JP2001320366A - System for supplying information to portable information terminal - Google Patents

Abstract

PROBLEM TO BE SOLVED: To take countermeasures against wire tapping in a communication channel, unauthorized access and by pretending to be someone else as a security attack to a system since FTP, HTTP and SMTP on a public Internet line might become the objects of attack and to remove the risk that an unauthorized accessing person keys in a password at random and attacks, views around hands and attacks later and steals the password and makes access. SOLUTION: The purpose is achieved by the input of a plaintext password to a portable information terminal, a URL by a keyword with long term of validity generated by random numbers and FTP by ciphered data of a word.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for supplying information to a portable information terminal using a portable telephone or the like in maintenance and monitoring support services in the industrial field.

[0002]

2. Description of the Related Art In recent years, the fusion of the Internet and a telephone communication network has been remarkable, and the number of contracted i-mode mobile phones released as a telephone capable of the Internet in Japan has been rapidly increasing. Has begun. Utilizing such a general consumer system in the research and development of the Internet application in the FA field also makes the low price and lightness very attractive. Therefore, the inventors are also developing a system using such a system.

[0003] Such an i-mode portable telephone may be regarded as an Internet-compatible portable information terminal, and its features are as follows. A WWW page described in compact HTML can be displayed. Pages written in HTML can also be displayed. The screen size is from 6 to text
A display of 10 rows × 8 digits is possible, and the graphic is a monochrome GIF (501 series) of about 100 dots square, or a color and animation GIF (502 series). Furthermore, WWW pages are 2K per page
Up to bytes are possible. 50 e-mails can be stored, and up to 250 double-byte characters can be sent and received per mail.

FIG. 13 is a block diagram of a conventional robot monitoring system using an i-mode mobile phone. When there is a monitoring target including a robot, first, when a normal or abnormal occurrence or a sign from the robot system occurs, a monitoring is performed. Know the beginning of the phenomenon in the subject with an i-mode mobile phone, and then
It is about making decisions about the behavior of the observer.

In the figure, 1 is a robot, 2 is a robot controller, 3 is a provider personal computer that executes a provider function, 4 is a kernel personal computer that executes a kernel function, and 5 is a client personal computer that performs monitoring. Reference numeral 6 denotes an Ethernet used as a local LAN, reference numeral 7 denotes an ISDN router for connecting the local LAN 6 to the Internet, and reference numeral 8 denotes the Internet. Reference numeral 9 denotes a WWW server connected to the Internet, which is operated by an Internet service provider, and sends information to the i-mode mobile phone 12 according to the WWW protocol. 10
Is a gateway server operated by a mobile telephone company, 11
Is a wireless packet network, 12 is an i-mode mobile phone, and 1
3 is a mobile notebook computer.

In the figure, the lower left end is the robot 1 and the robot controller 2 (hereinafter referred to as RC) to be monitored.
All devices including this RC2 are connected to the local LAN (E
interconnected via the Internet (thernet) 6. RC
The data from 2 is a provider personal computer 3 by protocol.
Transported to After this, RC2 up to client PC 5
Monitoring data arrives. In this client personal computer 5, add-in software for writing data to Excel cells is installed, and a predetermined cell value in Excel is updated at a constant cycle. On the other hand, an Excel macro (VBA: Visual BASIC for App)
L) at regular intervals (for example, every minute)
At the TP, an ISP (Intern) on the Internet 8
and an algorithm for sending a data group to the WWW server 9 of the Internet Service (ET Service Provider). Further, at another cycle, a macro program that branches conditionally according to the value of the cell reflecting the error occurrence state of the robot controller 2 is executed, and when an error occurs, an e-mail describing the fact is generated. An algorithm to be transmitted to the mobile phone 12 is described. The generated e-mail passes through a group of ISPs (not shown) on the Internet,
And is delivered to the i-mode mobile phone 12.

[0007] When browsing data via the WWW, following a relay point from the i-mode portable telephone 12 side, DoCoMo
The route is as follows: the company wireless packet network 11 → the gateway 10 → the WWW server 9 of the ISP being used.

