JP2002152195A - Server and method for authentication and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mechanism which easily performs user authentication with higher reliability. SOLUTION: After performing user authentication at a request from a portable telephone set 10, the authentication server 30 issues an access password which is temporarily usable and sends it to the portable telephone set 10. When the portable telephone set 10 accesses an IP server 50, user authentication is carried out by using the access password.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to an authentication server for performing user authentication using a password, an authentication method, and a recording medium.

[0002]

2. Description of the Related Art Mobile phones have become more sophisticated, and recently, mobile phones capable of accessing the Internet have been developed. On the other hand, the construction of a service provider that provides various services to this type of mobile phone is also being rapidly established.

[0003] When a user enjoys various services from a server using a mobile phone, usually,
A user authentication process is performed. In a conventional user authentication method, a password and a user ID are assigned to each user in advance, and the user is authenticated by confirming the password and the user ID input to the mobile phone by the user.

[0004]

However, in the conventional method, if a user's password or user ID is stolen by a third party, an unauthorized third party can receive network services. Had. The present invention has been made under such a background, and an object of the present invention is to provide an authentication server, an authentication method, and a recording medium for easily performing highly reliable user authentication.

[0005]

In order to solve the above-mentioned problems, the invention according to claim 1 provides a communication terminal which is connected to a user of the communication terminal when the communication terminal accommodated in the closed network accesses a server on the open network. An authentication server installed in the closed network to authenticate the user, wherein a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance. A first authentication means for performing a first user authentication based on whether the first
Issuing means for issuing an access password temporarily usable by the user when the validity of the user is confirmed by user authentication of the user; storage means for storing the issued access password; and Delivery means for delivering the access password to the communication terminal via the closed network; and an access password input to the communication terminal by the user and transferred from the communication terminal via a server on the open network. Receiving means for receiving a password, a second authentication means for performing a second user authentication based on whether the stored access password matches the received access password, and a server on the open network. Transmission means for transmitting the result of the second user authentication. The features.

[0006] According to a second aspect of the present invention, when a communication terminal accommodated in a closed network accesses a server on an open network, an authentication installed in the closed network to authenticate a user of the communication terminal. A server, a first authentication unit that performs user authentication by determining whether a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance, The first
Issuing means for issuing an access password temporarily usable by the user when the validity of the user is confirmed by user authentication of the user; storage means for storing the issued access password; and Delivering means for delivering the access password to the communication terminal via the closed network, receiving means for receiving the access password input from the user to the communication terminal and transmitted from the communication terminal, A second authentication unit that performs a second user authentication based on whether the received access password matches the received access password.

[0007] The invention described in claim 3 is the first or second invention.
In the authentication server according to the above, the access password can be used only for one time of the second user authentication, and when the validity of the user is confirmed by the second authentication means, the access password is stored. And a deletion means for deleting the access password in question.

According to a fourth aspect of the present invention, in the authentication server according to any one of the first to third aspects, the access password has an expiration date within which the user can use the access password. The storage means stores the access password and the expiration date of the access password in association with each other.
Is characterized in that it is determined whether or not the access password used for the second user authentication has expired.

According to a fifth aspect of the present invention, in the authentication server according to any one of the first to fourth aspects, the communication terminal is a mobile communication terminal that performs wireless communication, and the closed network is the mobile communication terminal. And the open network is the Internet.

According to a sixth aspect of the present invention, when a communication terminal accommodated in a closed network accesses a server on an open network, an authentication server installed in the closed network authenticates a user of the communication terminal. Performing a first user authentication based on whether a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance. ,
When the validity of the user is confirmed by the first user authentication, issuing a temporarily usable access password for the user; storing the issued access password; Delivering the set access password to the communication terminal via the closed network; and an access password input to the communication terminal by the user and transferred from the communication terminal via the server on the open network. Receiving the password, performing a second user authentication based on whether the stored access password matches the received access password, and performing the second user authentication on a server on the open network. Transmitting the result of user authentication of And wherein the door.

[0011] According to a seventh aspect of the present invention, when a communication terminal accommodated in a closed network accesses a server on an open network, an authentication server installed in the closed network authenticates a user of the communication terminal. Performing a first user authentication based on whether a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance, and Issuing an access password that can be temporarily used by the user when the validity of the user is confirmed by the first user authentication; and storing the issued access password; The issued access password is sent to the communication terminal via the closed network. Sending, receiving an access password input to the communication terminal by the user and transmitted from the communication terminal, and determining whether the stored access password matches the received access password. Performing a second user authentication depending on whether or not, and within a Rose network, comprising a password input to the communication terminal by the user and a password assigned to the communication terminal and stored in advance. I do.

