JP2016115162A - Authentication system, authentication terminal device, registration terminal device, authentication method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a system for authenticating a terminal device efficiently, and a method.SOLUTION: An authentication system 1 includes a registration terminal device 10, an authentication terminal device 30, and an authenticated terminal device 20. The registration terminal device 10 includes a communication section 112 which transmits an authentication ID acquired in advance to the authentication terminal device 30 and the authenticated terminal device 20. The authenticated terminal device 20 includes an authentication request section 212 which issues an authentication request specifying an authentication ID and unique information of the authenticated terminal device 20, to the authentication terminal device 30. The authentication terminal device 30 includes: a storage section 320 which stores authentication information formed by associating the unique information of the authenticated terminal device 20 acquired in advance with the authentication ID transmitted from the communication section 112 of the registration terminal device 10; and an authentication section 311 which authenticates the authenticated terminal device 20, on the basis of whether the authentication information includes a combination of the authentication ID specified in the authentication request and the unique information of the authenticated terminal device 20 specified in the authentication request, on receipt of the authentication request from the authenticated terminal device 20.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an authentication system, an authentication terminal device, a registration terminal device, an authentication method, and a program.

  Two-factor authentication is used as one method of user authentication when using a system or application. One element of the two-factor authentication is terminal-specific information such as a MAC address (Media Access Control address) and a terminal ID (Identification) of a terminal used by the user.

  Japanese Patent Application Laid-Open No. 2003-133867 discloses that “a calculation unit that calculates a first irreversible value from a first character string and a machine identification number uniquely assigned by a predetermined calculation method, a first password, and the first password A client unit including an authentication request including an irreversible value, a second personal identification number of the client terminal, a second identification number calculated from the machine identification number and the first character string. A storage unit that stores an irreversible value of the first secret number and the first irreversible value included in the authentication request when the authentication request is received from the client terminal, An authentication system comprising: an authentication unit that authenticates the client terminal when the second personal identification number and the second irreversible value of the client terminal stored in the storage unit match. Concerning Techniques have been disclosed.

JP 2012-113549 A

  When the terminal is authenticated by the authentication server, it is necessary to register the terminal specific information in advance in the authentication server and transmit the terminal specific information to the authentication server every time authentication is requested. It is inefficient to have one subject, such as an authentication server, manage information such as device-specific information and perform setting processing to guarantee the validity of authority. It is.

  In the technique disclosed in Patent Document 1, the server performs management of terminal-specific information and processing for guaranteeing authority validity, and does not improve efficiency.

  The present invention has been made in view of the above points, and an object thereof is to efficiently authenticate a terminal device.

  In order to solve the above problem, an authentication system of the present invention is an authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network, wherein the registration terminal device is A communication unit that transmits an authentication ID acquired in advance to the authentication terminal device and the authenticated terminal device, wherein the authenticated terminal device identifies the authentication ID and unique information of the authenticated terminal device An authentication request unit that makes a request to the authentication terminal device is provided, and the authentication terminal device stores authentication information in which the unique information acquired in advance is associated with the authentication ID transmitted from the communication unit of the registration terminal device When the authentication terminal side storage unit that receives the authentication request from the authenticated terminal device, the authentication ID specified in the authentication request and the unique specified in the authentication request Wherein the combination of the distribution comprises an authentication unit authenticating the prover terminal device based on whether included in the authentication information.

  In order to solve the above problem, the communication unit of the registration terminal device according to the present invention transmits an encrypted authentication ID, which is the encrypted authentication ID, to the authenticated terminal device. The authentication request unit performs the authentication request specifying the encrypted authentication ID, and the authentication unit of the authentication terminal device is configured to decrypt the encrypted authentication ID specified in the authentication request. And the unique information may be authenticated when the authentication information includes the authentication information.

  In order to solve the above problem, the authentication terminal device according to the present invention is such that the authentication ID transmitted by the communication unit of the registration terminal device corresponds to the authentication ID included in the authentication request, and An authentication information generation unit that generates the authentication information by associating the authentication ID with the unique information included in the authentication request when the unique information is not associated with the authentication ID in the authentication information. It is good.

  In order to solve the above-described problem, the registration terminal device of the present invention provides issue ID management information in which an ID of the registration terminal device and a password are associated with each authentication ID issued by the ID issuing unit. A registration terminal side storage unit for storing, and the authenticated terminal device includes an ID issuance request unit that performs an authentication ID issuance request specifying the ID and password of the registration terminal device to the registration terminal device, When the communication unit of the registered terminal device accepts the authentication ID issue request, the communication unit associated with the combination of the ID of the registered terminal device and the password specified in the authentication ID issue request is associated with the issued ID management information. The authentication ID may be transmitted to the authenticated terminal device.

  Moreover, in order to solve the said subject, the said to-be-authenticated terminal apparatus of this invention is equipped with the specific information acquisition part which acquires the said specific information using the data acquisition information transmitted from the said registration terminal apparatus, The said registration terminal apparatus When the combination of the ID of the registered terminal device specified by the authentication ID issuance request and the password is included in the issuance ID management information, the communication unit transmits the data acquisition information to the authenticated terminal device. It is good also as transmitting.

  In order to solve the above-mentioned problem, the registration terminal device of the present invention includes an encryption unit that encrypts the authentication ID with a secret key, and the authentication terminal device encrypts with a public key corresponding to the secret key. A decryption unit that decrypts the converted authentication ID may be provided.

  In order to solve the above problem, the authentication request unit of the authenticated terminal device of the present invention makes the authentication request specifying the hashed unique information, and the authentication unit of the authentication terminal device has a hash The authenticated terminal device may be authenticated using the converted unique information.

  In order to solve the above problems, an authentication system of the present invention is an authentication system including a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network, and the registration terminal device A communication unit that transmits an authentication ID acquired in advance to the authentication terminal device, and transmits the first unique information that is unique information received from the authenticated terminal device and the authentication ID to the authenticated terminal device. And the authenticated terminal device identifies the second unique information, which is the unique information of the authenticated terminal device, and the first unique information and the authentication ID transmitted by the communication unit An authentication request unit that makes a request to the authentication terminal device, and the authentication terminal device stores the authentication ID transmitted from the communication unit of the registration terminal device as authentication information When the memory unit and the authentication request are received from the authenticated terminal device, the authentication ID specified in the authentication request exists in the authentication information, and the first unique information specified in the authentication request is An authentication unit that authenticates the authenticated terminal device when corresponding to the second unique information.

  In order to solve the above-mentioned problem, the authentication terminal device of the present invention includes a decryption unit that decrypts the encrypted first unique information and the encrypted authentication ID, and the registration terminal device The communication unit transmits the encrypted first unique information and the encrypted authentication ID to the authenticated terminal device, and the authentication request unit of the authenticated terminal device is encrypted The authentication request specifying the first unique information and the encrypted authentication ID is performed, and the authentication unit of the authentication terminal device includes the authentication ID decrypted by the decryption unit in the authentication information In addition, if the first unique information decrypted by the decryption unit corresponds to the second unique information, the authenticated terminal device may be authenticated.

