JP2019179519A - Network system and authentication method therefor - Google Patents

Abstract

To provide a network system capable of achieving high reliability to an existing protocol and a low security risk.SOLUTION: A first communication device includes: first acquisition means for acquiring first information; first transmission means for transmitting the first information to a second communication device; second acquisition means for acquiring second information different from the first information; first creation means for creating third information by executing irreversible arithmetic processing for the first information and the second information; and second transmission means for transmitting the third information to the second communication device. The second communication device includes: first reception means for receiving the first information transmitted by the first transmission means; third acquisition means for acquiring the second information; second creation means for creating fourth information by executing the same irreversible arithmetic processing as for the first creation means; and authentication means for executing authentication processing by determining whether or not the third information meets the fourth information.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a network system and a network system authentication method.

  Patent Document 1 discloses a network application system in which a user identifier ID and a password PW are transmitted from a client, and the server performs user authentication by confirming that the corresponding ID and PW exist. And PW are encrypted with the public key Kp of the public key server and transmitted to the server, and the server retrieves the ID and PW by decrypting it with its own private key Ks. In addition, the server transmits a random number R to the client at the beginning of authentication, and the client encrypts the ID, PW, and received random number R with the public key Kp and transmits the encrypted random number R to the server. A technique for confirming that 'is the same as the previously transmitted random number R is disclosed.

  Also, in Patent Document 2, a user registers in advance a combination of dynamic factor IDs that are elements of a dynamic password such as an exchange rate and weather, and the dynamic factor ID is extracted from the received user ID. Fluctuation information is acquired using a network, and a dynamic password is generated. A technique is disclosed in which a generated dynamic password is compared with a received password, and when the passwords match, the identity is authenticated.

  Further, in Patent Document 3, a first password character string is received from a user, and one or a plurality of character string generation rules having a corresponding reference character position of the first password character string are received. The password string, the string generation rule, and the corresponding reference character position of the first password string are associated with the user's login credentials, and the first password string associated with the user is received for authentication. And the second password string is based on the partial password string and one or more string generation rules, and the corresponding reference character position of the partial password string, all associated with the user. Generated and compared to the second password string and if they match, the user is authenticated. It discloses a technique that.

JP 07-325785 A JP 2003-196238 A JP 2017-111809 A

  By the way, in order to permit a device on the network to be connected only to a specific partner, an authentication mechanism that holds a password and certificate data in each device is used. However, as the number of devices on the network increases, the management cost of shared data for authentication increases and appropriate maintenance becomes difficult. As a result, there are problems that the passwords of many devices are the same, or that the passwords have not been changed even after the introduction, and that operations with a high security risk of unauthorized use due to password leakage are likely to be invited.

  In addition, there is an authentication method using a dynamic password that does not hold a password for each device in order to avoid the complexity of authentication information management. However, even if the password is dynamic, if the password generation algorithm is fixed, there is a problem that it is difficult to cope with a case where vulnerability is found in authentication.

  Further, the method of receiving parameters from the server for each session and using them in the encoding parameters has a problem that it cannot be used by clients for existing protocols such as TELNET and FTP.

  The present invention has been made in view of the above situation, and an object of the present invention is to provide a network system and a network system authentication method that have high reliability with existing protocols and low security risk.

In order to solve the above-described problem, the present invention provides a network system having at least a first communication device and a second communication device, wherein the first communication device acquires first information, and first First transmission means for transmitting information to the second communication device, second acquisition means for acquiring second information different from the first information, and the first information and the second information A first generation unit configured to generate third information by performing an irreversible calculation process; and a second transmission unit configured to transmit the third information to the second communication device. The apparatus includes: a first receiving unit that receives the first information transmitted by the first transmitting unit; a third acquiring unit that acquires the second information; and the first information and the second information. The same irreversible arithmetic processing as that of the first generation means is performed. And a second generation means for generating fourth information, and an authentication means for executing an authentication process by determining whether or not the third information and the fourth information match. Features.
According to such a configuration, it is possible to realize a network system having high reliability with existing protocols and low security risk.

In addition, the present invention is characterized in that the first information is a login ID, and the second information is network information.
According to such a configuration, security risk can be reduced by using network information in addition to the login ID.

