JP2016218521A - Authentication system, electronic device, authentication method and authentication program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To secure security upon a remote operation of electronic devices.SOLUTION: A connection permit reception unit 111 is configured to receive an instruction permitting a connection from an information processing device, and a registration unit 116 is configured to, when log-in information is received from the information processing device in a state having the connection permitted, register authentication information corresponding to the information processing device in a permission list permitting the log-in. A connection prohibit reception unit 112 is configured to receive an instruction prohibiting the connection from the information processing device not registered in the permission list, and an authentication processing unit 118 is configured to, when the log-in information is received from the information processing device in a state having the connection prohibited, implement authentication processing, using the received log-in information and the registration information registered in the permission list. A log-in reply unit 119 is configured to reply permission of the log-in with respect to the information processing device when authentication is succeeded by the authentication processing, and when the authentication is failed, reply prohibition of the log-in with respect to the information processing device.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an authentication system, an electronic device, an authentication method, and an authentication program.

  2. Description of the Related Art Conventionally, a technique for connecting an electronic device such as an image forming apparatus to a network and using it remotely from an information processing apparatus such as a PC (Personal Computer) is known for the purpose of improving convenience. For example, in such a technique, a Web server is incorporated in an electronic device, and a remote operation of the electronic device is realized by performing a login operation on the information processing apparatus using a Web screen generated by the electronic device. Yes.

  However, the conventional technique has a problem that it is difficult to ensure security. Specifically, in the prior art, information on a user who can log in is preset in an electronic device, and anyone can log in in the initial state, so there is a possibility that a third party may log in illegally. is there.

  The present invention has been made in view of the above, and an object of the present invention is to ensure security when remotely operating an electronic device without causing troublesome operations.

  In order to solve the above-described problems and achieve the object, an authentication system according to the present invention includes a connection permission receiving unit that receives an instruction to permit connection from an information processing apparatus that operates an electronic device, and the connection is permitted. When login information is received from the information processing apparatus in a state, a registration unit that registers authentication information corresponding to the information processing apparatus in permission information that permits login, and an information processing apparatus that is not registered in the permission information A connection prohibition accepting unit that accepts an instruction to prohibit connection from the server, and when login information is accepted from the information processing apparatus in a state in which the connection is prohibited, the login information received and the permission information are registered. An authentication process control unit that controls execution of an authentication process using the authentication information and the information processing apparatus when the authentication process is successful by the authentication process. And performs response to allow login, and a login response unit that performs response denying login to the information processing apparatus when the authentication fails.

  According to one aspect of the present invention, there is an effect that it is possible to ensure security when remotely operating an electronic device without causing troublesome operations.

FIG. 1 is a diagram illustrating a system configuration example of an authentication system according to the first embodiment. FIG. 2 is a block diagram illustrating a hardware configuration example of the information processing apparatus according to the first embodiment. FIG. 3 is a block diagram illustrating a hardware configuration example of the electronic device according to the first embodiment. FIG. 4 is a block diagram illustrating a functional configuration example of the electronic device and the information processing apparatus according to the first embodiment. FIG. 5 is a diagram illustrating a configuration example of the operation display unit according to the first embodiment. FIG. 6 is a diagram illustrating an example of a permission list according to the first embodiment. FIG. 7 is a diagram illustrating an example of a login screen according to the first embodiment. FIG. 8 shows a flow of authentication processing when logging in to an electronic device from an information processing device not registered in the permission list in a state where connection of a remote device not registered in the permission list according to the first embodiment is prohibited It is a sequence diagram which shows the example of. FIG. 9 is a sequence diagram illustrating an example of the flow of authentication processing when logging in to the electronic apparatus from the information processing apparatus in a state where the connection of the remote apparatus according to the first embodiment is permitted. FIG. 10 shows a flow of authentication processing when logging in to an electronic device from an information processing device registered in the permission list in a state where connection of a remote device not registered in the permission list according to the first embodiment is prohibited It is a sequence diagram which shows the example of. FIG. 11 is a block diagram illustrating a functional configuration example of the electronic device and the information processing apparatus according to the second embodiment. FIG. 12 is a diagram illustrating an example of a permission list according to the second embodiment. FIG. 13 shows a flow of authentication processing when logging in to an electronic device from an information processing device not registered in the permission list in a state where connection of a remote device not registered in the permission list according to the second embodiment is prohibited It is a sequence diagram which shows the example of. FIG. 14 is a sequence diagram illustrating an example of the flow of authentication processing when logging in to the electronic device from the information processing device in a state where the connection of the remote device according to the second embodiment is permitted. FIG. 15 shows a flow of authentication processing when logging in to an electronic device from an information processing device registered in the permission list in a state where connection of a remote device not registered in the permission list according to the second embodiment is prohibited It is a sequence diagram which shows the example of. FIG. 16 is a block diagram illustrating a functional configuration example of the electronic device and the information processing apparatus according to the third embodiment. FIG. 17 is a diagram illustrating a configuration example of the operation display unit according to the third embodiment. FIG. 18 is a diagram illustrating a configuration example of the operation display unit according to the third embodiment.

  Embodiments of an authentication system, an electronic device, an authentication method, and an authentication program according to the present invention will be described below with reference to the accompanying drawings. In addition, this invention is not limited by the following embodiment. It should be noted that the embodiments can be appropriately combined as long as the contents are not contradictory.

(Embodiment 1)
[System Configuration According to Embodiment 1]
The system configuration of the authentication system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating a system configuration example of an authentication system according to the first embodiment.

  As shown in FIG. 1, the authentication system 1 includes an electronic device 100 and an information processing apparatus 200. Each device is not limited to the illustrated number, and a plurality of devices may exist. Each device can be connected to a network such as the Internet via a LAN (Local Area Network) or the like. In the present embodiment, it is assumed that electronic device 100 is a target device for remote operation by information processing device 200. Hereinafter, a case where the electronic device 100 is an image forming apparatus such as an MFP (Multi-Function Printer) will be described as an example. The case where the information processing apparatus 200 is a remote apparatus such as a PC (Personal Computer) will be described as an example.