  In order to solve the above-mentioned problem, the registration terminal device according to the present invention stores, for each authentication ID, an issuance ID management information in which an ID of the registration terminal device and a password are associated with each other. The authenticated terminal device includes an ID issue request unit that issues an authentication ID issue request specifying the ID and password of the registered terminal device to the registered terminal device, and the communication unit of the registered terminal device When the authentication ID issuance request is accepted, the authentication ID associated with the issuance ID management information for the combination of the ID of the registered terminal device and the password specified in the authentication ID issuance request, The unique information received from the authentication terminal device may be transmitted to the authenticated terminal device.

  In order to solve the above problem, the authenticated terminal device of the present invention includes a unique information acquisition unit that acquires the second unique information using data acquisition information transmitted from the registered terminal device, The communication unit of the registered terminal device, when the combination of the ID of the registered terminal device specified by the authentication ID issue request and the password is included in the issued ID management information, the data acquisition information The second unique information transmitted to the terminal device and acquired by the unique information acquisition unit may be received.

In order to solve the above problem, the registration terminal device of the present invention includes an encryption unit that encrypts the authentication ID and the first unique information with a secret key,
The authentication unit of the authentication terminal device authenticates the authenticated terminal device using the encrypted authentication ID and the first unique information decrypted using the public key corresponding to the secret key. It may be characterized by.

  In order to solve the above problem, the authentication terminal device of the present invention includes the first unique information of the authenticated terminal device acquired in advance and the authentication ID acquired from the registered terminal device connected via the network. When receiving from the authenticated terminal device an authentication request specifying the authentication terminal side storage unit for storing the associated authentication information, the second unique information of the authenticated terminal device connected via the network, and the authentication ID An authentication unit that authenticates the authenticated terminal device based on whether or not the combination of the received second unique information and the authentication ID is included in the authentication information.

  In order to solve the above-mentioned problem, the registration terminal device of the present invention stores registration ID management information in which an ID of the registration terminal device and a password are associated with an authentication ID acquired in advance. A communication unit that receives an authentication ID issuance request that specifies the ID and password of the registered terminal device from an authentication target terminal device connected via a network, and the communication unit receives the authentication ID issuance request An encryption unit that encrypts the authentication ID associated with the combination of the ID of the registered terminal device and the password specified in the authentication ID issuance request, and the communication unit is configured by the encryption unit. An encrypted encrypted authentication ID and data acquisition information used by the authenticated terminal device to acquire unique information are transmitted to the authenticated terminal device; And transmits the authentication ID to the authentication terminal device connected via a network.

  In order to solve the above-mentioned problem, the registration terminal device of the present invention stores registration ID management information in which an ID of the registration terminal device and a password are associated with an authentication ID acquired in advance. And an authentication ID issuance request that specifies the ID and password of the registered terminal device from the authenticated terminal device connected via the network, and the ID of the registered terminal device specified in the authentication ID issue request When the combination of the password and the password is in the issued ID management information, the communication unit transmits data acquisition information used by the authenticated terminal device to acquire unique information to the authenticated terminal device, The combination of the ID and password of the registered terminal device specified in the authentication ID issue request and the authentication I related in the issue ID management information And an encryption unit that encrypts the unique information of the authenticated terminal device acquired using the data acquisition information, and the communication unit is a cipher encrypted by the encryption unit. The authentication authentication ID and encrypted unique information are transmitted to the authenticated terminal device, and the authentication ID is transmitted to the authentication terminal device connected via the network.

  In order to solve the above problem, an authentication method of the present invention is an authentication method used in an authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network. The registration terminal device has a communication procedure for transmitting an authentication ID acquired in advance to the authentication terminal device and the authenticated terminal device, and the authentication terminal device is transmitted from the registration terminal device in the communication procedure. An authentication information storage procedure for storing in the storage unit authentication information in which the authentication ID is associated with the previously acquired unique information, and the authenticated terminal device includes the authentication ID and the unique information of the authenticated terminal device. And an authentication request procedure for making an authentication request specifying the authentication terminal device, and the authentication terminal device receives the authentication request from the authenticated terminal device, An authentication procedure for authenticating the authenticated terminal device based on whether the authentication information includes a combination of the authentication ID specified in the authentication request and the specific information specified in the authentication request. Features.

  In order to solve the above problem, an authentication method of the present invention is an authentication method used in an authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network. The registration terminal device transmits an authentication ID acquired in advance to the authentication terminal device, and the first unique information, which is unique information received from the authenticated terminal device, and the authentication ID are transmitted to the authenticated terminal device. A communication procedure for transmitting, wherein the authentication terminal device has an authentication information storage procedure for storing the authentication ID transmitted from the communication unit of the registration terminal device in a storage unit as authentication information, and the authenticated terminal The apparatus sends an authentication request specifying the second unique information, which is the unique information of the authenticated terminal device, and the first unique information and the authentication ID transmitted by the communication unit, An authentication request procedure for the authentication terminal device, and when the authentication terminal device receives the authentication request from the authenticated terminal device, the authentication ID specified in the authentication request exists in the authentication information. And an authentication procedure for authenticating the authenticated terminal device when the first specific information specified in the authentication request corresponds to the second specific information.

  In order to solve the above problems, a program according to the present invention is a program for causing a computer to function as a registration terminal device, from an authenticated terminal device connected via a network, an ID and a password of the registration terminal device. A communication procedure that accepts an authentication ID issuance request that identifies the authentication ID, and an issuance ID that associates the ID of the registered terminal device and the password with the authentication ID acquired in advance when the authentication ID issuance request is accepted in the communication procedure An encryption procedure for encrypting the authentication ID related to the combination of the ID of the registered terminal device and the password specified in the authentication ID issuance request with reference to management information; In the procedure, the encrypted authentication ID encrypted in the encryption procedure and the authenticated terminal device have unique information Transmits a data acquisition information used to obtain the relative said prover terminal device, and transmits the authentication ID to the connected authentication terminal apparatus via the network.

  In order to solve the above problems, a program according to the present invention is a program for causing a computer to function as a registration terminal device, from an authenticated terminal device connected via a network, an ID and a password of the registration terminal device. When the authentication ID issuance request is received, the issuance ID management information in which the ID of the registered terminal device and the password are associated with the previously acquired authentication ID is referred to, and the authentication ID issuance request is identified. When the combination of the ID of the registered terminal device and the password is in the issued ID management information, the data acquisition information used by the terminal device to be authenticated to acquire unique information is transmitted to the terminal device to be authenticated. A communication procedure to be performed, and a combination of the ID and password of the registered terminal device specified in the authentication ID issuance request An encryption procedure for encrypting the authentication ID related in the issued ID management information and the unique information of the authenticated terminal device acquired using the data acquisition information, and In the communication procedure, the encrypted authentication ID and the encrypted unique information encrypted in the encryption procedure are transmitted to the authenticated terminal device, and the authentication terminal device connected via the network An authentication ID is transmitted.

  ADVANTAGE OF THE INVENTION According to this invention, it can authenticate with respect to a terminal device efficiently.