In the invention, it is preferable that the first information is a login ID, and the second information includes at least date information.
According to such a configuration, the security risk can be further reduced by using different date and time information for each authentication.

Further, the present invention is characterized in that each means related to the first communication device is realized by a plug-in program, and each means related to the second communication device is also realized by a plug-in program.
According to such a configuration, the information used for authentication can be easily changed by implementing the plug-in program to enhance the credibility with the existing system and changing the plug-in program.

Further, the present invention is characterized in that the irreversible arithmetic processing is processing by a hash function.
According to such a configuration, irreversible arithmetic processing can be easily realized.

Further, the present invention provides a network system authentication method including at least a first communication device and a second communication device, wherein the first communication device acquires a first information, a first acquisition step, A first transmission step for transmitting to the second communication device, a second acquisition step for acquiring second information different from the first information, and an irreversible operation for the first information and the second information By performing processing, the first generation step of generating third information, and the second transmission step of transmitting the third information to the second communication device, the second communication device, For the first receiving step for receiving the first information transmitted by the first transmitting step, the third acquiring step for acquiring the second information, the first information and the second information, Same as the first generation step The second generation step of generating the fourth information by performing the irreversible arithmetic processing, and the authentication step of executing the authentication processing by determining whether or not the third information and the fourth information match And having.
According to such a method, it is possible to realize an authentication method for a network system that has high reliability with existing protocols and low security risk.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to provide the authentication method of a network system and a network system with high reliability with the existing protocol and a low security risk.

It is a figure which shows the structural example of the network system which concerns on 1st Embodiment of this invention. It is a block diagram which shows the structural example of the client shown in FIG. It is a block diagram which shows the structural example of the server shown in FIG. It is a signal flow figure for demonstrating operation | movement of a prior art example. It is a signal flow figure for demonstrating operation | movement of 1st Embodiment of this invention. 3 is a flowchart for explaining an example of processing executed by a client shown in FIG. 2. It is a flowchart for demonstrating an example of the process performed with the server shown in FIG. It is a signal flow figure for demonstrating operation | movement of 2nd Embodiment of this invention.

  Next, an embodiment of the present invention will be described.

(A) Description of Configuration of First Embodiment of the Present Invention FIG. 1 is a diagram illustrating a configuration example of a network system according to the first embodiment of the present invention. In the example illustrated in FIG. 1, the network system 1 includes a client 10, the Internet 20, and a server 30.

  Here, the client 10 is, for example, a computer that is operated by an administrator, accesses the server 30 via the Internet 20, and exchanges information with the server 30. The client 10 functions as a device for managing a large number of servers 30 (for example, existing in the order of several hundreds).

  The Internet 20 is, for example, a global information communication network in which a plurality of computer networks are interconnected.

  The server 30 is a computer having a function of providing a predetermined service in response to a request from the client 10. The server 30 has, for example, a large number (for example, in the order of several hundreds) and functions as a network relay device. The client 10 can access a plurality of servers 30, read information stored in these servers 30, and change setting information of the servers 30.

  FIG. 2 is a diagram illustrating a configuration example of the client 10 illustrated in FIG. In the example of FIG. 2, the client 10 includes a central processing unit (CPU) 11, a read only memory (ROM) 12, a random access memory (RAM) 13, a nonvolatile storage unit 14, a communication unit 15, and an interface (I / F). 16, a bus 17, an input device 18, and an output device 19.

  Here, the CPU 11 controls each unit of the apparatus based on programs stored in the ROM 12 and the nonvolatile storage unit 14.

  The ROM 12 is a non-volatile semiconductor storage device that stores basic programs and data executed by the CPU 11.

  The RAM 13 is a volatile semiconductor memory device that temporarily stores programs being executed by the CPU 11 and data being calculated.

  The nonvolatile storage unit 14 is a storage device that stores a program executed by the CPU 11. The nonvolatile storage unit 14 (or RAM 13) stores a program for executing an authentication process with the server 30.

  The communication unit 15 performs control when communicating with the server 30 via the Internet 20.

  The I / F 16 inputs information output from the input device 18 and outputs information to the output device 19.