With the above configuration, it is possible to realize a system for browsing event notifications such as occurrence of a failure by e-mail and browsing some operation status of the controller 2 at any time on the WWW.

[0009]

The conventional method of supplying information to a portable information terminal has the following problems.

[0010] A WWW page that can be searched in the i-mode needs to have a WWW server on the Internet. Having a self-managed server solves these problems, but requires protection against an illegal attack on the server itself. That is,
For the WWW server 9, not the owner of the robot,
In general, access from an i-mode mobile phone 12 belonging to a party other than a management company who does not know who or who is unknown is naturally desired to be denied. For this reason, a combination of a login user name and a password is determined in advance for a person who is permitted to access from the i-mode mobile phone 12, and the combination is stored on the WWW server side. Enter the combination of
It is usually performed to authenticate the data held by the WW server. As shown in the figure, a login user name is displayed in a field 15 of the liquid crystal panel 14, and a password is displayed in a field 16.

In the WWW user authentication system, Ba
Although the sic authentication method and the Digest authentication method are stipulated, there is a problem with the password management on the WWW server 9 side.
It is likely that the use of t authentication is not permitted. Also, in these authentication methods, when a password is to be input, the field 16 in FIG.
As shown in (1), one character entered is displayed as "*", so that it is not clear what character is being entered. This is fine for an ordinary personal computer keyboard, but a desired character is selected by pressing one button 17 multiple times like a mobile phone (for example, if you want to enter C, switch to the lowercase letter input mode. And press the number 1 three times to A →
(B → C, etc.), the invisible of the selected character makes the input difficult.

Further, it is difficult for a general user to identify an i-mode mobile phone that has accessed his / her WWW server. In addition, it is necessary to transfer the data indicating the operating state from the production equipment group, for example, the robot 1 to the WWW server 9, but the FTP (File Tra) is transmitted from the personal computer 5 to the WWW server 9.
nsfer Protocol). In this case, the FTP protocol is not normally encrypted, and there is a problem that data is stolen if wiretapping is performed in the middle of a communication path from the personal computer 5 to the WWW server 9.

In other words, security for the system
As an attack, eavesdropping on a communication path, unauthorized access and falsification by spoofing are conceivable. For example, Public
It is necessary to take countermeasures because FTP, HTTP, and SMTP on the public Internet line in the middle of the communication path marked WAN may be targeted for attack. It also eliminates the dangers of unauthorized access by attacking the user by properly entering a password, attacking at a later date by using a password in the town, and stealing the password by eavesdropping. There is a need. However, current i-mode mobile phones cannot easily take countermeasures.

The present invention has been made in order to solve the above-described problems. In an information providing method for a portable information terminal according to the present invention, for example, a so-called CGI (Common Gateway Interface) is used.
ace), a password is input, and a URL (Uniform Resource L
ocator) is composed of long character strings, and responds to dictionary attacks that attempt to randomly detect possible URLs.
The purpose is to increase security while maintaining ease of use by combining measures such as responding to Alibaba attacks that attempt to perform the same key operation by stealing the hands that are being operated, and countering wiretapping of the communication path. Things.

[0015]

According to a first aspect of the present invention, there is provided a system for supplying information to a portable information terminal, comprising: a portable information terminal for exchanging information with a server via the Internet; The server is provided with means for inputting a password by a field and performing password authentication.

Further, the information supply method to the portable information terminal according to the second configuration of the present invention provides a portable information terminal which exchanges information with a server via the Internet, a password to a text attribute or a text attribute. The server is provided with means for inputting and displaying according to a password attribute and performing password authentication.

Further, the information supply method to the portable information terminal according to the third configuration of the present invention is such that a password is inputted to the portable information terminal which exchanges information with a server via the Internet. Means for authenticating;
The server is provided with means for generating a keyword using a random number after password authentication, and the keyword is used as a part of a URL used in subsequent access.

According to a fourth aspect of the present invention, there is provided a method for supplying information to a portable information terminal according to the third aspect of the present invention, wherein a means for counting the number of accesses by a keyword and a predetermined count are reached. In some cases, the server is provided with means for rejecting subsequent access.