It is a block diagram which shows an example of a function structure of the authentication system in 1st Embodiment. It is a figure which shows an example of the issue ID management information in 1st Embodiment. It is a figure which shows an example of the authentication information in 1st Embodiment. It is a figure which shows the hardware structural example of the registration terminal device in 1st Embodiment. It is a sequence diagram which shows an example of the agent ID issuance preparation process in 1st Embodiment. It is a sequence diagram which shows an example of the agent ID issuing process in 1st Embodiment. It is a sequence diagram (the 1) which shows an example of the authentication process in 1st Embodiment. It is a sequence diagram (the 2) which shows an example of the authentication process in 1st Embodiment. It is a figure which shows an example of the authentication information in 2nd Embodiment. It is a sequence diagram which shows an example of the agent ID issuing process in 2nd Embodiment. It is a sequence diagram which shows an example of the authentication process in 2nd Embodiment.

  (First embodiment)

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram illustrating an example of a functional configuration of the authentication system according to the first embodiment.

  In the authentication system 1 according to the present invention, a registration terminal device 10, an authenticated terminal device 20, and an authentication terminal device 30 are connected via a network 40. A plurality of authentication terminal devices 30 may be connected to the registration terminal device 10, and a plurality of authenticated terminal devices 20 may be connected to one authentication terminal device 30.

  The registered terminal device 10 is, for example, a PC (Personal Computer) or the like and has a function of guaranteeing the validity of the authenticated terminal device 20. Specifically, the registration terminal device 10 issues an authentication ID to a legitimate authenticated terminal device 20. Hereinafter, the authentication ID will be described as an agent ID. Based on the agent ID, the authenticated terminal device 20 is authenticated. The registered terminal device 10 transmits necessary information to the authenticated terminal device 20 and the authenticated terminal device 30 so that the authenticated terminal device 30 can authenticate the authenticated terminal device 20.

  The authenticated terminal device 20 is an electronic device such as a PC or a smartphone, and is operated by a user who performs an operation requiring authentication.

  The authentication terminal device 30 is an electronic device such as a PC or a smartphone, for example, and authenticates one or more authenticated terminal devices 20. The authentication terminal device 30 is operated by an operating entity different from the registration terminal device 10, for example. The authentication terminal device 30 may be operated by the same operating entity as the authenticated terminal device 20 or may be operated by another operating entity, but is authenticated on-premises by being operated by the same operating entity. You can enjoy the function about.

  The registered terminal device 10 includes a control unit 110 and a storage unit 120. The control unit 110 performs control related to the granting of authority to the authenticated terminal device 20. The storage unit 120 stores information used for control by the control unit 110.

  The control unit 110 includes an ID (IDentifier) issuing unit 111, a communication unit 112, and an encryption unit 113. The ID issuing unit 111 issues an agent ID as an identifier for identifying the authority to be granted to the authenticated terminal device 20. The agent ID is generated in advance for each authenticated terminal device 20 based on an input via the input device 14 described later. The ID issuing unit 111 issues an agent ID based on the issue request from the authenticated terminal device 20.

  The communication unit 112 receives an agent ID issuance request from the authenticated terminal device 20, and transmits an encrypted agent ID in response to the agent ID issuance request. The communication unit 112 also transmits the agent ID to the authentication terminal device 30. The agent ID to be transmitted is an agent ID issued to the authenticated terminal device 20 to be authenticated by the authentication terminal device 30. The communication unit 112 transmits agent software, which is data acquisition information for acquiring unique information, to the authenticated terminal device 20, details of which will be described later. Note that the communication unit 112 may include the agent ID encrypted in the agent software and transmit it to the authenticated terminal device 20. The encryption unit 113 encrypts the agent ID using the secret key, and generates an encrypted agent ID.

  The storage unit 120 stores issue ID management information 121. The issue ID management information 121 is information in which management information such as the presence / absence of issue of the generated agent ID to the authenticated terminal device 20 is recorded.

  The authenticated terminal device 20 includes a control unit 210 and a storage unit 220. The control unit 210 controls authority issuance requests for the registration terminal device 10 and authentication requests for the authentication terminal device 30. The storage unit 220 stores information used for control by the control unit 210.

  The control unit 210 includes an ID issue request unit 211, an authentication request unit 212, and a unique information acquisition unit 213. The ID issue request unit 211 makes an agent ID issue request specifying the ID and password of the registered terminal device 10 acquired in advance to the registered terminal device 10. The authentication request unit 212 makes an authentication request specifying the encrypted agent ID received from the registered terminal device 10 and the unique information of the authenticated terminal device 20 to the authentication terminal device 30.

  The unique information acquisition unit 213 acquires the unique information of the authenticated terminal device 20 using the data acquisition information transmitted from the registered terminal device 10. The unique information is, for example, a MAC address.

  The storage unit 220 stores data acquisition information 221. The data acquisition information 221 is a program as agent software received from the registered terminal device 10. The agent software has a function of acquiring unique information of the authenticated terminal device 20. By starting the agent software, the authentication request unit 212 and the unique information acquisition unit 213 are constructed.

  The authentication terminal device 30 includes a control unit 310 and a storage unit 320. The control unit 310 performs control related to authentication of the authenticated terminal device 20. The storage unit 320 stores information used for control of the control unit 310.

  The control unit 310 includes an authentication unit 311, an authentication information generation unit 312, and a decryption unit 313. The authentication unit 311 performs authentication for the authentication request received from the authenticated terminal device 20. Specifically, when the combination of the agent ID and the unique information included in the authentication request is included in the authentication information stored in the storage unit 320, the authenticated terminal device 20 is authenticated.

  The authentication information generation unit 312 generates authentication information using the agent ID received from the registered terminal device 10 and the unique information received from the authenticated terminal device 20. The decryption unit 313 has a public key for decrypting the information encrypted by the encryption unit 113 using the secret key, and decrypts the encrypted agent ID transmitted from the authenticated terminal device 20. The public key is transmitted in advance from, for example, the communication unit 113 of the registration terminal device 10.

  The storage unit 320 stores authentication information 321. The authentication information 321 is information in which the agent ID is associated with the unique information of the authenticated terminal device 20, and the authenticated terminal device 20 is authenticated based on the authentication information 321.

  In the present embodiment, an agent ID that identifies the authority that the registered terminal device 10 grants to the authenticated terminal device 20 is issued. Further, the authenticating terminal device 30 manages the unique information of the authenticated terminal device 20 in association with the agent ID, and authenticates the authenticated terminal device 20 based on the information, whereby the authenticity of the authenticated terminal device 20 is verified. Guaranteed. As a result, information management and authentication can be appropriately performed using the authority granting authority and the authentication authority performing authentication.

  Next, information stored in each storage unit will be described.

  FIG. 2 is a diagram illustrating an example of the issue ID management information 121 according to the first embodiment. The issued ID management information 121 is information that associates the agent ID 121a, the registration authority ID 121b, the registration authority password 121c, and the issued flag 121d.

  The agent ID 121a is an identifier for identifying the authority given to the authenticated terminal device 20 by the registered terminal device 10. The registration authority ID 121b is an identifier for identifying the registered terminal device 10 in which the agent ID 121a is registered. The registration authority password is a password required when the authenticated terminal device 20 requests the registration terminal device 10 to give an agent ID. The issued flag 121d is information indicating whether or not the agent ID has been issued to the authenticated terminal device 20.