  In the configuration described above, electronic device 100 normally prohibits connection of a remote device and provides a period during which connection of the remote device is permitted by a predetermined operation or the like. The user performs an operation of inputting login information from a login screen displayed on a display device connected to the information processing apparatus 200 in order to remotely operate the electronic device 100 using the information processing apparatus 200. The information processing apparatus 200 is connected to the electronic device 100 via an HTTP (Hypertext Transfer Protocol), and transmits the input login information to the electronic device 100. The electronic device 100 registers authentication information corresponding to the information processing device 200 in the permission list when the login information is received from the information processing device 200 in a state where the connection of the remote device is permitted. The permission list includes information on remote devices that are permitted to log in. Further, for the sake of convenience, the expression “permission list” is used. However, the information on the remote device that permits login is not limited to being stored in a tabular form such as the permission list. In the state where the connection of the remote device is permitted, the information processing device 200 that has transmitted the login information is permitted to log in to the electronic device 100.

  Further, when login information is received from the information processing apparatus 200 in a state where connection of a remote device that is not registered in the permission list is prohibited, the electronic device 100 is registered in the received login information and the permission list. The execution of the authentication process using the authenticated authentication information is controlled. In response to the authentication process, the electronic device 100 makes a response to permit the login to the information processing apparatus 200 when the authentication is successful, and rejects the login to the information processing apparatus 200 when the authentication fails. To do. If login is permitted, the information processing apparatus 200 can remotely operate the electronic device 100.

  In the present embodiment, the state where the connection is permitted is an authentication different from the login information that can be used in the subsequent authentication process, assuming that the authentication process using the login information is performed. The state where information can be registered in the permission list. The state where connection is prohibited refers to a state where connection of a remote device whose authentication information is not registered in the permission list is prohibited. In the present embodiment, “prohibition” is a concept including permission / denial, permission not allowed, not accepted, and the like.

  That is, the authentication system 1 registers the authentication information of the information processing device 200 that has attempted to connect to the electronic device 100 in a state where the connection of the remote device is permitted, in the permission list, and the electronic device 100 in a state where the connection of the remote device is prohibited. The authentication processing of the information processing apparatus 200 that has attempted to connect to is performed using the permission list. As a result, the authentication system 1 can ensure security when the electronic device 100 is remotely operated without causing troublesome operations.

[Hardware Configuration of Information Processing Apparatus According to Embodiment 1]
Next, the hardware configuration of the information processing apparatus 200 according to Embodiment 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating a hardware configuration example of the information processing apparatus 200 according to the first embodiment.

  As shown in FIG. 2, the information processing apparatus 200 includes a CPU (Central Processing Unit) 202, a RAM (Random Access Memory) 203, a ROM (Read Only Memory) 204, a communication I / F 205, and a display I / F 206. And an operation I / F 207. The above units are connected by a bus 201.

  The CPU 202 controls the overall operation of the information processing apparatus 200. The CPU 202 controls the overall operation of the information processing apparatus 200 by executing a program stored in the ROM 204 or the like using the RAM 203 or the like as a work area. The ROM 204 stores a program for realizing processing by the information processing apparatus 200. The RAM 203 is a work area when executing a program stored in the ROM 204 or the like. The communication I / F 205 is an interface that controls communication with the electronic device 100 or the like. A display I / F 206 is an interface that is connected to the display device and controls the display device according to control by the CPU 202. An operation I / F 207 is an interface that is connected to an operation device such as a mouse or a keyboard and controls the operation device according to control by the CPU 202.

[Hardware Configuration of Electronic Device According to Embodiment 1]
Next, the hardware configuration of the electronic device 100 according to the first embodiment will be described with reference to FIG. FIG. 3 is a block diagram illustrating a hardware configuration example of the electronic device 100 according to the first embodiment. As described above, in the present embodiment, the case where electronic device 100 is an image forming apparatus such as an MFP is taken as an example.

  As shown in FIG. 3, an electronic device 100 as an MFP has a configuration in which a controller 10 and an engine unit 60 are connected via a PCI bus. The controller 10 is a controller that controls the entire electronic device 100 and controls drawing, communication, and various inputs. The engine unit 60 is a printer engine or the like that can be connected to a PCI bus, and is, for example, a monochrome plotter, a 1-drum color plotter, a 4-drum color plotter, a scanner, or a fax unit. The engine unit 60 includes an image processing part such as error diffusion and gamma conversion in addition to a so-called engine part such as a plotter.

  The controller 10 includes a CPU 11, a north bridge (NB) 13, a system memory (MEM-P) 12, a south bridge (SB) 14, a local memory (MEM-C) 17, an ASIC 16, a hard disk drive (HDD) ) 18, and the north bridge 13 and the ASIC 16 are connected via an AGP (Accelerated Graphics Port) bus 15. The MEM-P 12 further includes a ROM 12a and a RAM 12b.

  The CPU 11 performs overall control of the electronic device 100, has a chip set including the north bridge 13, the MEM-P 12, and the south bridge 14, and is connected to other devices via the chip set. The north bridge 13 is a bridge for connecting the CPU 11, the MEM-P 12, the south bridge 14, and the AGP bus 15, and includes a memory controller, a PCI master, and an AGP target that control reading and writing to the MEM-P 12. .

  The MEM-P 12 is a system memory used as a memory for storing programs and data, a memory for developing programs and data, a drawing memory for printers, and the like, and includes a ROM 12a and a RAM 12b. The ROM 12a is a read-only memory used as a memory for storing programs and data. The RAM 12b is a writable and readable memory used as a program and data development memory, a printer drawing memory, and the like. The south bridge 14 is a bridge for connecting the north bridge 13 to a PCI device and peripheral devices. The south bridge 14 is connected to the north bridge 13 via a PCI bus, and a network interface unit and the like are also connected to the PCI bus.