The invention according to claim 8 is the invention according to claim 6 or 7.
In the authentication method described in 1, the access password is usable only for one time of the second user authentication, and when the validity of the user is confirmed by the second user authentication, the access password is stored. And a step of deleting the access password that has been set.

According to a ninth aspect of the present invention, in the authentication method according to any one of the sixth to eighth aspects, the access password has an expiration date within which the user can use the access password. The step of storing the access password is performed by storing the access password and the expiration date of the access password in association with each other, and the step of performing the second user authentication comprises: It is characterized in that it is determined whether or not the password has expired.

The invention according to claim 10 is the invention according to claims 6 to 9
Wherein the communication terminal is a mobile communication terminal that performs wireless communication, the closed network is a mobile communication network that accommodates the mobile communication terminal, and the open network is the Internet. It is characterized by.

[0015] The invention described in claim 11 is the invention according to claims 6-1.
The present invention provides a computer-readable recording medium storing a program for causing a computer to execute the authentication method described in any one of (1) and (2).

[0016]

Embodiments of the present invention will be described below with reference to the drawings. However, the present invention is not limited to such an embodiment, and various changes can be made within the scope of the technical idea. A: Configuration First, the configuration of the embodiment will be described. (1) Overall System Configuration FIG. 1 is a block diagram showing an overall system configuration according to an embodiment of the present invention. As shown in FIG. 1, the system includes a mobile phone 10, a mobile packet communication network 20, an authentication server 30, an Internet 40, and an IP (Informat).
ion provider) server 50 is the main configuration.

The mobile telephone 10 receives a call service of a mobile telephone network (not shown) and also performs a wireless communication with a base station 21 of a mobile packet communication network 20 to receive a data communication service of the network 20. The mobile phone 10 is equipped with a document browsing software, a so-called browser, thereby displaying a homepage provided by the IP server 50 via the mobile packet communication network 20 and the Internet 40,
Various services are provided.

The mobile packet communication network 20 includes a base station 21,
Switching center (not shown), packet subscriber processing unit (not shown)
And a communication line (not shown) connecting them, and provides the mobile phone 10 with a packet-based data communication service. This mobile packet communication network 20
Is connected to the Internet 40 via the gateway 22, and bidirectional data transfer is possible between these two networks. A large number of base stations 21 are installed at predetermined intervals in a communication service area of the mobile packet communication network 20, and perform wireless communication with the mobile phones 10 located in each wireless cell.

The IP server 50 provides various homepages and services to the mobile phone 10 via the Internet 40 and the mobile packet communication network 20. More specifically, the IP server 50 transmits the HTML (Hypertext Markup Language) that can be referred to using the browser of the mobile phone 10.
e) Format data is retained, and services such as distribution of various contents, online trading, mobile banking, and PIM (Personal Information Manager) are provided in response to a request from the mobile phone 10 displaying this page.

Before such a service is provided,
The authentication server 30 executes an authentication process for the user of the mobile phone 10, and provides the service only to the user whose validity is confirmed. This authentication process
In addition to the conventional mechanism of user authentication (hereinafter, referred to as first user authentication), user authentication (hereinafter, referred to as second user authentication) utilizing that the mobile packet communication network 20 is a closed network is performed. is there. In the second authentication, the authentication server 30 issues a password that can be temporarily used by the user (hereinafter, referred to as an access password), and delivers the password to the mobile phone 10 via the mobile packet communication network 20. Next, the IP by the mobile phone 10
When accessing the server 50, the authentication server 30 performs the second user authentication using the access password input to the mobile phone 10 by the user, whereby the access is permitted.

(2) Configuration of Mobile Phone 10 Next, the configuration of the mobile phone 10 will be described with reference to the block diagram shown in FIG. As shown in FIG. 1, the mobile phone 10 includes a transmission / reception unit 11, a control unit 12, a user interface unit 13, and a bus 14 connecting these components to each other.

