JP2002312326A - Multiple authentication method using electronic device with usb interface - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a multiple authentication method capable of easily controlling an account and a password, securing high security level, and being applied to various authentication subjects such as a server and a device. SOLUTION: This multiple authentication method uses an electronic device with an USB interface composed of an account ID authenticating process for reading an account ID from a registry file 15b or a storage means 15a of a target computer 15 and checking the same by the electronic device 10, the computer authentication process, the completion of authentication status information indicating an event that the authentication is completed in both authentication processes, and an access and use rights authentication requiring process for transmitting the account and the password written in a memory unit 10a to the computer 15 as the target of the electronic device or the server 20 or the device 22 connected to the computer 15 by the electronic device 10.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a server computer such as a web server or an ASP server, various devices such as a printer, and an authentication method for authenticating whether or not an application program started in the device can be accessed through a computer, and more particularly to a USB key. A plurality of authentication methods using an electronic device having a USB interface.

[0002]

2. Description of the Related Art E-commerce sites have been launched in all types of industries and industries as if they were cut off, and recently there has been a strong impression that computers and networks connecting them are overflowing in the streets, not as companies or individuals. As described above, the security management of computer systems including networks has been regarded as important in the current situation where a general individual easily touches a computer and a network environment easy for anyone to use is being prepared. Therefore, attention is focused on an authentication technique for preventing unauthorized access to a computer or a network and associated theft, alteration, or destruction of data.

In the conventional authentication technology, authentication is executed by inputting a combination of a user ID and a password in order to confirm that the user is a legitimate user when using a multi-user computer system or network system. It had been. When a user logs in to a computer system or network and enters user ID and password data, it is confirmed (authenticated) whether the data is registered in the access authority list in advance, and the user is authenticated. Only then will the use of the system be permitted. At this time, the access right of the level registered in the access right list is given to the user.

[0004]

However, another problem newly emerged in the authentication by the conventional method as described above. For example, if you want to prevent malicious third parties from stealing or analyzing passwords and so on, you may change your account or password too frequently or increase the number of digits significantly.
There is a problem that the management becomes difficult for the user himself. It is very troublesome to manually enter such a large number of passwords every time authentication is performed, and it is extremely difficult to reliably store frequently changed passwords, etc., for a wide variety of authentication targets. Business. Even more, if the authentication step and the number of digits are large, it would be almost impossible to manage the information only in the user's own memory.

In this case, a personal identification number or the like is entered in a memo pad or the like for each type of authentication or each time it is changed, and it must first be referred to at first. There is a risk of plagiarism. For this reason, such techniques may be applied to businesses that only deal with less sensitive data, or require a low level of security, such as a single person using a computer to play in a closed room. It will be limited to the scene.

The input operation of the password or the like is performed using an input / output interface such as a keyboard attached to a computer. For example, character data of characters and symbols typed there is recorded with time, and A program that allows the user to later reproduce the typing situation at that time, or sends fake Web screen data to the target computer by impersonating the target server, extracting the account and password entered there and stealing it There are also cases where it is crowded.

On the other hand, the account and password once entered by the user on his / her computer are stored in a browser or O
It can be stored in the computer by a password storage function such as S. It is easy for a third party to find out the registry files used by this function, and if the computer is stolen, it can access and use various servers and application programs without knowing any password etc. There is also a risk that they will be lost. In any case, there are many security loopholes, whether or not you have to manually enter your account and password.

[0008] The present invention has been made in view of such circumstances, and manages accounts and passwords easily while ensuring a high security level.
US that can be widely applied to various authentication targets such as servers, devices, and application programs
An object is to provide a multiple authentication method using a B key.

[0009]

SUMMARY OF THE INVENTION The present invention has been made to achieve the above object, and a first invention is a computer and various servers and devices connected thereto,
For a user of the application program started in the computer or the server or device, a USB terminal connectable to a USB port of the computer, and authentication information such as an account and a password required to authenticate the user. Using an electronic device having a USB interface including the stored memory unit and a control chip set for controlling the exchange / verification of the authentication information with the computer via the USB terminal, it is determined whether the electronic device can be used. An authentication method, wherein an account can be generated from a password set in association with a user of each computer, which has been written to a memory unit of the electronic device and a storage unit and a registry file of the computer. D, the electronic device reads the account ID written in the storage means or the registry file of the computer from the storage means or the registry file of the computer into which the electronic device is inserted, and reads the read account ID and the memory of the electronic device itself. An account ID authentication process for checking an account ID that can be generated from a password stored in the unit, and authenticating whether the account ID itself matches or not; a memory unit of the electronic device; a storage unit and a registry file of the computer; Out of account IDs that can be generated from a personal identification number set in association with the user for each computer that has been written to the The electronic device reads the account ID from the storage means of the computer into which the electronic device is inserted, compares the read account ID with an account ID generated from a password stored in a memory unit of the electronic device itself, and compares the account ID with the computer. A computer authentication process for authenticating the legitimacy of individual correspondence with the device, authentication completion status information indicating an event that authentication has been completed in the account ID authentication process and the computer authentication process, various servers and devices connected to the computer, An account and a password set in each of the application programs started in the computer or the server and written in the memory unit of the electronic device; And an access / use right authentication requesting step of transmitting to the computer or the server or the device and requesting authentication of the access right and the use right of the server, the device and the application program. Had multiple authentication methods.