  The ASIC 16 is an IC (Integrated Circuit) for image processing having hardware elements for image processing, and has a role of a bridge for connecting the AGP bus 15, the PCI bus, the HDD 18, and the MEM-C 17. The ASIC 16 includes a PCI target and an AGP master, an arbiter (ARB) that forms the core of the ASIC 16, a memory controller that controls the MEM-C 17, and a plurality of DMACs (Direct Memory) that rotate image data by hardware logic or the like. Access Controller) and a PCI unit that performs data transfer between the engine unit 60 via the PCI bus. An FCU (Facsimile Control Unit) 30, a USB (Universal Serial Bus) 40, and an IEEE 1394 (the Institute of Electrical and Electronics Engineers 1394) interface 50 are connected to the ASIC 16 via a PCI bus. The operation display unit 20 is directly connected to the ASIC 16.

  The MEM-C 17 is a local memory used as a copy image buffer and a code buffer, and an HDD (Hard Disk Drive) 18 is a storage for storing image data, programs, font data, and forms. It is. The AGP bus 15 is a bus interface for a graphic accelerator card that has been proposed to speed up graphic processing. The AGP bus 15 directly accesses the MEM-P 12 with high throughput, thereby speeding up the graphic accelerator card.

[Functional configuration of each device according to Embodiment 1]
Next, the functional configuration of each apparatus according to Embodiment 1 will be described with reference to FIG. FIG. 4 is a block diagram illustrating a functional configuration example of the electronic device 100 and the information processing apparatus 200 according to the first embodiment.

  As shown in FIG. 4, the electronic device 100 includes an operation display control unit 110, a connection permission reception unit 111, a connection prohibition reception unit 112, a communication unit 113, a screen generation unit 114, and a screen transmission control unit 115. A registration unit 116, a storage unit 117, an authentication processing control unit 118, and a login response unit 119. The operation display control unit 110, the connection permission reception unit 111, the connection prohibition reception unit 112, the screen generation unit 114, the screen transmission control unit 115, the registration unit 116, the authentication processing control unit 118, and the login response unit 119 are software (programs). It may be realized or may be realized by a hardware circuit.

  The operation display control unit 110 controls input processing and display processing in the operation display unit 20. As a function of the operation display control unit 110, the connection permission reception unit 111 receives an instruction to permit connection from the information processing apparatus 200 that remotely operates the electronic device 100. Similarly, as one function of the operation display unit 110, the connection prohibition receiving unit 112 prohibits connection from the information processing apparatus 200 that is not registered in the permission list that is a list of remote devices that permit login to the electronic device 100. Accept instructions to do. As one aspect, an instruction to permit or prohibit connection is accepted according to an operation on the operation display unit 20.

  FIG. 5 is a diagram illustrating a configuration example of the operation display unit 20 according to the first embodiment. For example, as shown in FIG. 5, the operation display unit 20 displays a connection permission touch key and a connection prohibition touch key in addition to touch keys for initial settings of a copy, a scanner, a printer, a network, and the like. The The connection permission touch key is pressed when an instruction to permit connection from the information processing apparatus 200 is issued. The connection prohibition touch key is pressed when an instruction to prohibit connection from the information processing apparatus 200 not registered in the permission list is issued. When the connection permission touch key is pressed and the connection permission receiving unit 111 receives an instruction to permit connection, the connection of the remote device is permitted. On the other hand, when the connection prohibition receiving unit 112 receives an instruction to prohibit connection due to the pressing of the connection prohibition touch key, connection of a remote device that is not registered in the permission list is prohibited. As for the connection of the remote device, the connection may be prohibited even if the connection prohibition touch key is not pressed when a certain time has elapsed after the connection permission touch key is pressed.

  The communication unit 113 controls transmission / reception of various information. The screen generation unit 114 generates a login screen for inputting login information when a login request is received from the information processing apparatus 200 via the communication unit 113. The screen transmission control unit 115 transmits the login screen generated by the screen generation unit 114 to the information processing apparatus 200 that has made the login request via the communication unit 113. The screen transmission control unit 115 is an example of a “screen transmission unit”. Thus, the information processing apparatus 200 that has made the login request receives the login screen from the electronic device 100. Then, the information processing apparatus 200 displays a login screen and transmits the login information to the electronic device 100 in response to the input of the login information.

  The registration unit 116 registers authentication information corresponding to the information processing apparatus 200 in the permission list when login information is received from the information processing apparatus 200 in a state where the connection of the remote apparatus is permitted. More specifically, the registration unit 116 receives login information from the information processing apparatus 200 via the communication unit 113 in a state where the connection permission receiving unit 111 receives an instruction to permit connection of a remote device. And the registration part 116 performs the authentication process using the login name and password which are contained in login information. The authentication process using the login name and password is performed by collating with the login name and password stored in advance in the storage unit 117 or an external storage device. If the authentication process fails, login is rejected. Note that the authentication processing may be realized by executing an authentication processing program that performs login name and password verification.

  Subsequently, the registration unit 116 registers the authentication information including the login name included in the login information and the IP address of the information processing apparatus 200 in the permission list for the information processing apparatus 200 that has been successfully authenticated. That is, the information processing apparatus 200 transmits its own IP address to the electronic device 100 together with the login information when transmitting the login information. The permission list is stored by the storage unit 117. FIG. 6 is a diagram illustrating an example of a permission list according to the first embodiment. As shown in FIG. 6, the permission list includes information on the login name and the IP address. For example, the permission list includes a login name “admin” and an IP address “192.168.10.10.”.