Further, the information supply method to the portable information terminal according to the fifth configuration of the present invention is a method of supplying information to a portable information terminal which exchanges information with a server via the Internet. The server is provided with means for decrypting the data and sending it to the portable information terminal.

[0020] Further, the information supply method to the portable information terminal according to the sixth configuration of the present invention is the same as the first configuration of the invention, except that the server uses both the input password and the ID unique to the portable information terminal. Is used to perform access authentication.

[0021]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 FIG. 1 is a diagram for explaining a method of supplying information to a portable information terminal according to Embodiment 1 of the present invention. In the figure, 1 is a robot, 2 is a robot controller, 3 is a provider personal computer that executes a provider function, 4 is a kernel personal computer that executes a kernel function, and 5 is a client personal computer that performs monitoring. Reference numeral 6 denotes Ethernet (registered trademark) used as a local LAN, 7 denotes an ISDN router for connecting the local LAN 6 to the Internet, and 8 denotes the Internet. Reference numeral 9 denotes a WWW server connected to the Internet, which is operated by an Internet service provider, and incorporates an operation program described later.
10 is a gateway server operated by a mobile phone company,
Reference numeral 11 denotes a wireless packet network, and reference numeral 12 denotes an i-mode mobile phone, which shows the configuration of password authentication shown in FIG. 1
3 is a mobile notebook computer.

With the above configuration, it is possible to realize a system in which some of the operation states of the robot controller 2 are browsed by the WWW information terminal function incorporated in the i-mode portable telephone 12 at any time.

Therefore, in the above-described password authentication according to the present invention, a CGI form is used. As shown in FIG. 2, the attributes of both the field 15 for inputting the login user name and the field 16 for inputting the password in the CGI form are text attributes, so that even if the password is input, it is displayed as “*”. Instead, the input characters are displayed.

FIG. 3 shows an input program using the CGI form. In step 24, a text attribute is specified. This can be set in the CGI directory of the WWW server 9 of the ISP, and its URL can be called from the i-mode mobile phone 12.

The input program using the CGI form shown in FIG. 3 operates as shown in FIG. 4 (operation of the WWW server in the first embodiment). That is, the program of FIG. 3 defines the operation from the waiting for a request 20 from the client to the transmission of the authentication page 21 in relation to the flow of FIG. As shown in step 22 of the program, ac. c
The operation described in gi is performed according to steps 22 to 2 shown in FIG.
6 is supported.

At this time, the display on the i-mode portable telephone 12 is shown in the field 16 in FIG. 2 as described above.

By generating HTML that can be viewed only by a user who has been successfully authenticated, important contents can be shown only to users who are permitted to access.

Also, in the first embodiment, HTT which is a communication protocol between the WWW server 9 and the mobile phone 12 is used.
The GET method of P has been described.
The T method has the same effect as in the first embodiment.

Although the robot 1 is assumed to be monitored, any device can be used as long as it can send data representing a phenomenon in the monitored object to the network.

Furthermore, although the i-mode portable telephone 12 is used, EzWeb or SZ having an information system similar to WWW
It also functions in the case of kyWeb or the like. In addition, simple information can be easily viewed with the i-mode mobile phone 12,
If you want to get more detailed information, connect the mobile PC 13 to ISDN
You may make it connect to a router.

Embodiment 2 In the first embodiment, the combination of the login user input field 15 and the password input field 16 is displayed on the screen of the i-mode mobile phone 12, and the user inputs a character string. However, as shown in FIG. 5, the input character string is displayed as it is, a login name input field 15 is displayed, the input character string is displayed as it is, a password input field 16A, and the input character string is The password input field 16B indicated by “*” may be provided so that the user may enter any password input field. If you can input from a keyboard such as a personal computer keyboard, which is one key per character, it is effective for eavesdropping, so select the one where "*" is displayed, and it will be displayed as it is when inputting with a mobile phone etc. The input can be made easier by choosing one. Note that the input program using the CGI form in the present embodiment is similar to the input form shown in FIG.
= "password" NAME = "password"><p> This can be realized by adding the description. The procedure of the operation in the WWW server 9 is the same as that in the first embodiment shown in FIG. According to such a configuration, in the password authentication page,
Since the server is provided with a means for inputting and displaying a password using a text attribute or a password attribute and performing password authentication, a secure person and an easy-to-use one can be selected according to time and case.