The transmission / reception unit 11 includes an antenna and a communication control circuit (not shown), and is connected to the base station 2 of the mobile packet communication network 20.
1 and performs wireless communication. The user interface unit 13
It comprises a liquid crystal display for displaying various information, a keypad for the user to perform various input operations, a microphone and a speaker for the user to talk. The control unit 12 controls each unit of the mobile phone 10, and includes a CPU 12
1, a ROM 122 and an SRAM 123.
Various control programs and the like are stored in the ROM 122, and the CPU 121 reads out these control programs and executes control processing. The control programs in the ROM 122 include, in addition to the browser described above, a mailer for sending and receiving e-mails, an authentication request program for requesting the authentication server 30 to perform user authentication, and the like. The authentication request program includes screen data for receiving an access password issuance request as described later, and a telephone number for calling the authentication server 30. The SRAM 123 is used as a work area of the CPU 121, caches a home page provided from the IP server 50,
It stores contents downloaded from e-mail and received e-mail.

(3) Configuration of Authentication Server 30 Next, the configuration of the authentication server 30 will be described. FIG.
3 is a block diagram illustrating a configuration of the authentication server 30. As shown in the figure, the authentication server 30 includes a communication unit 31 and a CP.
U32, ROM 33, RAM 34, hard disk drive 35, timer 36, and bus 37 interconnecting these
Consists of

The communication section 31 comprises a connection interface with the mobile packet communication network 20 and a communication control circuit.
Data communication is performed with the mobile phone 10 and the IP server 50 via the Internet. Various control programs and the like are stored in the ROM 33, and the CPU 32 reads out these control programs and executes control processing. At this time, the RAM 34
Used as a work area of the CPU 32.

The hard disk drive 35 has a storage area called a user information storage section 35a, and stores an authentication program 35b and an access password table 35c. The user information storage unit 35a stores the mobile phone 10
This is an area for storing information about the user in a database and storing it. In this user information storage unit 35a,
As shown in the format diagram of FIG. 4, a user name, a subscriber number (that is, a telephone number of the mobile phone 10), a password,
User IDs and the like are stored in association with each other.
“Password” is a character string assigned to each user when subscribing to the packet communication service, and is used for the first user authentication described above. “User ID” is identification information assigned to identify each user of the mobile phone 10. However, the user ID is not provided for the purpose of identifying each user by the authentication server 30 itself, but is used when the IP server 50 and the authentication server 30 exchange information about the user.
The 0 side is used to identify each user. In the mobile packet communication network 20, it is possible to identify the user of each mobile phone 10 by a subscriber number (telephone number of the mobile phone 10). It is not desirable from the viewpoint of security to transmit the information. For this reason, when transmitting and receiving information about the user inside and outside the mobile packet communication network 20, the user ID is used.
Is used to specify each user.

As shown in the format diagram of FIG. 5, the access password table 35c stores an access password issued in response to a request from the mobile phone 10 to a user ID assigned to the mobile phone 10 and the use of the access password. Store it in association with the term.

The authentication program 35b performs the first user authentication using the password stored in the subscriber information storage section 35a, and executes the access password table 35.
This is a program for performing a second user authentication process using the access password stored in c.

B: Operation Next, the operation of the embodiment having the above configuration will be described. (1) Operation of Entire System First, the operation of the entire system until the mobile phone 10 accesses the IP server 50 and receives a desired service will be described with reference to a sequence diagram shown in FIG. As mentioned above, the user of the mobile phone 10
Prior to accessing the server 50, it is necessary to undergo authentication processing by the authentication server 30. Therefore, when the user performs a predetermined operation using the keypad of the mobile phone 10,
The mobile phone 10 receives this operation (step Sa).
1) Screen data for issuing an access password is read from the SRAM 123 and displayed on the liquid crystal panel (step Sa2).

This display screen is provided with a field for inputting a password. When the user inputs a password (here, "1111") assigned to himself / herself in this field, the portable telephone 10
Accepts this input operation (step Sa3).

Next, the portable telephone 10 is connected to the SRAM 12
3, the telephone number of the authentication server 30 is read, the server 30 is called, and a request signal requesting issuance of an access password is transmitted (step Sa4). The request signal includes the password “1111” input by the user and the mobile phone 1 using the calling number notification function.
0 telephone number (that is, subscriber number) "090-1111-
1111 "is included.