  When the login information is received from the information processing apparatus 200 in a state where the connection of the remote device that is not registered in the permission list is prohibited, the authentication processing control unit 118 is registered in the received login information and the permission list. The execution of the authentication process using the authentication information is controlled. More specifically, the authentication processing control unit 118 receives an instruction for prohibiting connection of a remote device that is not registered in the permission list by the connection prohibition receiving unit 112, and receives the information processing device via the communication unit 113. 200 receives login information. Then, the authentication processing control unit 118 determines whether or not the IP address received together with the login information is registered in the permission list, and notifies the login response unit 119 of the determination result. For example, the determination result is authentication success if the IP address is registered in the permission list, and authentication failure if the IP address is not registered in the permission list. In such determination, it may be further determined whether or not the login name is registered in addition to the IP address.

  The login response unit 119 makes a response to permit the login to the information processing device 200 when the authentication is successful by the authentication process, and sends a response to reject the login to the information processing device 200 when the authentication fails. Do. More specifically, when the authentication is successful based on the determination result of the authentication process notified by the authentication process control unit 118, the login response unit 119 notifies the information processing apparatus 200 via the communication unit 113. Response to allow login. On the other hand, the login response unit 119 rejects login to the information processing apparatus 200 via the communication unit 113 when the authentication fails based on the determination result of the authentication process notified by the authentication process control unit 118. To respond.

  As illustrated in FIG. 4, the information processing apparatus 200 includes an operation reception unit 210, a display control unit 211, a login request unit 212, a storage unit 213, a login information transmission control unit 214, and a communication unit 215. And a login response reception control unit 216. The operation reception unit 210, the display control unit 211, the login request unit 212, the login information transmission control unit 214, and the login response reception control unit 216 may be implemented by software (program) or a hardware circuit. good.

  The operation reception unit 210 receives various operations using a mouse, a keyboard, and the like. For example, the operation reception unit 210 receives an operation for a login request to the electronic device 100, an operation for inputting login information on the login screen, an operation for transmitting login information to the electronic device 100, and the like. The display control unit 211 performs control for displaying various screens on the display device. For example, the display control unit 211 displays a login screen responded from the electronic device 100 in response to a login request received by the operation reception unit 210, displays in response to input of login information, and transmits login information. It controls the display of information related to permission or denial of login returned from the electronic device 100. Note that a login screen in response to a login request, information on login permission or rejection in response to transmission of login information, and the like are returned from the electronic device 100 via the communication unit 215.

  The login request unit 212 makes a login request to the electronic device 100. For example, the login request unit 212 makes a login request to the electronic device 100 via the communication unit 215 in response to an operation for a login request received by the operation receiving unit 210. The information processing apparatus 200 accepts a login screen response from the electronic device 100 in response to the login request from the login request unit 212. FIG. 7 is a diagram illustrating an example of a login screen according to the first embodiment. As illustrated in FIG. 7, the login screen includes a UI for inputting a login name and password, a login button for transmitting login information to the electronic device 100, and a cancel button for canceling the login operation. Is displayed. When the login screen is displayed after the login request is made, the user inputs the login name and password and presses the login button. Thereby, login information and an IP address are transmitted to the electronic device 100. The IP address is stored in the storage unit 213.

  The login information transmission control unit 214 performs control for transmitting login information to the electronic device 100. For example, the login information transmission control unit 214 transmits the login information to the electronic device 100 via the communication unit 215 when the login information is received by the operation reception unit 210. The login response reception control unit 216 performs control for receiving information regarding permission or denial of login to the electronic device 100. For example, after the login information is transmitted by the login information transmission control unit 214, the login response reception control unit 216 receives information related to login permission or rejection from the electronic device 100 via the communication unit 215. The login result to the electronic device 100 is displayed and output on the display device in accordance with the control by the display control unit 211.

[Authentication Processing Sequence According to Embodiment 1]
Next, the flow of the authentication process according to the first embodiment will be described with reference to FIG. 8, FIG. 9, and FIG. FIG. 8 illustrates an authentication process when logging in to the electronic device 100 from the information processing apparatus 200 not registered in the permission list in a state where the connection of the remote apparatus not registered in the permission list according to the first embodiment is prohibited. It is a sequence diagram which shows the example of the flow of.

  As shown in FIG. 8, the information processing apparatus 200 makes a login request to the electronic device 100 (step S101). In response to the login request from the information processing apparatus 200, the electronic device 100 generates a login screen for inputting login information (step S102). Then, electronic device 100 transmits the generated login screen to information processing device 200 (step S103). When the information processing apparatus 200 displays the received login screen and accepts input of login information, the information processing apparatus 200 transmits the login information and the IP address to the electronic device 100 (step S104).

  When receiving the login information and the IP address, the electronic device 100 executes an authentication process for determining whether or not the IP address is registered in the permission list (step S105). Here, since the electronic device 100 is in a state in which connection of a remote device that is not registered in the permission list is prohibited, the electronic device 100 does not register the login name or IP address of the information processing device 200 in the permission list, and the information Since the IP address of the processing device 200 is not registered in the permission list, it is determined to reject the login. Thereby, the electronic device 100 transmits information indicating that the login is rejected to the information processing apparatus 200 (step S106). As a result, the information processing apparatus 200 displays and outputs on the display device that the login is rejected.

  FIG. 9 is a sequence diagram illustrating an example of the flow of authentication processing when logging in to the electronic apparatus 100 from the information processing apparatus 200 in a state where the connection of the remote apparatus according to the first embodiment is permitted.

  As shown in FIG. 9, electronic device 100 accepts an instruction to permit connection of a remote device by pressing a connection permission touch key or the like (step S201). The information processing apparatus 200 makes a login request to the electronic device 100 (step S202). In response to the login request from the information processing apparatus 200, the electronic device 100 generates a login screen for inputting login information (step S203). Then, electronic device 100 transmits the generated login screen to information processing device 200 (step S204). When the information processing apparatus 200 displays the received login screen and receives an input of login information, the information processing apparatus 200 transmits the login information and the IP address to the electronic device 100 (step S205).