  The bus 17 is a connection line group for mutually connecting the CPU 11, the ROM 12, the RAM 13, the nonvolatile storage unit 14, the communication unit 15, and the I / F 16, and enabling exchange of information among them.

  The input device 18 is configured by, for example, a keyboard or a pointing device, and generates and outputs information according to the operation of the administrator.

  The output device 19 is configured by, for example, an LCD (Liquid Crystal Display) or the like, and displays text information and image information.

  FIG. 3 is a diagram illustrating a configuration example of the server 30 illustrated in FIG. 1. As illustrated in FIG. 3, the server 30 includes a CPU 31, a ROM 32, a RAM 33, a nonvolatile storage unit 34, a communication unit 35, an I / F 36, and a bus 37.

  Here, the CPU 31 controls each unit of the apparatus based on programs stored in the ROM 32 and the nonvolatile storage unit 34.

  The ROM 32 is a non-volatile semiconductor storage device that stores basic programs and data executed by the CPU 31.

  The RAM 33 is a volatile semiconductor memory device that temporarily stores programs being executed by the CPU 31 and data being calculated.

  The nonvolatile storage unit 34 is a storage device that stores a program executed by the CPU 31. The communication unit 35 performs control when communication is performed with the client 10 via the Internet 20.

  For example, the I / F 36 is connected to an input device or the like as necessary, and appropriately changes the information expression format when exchanging information with the I / F 36.

  The bus 37 is a connection line group for mutually connecting the CPU 31, the ROM 32, the RAM 33, the nonvolatile storage unit 34, the communication unit 35, and the I / F 36, and enabling exchange of information among them.

(B) Description of Operation of First Embodiment of the Invention Next, operation of the first embodiment of the present invention will be described. In the following, after explaining the operation of the prior art, the operation of the first embodiment of the present invention will be explained.

  FIG. 4 is a diagram for explaining the operation of the prior art. When the client 10 accesses the server 30 and performs authentication processing, the client 10 first makes a connection request (connect) to the server 30 (P1).

  As a result, the server 30 requests the client 10 to input a login ID (Identification) (P2). As a result, in the client 10, the administrator operates the input device 18, inputs a login ID, and transmits it via the communication unit 15. In this example, “guest” is input and transmitted as the login ID (P3).

  Receiving the login ID, the server 30 requests the client 10 for a password (P4). As a result, in the client 10, the administrator operates the input device 18 to input a password and transmits it. In this example, “passwords” is input and transmitted as the password (P5).

  The server 30 that has received the password executes an authentication process for confirming the validity of the accessing administrator. More specifically, the server 30 searches the nonvolatile storage unit 34 for an ID corresponding to the ID received from the client 10. When the corresponding ID is found, the password stored in association with the ID is acquired. Then, the acquired password and the password received from the client 10 are collated, and if they match, it is determined that the administrator's validity has been authenticated, and the access of the client 10 is accepted (accept) (P6). . As a result, for example, information can be exchanged between the client 10 and the server 30.

  By the way, in the conventional authentication method as described above, since the ID and password are transmitted from the client 10 to the server 30, for example, a malicious third party may obtain the information illegally. . In addition, since the administrator of the client 10 needs to store the ID and password for each server 30, the management of these information is complicated. Further, since the server 30 needs to store the ID and password, for example, when hacking or the like by a malicious third party is performed, the ID and password may be obtained illegally.

  Therefore, in the first embodiment of the present invention, the authentication process is executed without transmitting the password and without the server 30 storing the password. Below, operation | movement of 1st Embodiment is demonstrated with reference to FIG.

  Note that the authentication process shown in FIG. 5 is implemented as a plug-in program, for example. Such a plug-in program is distributed from the client 10 to the server 30, for example, and the authentication process shown in FIG. 5 is realized by the client 10 and the server 30 mounting and executing the same plug-in program. Can do. The plug-in program describes the authentication process, which will be described later, and also describes the procedure for generating a password and the information from which the password is generated. By changing the plug-in program, The authentication process and the information from which the password is generated can be changed. Hereinafter, the operation will be described on the premise that the plug-in program is already installed in the client 10 and the server 30.