  The combination of the registration authority ID 121b and the registration authority password 121c is unique to the agent ID 121a. In the agent ID issue request transmitted from the authenticated terminal device 20, the registration authority ID 121b and the registration authority password 121c are specified, and the agent ID 121a corresponding to the agent ID issue request is uniquely determined.

  In the issued ID management information 121 shown in FIG. 2, since the issued flag 121d is “not issued” for the agent ID 121a of “AAA0001”, the authority related to the agent ID 121a of “AAA0001” is still authenticated. Is not issued.

  FIG. 3 is a diagram illustrating an example of the authentication information 321 according to the first embodiment. The authentication information 321 is information that associates the agent ID 321a with the unique information 321b.

  The agent ID 321a is an identifier for identifying the authority to be given to the authenticated terminal device 20, and corresponds to the agent ID 121a of the issue ID management information 121. The unique information 321b is information unique to the authenticated terminal device 20, and is information that can identify the authenticated terminal device 20.

  FIG. 4 is a diagram illustrating a hardware configuration example of the registration terminal device 10 according to the first embodiment. The registration terminal device 10 includes an arithmetic device 11, a memory 12, an external storage device 13, an input device 14, an output device 15, a communication device 16, and a storage medium drive device 17, and each component is a bus. Connected by.

  The arithmetic device 11 is a central arithmetic device such as a CPU (Central Processing Unit), and executes processing according to a program recorded in the memory 12 or the external storage device 13. In the registered terminal device 10, the processing is performed by the arithmetic device 11 that operates according to the program read out on the memory 12 or the external storage device 13. Each processing unit constituting the control unit 110 realizes each function by the arithmetic device 11 executing a program.

  The memory 12 is a storage device such as a RAM (Random Access Memory) or a flash memory, and functions as a storage area from which programs and data are temporarily read. The external storage device 13 is a storage medium capable of writing and reading, such as an HDD (Hard Disk Drive), a CD-R (Compact Disc-Recordable), a DVD-RAM (Digital Versatile Disk-Random Access Memory), and a storage medium drive. Device. The function of the storage unit 120 is realized by the memory 12 or the external storage device 13. The function of the storage unit 120 may be realized by a storage device connected via the communication device 16.

  The input device 14 is a device that receives an input operation from a user, and is, for example, a touch panel, a keyboard, a mouse, a microphone, or the like. The output device 15 is a device that performs an output process of data stored in the registration terminal device 10, and is, for example, a display device such as an LCD (Liquid Crystal Display) or a printer.

  The communication device 16 is a device for connecting the registration terminal device 10 to the network 40, and is a communication device such as a LAN (Local Area Network) card. The storage medium driving device 17 is a device that inputs and outputs information from a portable medium 38 such as a CD (Compact Disk) or a DVD (Digital Versatile Disk).

  In addition, the process of each component of the registration terminal device 10 may be executed by one hardware, or may be executed by a plurality of hardware. The processing of each component of the registration terminal device 10 may be realized by one program or a plurality of programs.

  Since the authenticated terminal device 20 and the authentication terminal device 30 have the same hardware configuration as that of the registration terminal device 10, the description of the hardware configuration of the authenticated terminal device 20 and the authentication terminal device 30 is omitted.

  Hereinafter, the flow of processing in the present embodiment will be described using a sequence diagram.

  FIG. 5 is a sequence diagram illustrating an example of an agent ID issuance preparation process according to the first embodiment. This process is started when, for example, the registration terminal device 10 receives an input of the number of agent IDs to be newly issued (for example, 3000) via the input device 14.

  First, the ID issuing unit 111 generates issue ID management information 121 (step S11). The control unit 110 of the registered terminal device 10 generates agent IDs for the number of newly issued issues and records them in the issued ID management information 121 as agent IDs 121a. Using the above example, 3000 agent IDs are generated and stored in the issued ID management information 121 as agent IDs 121a. The ID issuing unit 111 generates a registration authority ID 121 b and a registration authority password 121 c for each agent ID 121 a and stores them in the issue ID management information 121. The ID issuing unit 111 associates information indicating “not issued” as the issued flag 121d with the generated agent ID 121a.

  It should be noted that in an area (not shown) of the storage unit 120 of the registered terminal device 10, information for identifying the contact information of the authenticated terminal device 20 that issues the agent ID and the authentication terminal device 30 that authenticates each authenticated terminal device 20. And contact information are stored. The contact address is, for example, an e-mail address.

  Next, the communication unit 112 transmits the registration station ID and the registration station password to the authenticated terminal device 20 (step S12). The communication unit 112 refers to the above-described area and sets the agent ID 121a scheduled to be issued to the authenticated terminal device 20 to the contact information of each authenticated terminal device 20 issuing the agent ID (issued ID management information). 121) transmit the associated registration authority ID 121b and registration authority password 121c. In the above example, the registration authority ID 121b and the registration authority password 121c are transmitted to each of the 3000 authenticated terminal devices 20.

  Next, the communication unit 112 transmits an agent ID to the authentication terminal device 30 (step S13). The communication unit 112 refers to the storage unit 120 and identifies the authentication terminal device 30 that authenticates the authenticated terminal device 20 that has transmitted the registration station ID 121b and the registration station password 121c in step S12. The communication unit 112 transmits the agent ID 121a generated in step S11 to the identified authentication terminal device 30.

  Next, the authentication information generation unit 312 of the authentication terminal device 30 generates authentication information 321 (step S14). The authentication information generation unit 312 generates authentication information 321 having the agent ID transmitted in step S13 as a record of the agent ID 321a. If the number of agent IDs transmitted from the registered terminal device 10 in step S13 is 3000, the authentication information generation unit 312 generates 3000 records in the authentication information 321 and stores the received agent ID as the agent ID 321a. Thereafter, the authentication information generation unit 312 ends the processing of this sequence.

  FIG. 6 is a sequence diagram illustrating an example of an agent ID issuance process according to the first embodiment. This process is started, for example, in response to the process of step S21 in which the authenticated terminal device 20 receives an input of a registration authority ID and a registration authority password. It is assumed that the agent ID issuance preparation process shown in FIG. 5 has already been performed before the start of this process.

  First, the ID issuance request unit 211 of the authenticated terminal device 20 receives an input of a registration authority ID and a registration authority password (step S21). In step S <b> 13 shown in FIG. 5, the registration station ID 121 b and the registration station password 121 c are transmitted from the registration terminal device 10 to the authenticated terminal device 20. The ID issue request unit 211 of the authenticated terminal device 20 accepts input of the registration authority ID 121b and the registration authority password 121c via the input device of the authenticated terminal device 20.

  Next, the ID issue request unit 211 transmits an agent ID issue request to the registered terminal device 10 (step S22). The ID issuance request unit 211 generates an agent ID issuance request that specifies the registration authority ID 121b and the registration authority password 121c received in step S21, and transmits them to the registration terminal device 10.

  Next, the ID issuing unit 111 of the registered terminal device 10 specifies the agent ID corresponding to the registered station ID and the registered station password, and changes the issued flag (step S23). Specifically, the ID issuing unit 111 refers to the issued ID management information 121 stored in the storage unit 120 using the registration authority ID 121b and the registration authority password 121c specified in the agent ID issue request. The ID issuing unit 111 identifies the record corresponding to the combination of the registration authority ID 121b and the registration authority password 121c, and changes the information indicating “not issued” from the information indicating “not issued” to the issued flag 121d of the record. And change.

