JP5453785B2 - Authentication system, authentication server, authentication method, and program - Google Patents

Description

  The present invention relates to an authentication system, an authentication server, an authentication method, and a program suitable for preventing unauthorized access.

  Online systems that provide services to users using a network, such as Internet banking and online shopping, have become widespread. The user accesses the online system using a personal computer or a mobile phone. In a typical online system, if the input user information (for example, user name, password, account number, and other personal information) matches the previously registered user information, access is permitted and the service can be used. .

  While the above online system has become widespread, a third party with malicious intent has installed a program (so-called “key logger”) that records input from the keyboard on a personal computer, etc., resulting in leakage of recorded user information to the outside In addition, there is a damage caused by a fraud called phishing that prepares a fake website very similar to the real thing to guide users and obtain user information illegally. For this reason, security measures are indispensable for building an online system.

  For example, in Patent Document 1, as a security measure for remote access using a mobile phone, an individual identification number of a mobile phone accessing a login Uniform Resource Identifier (URI), an individual identification number of a mobile phone registered in advance, An authentication system is disclosed that permits login when the two match.

  In addition, a system that makes it difficult for a malicious third party to illegally use a password even if the password is stolen has been constructed by using a one-time password generator whose password changes at regular intervals.

JP 2006-338161 A

  However, the authentication system of Patent Document 1 is premised on an online service for mobile phones, and since mobile phones generally have a small screen size, they are often inferior in operability to personal computers and are inconvenient for users. In addition, in order to employ an authentication system that uses a one-time password generator, there is a problem in that development costs and maintenance costs increase.

  The present invention solves such a problem, and an object thereof is to provide an authentication system, an authentication server, an authentication method, and a program suitable for preventing unauthorized access.

In order to achieve the above object, an authentication system according to a first aspect of the present invention is an authentication system having a first user terminal, a second user terminal, and an authentication server,
The authentication server is
A user ID for identifying a user, browser information indicating a browser type and version used when displaying an authentication page for accepting an input of the user ID from the user on the first user terminal, a password, and the second A storage unit that stores the identification information assigned in advance to the user terminal in association with the information;
The first user terminal is
A display unit for displaying the authentication page;
A first input receiving unit that receives an input of the user ID from the user,
A first transmission unit that transmits the user ID received by the first input reception unit and the type and version of the browser used for displaying the authentication page by the display unit to the authentication server;
With
The second user terminal is
A second input receiving unit for receiving an input of a password from the user;
A second transmission unit for transmitting the password is accepted by the second input receiving unit, the identification information that is pre-assigned to the second user terminal to the authentication server,
With
The authentication server further includes:
A first receiver that receives from the first user terminal the user ID and the type and version of the browser used to display the authentication page by the display ;
From the second user terminal indicated by the identification information associated with the user ID of the first receiving unit has received, the second receiving and password the accepted, and the identification information that is pre-assigned to the second user terminal A receiver,
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed in other cases,
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
It is characterized by providing.

An authentication server according to a second aspect of the present invention is an authentication server connected via a network to a first user terminal and a second user terminal used by a user,
A user ID for identifying the user; browser information indicating a browser type and version used when displaying an authentication page for accepting input of the user ID from the user on the first user terminal; a password; A storage unit that stores identification information for identifying two user terminals in advance in association with identification information that is assigned in advance to the second user terminal ;
A first receiving unit that receives from the first user terminal the user ID input by the user and the type and version of the browser used to display the authentication page by the first user terminal;
A second unit configured to receive a password input from the user and identification information assigned in advance to the second user terminal from the second user terminal indicated by the identification information associated with the user ID received by the first receiving unit; Two receivers;
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed in other cases,
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
It is characterized by providing.

An authentication method according to a third aspect of the present invention includes a storage unit, and is executed by an authentication server connected via a network to a first user terminal and a second user terminal used by a user. Because
The storage unit includes a user ID for identifying the user, browser information indicating a browser type and version used when displaying an authentication page for accepting an input of the user ID from the user on the first user terminal; The password and the identification information for identifying the second user terminal and the identification information assigned in advance to the second user terminal are stored in advance in association with each other.
A first receiving step of receiving, from the first user terminal , a user ID input from the user and a type and version of a browser used for displaying the authentication page by the first user terminal;
A second password is received from the second user terminal indicated by the identification information associated with the user ID received in the first receiving step, and the identification information assigned in advance to the second user terminal is received. Two receiving steps;
Wherein the password that you Tei stored in the storage unit in association with the user ID received in the first reception step, and the password received at the second receiving step matches, and were received in the first receiving step and Tei Ru identification information stored in the storage unit in association with the user ID, and the identification information received by the second receiving step matches, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination step of determining that the user authentication has failed in other cases,
A determination result notifying step of notifying the first user terminal of the determination result of the authentication determining step;
It is characterized by providing.