  When the electronic device 100 receives the login information or the IP address, the electronic device 100 executes an authentication process using the login information and permits the connection of the remote device, and registers the login name and the IP address in the permission list (step S206). Then, electronic device 100 transmits information indicating that login is permitted to information processing device 200 (step S207). As a result, the information processing apparatus 200 displays and outputs on the display device that the login is permitted. In addition, electronic device 100 accepts an instruction to prohibit connection of the remote device by pressing a connection prohibition touch key or the like (step S208). As described above, the prohibition of the connection of the remote device may be performed after a predetermined time from the time when the connection of the remote device is permitted.

  FIG. 10 illustrates an authentication process when logging in to the electronic device 100 from the information processing apparatus 200 registered in the permission list in a state where the connection of the remote apparatus not registered in the permission list according to the first embodiment is prohibited. It is a sequence diagram which shows the example of the flow of this.

  As shown in FIG. 10, the information processing apparatus 200 makes a login request to the electronic device 100 (step S301). In response to the login request from the information processing apparatus 200, the electronic device 100 generates a login screen for inputting login information (step S302). Then, electronic device 100 transmits the generated login screen to information processing device 200 (step S303). When the information processing apparatus 200 displays the received login screen and accepts input of login information, the information processing apparatus 200 transmits the login information and the IP address to the electronic device 100 (step S304).

  When the electronic device 100 receives the login information or the IP address, the electronic device 100 executes an authentication process for determining whether the IP address is registered in the permission list (step S305). Here, electronic device 100 is in a state in which connection of a remote device that is not registered in the permission list is prohibited, but permits the login because the IP address of information processing device 200 is registered in the permission list. To decide. Thereby, electronic device 100 transmits information indicating that login is permitted to information processing device 200 (step S306). As a result, the information processing apparatus 200 displays and outputs on the display device that the login is permitted. Thereafter, remote operation from the information processing apparatus 200 to the electronic device 100 can be realized.

  The authentication system 1 registers the authentication information of the information processing apparatus 200 in the permission list when the login information is accepted in a state in which the connection of the remote apparatus is permitted, and the authentication registered in the permission list in subsequent connections. Login permission / rejection is determined by collating with information. As a result, as an effect of the first embodiment, the authentication system 1 can provide a secure network connection from a remote device without causing troublesome operations.

(Embodiment 2)
In the second embodiment, a detailed description of the description overlapping that of the first embodiment may be omitted. For example, the system configuration of the authentication system according to the second embodiment is the same as the system configuration shown in FIG. 1, and the hardware configuration of the information processing apparatus 200a according to the second embodiment is the same as the hardware configuration shown in FIG. Similarly, the hardware configuration of the electronic device 100a according to the second embodiment is the same as the hardware configuration illustrated in FIG.

  In the first embodiment, the case where the IP address or the like transmitted from the information processing apparatus 200 is registered in the permission list as authentication information has been described. The authentication information registered in the permission list may be information generated on the electronic device 100 side. Therefore, in the second embodiment, a case will be described in which information generated on the electronic device 100 side is registered in the permission list as authentication information.

[Functional configuration of each apparatus according to Embodiment 2]
The functional configuration of each device according to Embodiment 2 will be described with reference to FIG. FIG. 11 is a block diagram illustrating a functional configuration example of the electronic device 100a and the information processing apparatus 200a according to the second embodiment. In the second embodiment, the same reference numerals are given to the same configurations as the functional configurations of the devices according to the first embodiment, and the detailed description thereof may be omitted. Specifically, a registration unit 116a, a storage unit 117a, an authentication processing control unit 118a, a login response unit 119a, an identification information generation unit 120a, a storage unit 213a, a login information transmission control unit 214a, and a login response reception control unit described below. Functions, configurations, and processes other than 216a are the same as those in the first embodiment.

  As illustrated in FIG. 11, the electronic device 100a includes an operation display control unit 110, a connection permission reception unit 111, a connection prohibition reception unit 112, a communication unit 113, a screen generation unit 114, and a screen transmission control unit 115. The registration unit 116a, the storage unit 117a, and the authentication processing control unit 118a include a login response unit 119a and an identification information generation unit 120a. The operation display control unit 110, the connection permission reception unit 111, the connection prohibition reception unit 112, the screen generation unit 114, the screen transmission control unit 115, the registration unit 116a, the authentication processing control unit 118a, the login response unit 119a, and the identification information generation unit 120a It may be realized by software (program) or a hardware circuit.

  The identification information generation unit 120a generates identification information for identifying the information processing device 200 when login information is received from the information processing device 200 in a state where the connection of the remote device is permitted. More specifically, the identification information generation unit 120a succeeds in the authentication process using the login name and password by the registration unit 116a in a state where the connection permission reception unit 111 receives an instruction to permit connection of the remote device. Recognize that. Then, the identification information generation unit 120a generates identification information (for example, HTTP cookie) for identifying the information processing apparatus 200a that has been successfully authenticated. The generated HTTP cookie is notified to the registration unit 116a and the login response unit 119a. Among these, the login response unit 119a transmits an HTTP cookie to the information processing apparatus 200a together with information indicating that login is permitted. The login response unit 119a is an example of an “identification information transmission unit”. The information processing apparatus 200a that has received the HTTP cookie thereafter transmits the HTTP cookie together with the login information when logging in to the electronic device 100a.

  The registration unit 116a registers authentication information including the generated identification information in the permission list. More specifically, the registration unit 116a sends authentication information including the login name included in the login information and the HTTP cookie generated by the identification information generation unit 120a to the information processing apparatus 200a that has been successfully authenticated. Register to the allow list. That is, in this embodiment, the information processing apparatus 200a does not have to transmit its own IP address to the electronic device 100a when transmitting login information. The permission list is stored by the storage unit 117a. FIG. 12 is a diagram illustrating an example of a permission list according to the second embodiment. As shown in FIG. 12, the permission list includes information on the login name and the HTTP cookie. For example, the permission list includes a login name “admin” and an HTTP cookie “remote12345”.