  Next, the encryption unit 113 of the registered terminal device 10 encrypts the agent ID with a secret key (step S24). The encryption unit 113 identifies the agent ID 121a in the record of the issue ID management information 121 identified in step S23 and encrypts it with the secret key.

  Next, the ID issuing unit 111 includes the encrypted agent ID in the agent software (step S25). The agent software is a program for acquiring unique information of the authenticated terminal device 20. The ID issuing unit 111 incorporates the encrypted agent ID into the agent software.

  In order to include the encrypted agent ID in the agent software, for example, the agent software installer may be included as a text file, or the agent software installer may include a dynamic link library. It may be bundled as a character string resource using. Further, for example, a character string directly written into the installer may be compiled.

  Next, the communication unit 112 transmits the agent software including the encrypted agent ID in step S25 to the authenticated terminal device 20 (step S26).

  Next, the ID issue request unit 211 of the authenticated terminal device 20 installs the agent software transmitted from the registered terminal device 10 (step S27). The ID issue request unit 211 thereafter ends the processing of this sequence.

  Next, an example of an authentication process performed on the authenticated terminal device 20 in the authentication terminal device 30 will be described.

  FIG. 7 is a sequence diagram (part 1) illustrating an example of the authentication process according to the first embodiment. This process is a process executed when the terminal apparatus 20 to be authenticated makes a first authentication request. The authentication process performed in the second and subsequent authentication requests will be described with reference to FIG. This process is started when an input for starting the agent software is received in the authenticated terminal device 20, for example. It is assumed that the agent ID issuing process shown in FIG. 6 has already been executed before the start of this process.

  First, the control unit 210 of the authenticated terminal device 20 activates agent software (step S31). The activated agent software includes the encrypted agent ID by the processing of the ID issuing unit 111 in step S25 described above. With the activation of the agent software, the authentication request unit 212 and the unique information acquisition unit 213 are constructed.

  Next, the unique information acquisition unit 213 acquires unique information (step S32). The unique information acquisition unit 213 acquires unique information of the authenticated terminal device 20.

  Next, the authentication request unit 212 of the authenticated terminal device 20 transmits an authentication request specifying the unique information and the encryption agent ID to the authentication terminal device 30 (step S33). The authentication request unit 212 generates an authentication request specifying the unique information obtained in step S32 and the encrypted agent ID included in the agent software, and transmits the authentication request to the authentication terminal device 30.

  Next, the decryption unit 313 of the authentication terminal device 30 decrypts the encrypted agent ID with the public key (step S34). The decryption unit 313 identifies the encrypted agent ID included in the authentication request, decrypts the encrypted agent ID using a public key that is held in advance, and obtains the agent ID.

  Next, the authentication unit 311 determines whether the agent ID is in the authentication information 321 (step S35). The authentication unit 311 determines whether or not the agent ID obtained in step S34 is in the authentication information 321. Here, since the agent ID generated in step S11 is recorded in the authentication information 321 as the agent ID 321a in step S14, it is determined that the agent ID is in the authentication information 321.

  In step S34, when the authentication unit 311 does not determine that the received agent ID is in the authentication information 321, the authentication unit 311 ends the processing of this sequence.

  Next, the authentication unit 311 determines whether there is unique information related to the agent ID (step S36). Specifically, the authentication unit 311 determines whether there is unique information 321b associated with the agent ID 321a obtained in step S34 in the authentication information 321. Here, although the agent ID is generated in the registered terminal device 10, since the generation of the authentication information 321 is not completed, the authentication unit 311 determines that there is no unique information related to the agent ID. When it is determined that there is no unique information, the authentication request is handled as the first time. If the authentication request is for the second time or later, the processing after step S46 is executed instead of the processing after step S36, which will be described in detail later.

  Next, the authentication information generation unit 312 associates the unique information 321b with the agent ID 321a of the authentication information 321 (step S37). The authentication information generation unit 312 generates authentication information 321 in which the unique information specified in the authentication request transmitted from the authenticated terminal device 20 in step S33 is associated as the unique information 321b with respect to the agent ID 321a obtained in step S34. To do.

  Next, the authenticating unit 311 transmits information indicating that the authenticated terminal device 20 has been authenticated to the authenticated terminal device 20 (step S38). Thereafter, the authentication information generation unit 312 ends the process of this flowchart.

  Note that the information indicating that the authenticated terminal device 20 has been authenticated, transmitted from the authentication terminal device 30 in step S38, is stored, for example, in an area (not shown) of the storage unit 220 of the authenticated terminal device 20. When the authenticated terminal apparatus 20 uses a function permitted for the authenticated terminal apparatus 20, the area is referred to.

  Further, after the generation of the authentication information 321 performed in step S <b> 37, an authentication request may be made again from the authenticated terminal device 20 to the authentication terminal device 30. In this case, when information indicating that the authentication information has been generated is transmitted from the authentication terminal device 30 to the authenticated terminal device 20 after step S37, the authentication request unit 212 of the authenticated terminal device 20 again transmits the information to the authentication terminal device 30. In response to this, an authentication request is transmitted.

  FIG. 8 is a sequence diagram (part 2) illustrating an example of the authentication process according to the first embodiment. This process is a process executed when the terminal apparatus 20 to be authenticated makes a second and subsequent authentication requests. In other words, the process shown in this figure is executed when the authenticated terminal apparatus 20 further receives an input for starting the agent software after the authentication process shown in FIG. 7 is performed. The processing performed from step S41 to step S45 is the same as the processing performed from step S31 to step S35, and thus the description thereof is omitted.

  Next, the authentication unit 311 of the authentication terminal device 30 determines whether there is unique information related to the agent ID (step S46). The authentication unit 311 refers to the authentication information 321 using the agent ID included in the authentication request transmitted from the authenticated terminal device 20 in step S43 and decrypted in step S44, and the unique information associated with the agent ID 321a It is determined whether or not there is 321b. Here, in the authenticated terminal device 20 that has transmitted the authentication request in step S43, the processing in step S37 in FIG. 7 has already been performed, and the unique information 321b has already been associated with the agent ID 321a in the authentication information 321. Yes. Therefore, the authentication unit 311 determines that there is unique information related to the agent ID.

  Next, the authentication unit 311 determines whether or not the unique information associated with the agent ID matches the unique information specified in the authentication request (step S47). The authentication unit 311 determines whether or not the unique information 321b associated with the agent ID 321a specified in the authentication request in the authentication information 321 matches the unique information specified in the authentication request. Here, description will be made assuming that the authentication unit 311 determines that the unique information related to the agent ID matches the unique information related to the authentication request.

  If the unique information 321b of the authentication information 321 and the unique information specified in the authentication request do not match, the authenticated terminal device 20 that has transmitted the authentication request is registered as the authentication information 321 in the process shown in FIG. Since it is different from the terminal device 20 to be authenticated, the authentication unit 311 does not authenticate the terminal device 20 to be authenticated and ends the processing shown in this sequence.