A program according to a fourth aspect of the present invention is a computer connected to a first user terminal and a second user terminal used by a user via a network.
A user ID for identifying the user; browser information indicating a browser type and version used when displaying an authentication page for accepting input of the user ID from the user on the first user terminal; a password; A storage unit that stores identification information that identifies two user terminals in advance in association with identification information that is assigned in advance to the second user terminal ;
A first receiver that receives from the first user terminal the user ID input by the user and the type and version of the browser used to display the authentication page by the first user terminal;
A second unit configured to receive a password input from the user and identification information assigned in advance to the second user terminal from the second user terminal indicated by the identification information associated with the user ID received by the first receiving unit; 2 receivers,
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed otherwise.
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
It is made to function as.

  According to the present invention, an authentication system, an authentication server, an authentication method, and a program suitable for preventing unauthorized access can be provided.

Example 1
Examples of the present invention will be described. The present embodiment is an example in which the present invention is applied to processing for personal authentication in an Internet banking system.

  FIG. 1 is a diagram illustrating a configuration of an authentication system 1 according to the present embodiment. The authentication system 1 includes a personal computer 100, an authentication server 200, a communication network 300A, a communication network 300B, a portable terminal 400, and an authentication database 500.

  Communication network 300A is typically the Internet. However, a local area network (LAN), a wide area network (WAN), a dedicated line, or the like may be used.

  Communication network 300B is typically a mobile phone line. Communication networks 300A and 300B are connected to each other and can transmit and receive data.

  Communication network 300A and communication network 300B are connected via a gateway that mutually converts protocols.

  First, the hardware configuration of the personal computer 100 will be described. As shown in FIG. 2, the personal computer 100 includes a control unit 101, a storage unit 102, an input reception unit 103, an I / F (Interface) 104, an image processing unit 105, an audio processing unit 106, and a communication unit 107.

  The control unit 101 includes a CPU (Central Processing Unit) and the like, controls the operation of the personal computer 100 as a whole, and is connected to each component to exchange control signals and data. In addition, the control unit 101 uses arithmetic operations such as addition / subtraction / division / multiplication / division, logical operations such as logical sum, logical product, and logical negation, bit, etc., using an ALU (Arithmetic Logic Unit) for a storage area that can be accessed at high speed as a register. Bit operations such as sum, bit product, bit inversion, bit shift, and bit rotation can be performed. For example, the control unit 101 executes a client-side application of the Internet banking system.

  The storage unit 102 includes a ROM (Read Only Memory), a RAM (Random Access Memory), a hard disk device, and the like. In the ROM, programs and various data necessary for operation control of the entire personal computer 100 are recorded. The RAM temporarily stores data and programs. The control unit 101 provides a variable area in the RAM, performs an operation by directly operating the ALU on the value stored in the variable, or temporarily stores the value stored in the RAM in the register and then stores the value in the register. The calculation is performed, and the calculation result is written back to the memory. The hard disk device stores an operating system, software for browsing web pages (hereinafter referred to as “web browser”), arbitrary data created by the user, and the like.

  The input receiving unit 103 includes input devices such as a keyboard and a mouse. The user can input an arbitrary instruction input, data, or the like by operating the input device.

  The I / F 104 includes a drive device that reads and writes data from an information recording medium such as a DVD-ROM (Digital Versatile Disk-Read Only Memory) and a CD-ROM (Compact Disc-Read Only Memory).

  The image processing unit 105 processes the data read from the storage unit 102 or the like by an image arithmetic processor (not shown) included in the control unit 101 or the image processing unit 105, and then includes a frame memory included in the image processing unit 105. (Not shown). The image information recorded in the frame memory is converted into a video signal at a predetermined synchronization timing and output to a monitor connected to the image processing unit 105. Thereby, various image displays are possible.

  The audio processing unit 106 converts the digital audio data read from the storage unit 102 or the like into an analog audio signal, and outputs audio from the connected speaker.

  The communication unit 107 includes a NIC (Network Interface Card) for connecting the personal computer 100 to the communication network 300A. Alternatively, the communication unit 107 conforms to a 10BASE-T / 100BASE-T standard used when configuring a LAN, an analog modem for connecting to the Internet using a telephone line, or an ISDN (Integrated Services Digital Network) modem. , An ADSL (Asymmetric Digital Subscriber Line) modem, a cable modem for connecting to the Internet using a cable television line, and an interface (not shown) that mediates between these and the control unit 101 .

