regarding a description of a predetermined operation method of the mobile communication terminal may be included. Specifically, an instruction for starting an application included in the mobile communication terminal may be included together with the URL. In this case, the mobile communication terminal can access the URL included in the message by activating the application in accordance with the instruction included in the message. Alternatively, the message itself sent from the authentication server may not include the URL itself. For example, consider a case where an application of a mobile communication terminal stores information related to an authentication URL in advance. Here, when the message sent from the authentication server includes a start instruction and a predetermined parameter, the mobile communication terminal starts the application based on the start instruction, acquires the predetermined parameter by the started application, and performs arithmetic processing. By performing the above and combining with the URL stored in advance, information on the URL for authentication can be generated on the mobile communication terminal side. Thereafter, the mobile communication terminal starts access to the generated URL. Thus, in the present invention, various embodiments can be employed as long as a response from a specific mobile communication terminal is possible based on an instruction from the authentication server.

<< Virtualized network >>
<Embodiment 3>
Next, an example of using a secure network when performing network connection will be described. FIG. 6 is a conceptual diagram in which an image of a conventional VPN connection is compared with an image of a connection according to the present invention. In the VPN connection shown in FIG. 6A, the network (1) and the network (2) are virtually used as a dedicated line. In this case, for example, if a malicious third party intrudes into the network (1), the network (2) is infiltrated as it is through the VPN connection. This occurs because the VPN is encrypted and communicates in protocols such as TCP and IP, and the contents cannot be checked by a firewall or the like.

  On the other hand, in this embodiment, encryption is performed at the upper layer stage for each application. For this reason, as shown in FIG. 6B, since encrypted communication is performed for each application, even if a malicious third party intrudes into the network (1), for example, it enters into the network (2). There is nothing. For this reason, a more secure network connection is possible.

  FIG. 7 is a diagram illustrating a system configuration example of the present embodiment. In the present embodiment, for example, when one terminal is located in a closed network such as an in-house LAN and the other terminal cannot be directly connected, such as when the other is connected to the WAN for remote access. Using a relay server component for relay, enables secure encrypted communication between both terminals. FIG. 7 illustrates various examples in which the terminal A accesses the server A, for example. Note that the relay server component is a software program and may be physically included in the server A as shown in FIG. 7A, or the server B as shown in FIG. 7B. As shown in FIG. 7C, and may be included in the device of terminal A.

  FIG. 8 is a diagram illustrating an example of a sequence in the present embodiment. The client terminal A and the application server A exchange data via the relay server B. The relay server B (relay server component) is more specifically divided into agents A, B, and C. The agent A is an authentication / encryption communication program incorporated in the terminal A, and the agent B The authentication / encryption program incorporated in the server B, and the agent C is an authentication / encryption program incorporated in the server A. Agents A and C authenticate with agent B, respectively. When the agent A receives a connection request from the application of the client terminal A, the agent A makes a connection request to the agent B to perform encrypted communication.

  FIG. 9 is a diagram for explaining an example of performing encrypted communication in the case of FIG. FIG. 9 shows an example in which a terminal A located outside the company attempts to remotely access the server A in the in-house LAN via the public network. The server B is connected to a DMZ (DeMilitarized Zone) in the in-house LAN. positioned.

  Note that pre-authentication processing is performed between the terminal A and the server B, and the terminal A receives the encryption key (first encryption key) and the approval key. Note that the pre-authentication process may be the authentication process described in the first or second embodiment, or may be a conventionally performed authentication process. That is, this embodiment creates a communication path using a pre-authenticated approval key, and the approval key used in this embodiment may be the one described in the previous embodiment or different. It may be.

  When performing data communication, first, an approval key is transmitted from the terminal A to the server B. In the server B, the transmitted approval key is received, and the encryption key (first encryption key) transmitted in the pre-authentication and associated with the approval key is searched in its own storage area. These processes are processes indicated by “authentication” in FIG. Next, the terminal A performs encrypted communication using the first encryption key, and transmits the address information of the server A that is the information processing apparatus to be connected to the server B (relay server component). The server B receives the address information transmitted from the terminal A according to the encrypted communication by using the first encryption key extracted by searching. Next, the server B uses this encrypted communication to transmit a second encryption key for encrypting data communication (application data) to the terminal A. In terminal A, data communication is started using the second encryption key. In practice, the terminal A transmits data to the server B, and the server B transmits and receives data from the terminal A to the server A based on the address information. In the process of encrypting data communication, the process of encrypting using a different encryption key for each application session is performed. By performing encryption in session units, a more secure network connection can be realized.

  When a plurality of client programs that require connection with the server operate simultaneously, a plurality of encrypted communication paths are formed along with the client program. For example, when three client programs that require connection with the server are started, three encrypted communication paths are established through an authentication process each time. In conventional encrypted communication such as VPN, data from a plurality of application programs is flowed through one encrypted communication path, so that once the encryption is broken, all data flowing through the communication path is decrypted. However, this does not occur in the present embodiment.

  FIG. 10 shows an example in which the server B is located on the public network as shown in FIG. Also in FIG. 10, authentication processing and encryption processing are performed as in the example of FIG. In FIG. 10, the terminal A and the server A are shown as one, but in actual use, connections corresponding to the plurality of terminals A and the server A occur with respect to the server B. become. Therefore, the connection code for the server B to recognize the set for connecting the target terminal A and the server A is exchanged in advance, and the encryption key (first encryption key) is changed. When transmitting, the connection code is also transmitted, so that the server B can grasp the connection set.

  In the example of FIG. 10, the encryption key used for communication between the terminal A and the server B and the encryption key used for communication between the server A and the server B are the same encryption key. It may be a different encryption key. When the same encryption key is used, encryption and decryption processing may be performed on the server B side, or encryption and decryption processing may be performed on the terminal A and the server A side. .