Embodiment 3 FIG. As described above in the embodiment, in the WWW server 9 that is accessed from the i-mode mobile phone 12, for example, in the first embodiment,
It has been described that important information is disclosed after authentication is performed in the method as described in 2. In these embodiments, information that can be displayed on one page is presented after successful access authentication. However, instead, when there are multiple WWW pages describing information that can be disclosed,
It is usual to feed a so-called index (table of contents). However, URLs to important confidential information ahead of such an index are described, and it is too time-consuming to perform password authentication every time an index is selected and displayed.

In order to avoid this, a method called a cookie is used in a personal computer WWW browser, but a cookie is not currently provided as a function in an i-mode portable telephone and cannot be used. In the present invention,
The configuration is such that individual access authentication is avoided while presenting the index after successful access authentication.

In the i-mode portable telephone 12, FIG.
As shown in (1), after successful access authentication, a menu is displayed, and the user selects one of them. Each of these is important information. For example, when the status menu is selected, as the specific information on the status monitoring as shown in FIG. 6B, the normal status True, the professional running True, and the emergency stop False , Etc. are displayed. Similarly, when I / O monitoring is selected as a menu, detailed information shown in FIG. 6C is displayed, and when maintenance history is selected as a menu, detailed information shown in FIG. 6D is displayed.

At this time, the WWW server 9 operates as shown in FIG. The basic idea is that an HTML data file containing important data is copied to a file having a file name consisting of a character string determined by a random number each time, and a URL indicating the copied file is stored in the i-mode mobile phone 12. It is transferred as an index.

For example, any one of the uppercase letters AZ is selected by random numbers, and is connected to the end of the keyword character string until the specified length is reached. For example, concatenate until it has 128 characters.

Then, the extension .HTM is added to the keyword.
L is linked to form a URL. Original important data or
Original.HTML is copied to a file called keyword.HTML, and HTML data in which the keyword .HTML is anchor-designated is sent to the i-mode mobile phone 12.

At this time, if the keyword is set to 100 characters or more, even if it is seen by a peeper, it cannot be instantly remembered, and even if accessed by a personal computer WWW browser, it is not directly displayed on the screen and the peeping is prevented. Can be. Also,
The URL memo of the i-mode mobile phone is too long to be stored, and no illegal access is obtained even if the mobile phone is stolen or dropped.

Embodiment 4 For example, in the method of generating a URL with a random number as in the third embodiment, it is possible to almost prevent an unauthorized access attack in which a malicious URL is entered, but it may happen to happen. For this reason, in the present invention, as shown in FIG. 8, the WWW server 9 is provided with a table for storing the accessed URL and the number of times the URL has been accessed.
The number of accesses for each URL is managed, and if the access is made a predetermined number of times, for example, five times, an operation of deleting the file in the WWW server 9 indicated by the URL is performed.

The operation of the WWW server 9 is shown in FIG. 9 (operation of the WWW server according to the fourth embodiment).

Even if unauthorized access continues to be received by this method, the URL will eventually become inaccessible. The authorized user has a means of knowing the correct URL by means such as access authentication, and there is no disadvantage.

Although the number of accesses is assumed to be five, this can be determined by determining how many times indexing is performed when comparing information several times via the index described in the above embodiment. good. When we made a prototype with a robot system, we often went back and forth about three times, so we set aside five times for extra time. If you make it too large, you will end up being attacked forever.

It should be noted that although it cannot be used at present, when a cookie can be used on a mobile phone in the future, when an i-mode mobile phone accesses an authentication page, it is generated with a random number or time each time. A cookie combining the key and the URL of important information is sent to the i-mode mobile phone. As a result, when the i-mode mobile phone subsequently comes to access important information, the WWW server 9 requests to show the cookie sent in advance, and the WWW server records the number of times the cookie has been viewed.
By denying access when the number of times exceeds a predetermined number, the present invention functions exactly the same.