  The user can access the website that provides, for example, an internet banking service by operating the personal computer 100 having the above-described configurations and using a browser. A user who is permitted to connect in an authentication process described later can use an internet banking service such as account transfer and balance confirmation.

  Next, the hardware configuration of the authentication server 200 will be described. As illustrated in FIG. 3, the authentication server 200 includes a control unit 201, a storage unit 202, and a communication unit 203.

  The control unit 201 includes a CPU and the like, and controls each unit of the authentication server 200 according to an operating system, other programs, and the like stored in the storage unit 202. The control unit 201 executes, for example, a server side application of the internet banking system. The control unit 201 receives a request for connection to the Internet banking system from the personal computer 100, and performs an authentication process described later. If it is determined that the connection is permitted as a result of the authentication, the personal computer 100 that has requested connection is permitted to connect to the Internet banking system, and the Internet banking service is provided to the user of the personal computer 100.

  The storage unit 202 includes a storage device such as a RAM, a ROM, and a hard disk device. For example, the storage unit 202 stores an operating system and program for controlling the entire authentication server 200, a user information table 510 read from the authentication database 500, and the like.

  The communication unit 203 includes a communication device such as a NIC, a router, or a modem. The communication unit 203 communicates with the personal computer 100 and the portable terminal 400 under the control of the control unit 201.

  In addition, an authentication database 500 is connected to the authentication server 200, and the control unit 201 can read data from the authentication database 500 and update the authentication database 500 as needed. Details of the configuration of the authentication database 500 will be described later.

  The authentication server 200 having the above configuration starts an authentication process described later in response to an authentication request from the personal computer 100.

  Next, the hardware configuration of the mobile terminal 400 will be described. In this embodiment, the mobile terminal 400 is a mobile phone. As shown in FIG. 4, the mobile terminal 400 includes a control unit 401, a storage unit 402, an input reception unit 403, an external memory I / F 404, an image processing unit 405, an audio processing unit 406, a wireless processing unit 407, a display 421, a speaker. 422, a microphone 423, and an antenna 424.

  The control unit 401 controls the entire portable terminal 400 according to an operating system and a control program stored in the storage unit 402. The control unit 401 transmits a control signal and data to each unit, or receives a response signal and data from each unit.

  The storage unit 402 is composed of a storage device such as a ROM, a RAM, or a flash memory. The storage unit 402 stores an operating system, software such as a web browser, data input from a user, and the like.

  In addition, the storage unit 402 stores an individual identification number 460 previously assigned to the mobile terminal 400. The individual identification number 460 is information that can uniquely identify the mobile terminal 400, and is information that can be added to an HTTP (HyperText Transfer Protocol) header. The individual identification number 460 is typically defined using alphabets and numbers, and is assigned in advance from the mobile phone service provider (mobile phone operator or manufacturer).

  The input receiving unit 403 includes various operation keys such as numeric keys, cursor keys, and power keys. The user can input an arbitrary instruction input, data, or the like by operating the input device. When the user presses the operation key, the input receiving unit 403 outputs a key code signal corresponding to the operation key to the control unit 107. The control unit 401 determines the operation content based on the key code signal.

  The external memory I / F 404 is connected to a removable external memory 450 to input / output data.

  The image processing unit 405 processes the image data by the image calculation processor provided in the control unit 401 or the image processing unit 405 and then records the processed data in an output buffer (not shown) provided in the image processing unit 405. The image information recorded in the output buffer is converted into an image signal at a predetermined synchronization timing, and is output to the display 421 connected to the image processing unit 405. Thereby, various image displays are possible. For example, the display 421 includes an LCD (Liquid Crystal Display), an organic EL (Electro-Luminescence) display, or the like.

  When the portable terminal 400 serves as a transmitter, the voice processing unit 406 collects a user's uttered sound or the like by the microphone 423 and converts the sound into a voice signal by an A / D (Analog / Digital) converter included in the voice processing unit 406. Output audio signals. In addition, when the mobile terminal 400 serves as a receiver, the voice processing unit 406 outputs a call sound demodulated by a D / A (Digital / Analog) converter included in the voice processing unit 406 from the speaker 422.

  When the mobile terminal 400 serves as a transmitter, the wireless communication unit 407 modulates the audio signal input by the microphone 423 and converted by the A / D converter included in the audio processing unit 406, and uses the antenna 424 to transmit the other party (receiving side). ). When the portable terminal 400 is a receiver, the antenna 424 is used to receive an audio signal or the like and demodulate the input audio signal. The demodulated audio signal is input to the audio processing unit 406.