Upon receiving the request signal, the authentication server 30 performs a first user authentication by executing a user authentication process described later. More specifically,
Password “1111” and subscriber number “090-111”
1-1111 ”and the user information storage unit 3
The first user authentication is performed depending on whether or not it is stored in 5a. When the validity of the user is confirmed, an access password is issued (step Sa5). here,
It is assumed that “ab1234” shown in FIG. 5 has been issued.

Next, the authentication server 30 transmits the issued access password “ab1234” to the mobile phone 10 in the form of an e-mail (step Sa6). Since the delivery of the access password is performed via the closed network called the mobile packet communication network 20, there is little danger of eavesdropping and tampering, and the confidentiality required for the password is maintained. .

When the mobile phone 10 receives the e-mail including the access password, it displays this on the liquid crystal display (step Sa7). The user can know the access password “ab1234” by referring to this display.

Next, the user enters the URL of the desired IP server 50 in order to start accessing the desired IP server 50.
(Uniform Resorce Locator) is input to the mobile phone 10. The specification of the URL is not limited to the operation of inputting a character string indicating the URL, but the access is instructed by the user selecting a character string linked to the IP server 50 by the HTML A tag. You may. The mobile phone 10 receives a user operation (Step Sa8), and transmits a request signal including the specified URL to the IP server 50 (Step Sa9).

On the other hand, upon receiving the request signal, the IP server 50 transmits an HTML page for performing the second user authentication using the access password to the mobile phone 10.
(Step Sa10).

When the portable telephone 10 receives the HTML page, it interprets this and displays it on the liquid crystal display.
A field for inputting a user ID and an access password is provided on this page, and a message is displayed to prompt the user to perform an input operation in the field. The user enters his or her user ID “abcdef” in these fields and the access password “ab1234” delivered from the authentication server 30 at step Sa6 and displayed on the liquid crystal display.
Enter The mobile phone 10 receives an input operation of the user (step Sa11), and transmits a request signal including the input user ID and access password to the IP server 50 (step Sa12).

Upon receiving the request signal, the IP server 50 receives the user ID “abc” from the request signal.
def "and the access password" ab1234 "are detected, and a request signal for requesting the second user authentication is transmitted to the authentication server 30 (step Sa13). This request signal contains the detected user ID and access password.

Upon receiving the request signal, the authentication server 30 performs a second user authentication by executing a user authentication process described later (step Sa1).
4). More specifically, the second user authentication is performed based on whether the user ID “abcdef” and the access password “ab1234” are stored in the access password table 35c in association with each other. And
The authentication server 30 returns an authentication result to the IP server 50 (Step Sa15).

The IP server 50 determines whether or not access by the mobile phone 10 is possible with reference to the authentication result (step Sa16). Here, it is determined that access is possible, and IP server 50 provides a desired service to mobile phone 10 (step Sa17).

(2) Operation of CPU 32 of Authentication Server 30 Next, the operation of the CPU 32 of the authentication server 30 will be described in detail. The processing of the CPU 32 is described below.
It is roughly divided into a user authentication process for performing user authentication and a timer management process for managing the expiration date of the B-access password.

(2) -A. FIG. 7 shows a main routine of a user authentication process executed by the CPU 32. Referring to FIG.
Determines whether any event has been received (step Sb1). Here, an access password issuance request received from the mobile phone 10 (step Sa4 shown in FIG. 6), a second user authentication request received from the IP server 50 (step Sa13 shown in FIG. 6), an access password expiration time-out , Three events are assumed. When any of these events is received (step Sb1; Yes), the CPU 32
The process proceeds to a process corresponding to the event (step Sb
2).

(2) -A-. Issuance of Access Password First, a case where the authentication server 30 receives an access password issuance request from the mobile phone 10 will be described.
In this case, the routine shown in FIG. 8 is started. First, C
The PU 32 uses the subscriber number notified by the calling number notification function of the mobile phone 10 as a key to store the user information storage unit 3.
5a, and performs first user authentication based on whether the password obtained as a result of the search matches the password transmitted from the mobile phone 10 (step Sc).
1).

Next, the CPU 32 determines whether or not the result of the first user authentication is OK (step Sc2). Here, assuming that the validity of the user has been confirmed (Step Sc2; Yes), the processing of the CPU 32 proceeds to the next. If the validity of the user is not confirmed due to an incorrect password or the like (Step Sc2; No),
The PU 32 transmits an error notification including a message to that effect to the mobile phone 10 (Step Sc3), and returns to Step Sb1 of the main routine shown in FIG.