  When the login information is received from the information processing apparatus 200a in a state where the connection of the remote device that is not registered in the permission list is prohibited, the authentication processing control unit 118a is registered in the received login information and the permission list. The execution of the authentication process using the authentication information is controlled. More specifically, the authentication processing control unit 118a receives an instruction for prohibiting connection of a remote device that is not registered in the permission list by the connection prohibition receiving unit 112, and receives the information processing device via the communication unit 113. Login information is accepted from 200a. Then, the authentication processing control unit 118a determines whether or not the HTTP cookie received together with the login information is registered in the permission list, and notifies the login response unit 119a of the determination result. For example, if the HTTP cookie is registered in the permission list, the determination result is an authentication success, and if the HTTP cookie is not registered in the permission list, the determination is an authentication failure. In such a determination, it may be further determined whether or not a login name or an IP address is registered in addition to the HTTP cookie.

  As shown in FIG. 11, the information processing apparatus 200a includes an operation receiving unit 210, a display control unit 211, a login request unit 212, a storage unit 213a, a login information transmission control unit 214a, and a communication unit 215. And a login response reception control unit 216a. The operation reception unit 210, the display control unit 211, the login request unit 212, the login information transmission control unit 214a, and the login response reception control unit 216a may be realized by software (program) or may be realized by a hardware circuit. good.

  The login information transmission control unit 214a performs control for transmitting login information to the electronic device 100a. For example, the login information transmission control unit 214a transmits the login information to the electronic device 100a via the communication unit 215 when the login information is received by the operation reception unit 210. At this time, if the HTTP cookie is stored in the storage unit 213a, the login information transmission control unit 214a transmits the HTTP cookie together with the login information to the electronic device 100a. The login response reception control unit 216a receives information regarding permission or rejection of login from the electronic device 100a via the communication unit 215 after the login information is transmitted by the login information transmission control unit 214a. The login response reception control unit 216a stores the received HTTP cookie in the storage unit 213a when the HTTP cookie is received.

[Authentication Processing Sequence According to Second Embodiment]
Next, the flow of the authentication process according to the second embodiment will be described with reference to FIGS. FIG. 13 shows an authentication process when logging in to the electronic device 100a from the information processing apparatus 200a not registered in the permission list in a state where the connection of the remote apparatus not registered in the permission list according to the second embodiment is prohibited. It is a sequence diagram which shows the example of the flow of.

  As shown in FIG. 13, the information processing apparatus 200a makes a login request to the electronic device 100a (step S401). In response to the login request from the information processing apparatus 200a, the electronic device 100a generates a login screen for inputting login information (step S402). Then, the electronic device 100a transmits the generated login screen to the information processing apparatus 200a (Step S403). When the information processing apparatus 200a displays the received login screen and accepts input of login information, the information processing apparatus 200a transmits the login information to the electronic device 100a (step S404). Here, since the HTTP cookie is not provided from the electronic device 100a, the HTTP cookie is not transmitted.

  When receiving the login information, the electronic device 100a executes an authentication process (step S405). Here, in the authentication process, since connection of a remote device that is not registered in the permission list is prohibited, generation of an HTTP cookie for the information processing device 200a and registration in the permission list are not performed. In the authentication process, since the HTTP cookie is not transmitted from the information processing apparatus 200a, it is determined to refuse the login. Thereby, the electronic device 100a transmits information indicating that login is rejected to the information processing apparatus 200a (step S406). As a result, the information processing apparatus 200a displays on the display device that the login has been rejected.

  FIG. 14 is a sequence diagram illustrating an example of the flow of authentication processing when logging in to the electronic device 100a from the information processing device 200a in a state where the connection of the remote device according to the second embodiment is permitted.

  As shown in FIG. 14, the electronic device 100a accepts an instruction to permit connection of the remote device by pressing a connection permission touch key or the like (step S501). The information processing apparatus 200a makes a login request to the electronic device 100a (step S502). In response to the login request from the information processing apparatus 200a, the electronic device 100a generates a login screen for inputting login information (step S503). Then, the electronic device 100a transmits the generated login screen to the information processing apparatus 200a (Step S504). When the information processing apparatus 200a displays the received login screen and accepts input of login information, the information processing apparatus 200a transmits the login information to the electronic device 100a (step S505).

  When the electronic device 100a receives the login information, the electronic device 100a executes an authentication process using the login information and permits connection of the remote device. Therefore, the electronic device 100a generates an HTTP cookie for the information processing device 200a, generates a login name, The registered HTTP cookie is registered in the permission list (step S506). Then, the electronic device 100a transmits information indicating that login is permitted and the generated HTTP cookie to the information processing apparatus 200a (step S507). As a result, in the information processing apparatus 200a, the fact that login is permitted is displayed on the display device, and the received HTTP cookie is stored in the storage unit 213a. Also, the electronic device 100a accepts an instruction to prohibit connection of the remote device by pressing the connection prohibition touch key or the like (step S508).

  FIG. 15 illustrates an authentication process when logging in to the electronic device 100a from the information processing device 200a registered in the permission list in a state where connection of a remote device that is not registered in the permission list according to the second embodiment is prohibited. It is a sequence diagram which shows the example of the flow of this.

  As shown in FIG. 15, the information processing apparatus 200a makes a login request to the electronic device 100a (step S601). In response to the login request from the information processing apparatus 200a, the electronic device 100a generates a login screen for inputting login information (step S602). Then, the electronic device 100a transmits the generated login screen to the information processing apparatus 200a (step S603). When the information processing apparatus 200a displays the received login screen and accepts the input of login information, the information processing apparatus 200a acquires HTTP cookie from the storage unit 213a and transmits the login information and HTTP cookie to the electronic device 100a (step S604). .