  In FIG. 5, when a connection request [connect] is made from the client 10 to the server 30 (P1), the server 30 requests the client 10 to input a login ID (P2).

  The client 10 displays a text box or the like for inputting the login ID on the LCD as the output device 19 and receives input from the keyboard as the input device 18. For example, when “guest” is input as the login ID, “guest” is transmitted from the client 10 to the server 30 (P3).

  As the login ID, unique information assigned to the administrator is used, or the administrator has access authority to the server 30 (for example, authority to only download information, authority to change settings). Etc.) or unique information assigned to each terminal of the client 10 may be used. Of course, other information may be used.

  When receiving the login ID, the server 30 requests the client 10 to transmit the password (P4).

  The client 10 calculates the password by calculation. In the first embodiment, based on the contents described in the plug-in program, the client 10 determines the login ID (“guest” in this example) based on the following formula (1), and the client 10 at that time The password is calculated by processing the IP address (hereinafter referred to as “client IP”) and the IP address of the server 30 at that time (hereinafter referred to as “server IP”) by a predetermined hash function. In Expression (1), H () represents a hash function that performs hash processing on the information in parentheses and returns a hash value.

pass = H (login ID, client IP, server IP) (1)

  Through the above processing, the client 10 obtains, for example, “a0b1c2d3e4f5a6b7c8d9” as the password. Such a password is transmitted from the client 10 to the server 30 (P5).

  In the server 30, the password is calculated by calculation in the same manner as the client 10. In the first embodiment, the server 30 is based on the content described in the plug-in program shared with the client 10 and based on the above-described formula (1), the login ID (“guest” in the present example), The password is calculated by processing the client IP of the client 10 at that time and the server IP of the server 30 at that time by a predetermined hash function. As a result, for example, “a0b1c2d3e4f5a6b7c8d9” is obtained as the password.

  The server 30 compares the password obtained by its own calculation with the password received from the client 10, and determines whether or not they match. If they match, it determines that the authentication has succeeded. In this example, the password obtained by the calculation of the client and the password received from the client 10 are both “a0b1c2d3e4f5a6b7c8d9”. (P6).

  When the authentication is successful, the client 10 downloads information stored in the server 30 according to the access authority given to the login ID (for example, the access authority of the administrator having the login ID), The setting of the server 30 can be changed.

  As described above, in the first embodiment of the present invention, since a fixed password is not transmitted from the client 10 to the server 30, it is possible to prevent the password from leaking to a malicious third party.

  In the first embodiment of the present invention, since the server 30 does not store the password, the password can be prevented from leaking to a malicious third party.

  In the first embodiment of the present invention, since the password is calculated from the IP address, the password becomes unfixed by using the IP address that may change depending on the connection timing. Access by impersonation of a third party can be prevented.

  In the first embodiment of the present invention, the same procedure as that of the conventional login method is performed. Therefore, for example, a TELNET (Teletype Network) defined by RFC854 can be used, which reduces the development cost. Can be reduced.

  In the first embodiment of the present invention, since the program for executing the authentication process shown in FIG. 5 is shared and implemented as a plug-in program, by changing the plug-in program, The information from which the password is generated can be easily changed. Thereby, a security risk can be reduced. When there are a large number of servers 30, the authentication process of all the servers 30 can be changed at once by changing the plug-in program.

  Next, an example of processing executed by the client 10 shown in FIG. 1 will be described with reference to FIG. When the processing of the flowchart shown in FIG. 6 is started, the following steps are executed.

  In step S <b> 10, the CPU 11 accesses (connection request) the server 30 via the communication unit 15.

  In step S11, the CPU 11 acquires its own IP address and sets it as the client IP.

  In step S12, the CPU 11 acquires the IP address of the server 30 and sets it as the server IP.

  In step S <b> 13, the CPU 11 waits for a login ID request from the server 30.

  In step S <b> 14, the CPU 11 displays, for example, a text box on the LCD as the output device 19 and receives the login ID from the keyboard as the input device 18.

  In step S <b> 15, the CPU 11 transmits the login ID input in step S <b> 14 to the server 30 via the communication unit 15.