When the validity of the user is confirmed, the CPU 3
2 issues an access password based on a predetermined algorithm described in the authentication program 35b (step Sc4). Then, the CPU 32 stores the issued access password together with the expiration date and the user ID on the access password table 35c (step Sc5).

Next, the CPU 32 requests a timer management process to be described later to register a timer for the access password issued as described above (step S).
c6). When the above processing is performed, the processing of the CPU 32 returns to step Sb1 of the main routine shown in FIG.

(2) -A-. Next, a case where the authentication server 30 receives a user authentication request using an access password from the IP server 50 will be described. In this case, the routine shown in FIG. 9 is started. First, the CPU 32 searches the access password table 35c using the user ID notified from the IP server 50 as a key, and determines whether the access password obtained as a result of the search matches the access password notified from the IP server 50. Thus, the second user authentication is performed (step Sd1).

Here, assuming that the authenticity of the user has been confirmed by the above-mentioned authentication processing (step Sd2; Yes),
The process of the CPU 32 proceeds to the next. If the validity of the user is not confirmed because the access password is incorrect or the access password to be authenticated is deleted from the access password table 35c due to a timeout (step Sd2; N).
o), the CPU 32 transmits an error notification to that effect to the IP server 50 (step Sd3), and returns to the main routine of FIG.

Next, the CPU 32 notifies the IP server 50 that the validity of the user has been confirmed (step Sd).
4). Then, the CPU 32 requests a timer management process, which will be described later, to erase time with respect to the access password used in the authentication process (step Sd).
5).

Next, the CPU 32 deletes the access password used in the authentication processing from the access password table 35c, and returns to step Sb1 of the main routine shown in FIG. 7 (step Sd6).

(2) -A-. Timeout Next, a case where the expiration date of the access password has arrived due to the timeout will be described. In this case, FIG.
Is started, the CPU 32 deletes the time-out access password from the access password table 35c (step Se1), and then returns to step Sb1 of the main routine shown in FIG.

(2) -B. Timer Management Process Next, an operation in which the CPU 32 executes the time management process will be described. FIG. 11 is a flowchart illustrating a timer management process executed by the CPU 32. In the figure, first, the CPU 32 determines whether or not a timeout has occurred in any of the access passwords on the access password table 35c with reference to the timer 36 and the expiration date field of the access password table 35c (step Sf1). ).

Here, if a timeout occurs in any of the access passwords (step Sf1; Y)
es), the process of the CPU 32 proceeds to the next. The CPU 32
The time-out access password is notified to the above-described user authentication process (step Sf).
2).

Next, the CPU 32 determines whether or not an event has occurred. The event here means either timer registration by the processing of step Sc6 in FIG. 8 or timer erasure by the processing of step Sd5 in FIG. If the event that has occurred is a timer registration, the CPU 32 starts time counting for the access password stored in step Sc5 of FIG. 8 (step Sf5). If the event that has occurred is the timer erasure, the CPU 32 proceeds to step Sd1 in FIG.
The time count for the access password used in is stopped (step Sf6). When the above processing is performed, the processing of the CPU 32 returns to step Sf1.

As described above, according to the embodiment, since the access password is delivered to the user using the mobile packet communication network 20, the confidentiality of the password is maintained. Further, since this access password is a temporary password with a limited expiration date, even if it is stolen by a third party and used for unauthorized access, the unauthorized use is limited to a relatively short-term use. be able to.

C: Modification As described above, the present invention is not limited to the above-described embodiment.
The following various changes are possible. (1) Access Route from Mobile Phone 10 to IP Server 50 In the embodiment, the IP server 50 receives an access request from the mobile phone 10 and requests the authentication server 30 for authentication processing in response to the access request. Was. However, the present invention is not limited to this, and the following procedure may be used.
When accessing the IP server 50 after receiving the access password, the mobile phone 10 first accesses the authentication server 30. Here, the user inputs the URL of the IP server 50 together with the access password, and requests the second user authentication and access to the IP server 50. After performing the authentication using the access password, the authentication server 30 permits the connection establishment between the mobile phone 10 and the IP server 50, and the mobile phone 10 accesses the IP server 50. This eliminates the need for the IP server 50 to use the user ID because the IP server 50 does not need to perform a process of requesting the authentication server 30 to perform authentication.