  When the electronic device 100a receives the login information or the HTTP cookie, the electronic device 100a executes an authentication process for determining whether or not the HTTP cookie is registered in the permission list (step S605). Here, the electronic device 100a is in a state in which connection of a remote device that is not registered in the permission list is prohibited, but since the HTTP cookie transmitted from the information processing device 200a is registered in the permission list, the electronic device 100a does not log in. Decide to allow. Thereby, the electronic device 100a transmits information indicating that the login is permitted to the information processing apparatus 200a (step S606). As a result, the information processing apparatus 200a displays on the display device that the login is permitted. Thereafter, remote operation from the information processing apparatus 200a to the electronic apparatus 100a can be realized.

  When the first login is successful, the authentication system 1 registers identification information such as HTTP cookie generated by the electronic device 100a in the permission list as authentication information, and transmits it to the information processing apparatus 200a. In connection, login permission / denial is determined by collating with authentication information registered in the permission list. As a result, as an effect of the second embodiment, the authentication system 1 allows the electronic device 100a to perform a troublesome operation even when the IP address is not fixed in a DHCP (Dynamic Host Configuration Protocol) environment or the like. Can be secured when operating remotely.

(Embodiment 3)
In the third embodiment, a detailed description of the description overlapping that in the first embodiment may be omitted. For example, the system configuration of the authentication system according to the third embodiment is the same as the system configuration shown in FIG. 1, and the hardware configuration of the information processing apparatus 200 according to the third embodiment is the same as the hardware configuration shown in FIG. Similarly, the hardware configuration of the electronic device 100b according to Embodiment 3 is the same as the hardware configuration illustrated in FIG.

  In the third embodiment, management of a permission list will be described.

[Functional configuration of each device according to Embodiment 3]
The functional configuration of each device according to Embodiment 3 will be described with reference to FIG. FIG. 16 is a block diagram illustrating a functional configuration example of the electronic device 100b and the information processing apparatus 200 according to the third embodiment. In the third embodiment, the same reference numerals are given to the same configurations as the functional configurations of the devices according to the first embodiment, and the detailed description thereof may be omitted. Specifically, functions, configurations, and processes other than the operation display control unit 110b and the deletion unit 121b described below are the same as those in the first embodiment.

  As illustrated in FIG. 16, the electronic device 100b includes an operation display control unit 110b, a connection permission reception unit 111, a connection prohibition reception unit 112, a communication unit 113, a screen generation unit 114, and a screen transmission control unit 115. A registration unit 116, a storage unit 117, an authentication processing control unit 118, a login response unit 119, and a deletion unit 121b. Operation display control unit 110b, connection permission reception unit 111, connection prohibition reception unit 112, screen generation unit 114, screen transmission control unit 115, registration unit 116, authentication processing control unit 118, login response unit 119, and deletion unit 121b are software It may be realized by a (program) or a hardware circuit.

  The operation display control unit 110b performs control to display authentication information registered in the permission list on the display device. More specifically, the operation display control unit 110b accepts a user operation for displaying an IP address or the like registered in the permission list. Then, the operation display control unit 110b acquires the IP address registered in the permission list and causes the operation display unit 20 to display the acquired IP address. FIG. 17 is a diagram illustrating a configuration example of the operation display unit 20 according to the third embodiment. As shown in FIG. 17, the operation display unit 20 displays a “remote device IP address list” that is a list of IP addresses registered in the permission list.

  When the designation of authentication information to be deleted from the permission list is accepted, the deletion unit 121b deletes the specified authentication information from the permission list. More specifically, the deletion unit 121b selects at least one from the “remote device IP address list” displayed on the operation display unit 20, and performs an operation for deleting the authentication information including the selected IP address. When accepted by the display control unit 110b, the authentication information including the corresponding IP address is deleted from the permission list. FIG. 18 is a diagram illustrating a configuration example of the operation display unit 20 according to the third embodiment. As shown in FIG. 18, the operation display unit 20 displays a delete button for deleting an IP address registered in the allow list. The user selects at least one IP address from the “remote device IP address list” and presses the delete button. Thereby, the deletion unit 121b deletes the authentication information including the selected IP address from the permission list.

  As an effect of the third embodiment, the authentication system 1 displays the authentication information registered in the permission list, so that it can be easily confirmed whether the remote device is correctly registered or an unintended remote device is not registered. be able to. Further, as an effect of the third embodiment, since the authentication system 1 selectively deletes the authentication information registered in the permission list, unauthorized access using unnecessary authentication information can be suppressed.

(Embodiment 4)
Now, although the embodiment of the authentication system 1 according to the present invention has been described so far, it may be implemented in various different forms other than the above-described embodiment. Therefore, different embodiments of (1) configuration and (2) program will be described.

(1) Configuration Information including processing procedures, control procedures, specific names, various data, parameters, and the like shown in the above documents and drawings can be arbitrarily changed unless otherwise specified. Each component of the illustrated apparatus is functionally conceptual and does not necessarily need to be physically configured as illustrated. That is, the specific form of the distribution or integration of the devices is not limited to the illustrated one, and all or a part of the distribution or integration is functionally or physically distributed or arbitrarily in any unit according to various burdens or usage conditions. Can be integrated.

(2) Program The program executed by the electronic device 100 or the information processing apparatus 200 is, as one form, a file in an installable format or an executable format, a CD-ROM, a flexible disk (FD), a CD- The program is recorded on a computer-readable recording medium such as R and DVD (Digital Versatile Disk). Further, the program executed by the electronic device 100 or the information processing apparatus 200 may be provided by being stored on a computer connected to a network such as the Internet and downloaded via the network. Further, the program executed by the electronic device 100 or the information processing apparatus 200 may be provided or distributed via a network such as the Internet. In addition, a program executed by the electronic device 100 or the information processing apparatus 200 may be provided by being incorporated in advance in a ROM or the like.