  The wireless communication unit 407 communicates with a communication satellite such as GPS (Global Positioning System), and position information (specifically, latitude and longitude) of the mobile terminal 400 based on a predetermined signal transmitted from the communication satellite. And the acquired position information is input to the control unit 401. Further, based on an instruction from the control unit 401, a signal indicating the acquired position information is transmitted to the base station using a radio wave of a predetermined frequency using the antenna 424.

  Next, the configuration of the authentication database 500 will be described. FIG. 5 is a diagram illustrating a configuration example of the user information table 510 stored in the authentication database 500. The authentication database 500 stores a user information table 510 in which a user ID 511, an individual identification number 512, an address 513, and a password 514 are associated with each other.

  The user ID 511 is information for identifying the user, and is typically defined using alphabets, numbers, symbols, and the like. The user ID 511 may be a character string that can be arbitrarily set by the user, or an email address owned by the user may be used as the user ID.

  The registered individual identification number 512 is the individual identification number 470 acquired from the mobile terminal 400. The control unit 401 acquires the individual identification number 470 from the portable terminal 400 and stores it as the registered individual identification number 512 in the user information registration process described later. Further, the control unit 401 collates the individual identification number 470 transmitted from the portable terminal 400 with the registered individual identification number 512 registered in the user information table 510 in an authentication process described later.

  The address 513 is an e-mail address (e-mail box) registered in advance by the user for e-mail using the mobile terminal 200.

  The password 514 is a character string that can be freely set by the user using alphabets, numbers, symbols, and the like. The user can change the password 514.

  When the control unit 201 of the authentication server 200 receives a request to change one or more of the user ID 511, the registered individual identification number 512, the address 513, and the password 514 stored in the user information table 510, the control unit 201 receives the user according to the received request. The information table 510 is updated.

  The authentication database 500 may be stored in the storage unit 202 of the authentication server 200 or may be stored in a storage device of another database server (not shown). In the authentication database 500, data other than the above may be stored in association with the user ID 511.

(User information registration process)
Next, user information registration processing according to the present embodiment will be described with reference to the flowchart of FIG. This user information registration process is performed when a registered individual identification number 512 and / or an address 513 and / or a password 514 is newly registered in the user information table 510, or when already registered contents are changed. This is processing performed in the mobile terminal 400 and the registration server 200.

  First, the control unit 401 of the portable terminal 400 receives an instruction to update the user information table 510 from the user (step S601). The user of the portable terminal 400 can input an instruction to update the user information table 510 by starting a web browser using an operation key provided in the input receiving unit 403 and connecting to the Internet banking system.

  The control unit 401 of the portable terminal 400 controls the wireless communication unit 407 and information including form data for registering user information, image data to be displayed on the display 421, and the like (hereinafter referred to as “user registration page”). Is transmitted to the authentication server 200 (step S602).

  More specifically, the control unit 401 transmits packet data including a request for acquiring a user registration page to a gateway connected to the communication network 300B. The gateway that has received the packet data performs protocol conversion, and transmits the converted packet data to the authentication server 200. Hereinafter, in the data transmission / reception between the portable terminal 400 and the authentication server 200, communication via the gateway is performed in the same manner. However, for simplification of description, “data is transmitted from the portable terminal 400 to the authentication server 200”. To express.

  The control unit 201 of the authentication server 200 receives packet data including a request for obtaining a user registration page (step S603).

  In response to the request, the control unit 201 of the authentication server 200 reads the user registration page from the storage unit 202 and transmits the read user registration page to the mobile terminal 400 (step S604).

  The control unit 401 of the portable terminal 400 receives the user registration page from the authentication server 200 (step S605).

  Further, the control unit 401 of the mobile terminal 400 displays the image data included in the received user registration page on the display 421 as shown in FIG. 7A, for example (step S606).

  FIG. 7A shows an example of a screen for registering new user information. The user can input an arbitrary user ID, password, and address (e-mail address) using the operation keys.

  FIG. 7B is an example of a screen for changing registered user information. The user adds a check mark to an item to be changed among the user ID, password, and address, and the user ID before the change (user ID currently registered), the user ID after the change (user ID that desires to be registered), and / or Or, password before change (currently registered password) and password after change (password to register) and / or e-mail address before change (e-mail address currently registered) and changed e-mail Enter your email address (the email address you wish to register for).

  The control unit 401 of the portable terminal 400 accepts input of a user ID, a password, and an address (Step S607). The user ID, password, and address input here are registered in the user information table 510.

  The control unit 401 of the portable terminal 400 reads the individual identification number 460 stored in the storage unit 402 in advance. Then, the control unit 401 controls the wireless communication unit 407 to transmit the read individual identification number 460 and the user ID, password, and address received in step S607 to the authentication server 200 (step S608). The control unit 401 stores the individual identification number 460 in the HTTP extension header and transmits it.