  Next, the authentication unit 311 transmits information indicating that authentication has been performed to the authenticated terminal device 20 (step S48). Thereafter, the authentication unit 311 ends the process of this sequence diagram.

  After the authentication process is completed, it is determined that the authenticated terminal device 20 has a legitimate authority, and thus it is possible to use a function permitted for the authenticated terminal device 20 having the authority. For example, a function that is guaranteed in a terminal having a legitimate authority, such as a browser that allows the authenticated terminal apparatus 30 to be permitted to the authenticated terminal apparatus 20 can be used in the authenticated terminal apparatus 20. The apparatus 20 can be used.

  Note that the agent software may acquire the operating status of virus vaccine software, firewall software, or P2P (Peer to Peer) software when activated in the authenticated terminal device 20. In this case, information indicating the operation status is included in the authentication request transmitted from the authenticated terminal device 20 to the authentication terminal device 30. Before the authentication terminal device 30 determines whether or not the authentication information 321 of the authenticated terminal device 20 is present, if the operating status is a predetermined status, information indicating a warning is transmitted to the authenticated terminal device 20, Information indicating that the authentication is not performed may be transmitted to stop the authentication process.

  In the above-described embodiment, the unique information of the authenticated terminal device 20 is specified in the authentication request transmitted from the authenticated terminal device 20. However, a hash value generated using the unique information as a key using a hash function set in advance in the authenticated terminal device 20 instead of the unique information may be included in the authentication request. In this case, the authentication information 321 stored in the storage unit 320 of the authentication terminal device 30 is associated with a hash value of unique information with respect to the agent ID 321a. When the authentication terminal device 30 receives an authentication request after the second time, the authentication of the authenticated terminal device 20 is performed by comparing the hash value included in the authentication request with the hash value in the authentication information 321. It may be.

  In the present embodiment, authentication of the authenticated terminal device 20 and management of the unique information are performed by an authentication terminal device 30 that is a subject different from the registered terminal device 10 that guarantees the validity of the authenticated terminal device 20. Since the registration terminal device 10 that guarantees the validity transmits the agent ID to the authentication terminal device 30 and the authenticated terminal device 20, the registration terminal device 10 does not need to manage the unique information. Also, registration of the unique information to the authentication terminal device 30 can be easily performed by using agent software, and a high skill is not required for the administrator. Thereby, it can authenticate efficiently.

  In addition, by making the registered terminal device 10 function as an external server in cloud computing and installing the authentication terminal device 30 in the same internal group as the authenticated terminal device 20, unique information that is highly confidential information is externally provided. There is no need to transmit, which is also useful in terms of security.

  (Second Embodiment)

  Next, a second embodiment will be described. In the first embodiment, the authentication terminal device 30 manages the unique information of the authenticated terminal device 20 as the authentication information 321. However, in the second embodiment, the authentication terminal device 30 does not manage the unique information of the denial-of-reply terminal device. . Hereinafter, differences from the above-described embodiment will be described, and description of overlapping points will be omitted.

  FIG. 9 is a diagram illustrating an example of the authentication information 321 according to the second embodiment. The authentication information 321 has an agent ID. Note that, unlike the first embodiment, the authentication information 321 does not include unique information of the authenticated terminal device 20. The authentication information generation unit 312 of the authentication terminal device 30 generates the authentication information 321 using the agent ID transmitted from the registration terminal device 10 in the agent ID issuance preparation process described above.

  FIG. 10 is a sequence diagram illustrating an example of an agent ID issuance process according to the second embodiment. Note that the agent ID issuance preparation process described with reference to FIG. 5 is performed prior to this process, similar to the first embodiment.

  The ID issuance request unit 211 of the authenticated terminal device 20 receives an input of a registration authority ID and a registration authority password (step S51). Since the processing performed from step S51 to step S53 is the same as the processing performed from step S21 to step S23, description thereof is omitted.

  Next, the communication unit 112 of the registered terminal device 10 transmits agent software to the authenticated terminal device 20 (step S54). The agent software has a function of acquiring unique information of the authenticated terminal device 20, but differs from the first embodiment in that the encryption agent ID is not included.

  Next, the control unit 210 of the authenticated terminal device 20 installs agent software transmitted from the registered terminal device 10 (step S55). This process is the same as the process performed in step S27 shown in FIG. When the agent software is activated, an authentication request unit 212 and a unique information acquisition unit 213 are constructed.

  Next, the unique information acquisition unit 213 acquires unique information (step S56). This process is the same as the process performed in step S32 shown in FIG.

  Next, the unique information acquisition unit 213 transmits the unique information acquired in step S55 to the registered terminal device 10 (step S57). The unique information is encrypted as necessary.

  Next, the encryption unit 113 of the registered terminal device 10 encrypts the unique information and the identified agent ID with a secret key (step S58). The encryption unit 113 encrypts the unique information transmitted from the authenticated terminal device 20 in step S57 and the agent ID 121a included in the record of the issued ID management information 121 specified in step S53, using a secret key. .

  Next, the communication unit 112 transmits the encrypted agent ID encrypted in step S58 and the encrypted unique information to the authenticated terminal device 20 (step S59).

  Next, the ID issue request unit 211 of the authenticated terminal device 20 stores the encryption agent ID and the encryption unique information (step S60). Specifically, the ID issue request unit 211 stores the encrypted agent ID and the encrypted unique information transmitted from the registered terminal device 10 in step S59 in an area (not shown) of the storage unit 220. The ID issuance request unit 211 thereafter ends the process of this sequence diagram.

  FIG. 11 is a sequence diagram illustrating an example of an authentication process according to the second embodiment. Before this process is started, the agent ID issuing process shown in FIG. 10 has already been executed. This process is started when an input for starting the agent software is received in the authenticated terminal device 20, for example.

  The control unit 210 of the authenticated terminal device 20 starts the agent software (step S61). Since the processing performed from step S61 to step S62 is the same as the processing performed from step S31 to step S32, description thereof is omitted.

  Next, the authentication request unit 212 transmits an authentication request specifying the acquired unique information, the encrypted agent ID, and the encrypted unique information to the authentication terminal device 30 (step S63). Specifically, the authentication request unit 212 generates an authentication request that specifies the unique information acquired in step S62 and the encrypted agent ID and encrypted unique information stored in the storage unit 220 in step S60. It transmits to the authentication terminal device 30.

  Next, the decryption unit 313 of the authentication terminal device 30 decrypts the encrypted agent ID and the encrypted unique information with the public key (step S64). The decryption unit 313 has a public key corresponding to the secret key used when encrypting the agent ID in step S58 shown in FIG. The decryption unit 313 decrypts the encryption agent ID and the encryption unique information using the public key.

  Next, the authentication unit 311 determines whether or not the agent ID is in the authentication information 321 (step S65). The authentication unit 311 refers to the authentication information 321 using the encrypted agent ID decrypted in step S64, and determines whether or not the decrypted encrypted agent ID is included in the authentication information 321. Here, description will be given assuming that the authentication unit 311 determines that the agent ID is included in the authentication information 321. If the decrypted encrypted agent ID is not included in the authentication information 321, the authentication unit 311 ends the process of this sequence diagram.