Further, the cookie is sent to the UR in the WWW server 9.
There is also a method of creating a combination of L and the number of times of access (initial value 0) and sending it to the i-mode mobile phone 12. In this case, every time important information is accessed, the number of times of access in the cookie is increased by one and the new information is sent to the mobile phone 12. As a result,
Then, when the i-mode mobile phone comes to access important information, the WWW server 9 requests to show the cookie sent in advance, and the WWW server determines the number of accesses written in this cookie, By denying access, the invention works exactly the same.

Embodiment 5 FIG. FIG. 10 is a configuration diagram showing the fifth embodiment. In the fifth embodiment, as shown in FIG. 10, the original data HTML is generated by the personal computer 5, and then encrypted in the personal computer 5. As the encryption method, any common key method or public key method that can encrypt a file can be used.

Next, the encrypted data file is FT
The encrypted data is stored in the WWW server 9 using P.

On the other hand, the WWW server 9 holds a CGI program for decrypting the above-described encrypted data into plaintext data as shown in FIG. i-mode mobile phone 1
2, the decryption CGI program decrypts the data and sends it to the i-mode mobile phone 12.

The name of this decryption CGI program is de
code, U specified by i-mode mobile phone 12
RL is HTTP: // server / decode? bu
nsho1. This means that server is WW
A name that represents the W server 9 and is decoded by the WWW server 9
This indicates that the CGI program e is executed and the result is transferred.

The argument of the decode program is bu
nsho1 and the encrypted file name is buns
ho1.

As described above, the decode program reads the file "bunsho1", performs decoding, and sends the result to the i-mode portable telephone 12 in plain text. According to this configuration, it is possible to obtain an information providing method that is resistant to eavesdropping on the communication path between the monitoring target and the server.

The WWW server 9 uses SSL (Serv
erSocketLayer), the gateway 10 can be used by using it.
Up to encrypted data communication can be performed, and it is difficult to be deciphered even when passing through a route that may be eavesdropped, and thus it is resistant to eavesdropping.

From the gateway 10 to the i-mode mobile phone 1
Up to 2 is digital radio and resistant to eavesdropping.

Embodiment 6 FIG. FIG. 12 is a flowchart showing the configuration of the sixth embodiment. In addition to the combination of the login user name and the password, access authentication is performed using a unique identification number (ID) such as a telephone number of the accessing i-mode mobile phone 12 or a line contract number or a customer number. . When a client requests authentication, the authentication page is sent from the server 9 to the i-mode mobile phone 1.
2 and performs collation on the terminal-specific ID. As a result of the comparison, if the terminal-specific ID matches, the user name,
Verify password. As a result of the comparison, if the user name and the password match, the user can view the page with the information as a successfully authenticated user. According to such a configuration, if the system is constructed only with the identification number unique to the mobile phone, unauthorized access is obtained when the mobile phone itself is stolen, and this can be prevented. Also,
A plurality of people can share and use the terminal.

[0054]

According to the information supply method to the portable information terminal, which is the first configuration of the present invention, the password is all entered in the text field. In addition, there is an effect that an access authentication unit that can be used even on a lending server that does not allow Basic authentication, Digest authentication, or the like is provided.

Further, according to the information supply method to the portable information terminal according to the second configuration of the present invention, the password authentication page is provided with a means for inputting / displaying a password by a text attribute or a password attribute and performing password authentication. By providing the server, there is an effect that a safe person and an easy-to-use one can be selected according to time and case.

Further, according to the information supply method to the portable information terminal according to the third configuration of the present invention,
After password authentication, a keyword is generated with a random number and used as a part of the URL used in subsequent access. Therefore, by making the keyword long, for example, 128 characters or more, it is possible to take notes by handwriting. It can be garbled and hard to remember in an instant, and can no longer be displayed / recorded with a bookmark on a mobile phone. This has the effect of preventing inadvertent lowering of security, such as the possibility of prying eyes.