  In step S <b> 16, the CPU 11 applies the hash function shown in the above formula (1) to the login ID, the server IP, and the client IP, and uses the obtained hash value as a password.

  In step S <b> 17, the CPU 11 waits for a password request from the server 30.

  In step S <b> 18, the CPU 11 transmits the password calculated by the hash function to the server 30. As a result, the server 30 performs an authentication process.

  In step S19, the CPU 11 determines whether or not the authentication is successful. If it is determined that the authentication is successful (step S19: Y), the process proceeds to step S20, and otherwise (step S19: N). Ends the process.

  In step S <b> 20, the CPU 11 executes a process for transmitting / receiving information to / from the server 30. For example, information can be exchanged with the server 30 or settings of the server 30 can be changed based on the access authority given to the user ID.

  Next, processing executed by the server 30 shown in FIG. 1 will be described with reference to FIG. When the processing of the flowchart shown in FIG. 7 is started, the following steps are executed.

  In step S30, the CPU 31 determines whether or not there is an access from the client 10. If it is determined that there is an access (step S30: Y), the CPU 31 proceeds to step S31, and otherwise (step S30: N). The process ends.

  In step S31, the CPU 31 acquires the IP address of the client 10 and sets it as the client IP.

  In step S32, the CPU 31 acquires its own IP address and uses it as the server IP.

  In step S33, the CPU 31 requests the client 10 to transmit a login ID. As a result, the process proceeds from step S13 in FIG. 7 to step S14, and the login ID is input and transmitted.

  In step S <b> 34, the CPU 31 receives the login ID transmitted from the client 10.

  In step S35, the CPU 31 applies the hash function shown in the above-described formula (1) to the login ID, the server IP, and the client IP, and uses the obtained hash value as a password.

  In step S36, the CPU 31 requests the client 10 to transmit a password. As a result, the process proceeds from step S17 in FIG. 6 to step S18, and the password is transmitted from the client 10.

  In step S <b> 37, the CPU 31 receives the password transmitted from the client 10.

  In step S38, the CPU 31 determines whether or not the password calculated in step S35 matches the password received from the client 10 in step S37. If it is determined that they match (step S37: Y), the process proceeds to step S39. In other cases (step S37: N), the process ends.

  In step S <b> 39, the CPU 31 executes a process for transmitting / receiving information to / from the client 10. For example, based on the access authority given to the user ID, it is possible to transmit information to the client 10 or to permit a change in setting.

  According to the above processing, the operation described with reference to FIG. 5 can be realized.

(C) Description of Second Embodiment of the Present Invention Next, a second embodiment of the present invention will be described. The configuration of the second embodiment is the same as that of the first embodiment shown in FIGS. 1 to 3, but the authentication process executed in the client 10 and the server 30 is different. In the following, the operation will be described focusing on the different parts.

  FIG. 8 is a diagram for explaining the operation of the second embodiment. The second embodiment differs from the first embodiment in information used to generate a password. More specifically, the second embodiment is characterized in that the system name and date / time information are used in addition to the login ID, client IP, and server IP in the first embodiment. For example, the domain name of the client 10 or the server 30 can be used as the system name. Of course, other information may be used. In addition, as date information, for example, information such as the year, month, date, and time can be used.

  That is, in the second embodiment, the client 10 is based on the content described in the plug-in program, and based on the following equation (2), the login ID, the client IP of the client 10 at that time, and the server 30 By processing the server IP at the time, the system name (for example, the domain name of the client 10 or the server 30), and the date and time information (for example, “2018/3/10 10:40”) by a predetermined hash function, Calculate the password. In Expression (2), H () denotes a hash function that returns the hash value by hashing the information in parentheses, as in Expression (1).

pass = H (login ID, client IP, server IP, system name, date and time information) (2)

  In the second embodiment, since the system name is added as the information that is the source of the password, the robustness of the system can be further enhanced by increasing the number of information.

  In the second embodiment, date information is used. Since the date and time information is always different depending on the access time, the password can be a dynamic password that dynamically changes, so that the security risk can be further reduced.