  The control unit 401 of the portable terminal 400 encrypts the user ID, password, and address using a predetermined encryption algorithm, or uses a protocol such as SSL (Secure Sockets Layer) to obtain the user ID, password, and address. It is desirable to send.

  The control unit 201 of the authentication server 200 receives the individual identification number 460, user ID, password, and address from the portable terminal 400 (step S609).

  Then, the control unit 201 of the authentication server 200 uses the individual identification number 460, the user ID, the password, and the address received in step S609 as the registered individual identification number 512, the user ID 511, the password 514, and the address 513 in the user information table 510, respectively. (Step S610).

  If the received user ID is the same as another user ID already registered, the control unit 201 returns to step 604 and accepts the input of the user ID again.

  When the control unit 201 changes the user information, the received old user ID and the user ID 511 registered in the user information table 510 and / or the received old password and the password registered in the user information table 510 are used. 514 and / or whether or not the received old e-mail address matches the address ID 513 registered in the user information table 510, and if they match, the new user ID and / or new address and / or password Then, the user information table 510 is updated, and if they do not match, the process returns to step S604 to accept the input of the user ID and the like again.

(Authentication process)
Next, the authentication processing of the present embodiment will be described with reference to the flowcharts of FIGS. The authentication process is started when an instruction to connect to the Internet banking system is given by the user of the personal computer 100. 8 and 9, the personal computer 100 is abbreviated as “PC”.

  First, the user starts a web browser, accesses a website that operates the Internet banking system, and inputs an instruction to connect to the Internet banking system to the personal computer 100. The control unit 101 of the personal computer 100 receives an instruction to connect to the Internet banking system from the user (step S801).

  The control unit 101 of the personal computer 100 acquires information (hereinafter referred to as “authentication page”) including form data for performing authentication necessary for using the Internet banking service, image data displayed on the display 421, and the like. Packet data including the request is transmitted to the authentication server 200 (step S802).

  The control unit 201 of the authentication server 200 receives packet data including a request for acquiring an authentication page (step S803).

  In response to the request, the control unit 201 of the authentication server 200 reads the authentication page from the storage unit 202, and transmits the read authentication page to the personal computer 100 (step S804).

  The control unit 101 of the personal computer 100 receives the authentication page from the authentication server 200 (step S805).

  Further, the control unit 101 of the personal computer 100 controls the image processing unit 105 to display the image data included in the received authentication page on the monitor as shown in FIG. 10 (step S806).

  In addition, the control unit 101 of the personal computer 100 receives an input of a user ID (step S807).

  FIG. 10 is an example of a screen that accepts an instruction to start authentication of the Internet banking system. The user can input a user ID into the text box 1001 using a keyboard or the like. When the authentication start button 1002 is pressed, the control unit 101 proceeds to the process of step S808. When the cancel button 1003 is pressed, the control unit 101 ends the authentication process.

  When the authentication start button 1002 is pressed, the control unit 101 of the personal computer 100 transmits packet data including the user ID received in step S807 to the authentication server 200 (step S808).

  The control unit 101 of the personal computer 100 desirably transmits the user ID to the authentication server 200 by encrypting the user ID using a predetermined encryption algorithm or using a protocol such as SSL.

  The control unit 201 of the authentication server 200 receives packet data including a user ID from the personal computer 100 (step S809).

  Next, the control unit 201 of the authentication server 200 searches the user information table 510 to determine whether or not there is a user ID 511 that matches the received user ID. The address 513 associated with the ID 511 is read out. Then, the control unit 201 controls the communication unit 203 to transmit packet data including a URL (Uniform Resource Locator) of a page that accepts password input, using the read address 513 as a transmission destination (step S810). Typically, this packet data is transmitted in the form of an email.

  The control unit 401 of the portable terminal 400 receives packet data including the URL of a page that accepts password input (step S811). For example, as illustrated in FIG. 11A, the control unit 401 displays a URL or the like included in the received packet data on the display 421.

  The URL specified here includes identification information (hereinafter referred to as “authentication request ID”) 1150 generated by the control unit 201 of the authentication server 200 for each authentication request. For example, upon receiving packet data in step S811, the control unit 201 randomly generates a unique authentication request ID 1150. Then, the control unit 201 temporarily stores the generated authentication request ID 1150 in the storage unit 202 of the authentication server 200 in association with the user ID 511.

  When receiving a request to access the displayed URL, the control unit 401 of the mobile terminal 400 displays a password input screen specified by the URL, as shown in FIG. And the control part 401 receives the input of a password from a user (FIG. 9; step S901).