Further, according to the information supply method to the portable information terminal according to the fourth configuration of the present invention, a means for counting the number of times of access by a keyword is provided. Is provided, there is an effect that unauthorized access can be denied thereafter.

Further, according to the information supply method to the portable information terminal according to the fifth configuration of the present invention, the server is provided with means for encrypting and transferring data to the server.
Since means for decrypting the encrypted data at I or the like and sending it to the mobile phone is provided, there is an effect that an information providing method resistant to wiretapping in a communication path between the monitoring target and the server is obtained.

Further, according to the information supply method to the portable information terminal according to the sixth configuration of the present invention, the access authentication is performed using both the input password and the ID unique to the portable information terminal. If the system is constructed only with the identification number unique to the mobile phone, unauthorized access is obtained when the mobile phone itself is stolen, and this has the effect of preventing this. In addition, there is an effect that a plurality of persons can share and use the terminal.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining a method of supplying information to a portable information terminal according to Embodiment 1 of the present invention.

FIG. 2 is a configuration diagram showing a display state of the mobile terminal according to the first embodiment of the present invention.

FIG. 3 is a diagram showing an input program using a CGI form according to the first embodiment of the present invention.

FIG. 4 is a flowchart showing an authentication operation of the server according to the first embodiment of the present invention.

FIG. 5 is a diagram showing a configuration of password authentication according to a second embodiment of the present invention.

FIG. 6 is an explanatory diagram showing a display mode according to a third embodiment of the present invention.

FIG. 7 is a flowchart showing an operation of a server according to Embodiment 3 of the present invention.

FIG. 8 is an explanatory diagram showing a configuration of a server according to Embodiment 4 of the present invention.

FIG. 9 is a flowchart showing an operation of the server according to Embodiment 4 of the present invention.

FIG. 10 is a configuration diagram showing a fifth embodiment of the present invention.

FIG. 11 is a flowchart showing a decoding operation according to Embodiment 5 of the present invention.

FIG. 12 is a flowchart showing an authentication operation of a server according to Embodiment 6 of the present invention.

FIG. 13 is a configuration diagram of a conventional robot monitoring system using an i-mode mobile phone.

FIG. 14 is a configuration diagram showing a display state in a conventional portable terminal.

[Explanation of symbols]

1 robot, 2 robot controller, 3 provider personal computer, 4 kernel personal computer, 5 client personal computer, 6 Ethernet, 7 ISDN router,
8 Internet, 9 WWW server, 10 gateway server, 11 wireless packet network, 12 i-mode mobile phone, 13 mobile notebook computer.

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5J104 AA07 KA01 MA01 NA01 NA05 PA01 PA07 5K030 GA15 HA08 HC01 HC09 HD03 JL01 JT03 JT06 JT09 LA07 LD19 MA06 5K101 KK13 LL12 PP03 RR22

Claims (6)

[Claims] Claims: 1. A portable information terminal for exchanging information with a server via the Internet, wherein the server is provided with means for inputting a password by a text field and performing password authentication. Supply method. 2. A portable information terminal for exchanging information with a server via the Internet, wherein the server is provided with a means for inputting and displaying a password using a text attribute or a password attribute and performing password authentication on the server. Information supply method to mobile information terminals. 3. A server for inputting a password and authenticating a password to a portable information terminal for exchanging information with a server via the Internet, and a means for generating a keyword with a random number after the password authentication. And a method of supplying information to a portable information terminal in which a keyword is used as a part of a URL used in subsequent access. 4. The information supply to a portable information terminal according to claim 3, wherein the server is provided with means for counting the number of times of access using a keyword, and means for rejecting subsequent access when a predetermined count is reached. method. 5. A portable information terminal for exchanging information with a server via the Internet, the portable information terminal having means for decrypting the transferred encrypted data and sending the decrypted data to the portable information terminal. Information supply method to mobile information terminals. 6. A portable information terminal for exchanging information with a server via the Internet is provided with means for performing access authentication using both an input password and an ID unique to the portable information terminal. Information supply method to portable information terminals.