  FIG. 11 shows an example in which server B is located on the network to which terminal A belongs, as shown in FIG. As in the example of FIG. 9, authentication processing and encryption processing are performed.

  While various embodiments have been described in relation to the present invention, the present invention is not limited to these embodiments. Further, a recording medium in which a program for operating the configuration of the above-described embodiment so as to realize the function of the embodiment is stored in the storage medium is also included in the scope of the embodiment, and each of the operations for realizing each of these operations An information processing apparatus including means and a system using the information processing apparatus are also included in the scope of the embodiments.

It is a figure which shows an example of the sequence of the authentication process of Embodiment 1 of this invention. It is a figure which shows an example of the flow of the process of Embodiment 1 of this invention. It is a figure which shows an example of the sequence of the authentication process of Embodiment 2 of this invention. It is a figure which shows an example of the flow of the process of Embodiment 2 of this invention. It is a conceptual diagram which shows the authentication process of this invention. It is a contrast diagram with the prior art for demonstrating the virtual network of this invention. It is a figure which shows the Example from which the virtual network of this invention differs. It is a schematic diagram of the sequence of the virtual network of the present invention. It is a figure which shows an example of the sequence of the virtual network of this invention. It is a figure which shows another example of the sequence of the virtual network of this invention. It is a figure which shows another example of the sequence of the virtual network of this invention.

Explanation of symbols

S201 Device unique information and first authentication key extraction step S202 Device unique information and first authentication key transmission step S203 Authentication step S204 Second authentication key reception step S205 Rewrite step

Claims (16)

An authentication method using an external storage device that can be attached to and detached from the information processing apparatus, which stores information for accessing an authentication server that stores user information in advance,
Extracting device-specific information preset in the external storage device and a randomly generated first authentication key stored in the non-data storage area;
Transmitting the extracted device specific information and authentication key to the authentication server;
Performing authentication processing by comparing the device-specific information and the first authentication key with the stored user information at the server;
If it is determined that the authentication is permitted at the server, receiving information including a second authentication key newly generated at random from the server;
Rewriting the first authentication key stored in the non-data storage area with the received second authentication key. 2. The key exchange with the server is processed by being encrypted.
Authentication method described in. An authentication method further using a mobile communication terminal separate from the information processing apparatus,
The step of performing an authentication process on the server includes:
Extracting information of the mobile communication terminal registered in advance in the user information of the user specified by the device specific information;
Transmitting a message including information relating to a randomly generated URL for authentication to an address for message transmission included in the extracted mobile communication terminal information;
Detecting access from the mobile communication terminal to the URL for authentication and extracting terminal-specific information of the mobile communication terminal used for the access;
Comparing the extracted terminal-specific information with terminal-specific information registered in advance in association with the mobile communication terminal;
Including
The authentication method according to claim 1, wherein the authentication process is performed using the comparison result. The step of performing an authentication process on the server includes:
Transmitting information instructing a user to operate the mobile communication terminal on a display screen of the information processing apparatus;
Receiving information indicating that the mobile communication terminal has been operated in response to the instruction;
Determining whether the operation instructed to the information processing apparatus matches the operation indicated by the received information;
Further including
The authentication method according to claim 3, wherein the authentication process is performed using the determined result.   The authentication method according to claim 4, wherein the transmitting step, the receiving step, and the determining step are repeatedly performed.   The authentication method according to claim 4, wherein the user information includes information related to biometric authentication, and the operation is an operation using biometric authentication. The user information includes location information that the mobile communication terminal plans to use authentication,
Extracting location information of the mobile communication terminal used for the access;
A step of comparing the position information included in the user information with the extracted position information;
The authentication method according to any one of claims 3 to 6, wherein the authentication processing is performed using the comparison result. A method of connecting a plurality of information processing apparatuses communicating via a public network,
The information processing apparatus includes a step of forming an encrypted communication path for each application using a pre-authenticated authorization key. The information including the second authentication key newly generated randomly according to any one of claims 1 to 7 includes the approval key,
The method according to claim 8, wherein the information processing apparatus forms the communication path using the approval key. Including a relay server component that relays the communication path;
Forming the communication path comprises:
Exchanging the authorization key and the first encryption key with the relay server component;
Transmitting address information of an information processing apparatus to be connected to the relay server component by encrypted communication using the first encryption key;
Exchanging a second encryption key for encrypting data communication with the relay server component; and encrypting the data communication using the second encryption key. Item 10. The method according to Item 8 or 9.   The method of claim 10, wherein the step of encrypting data communication using the second encryption key is performed using an encryption key that is different for each session of an application.   The method according to claim 10 or 11, wherein the relay server component is included in one information processing apparatus or the other information processing apparatus.   The method according to claim 10 or 11, wherein the relay server component is included in a relay device that is separate from the information processing device.   The program for performing each step in any one of Claims 1-13. An authentication system using an external storage device that can be attached to and detached from the information processing apparatus, which stores information for accessing an authentication server that stores user information in advance,
Means for extracting device-specific information preset in the external storage device and a randomly generated first authentication key stored in the non-data storage area;
Transmitting the extracted device specific information and authentication key to the authentication server;
Means for performing authentication processing by comparing the device-specific information and the first authentication key and pre-registered information with the stored user information in the server;
Means for receiving, from the server, information including a second authentication key newly randomly generated when it is determined that the authentication is permitted at the server;
An authentication system comprising: means for rewriting the first authentication key stored in the non-data storage area with the received second authentication key. A system for connecting a plurality of information processing devices communicating via a public network,
The information processing apparatus includes a unit that forms an encrypted communication path for each application using a pre-authenticated approval key.