  FIG. 11B is an example of a password input screen. The user can input a password in the text box 1101 using an operation key or the like. When the send button 1102 is pressed, the control unit 401 proceeds to the process of step S902. When the cancel button 1103 is pressed, the control unit 401 ends the authentication process.

  When the send button 1102 is pressed, the control unit 401 of the mobile terminal 400 acquires the individual identification number 460 stored in the storage unit 402, and the acquired individual identification number 460 and the password received in step S901. The wireless communication unit 407 is controlled and transmitted to the authentication server 200 (step S902).

  Here, the control unit 401 transmits the individual identification number 460 stored in the HTTP extension header of the transmission packet.

  It is desirable that the control unit 401 of the portable terminal 400 transmits the password by encrypting the password using a predetermined encryption algorithm or using a protocol such as SSL (Secure Sockets Layer).

  The control unit 201 of the authentication server 200 receives the password and the individual identification number 460 from the portable terminal 400 (step S903).

  Next, the control unit 201 of the authentication server 200 acquires the password 514 associated with the user ID 511 corresponding to the authentication request ID 1150 (that is, the user ID 511 that requested the authentication) from the user information table 510, and the acquired password 514 Then, it is determined whether or not the password received in step S903 matches (step S904).

  If it is determined that the passwords do not match (step S904; NO), the control unit 201 of the authentication server 200 notifies the personal computer 100 that access is not permitted (step S905). The control unit 101 of the personal computer 100 notifies the user of the authentication failure (step S906), and ends the authentication process.

  On the other hand, when it is determined that the passwords match (step S904; YES), the control unit 201 of the authentication server 200 acquires the registered individual identification number 512 associated with the user ID 511 corresponding to the authentication request ID 1150 from the user information table 510. Further, it is further determined whether or not the acquired registered individual identification number 512 matches the individual identification number received in step S903 (step S907).

  When it is determined that the individual identification numbers do not match (step S907; NO), the control unit 201 of the authentication server 200 notifies the personal computer 100 that access is not permitted (step S905). The control unit 101 of the personal computer 100 notifies the user of the authentication failure (step S906), and ends the authentication process.

  On the other hand, if it is determined that the individual identification numbers match (step S907; YES), the control unit 201 of the authentication server 200 notifies the personal computer 100 that access is permitted (step S908), and provides the Internet banking service. Start (step S909).

  The control unit 101 of the personal computer 100 that has received the notification that the access is permitted notifies the user of the authentication success (step S910) and starts providing the Internet banking service (step S911).

  For example, the control unit 101 of the personal computer 100 changes the displayed web browser screen to a service screen as shown in FIG. 12 by a server push from the authentication server 200.

  As described above, in this embodiment, since authentication is performed using the address 513 or the registered individual identification number 512 stored in advance in the authentication server 200, which is information that can be found only on a genuine website, the malicious second There is an effect that unauthorized authentication becomes difficult by the three parties.

  In this embodiment, since it is necessary to access the authentication server 200 using two types of communication networks 300A and 300B and use different DNS (Domain Name System) in the authentication process, DNS spoofing can be prevented. There is an effect. For example, the user can visually check whether the URL indicating the password input screen shown in FIG. 11A is valid.

  Furthermore, by checking the individual identification number 470, it is necessary to access from a specific portable terminal 400, and the portable terminal 400 registered in advance by the user substantially plays the role of a “key”. For this reason, even if a password is guessed or a password is obtained illegally by social engineering, there is an effect that unauthorized access can be made difficult.

(Example 2)
Next, a second embodiment of the present invention will be described. In this embodiment, the type and version of the web browser used by the user are further used for authentication.

  FIG. 13 is a diagram illustrating a configuration example of the user information table 1300 according to the present embodiment. The user information table 1300 further stores browser information 1301 in association with the user ID 511.

  Browser information 1301 is information indicating the type and version of the web browser used by the user on the personal computer 100.

  In step S808 of the authentication process, the control unit 101 of the personal computer 100 transmits information indicating the type and version of the web browser used to display the authentication page in step S806 to the authentication server 200 together with the user ID.

  For example, the control unit 101 transmits packet data storing information indicating the type and version of the web browser in HTTP_USER_AGENT of the HTTP header.

  In step S809 of the authentication process, the control unit 201 of the authentication server 200 stores the received information indicating the type and version of the web browser in the browser information 1301 in association with the user ID 511. This browser information 1301 is used after the authentication process executed next time.

  In the authentication process, when the passwords match and the individual identification numbers match (step S907; YES), the control unit 201 of the authentication server 200 further controls the browser associated with the user ID 511 corresponding to the authentication request ID. Information 1301 is acquired from the user information table 510, and it is further determined whether or not the acquired browser information 1301 matches the information indicating the type and version of the web browser received in step S809.