(2) Embodiment of the Mobile Phone 10 In the embodiment, the mobile phone is used as the terminal used by the user, but the present invention is not limited to this. In short, it is housed in a closed network such as a mobile packet communication network,
In addition, any communication terminal that can access a communication node on an open network such as the Internet may be used.
For example, a LAN (Local A
rea Network) and a personal computer equipped with a function of performing wireless communication via a wireless communication network.
DA (Personal Digital Assistants) or the like may be used.

(3) Installation Form of Authentication Server 30 The authentication server 30 may be provided in the mobile packet communication network 20 and may be provided on, for example, the gateway 22 or on the base station. . Authentication server 3
The function of issuing an access password of 0 and the function of authenticating with the access password need not be provided on one node, but may be provided on different nodes.

(4) Mode of User ID In the embodiment, it is not desirable from the viewpoint of security to output the subscriber number (telephone number of the mobile phone 10) to the outside of the mobile packet communication network 20.
D was used. However, the subscriber number may be used if the subscriber's permission has been obtained or if an environment in which security is maintained by encryption technology or the like is established. In the second authentication, it is not always necessary to use the user ID, and the authentication may be performed only by the access password. In this case, the IP server 50
Is notified only of the access password input by the user. Then, the authentication server 30 determines the legitimacy of the user based on whether or not a password that matches the notified access password is stored in the access password table 35c. By doing so, the authentication server 30 displays on the access password table 35c
Only the access password and the expiration date need to be stored in association with each other, and there is no need to store the user ID.

(5) Notification Form of Access Password In the embodiment, the access password of the mobile phone 10 is notified by e-mail, but the form of this e-mail is not only Internet mail and short mail, but also SMS ( Various forms such as a message delivery service called short message service) can be applied.
Further, the notification is not necessarily limited to the e-mail format, and the notification may be performed by another transmission method.

[0060]

As described above, according to the present invention, a temporarily usable access password is delivered to a user using a closed network, and when accessing a server on an open network, the user is provided with the access password. Since authentication is performed, highly reliable user authentication can be easily realized.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of an entire system according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of the mobile phone according to the embodiment.

FIG. 3 is a block diagram illustrating a configuration of an authentication server according to the embodiment.

FIG. 4 is a format diagram showing an example of contents stored in a user information storage unit of the authentication server in the embodiment.

FIG. 5 is a format diagram showing an example of contents stored in an access password table of the authentication server in the embodiment.

FIG. 6 is a sequence diagram illustrating an operation of the entire system in the embodiment.

FIG. 7 is a diagram illustrating a configuration of the authentication server according to the embodiment;
5 is a flowchart illustrating an operation of executing a main routine of a user authentication process.

FIG. 8 is a block diagram illustrating a configuration of the authentication server according to the embodiment;
It is a flowchart which shows the operation | movement which performs a user authentication process.

FIG. 9 is a block diagram illustrating a configuration of the authentication server according to the embodiment;
It is a flowchart which shows the operation | movement which performs a user authentication process.

FIG. 10 shows a CPU of an authentication server according to the embodiment.
Is a flowchart showing an operation of executing a user authentication process.

FIG. 11 is a diagram illustrating a CPU of an authentication server according to the embodiment;
Is a flowchart showing the operation of executing the time management process.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 10 ... Mobile telephone (communication terminal) 11 ... Transmission / reception part, 12 ... Control part, 121 ... CPU, 122 ... ROM 123 ... SRAM 13 ... User interface, 20 ... Mobile packet communication network (closed network), 21: base station, 22: gateway, 30: authentication server, 31: transmission / reception unit (delivery means, reception means, transmission means), 32 ... CPU (first authentication means, issuing means, second authentication means), 33 ROM, 34 RAM, 35 hard disk device (storage means), 40 Internet (open network) ), 50 ... IP server.

Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat II (Reference) H04Q 7/04 D (72) Inventor Kenju Takayama 2-1-1 Nagatacho, Chiyoda-ku, Tokyo NTT Corporation・ F-term (reference) in T-DOCOMO 5B085 AA01 AA08 5J104 AA07 AA16 EA03 KA01 KA06 KA21 MA02 NA05 NA38 5K067 AA34 BB04 BB21 EE04 EE10 HH22 HH24

Claims (11)

[Claims] 1. An authentication server installed in a closed network for authenticating a user of the communication terminal when a communication terminal accommodated in the closed network accesses a server on an open network, wherein the authentication server includes: A first authentication unit for performing a first user authentication based on whether or not a password input to the communication terminal and a password assigned to the communication terminal and stored in advance match; Issuing means for issuing an access password which can be temporarily used by the user when the validity of the user is confirmed by user authentication; storage means for storing the issued access password; and Delivery means for delivering an access password to the communication terminal via the closed network; Receiving means for receiving an access password input by the user to the communication terminal and transferred from the communication terminal via the server on the open network; the stored access password; and the received access A second authentication unit for performing a second user authentication based on whether or not the password matches with the password;
Transmitting means for transmitting a result of the user authentication of the authentication server. 2. An authentication server installed in the closed network for authenticating a user of the communication terminal when a communication terminal accommodated in the closed network accesses a server on the open network, wherein the authentication server includes: A first authentication unit for performing user authentication based on whether a password input to the communication terminal matches a password assigned to the communication terminal and stored in advance, and Issuance means for issuing an access password which can be temporarily used by the user when the validity of the user is confirmed; storage means for storing the issued access password; and Delivery means for delivering to the communication terminal via the closed network; Receiving means for receiving an access password input to the communication terminal by the user and transmitted from the communication terminal; and determining whether or not the stored access password matches the received access password. An authentication server, comprising: second authentication means for performing user authentication of (1). 3. The authentication server according to claim 1, wherein the access password can be used only for one time of the second user authentication, and the second authentication unit validates the user. An authentication server comprising: a deletion unit that deletes the stored access password when is confirmed. 4. The authentication server according to claim 1, wherein an expiration date for which the user can use the access password is determined for the access password, Storing the access password and the expiration date of the access password in association with each other, and determining whether the access password used for the second user authentication is within the expiration date. An authentication server characterized by the above-mentioned. 5. The authentication server according to claim 1, wherein the communication terminal is a mobile communication terminal that performs wireless communication, and the closed network is a mobile communication network that accommodates the mobile communication terminal. The authentication server, wherein the open network is the Internet. 6. An authentication method in which, when a communication terminal accommodated in a closed network accesses a server on an open network, an authentication server installed in the closed network authenticates a user of the communication terminal, Performing a first user authentication based on whether a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance, and the first user authentication When the validity of the user is confirmed by, a step of issuing an access password that the user can temporarily use, a step of storing the issued access password, and a step of storing the issued access password in the Delivering to the communication terminal via a closed network; Receiving an access password input by the user to the communication terminal and transferred from the communication terminal via the server on the open network; the stored access password; and the received access password. Performing a second user authentication based on whether or not the second and third parties match each other.
Transmitting the result of the user authentication. 7. An authentication method in which, when a communication terminal accommodated in a closed network accesses a server on an open network, an authentication server installed in the closed network authenticates a user of the communication terminal, Performing a first user authentication based on whether a password input to the communication terminal by the user matches a password assigned to the communication terminal and stored in advance, and the first user authentication When the validity of the user is confirmed by, a step of issuing an access password that the user can temporarily use, a step of storing the issued access password, and a step of storing the issued access password in the Delivering to the communication terminal via a closed network; Receiving an access password input by the user to the communication terminal and transmitted from the communication terminal; and determining whether or not the stored access password matches the received access password. Performing a user authentication and a password input to the communication terminal by the user in the Rose network, and a password assigned to the communication terminal and stored in advance. 8. The authentication method according to claim 6, wherein the access password is usable only for one time of the second user authentication, and the validity of the user is obtained by the second user authentication. When the authentication is confirmed, the authentication method comprises a step of deleting the stored access password. 9. The authentication method according to claim 6, wherein an expiration date for which the user can use the access password is determined for the access password, and The storing step stores the access password and the expiration date of the access password in association with each other, and the step of performing the second user authentication is that the access password used for the second user authentication is within the expiration date. An authentication method characterized in that it is determined whether or not the authentication is performed. 10. The authentication method according to claim 6, wherein the communication terminal is a mobile communication terminal that performs wireless communication, and the closed network is a mobile communication network that accommodates the mobile communication terminal. An authentication method, wherein the open network is the Internet. 11. A computer-readable recording medium storing a program for causing a computer to execute the authentication method according to claim 6.