  The program executed by the electronic device 100 has a module configuration including the above-described units (connection permission reception unit 111, registration unit 116, connection prohibition reception unit 112, authentication processing control unit 118, login response unit 119). As the actual hardware, the CPU reads the program from the storage medium and executes it, so that the above-described units are loaded onto the main storage device, and the connection permission receiving unit 111, the registration unit 116, the connection prohibition receiving unit 112, and authentication processing control. The unit 118 and the login response unit 119 are generated on the main storage device.

  The program executed by the information processing apparatus 200 includes a module configuration including the above-described units (the operation receiving unit 210, the display control unit 211, the login request unit 212, the login information transmission control unit 214, and the login response reception control unit 216). As the actual hardware, the CPU reads the program from the storage medium and executes it, so that the above-described units are loaded on the main storage device, and the operation receiving unit 210, the display control unit 211, and the login request unit 212. The login information transmission control unit 214 and the login response reception control unit 216 are generated on the main storage device.

DESCRIPTION OF SYMBOLS 1 Authentication system 100 Electronic device 110 Operation display control part 111 Connection permission reception part 112 Connection prohibition reception part 113 Communication part 114 Screen generation part 115 Screen transmission control part 116 Registration part 117 Memory | storage part 118 Authentication process control part 119 Login response part 200 Information Processing device 210 Operation accepting unit 211 Display control unit 212 Login request unit 213 Storage unit 214 Login information transmission control unit 215 Communication unit 216 Login response reception control unit

JP 2002-281195 A Japanese Patent No. 4625346 Japanese Patent No. 4965767

Claims (8)

A connection permission receiving unit that receives an instruction to permit connection from an information processing apparatus that operates an electronic device;
A registration unit that registers authentication information corresponding to the information processing device in permission information that permits login when login information is received from the information processing device in a state where the connection is permitted;
A connection prohibition receiving unit that receives an instruction to prohibit connection from an information processing device that is not registered in the permission information;
Authentication that controls execution of authentication processing using the received login information and authentication information registered in the permission information when login information is received from the information processing apparatus in a state where the connection is prohibited A processing control unit;
A login response unit that makes a response that permits login to the information processing apparatus when authentication is successful and makes a response that denies login to the information processing apparatus when authentication fails by the authentication process; An authentication system comprising: The registration unit registers the authentication information including the IP address of the information processing apparatus in the permission information,
In the authentication process, it is determined whether or not the IP address of the information processing apparatus received from the information processing apparatus is registered in the permission information;
The log-in response unit responds to log in to the information processing device when registered in the permission information, and logs in the information processing device when not registered in the permission information. The authentication system according to claim 1, wherein a response to reject is performed. An identification information generation unit that generates identification information for identifying the information processing device when login information is received from the information processing device in a state where the connection is permitted;
An identification information transmitting unit that transmits the generated identification information to the information processing apparatus,
The registration unit registers the authentication information including the generated identification information in the permission information,
In the authentication process, it is determined whether or not the identification information of the information processing device received from the information processing device is registered in the permission information,
The log-in response unit responds to log in to the information processing device when registered in the permission information, and logs in the information processing device when not registered in the permission information. The authentication system according to claim 1, wherein a response to reject is performed. A display control unit that performs control to display the authentication information registered in the permission information on a display device;
4. The apparatus according to claim 1, further comprising: a deletion unit that deletes the specified authentication information from the permission information when specification of the authentication information to be deleted from the permission information is accepted. The authentication system according to one. A screen generation unit for generating a login screen for inputting the login information when a login request is received from the information processing apparatus;
The authentication system according to claim 1, further comprising: a screen transmission unit configured to transmit the generated login screen to the information processing apparatus. Electronic equipment,
A connection permission receiving unit that receives an instruction to permit connection from an information processing apparatus that operates the electronic device;
A registration unit that registers authentication information corresponding to the information processing device in permission information that permits login when login information is received from the information processing device in a state where the connection is permitted;
A connection prohibition receiving unit that receives an instruction to prohibit connection from an information processing device that is not registered in the permission information;
Authentication that controls execution of authentication processing using the received login information and authentication information registered in the permission information when login information is received from the information processing apparatus in a state where the connection is prohibited A processing control unit;
A login response unit that makes a response that permits login to the information processing apparatus when authentication is successful and makes a response that denies login to the information processing apparatus when authentication fails by the authentication process; An electronic device comprising: Receiving an instruction to permit connection from an information processing apparatus that operates an electronic device;
A step of registering authentication information corresponding to the information processing apparatus in permission information permitting login when login information is received from the information processing apparatus in a state where the connection is permitted;
Receiving an instruction to prohibit connection from an information processing apparatus not registered in the permission information;
A step of controlling execution of authentication processing using the received login information and authentication information registered in the permission information when login information is received from the information processing apparatus in a state where the connection is prohibited; When,
Performing a response permitting login to the information processing apparatus when authentication is successful by the authentication process, and performing a response rejecting login to the information processing apparatus when authentication fails. An authentication method characterized by that. Receiving an instruction to permit connection from an information processing apparatus that operates an electronic device;
A step of registering authentication information corresponding to the information processing apparatus in permission information permitting login when login information is received from the information processing apparatus in a state where the connection is permitted;
Receiving an instruction to prohibit connection from an information processing apparatus not registered in the permission information;
A step of controlling execution of authentication processing using the received login information and authentication information registered in the permission information when login information is received from the information processing apparatus in a state where the connection is prohibited; When,
A step of performing a response of permitting login to the information processing apparatus when authentication is successful by the authentication process, and performing a response of rejecting login to the information processing apparatus when authentication fails; An authentication program to be executed.

Images