  If it is determined that they do not match, the control unit 201 of the authentication server 200 notifies the personal computer 100 that access is not permitted (step S905). The control unit 101 of the personal computer 100 notifies the user of the authentication failure (step S906), and ends the authentication process.

  On the other hand, if it is determined that they match, the control unit 201 of the authentication server 200 notifies the personal computer 100 that access is permitted (step S908), and starts providing an internet banking service (step S909).

  Note that the control unit 201 of the authentication server 200 stores in advance browser information 1301 for designating a web browser used by the user in accordance with a user registration instruction.

  According to the present embodiment, if the web browser used by the user in the past and the web browser used by the user are not the same, the authentication is not successful, so that unauthorized access by a third party can be made difficult. Increases effectiveness. Further, storing information indicating the type of operating system used in the personal computer 100 in the browser information 1301 further increases the effect of preventing unauthorized access.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible. Moreover, it is also possible to freely combine the constituent elements of the above-described embodiments.

  The present invention can be implemented by being incorporated not only in the Internet banking system but also in various systems such as an online shopping system, a mailing system, and other membership system web systems.

  A computer-readable program such as a memory card, a CD-ROM, a DVD, or an MO (Magneto Optical disk) can be used for operating a computer as the personal computer 100, the authentication server 200, or the portable terminal 400. The program may be stored and distributed in a recording medium, installed in another computer, operated as the above-described means, or the above-described steps may be executed.

  Furthermore, the program may be stored in a disk device or the like included in a server device on the Internet, and may be downloaded onto a computer by being superimposed on a carrier wave, for example.

  As described above, according to the present invention, it is possible to provide an authentication system, an authentication server, an authentication method, and a program suitable for preventing unauthorized access.

It is a figure which shows the structure of an authentication system. It is a figure for demonstrating the structure of a personal computer. It is a figure for demonstrating the structure of an authentication server. It is a figure for demonstrating the structure of a portable terminal. It is a figure for demonstrating the structure of a user information table. It is a flowchart for demonstrating a user information registration process. (A) It is a figure which shows the structural example of the screen which registers user information. (B) It is a figure which shows the structural example of the screen which changes user information. It is a flowchart for demonstrating an authentication process. It is a flowchart (continuation) for demonstrating an authentication process. It is a figure which shows the structural example of the screen which starts an authentication process. (A) It is a figure which shows the structural example of the screen which displays URL. (B) It is a figure which shows the structural example of a password input screen. It is a figure which shows the structural example of the screen which started the service after successful authentication. In Example 2, it is a figure for demonstrating the structure of a user information table.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Authentication system 100 Personal computer 101 Control part 102 Memory | storage part 103 Input reception part 104 I / F (interface)
105 image processing unit 106 audio processing unit 107 communication unit 200 authentication server 201 control unit 202 storage unit 203 communication unit 300A, 300B communication network 400 portable terminal 401 control unit 402 storage unit 403 input reception unit 404 external memory I / F
405 Image processing unit 406 Audio processing unit 407 Wireless communication unit 421 Display 422 Speaker 423 Microphone 424 Antenna 450 External memory 460 Individual identification number 500 Authentication database 510, 1300 User information table 511 User ID
512 Registered individual identification number 513 Address 514 Password 1001 Text box 1002 Authentication start button 1003 Cancel button 1101 Text box 1102 Send button 1103 Cancel button 1150 Authentication request ID
1301 Browser information

Claims (8)