  Next, the authentication unit 311 determines whether or not the acquired unique information matches the decrypted encrypted unique information (step S66). Specifically, the authentication unit 311 determines whether or not the unique information acquired by the unique information acquisition unit 213 in step S62 and identified in the authentication information 321 matches the encrypted unique information decrypted in step S64. Determine. Here, it is assumed that it is determined that the unique information specified in the authentication information 321 matches the encrypted unique information. If the authentication unit 311 does not determine that the acquired unique information matches the decrypted encrypted unique information, the authenticated terminal device 20 from which the agent ID is issued in the agent ID issuing process shown in FIG. Therefore, the processing of this sequence diagram is terminated.

  Next, the authenticating unit 311 transmits information indicating that the authenticated terminal device 20 has been authenticated to the authenticated terminal device 20 (step S67). The process performed in this step is the same as the process performed in step S38 shown in FIG. The authentication unit 311 then ends the process of this sequence diagram.

  In the present embodiment, the registration terminal device 10 and the authentication terminal device 30 do not manage the unique information of the authenticated terminal device 20. The encryption unique information encrypted by the registered terminal device 10 is issued to the authenticated terminal device 20 together with the encryption agent ID. When the terminal apparatus 20 to be authenticated makes an authentication request to the authentication terminal apparatus 30, an authentication request specifying the unique information acquired by the agent software, the encrypted unique information, and the encrypted agent ID is made. Thereby, it is possible to determine whether or not the authenticated terminal device 20 that has issued the agent ID matches the authenticated terminal device 20 that has issued the authentication request. In other words, neither the registration terminal device 10 nor the authentication terminal device 30 manages the unique information of the authenticated terminal device 20, and the registration terminal device 10 that guarantees the legitimacy of the terminal, and the authentication terminal device that performs authentication 30 can be used for efficient authentication processing.

  As mentioned above, although each embodiment and modification which concern on this invention have been demonstrated, this invention is not limited to an example of above-described embodiment, Various modifications are included. For example, the above-described exemplary embodiment has been described in detail for easy understanding of the present invention, and the present invention is not limited to the one having all the configurations described here. A part of the configuration of an example of an embodiment can be replaced with the configuration of another example. Moreover, it is also possible to add the structure of another example to the structure of an example of a certain embodiment. In addition, for a part of the configuration of an example of each embodiment, another configuration can be added, deleted, or replaced. Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. In addition, the control lines and information lines in the figure indicate what is considered necessary for the description, and do not necessarily indicate all of them. It can be considered that almost all configurations are connected to each other.

1: authentication system, 10: registration terminal device, 11: arithmetic device, 12: memory, 13: external storage device, 14: input device, 15: output device, 16: communication device, 17: storage medium drive device, 18: Media: 20: terminal device to be authenticated, 30: authentication terminal device, 40: network, 110: control unit, 111: ID issuing unit, 112: communication unit, 113: encryption unit, 120: storage unit, 121: issue ID Management information 210: Control unit 211: ID issue request unit 212: Authentication request unit 213: Unique information acquisition unit 220: Storage unit 221: Data acquisition information 310: Control unit 311: Authentication unit 312 : Authentication information generation unit, 313: decryption unit, 320: storage unit, 321: authentication information

Claims (19)

An authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network,
The registration terminal device
A communication unit that transmits an authentication ID acquired in advance to the authentication terminal device and the authenticated terminal device;
The authenticated terminal device is:
An authentication request unit that performs an authentication request specifying the authentication ID and unique information of the authenticated terminal device to the authentication terminal device;
The authentication terminal device
An authentication terminal-side storage unit that stores authentication information in which the unique information acquired in advance and the authentication ID transmitted from the communication unit of the registered terminal device are associated;
When the authentication request is received from the authenticated terminal device, based on whether the authentication information includes a combination of the authentication ID specified in the authentication request and the unique information specified in the authentication request. An authenticating unit for authenticating the authenticated terminal device;
An authentication system comprising:
The authentication system according to claim 1,
The communication unit of the registered terminal device transmits an encrypted authentication ID that is the encrypted authentication ID to the authenticated terminal device,
The authentication request unit of the authenticated terminal device performs the authentication request specifying the encrypted authentication ID,
When the authentication information includes a combination of the authentication ID obtained by decrypting the encrypted authentication ID specified in the authentication request and the unique information, the authenticated terminal includes: An authentication system characterized by authenticating a device.
The authentication system according to claim 1 or 2,
The authentication terminal device
When the authentication ID transmitted by the communication unit of the registered terminal device corresponds to the authentication ID included in the authentication request, and the unique information is not associated with the authentication ID in the authentication information, An authentication system comprising: an authentication information generation unit that generates the authentication information by associating the authentication ID with the unique information included in the authentication request.
The authentication system according to any one of claims 1 to 3,
The registration terminal device
For each authentication ID, a registration terminal-side storage unit that stores issuance ID management information that associates the ID of the registration terminal device with a password,
The authenticated terminal device is:
An ID issuance request unit that performs an authentication ID issuance request that specifies the ID and password of the registration terminal device to the registration terminal device;
When the communication unit of the registered terminal device accepts the authentication ID issue request, the communication unit is associated in the issued ID management information with the combination of the ID of the registered terminal device and the password specified in the authentication ID issue request. And transmitting the authentication ID to the authenticated terminal device.
The authentication system according to claim 4,
The authenticated terminal device includes a unique information acquisition unit that acquires the unique information using data acquisition information transmitted from the registered terminal device,
The communication unit of the registered terminal device receives the data acquisition information when the issued ID management information includes a combination of the ID of the registered terminal device specified by the authentication ID issue request and the password. An authentication system that transmits to an authentication terminal device.
An authentication system according to any one of claims 1 to 5,
The registered terminal device includes an encryption unit that encrypts the authentication ID with a secret key,
The authentication terminal device includes a decryption unit that decrypts the authentication ID encrypted with a public key corresponding to the secret key.
The authentication system according to any one of claims 1 to 6,
The authentication request unit of the authenticated terminal device performs the authentication request specifying the hashed unique information,
The authentication system of the authentication terminal device authenticates the authenticated terminal device using the hashed unique information.
An authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network,
The registration terminal device
A communication unit that transmits an authentication ID acquired in advance to the authentication terminal device, and transmits the first unique information that is unique information received from the authenticated terminal device and the authentication ID to the authenticated terminal device;
The authenticated terminal device is:
An authentication request specifying the second unique information, which is unique information of the authenticated terminal device, and the first unique information and the authentication ID transmitted by the communication unit, is made to the authentication terminal device. With an authentication request
The authentication terminal device
An authentication terminal-side storage unit that stores the authentication ID transmitted from the communication unit of the registered terminal device as authentication information;
When the authentication request is received from the authenticated terminal device, the authentication ID specified in the authentication request is present in the authentication information, and the first specific information specified in the authentication request is the second specific information. An authentication unit that authenticates the authenticated terminal device when corresponding to the information;
An authentication system comprising:
The authentication system according to claim 8,
The authentication terminal device includes a decryption unit that decrypts the encrypted first unique information and the encrypted authentication ID,
The communication unit of the registered terminal device transmits the encrypted first unique information and the encrypted authentication ID to the authenticated terminal device,
The authentication request unit of the authenticated terminal device performs the authentication request specifying the encrypted first unique information and the encrypted authentication ID,
The authentication unit of the authentication terminal device includes the authentication ID decrypted by the decryption unit in the authentication information, and the first unique information decrypted by the decryption unit is the second unique An authentication system for authenticating the authenticated terminal device when corresponding to information.
The authentication system according to claim 8 or 9, wherein
The registration terminal device
For each authentication ID, a registration terminal-side storage unit that stores issuance ID management information that associates the ID of the registration terminal device with a password,
The authenticated terminal device is:
An ID issuance request unit that performs an authentication ID issuance request that specifies the ID and password of the registration terminal device to the registration terminal device;
When the communication unit of the registered terminal device accepts the authentication ID issue request, the communication unit is associated in the issued ID management information with the combination of the ID of the registered terminal device and the password specified in the authentication ID issue request. And transmitting the authentication ID and the first unique information received from the terminal device to be authenticated to the terminal device to be authenticated.
The authentication system according to claim 10,
The authenticated terminal device includes a unique information acquisition unit that acquires the second unique information using data acquisition information transmitted from the registered terminal device,
The communication unit of the registered terminal device receives the data acquisition information when the issued ID management information includes a combination of the ID of the registered terminal device specified by the authentication ID issue request and the password. An authentication system characterized by receiving the second specific information transmitted to the authentication terminal device and acquired by the specific information acquisition unit.
The authentication system according to any one of claims 8 to 11,
The registered terminal device includes an encryption unit that encrypts the authentication ID and the first unique information with a secret key,
The authentication unit of the authentication terminal device authenticates the authenticated terminal device using the encrypted authentication ID and the first unique information decrypted using the public key corresponding to the secret key. An authentication system characterized by:
An authentication terminal storage unit that stores authentication information in which the first unique information of the authenticated terminal device acquired in advance and the authentication ID acquired from the registration terminal device connected via the network are stored;
When an authentication request specifying the second unique information of the authenticated terminal device and the authentication ID connected via the network is received from the authenticated terminal device, the received second unique information and the authentication ID Authenticating the terminal device to be authenticated based on whether the authentication information includes a combination of:
An authentication terminal device comprising:
A registration terminal-side storage unit that stores issued ID management information in which an ID of the registration terminal device and a password are associated with the authentication ID acquired in advance;
A communication unit that accepts an authentication ID issue request specifying the ID and password of the registered terminal device from an authenticated terminal device connected via a network;
When the communication unit accepts the authentication ID issuance request, an encryption unit encrypts the authentication ID associated with the combination of the ID of the registered terminal device and the password specified in the authentication ID issuance request. Prepared,
The communication unit transmits an encrypted authentication ID encrypted by the encryption unit and data acquisition information used by the authenticated terminal device to acquire unique information to the authenticated terminal device. A registration terminal apparatus, wherein the authentication ID is transmitted to an authentication terminal apparatus connected via the network.
A registration terminal-side storage unit that stores issued ID management information in which an ID of the registration terminal device and a password are associated with the authentication ID acquired in advance;
An authentication ID issue request specifying the ID and password of the registered terminal device is received from an authenticated terminal device connected via a network, and the ID and password of the registered terminal device specified in the authentication ID issue request A communication unit that transmits to the authenticated terminal device data acquisition information that is used by the authenticated terminal device to acquire unique information,
The combination of the ID of the registered terminal device and the password specified in the authentication ID issue request, the authentication ID related in the issue ID management information, and the authenticated terminal device acquired using the data acquisition information An encryption unit for encrypting the unique information, and
The communication unit transmits the encrypted authentication ID and the encrypted unique information encrypted by the encryption unit to the authenticated terminal device, and to the authentication terminal device connected via the network A registration terminal device that transmits the authentication ID.
An authentication method used in an authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network,
The registration terminal device has a communication procedure for transmitting an authentication ID acquired in advance to the authentication terminal device and the authenticated terminal device,
The authentication terminal apparatus stores an authentication information in which a storage unit stores authentication information in which the authentication ID transmitted from the registration terminal apparatus in the communication procedure is associated with the acquired unique information of the authenticated terminal apparatus. Have
The authenticated terminal device has an authentication request procedure for making an authentication request specifying the authentication ID and unique information of the authenticated terminal device to the authenticated terminal device,
When the authentication terminal apparatus receives the authentication request from the authenticated terminal apparatus, the authentication information includes a combination of the authentication ID specified in the authentication request and the unique information specified in the authentication request. An authentication method comprising: an authentication procedure for authenticating the terminal device to be authenticated based on whether or not
An authentication method used in an authentication system having a registration terminal device, an authentication terminal device, and an authenticated terminal device connected via a network,
The registration terminal device transmits an authentication ID acquired in advance to the authentication terminal device, and transmits first unique information, which is unique information received from the authenticated terminal device, and the authentication ID to the authenticated terminal device. Has a communication procedure
The authentication terminal device has an authentication information storage procedure for storing the authentication ID transmitted in the communication procedure of the registration terminal device in a storage unit as authentication information,
The authenticated terminal device sends an authentication request specifying the second unique information, which is the unique information of the authenticated terminal device, and the first unique information and the authentication ID transmitted by the communication unit. Having an authentication request procedure for the authentication terminal device;
When the authentication terminal apparatus receives the authentication request from the authenticated terminal apparatus, the authentication ID specified in the authentication request is present in the authentication information, and the first unique information specified in the authentication request An authentication method comprising: an authentication procedure for authenticating the terminal device to be authenticated when the device corresponds to the second specific information.
A program for causing a computer to function as a registered terminal device,
A communication procedure for receiving an authentication ID issue request specifying the ID and password of the registered terminal device from an authenticated terminal device connected via a network;
When the authentication ID issuance request is accepted in the communication procedure, with reference to the issuance ID management information in which the ID of the registered terminal device and the password are associated with the previously obtained authentication ID, the authentication ID issuance request An encryption procedure for encrypting the authentication ID associated with the combination of the ID of the registered terminal device and the password, and
In the communication procedure, an encrypted authentication ID encrypted in the encryption procedure and data acquisition information used by the authenticated terminal device to acquire unique information are transmitted to the authenticated terminal device. A program for transmitting the authentication ID to an authentication terminal device connected via the network.
A program for causing a computer to function as a registered terminal device,
When an authentication ID issuance request specifying the ID and password of the registered terminal device is received from the authenticated terminal device connected via the network, the ID and password of the registered terminal device are acquired with respect to the previously acquired authentication ID. And the issuance ID management information, and the issued ID management information includes a combination of the ID of the registered terminal device and the password specified in the authentication ID issuance request. A communication procedure for transmitting data acquisition information used for acquiring unique information to the authenticated terminal device;
The combination of the ID and password of the registered terminal device specified in the authentication ID issue request, the authentication ID related in the issue ID management information, and the authenticated terminal device acquired using the data acquisition information An encryption procedure for encrypting the unique information;
In the communication procedure, the encrypted authentication ID and the encrypted unique information encrypted in the encryption procedure are transmitted to the authenticated terminal device, and the authenticated terminal device connected via the network A program for transmitting the authentication ID.

Images