(C) Description of Modified Embodiment Each of the above embodiments is an example, and it is needless to say that the present invention is not limited to the case described above. For example, in each of the above embodiments, as shown in FIG. 1, one client 10 and one server 30 are illustrated, but a plurality of clients 10 and a plurality of servers 30 are provided. Also good. In particular, there may be a large number (for example, several hundred units) of servers 30.

  In each of the embodiments described above, the server 30 permits the transmission and reception of information for the client 10 that has accessed, if the authentication is successful. For example, the server 30 identifies the client 10 that permits the access. And the black list for specifying the client 10 that is not permitted to access are stored in the nonvolatile storage unit 34, and whether or not the client 10 can be accessed is determined based on the authentication result together with the information. You may make it do.

  Moreover, the information used as the origin which produces | generates a password with a hash function shown in the above each embodiment is an example to the last, Comprising: You may make it produce | generate a password using information other than illustrated.

  In each of the above embodiments, the plug-in program for executing the authentication process has been described on the assumption that it has already been implemented. For example, the plug-in program can be a session between the client 10 and the server 30. It may be changed every time. Alternatively, it may be changed at a predetermined cycle (for example, one week, one month, etc.). Further, the plug-in program may be changed according to an instruction from the administrator.

  Further, when changing the plug-in program, for example, authentication using the conventional login ID and password shown in FIG. 4 is performed, and it is authenticated that the administrator is authorized to change the plug-in program. In addition, the plug-in program may be changed.

  In addition, the information on which the password is generated may be changed according to the access authority. For example, in the case of a low access authority, the types of information from which passwords are generated may be reduced, and in the case of a high access authority, the types of information from which passwords are generated may be increased. . Further, the frequency of changing the plug-in program described above may be changed frequently in the case of high access authority.

  In the first embodiment described above, the login ID and the IP addresses of the client 10 and the server 30 are used as information from which the password is generated. However, network information other than the IP address is used. May be. For example, MAC (Media Access Control) may be used instead of the IP address. Of course, other network information may be used.

  6 and 7 are examples, and the present invention is not limited to these flowcharts.

1 Network system 10 Client 11 CPU
12 ROM
13 RAM
14 Non-volatile storage unit 15 Communication unit 16 I / F
17 Bus 18 Input Device 19 Output Device 20 Internet 30 Server 31 CPU
32 ROM
33 RAM
34 Nonvolatile storage unit 35 Communication unit 36 I / F
37 bus

Claims (6)

In a network system having at least a first communication device and a second communication device,
The first communication device is
First acquisition means for acquiring first information;
First transmission means for transmitting the first information to the second communication device;
Second acquisition means for acquiring second information different from the first information;
First generation means for generating third information by performing irreversible arithmetic processing on the first information and the second information;
Second transmission means for transmitting the third information to the second communication device,
The second communication device is
First receiving means for receiving the first information transmitted by the first transmitting means;
Third acquisition means for acquiring the second information;
A second generation unit that generates fourth information by performing the same irreversible arithmetic processing as the first generation unit on the first information and the second information;
Authentication means for executing authentication processing by determining whether or not the third information and the fourth information match,
A network system characterized by this. The first information is a login ID;
The second information is network information.
The network system according to claim 1. The first information is a login ID;
The second information includes at least date information.
The network system according to claim 1. Each means according to the first communication device is realized by a plug-in program,
Each means related to the second communication device is also realized by a plug-in program.
The network system according to any one of claims 1 to 3, wherein:   The network system according to any one of claims 1 to 4, wherein the irreversible calculation process is a process using a hash function. In an authentication method for a network system having at least a first communication device and a second communication device,
The first communication device is
A first acquisition step of acquiring first information;
A first transmission step of transmitting the first information to the second communication device;
A second acquisition step of acquiring second information different from the first information;
A first generation step of generating third information by performing irreversible arithmetic processing on the first information and the second information;
A second transmission step of transmitting the third information to the second communication device,
The second communication device is
A first receiving step of receiving the first information transmitted by the first transmitting step;
A third acquisition step of acquiring the second information;
A second generation step of generating fourth information by performing the same irreversible arithmetic processing as in the first generation step on the first information and the second information;
An authentication step of executing an authentication process by determining whether or not the third information and the fourth information match.
An authentication method for a network system.

Images