An authentication system having a first user terminal, a second user terminal, and an authentication server,
The authentication server is
A user ID for identifying a user, browser information indicating a browser type and version used when displaying an authentication page for accepting an input of the user ID from the user on the first user terminal, a password, and the second A storage unit that stores the identification information assigned in advance to the user terminal in association with the information;
The first user terminal is
A display unit for displaying the authentication page;
A first input receiving unit that receives an input of the user ID from the user,
A first transmission unit that transmits the user ID received by the first input reception unit and the type and version of the browser used for displaying the authentication page by the display unit to the authentication server;
With
The second user terminal is
A second input receiving unit for receiving an input of a password from the user;
A second transmission unit for transmitting the password is accepted by the second input receiving unit, the identification information that is pre-assigned to the second user terminal to the authentication server,
With
The authentication server further includes:
A first receiver that receives from the first user terminal the user ID and the type and version of the browser used to display the authentication page by the display ;
From the second user terminal indicated by the identification information associated with the user ID of the first receiving unit has received, the second receiving and password the accepted, and the identification information that is pre-assigned to the second user terminal A receiver,
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed in other cases,
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
An authentication system comprising: The authentication server is
When the first receiving unit receives the user ID from the first user terminal, the first receiving unit generates an authentication request ID for identifying that a request for starting authentication has been received from the user in association with the received user ID. A generator,
An authentication request ID notifying unit for notifying the second user terminal of an authentication request ID generated by the generating unit;
Further comprising
The second input receiving unit receives the password input from the user after the authentication request ID is notified from the authentication server.
The authentication system according to claim 1, wherein: The authentication request ID notification unit notifies the second user terminal of a URL (Uniform Resource Locator) including the generated authentication request ID,
The second transmission unit transmits the password received by the second input reception unit and the identification information assigned in advance to the second user terminal to the authentication server via the URL.
The authentication system according to claim 2, wherein: An authentication server connected via a network to a first user terminal and a second user terminal used by a user,
A user ID for identifying the user; browser information indicating a browser type and version used when displaying an authentication page for accepting input of the user ID from the user on the first user terminal; a password; A storage unit that stores identification information for identifying two user terminals in advance in association with identification information that is assigned in advance to the second user terminal ;
A first receiving unit that receives from the first user terminal the user ID input by the user and the type and version of the browser used to display the authentication page by the first user terminal;
A second unit configured to receive a password input from the user and identification information assigned in advance to the second user terminal from the second user terminal indicated by the identification information associated with the user ID received by the first receiving unit; Two receivers;
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed in other cases,
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
An authentication server comprising: When the first receiving unit receives the user ID from the first user terminal, the first receiving unit generates an authentication request ID for identifying that a request for starting authentication has been received from the user in association with the received user ID. A generator,
An authentication request ID notifying unit for notifying the second user terminal of an authentication request ID generated by the generating unit;
Further comprising
The second receiving unit receives the password input from the user and the identification information assigned in advance to the second user terminal because the authentication request ID notifying unit sends the authentication request ID to the second user terminal. After notification,
The authentication server according to claim 4 , wherein: The authentication request ID notification unit notifies the second user terminal of a URL (Uniform Resource Locator) including the generated authentication request ID,
The second receiving unit receives a password input from the user and identification information assigned in advance to the second user terminal via the URL.
The authentication server according to claim 5 , wherein: An authentication method that is executed by an authentication server that has a storage unit and is connected to a first user terminal and a second user terminal used by a user via a network,
The storage unit includes a user ID for identifying the user, browser information indicating a browser type and version used when displaying an authentication page for accepting an input of the user ID from the user on the first user terminal; The password and the identification information for identifying the second user terminal and the identification information assigned in advance to the second user terminal are stored in advance in association with each other.
A first receiving step of receiving, from the first user terminal , a user ID input from the user and a type and version of a browser used for displaying the authentication page by the first user terminal;
A second password is received from the second user terminal indicated by the identification information associated with the user ID received in the first receiving step, and the identification information assigned in advance to the second user terminal is received. Two receiving steps;
Wherein the password that you Tei stored in the storage unit in association with the user ID received in the first reception step, and the password received at the second receiving step matches, and were received in the first receiving step and Tei Ru identification information stored in the storage unit in association with the user ID, and the identification information received by the second receiving step matches, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination step of determining that the user authentication has failed in other cases,
A determination result notifying step of notifying the first user terminal of the determination result of the authentication determining step;
An authentication method comprising: A computer connected to the first user terminal and the second user terminal used by the user via a network,
A user ID for identifying the user; browser information indicating a browser type and version used when displaying an authentication page for accepting input of the user ID from the user on the first user terminal; a password; A storage unit that stores identification information that identifies two user terminals in advance in association with identification information that is assigned in advance to the second user terminal ;
A first receiver that receives from the first user terminal the user ID input by the user and the type and version of the browser used to display the authentication page by the first user terminal;
A second unit configured to receive a password input from the user and identification information assigned in advance to the second user terminal from the second user terminal indicated by the identification information associated with the user ID received by the first receiving unit; 2 receivers,
And password associated with the user ID Ru Tei stored in the storage unit in which the first reception unit receives, the password for the second reception unit receives the match, and the first reception unit receives and Tei Ru identification information stored in the storage unit in association with the user ID, the identification information matches the second receiving unit receives, and, associated with the user ID that the first reception unit receives If the browser type and version indicated by the browser information stored in the storage unit match the browser type and version received by the first receiving unit , the user has been successfully authenticated. And an authentication determination unit that determines that the user authentication has failed otherwise.
A determination result notifying unit for notifying the first user terminal of a determination result by the authentication determining unit;
A program characterized by functioning as

Images