According to a second aspect of the present invention, in the first aspect, the last connection information, which is written in a memory unit of the electronic device and is the last legitimate access by the computer corresponding to the electronic device to the server, is stored in the access unit. -A multiple authentication method using an electronic device having a USB interface, wherein the electronic device is transmitted to the computer or the server or device in a use right authentication request process.

According to a third aspect of the present invention, in the first or second aspect, an additional number is stored in the electronic device and the computer in addition to the password, and an account ID or an account ID is obtained from the password and the additional number.
A plurality of authentication methods using an electronic device having a USB interface, wherein an account ID is generated in the account ID authentication step and the computer authentication step.

[0012]

DESCRIPTION OF THE PREFERRED EMBODIMENTS === US as an Electronic Device
Structure of B key === USB (Universal Serial Bus) is a serial interface standard for personal computers, and the computer automatically recognizes the connection between the computer and a device (USB device) conforming to the standard. A plug-and-play function and a hot plug function that allows a USB connector to be connected and disconnected while a personal computer or device is turned on are enabled. Also,
Since a certain amount of power can be secured from the connected computer, etc., the size of the device itself can be reduced, and in combination with the ease of connection processing described above, it is extremely excellent in terms of ease of handling. I have. The USB key as an electronic device used in the present invention has the above-described functions and is designed to be able to execute authentication processing in a plurality of stages.

FIG. 1 is an explanatory diagram showing an example of the external shape of the USB key 10 and a usage form. The USB key 10 used in the multiple authentication method of the present invention has a USB terminal 11 that can be connected to a USB port 16 provided in various computers 15 such as a personal computer as shown in the figure, and an end portion of the USB terminal 11. And a casing 12 having various shapes and sizes, such as sticks, which are easy to hold and easy to carry by a person and which can protect the internal electronic unit from impact or the like.

On the other hand, inside the casing 12, a memory unit storing authentication information such as an account and a password necessary for authenticating the user of the computer 15 is provided.
And a control chip set for controlling the exchange / verification processing of the authentication information with the computer 15 via the SB terminal 11. An IC chip set or the like in which both are integrated can also be assumed. The casing 1
2 and the memory unit are structurally connected, and the casing 1
If the memory unit (or memory contents) is broken when prying open 2, security will be further improved. Of course, it is preferable that the authentication information written in the memory unit is encrypted.

=== System Configuration for Realizing the Present Invention ==
= FIG. 2 is an explanatory diagram showing an example of a system configuration for realizing the multiple authentication method of the present invention. Hereinafter, a system configuration for actually operating the multiple authentication method using the USB key 10 will be described. Here, an ASP (Application Service Provider) that provides various application programs to the member's computer 15 via the Internet 25 is provided by a server 20 that allows only members who have contracted in advance.
der). When the server 20 plays a role as an ASP, it is a matter of course that the member must be authenticated to verify the legitimacy of the accessing person. On the other hand, the members need to sequentially cope with the authentication processing required each time the server 20 is accessed. Therefore, a multiple authentication method using an electronic device having a USB interface (e.g., a USB key) of the present invention is applied to this situation, and management of accounts and passwords set in the server 20 and application programs provided therein is simplified. And secure a high security level.

The server 20 connects to an information communication network such as the Internet 25 as described above,
Act as a server, web server and email server. Also, individual data of those who have made a contract with the operator of the server 20 and become members are cataloged and managed. This individual data is managed by attaching an account to each member, and a relational table based on the account, such as a name, a contract content, a transaction history, a password, and the like is created. Various information in this relation table may be stored in an appropriate memory of the USB key 10 in some cases.

In addition, it has a database 21 storing application programs to be provided to members, and manages the database. The application programs stored here may be programs that perform financial engineering calculations and scientific and technological calculations with complex know-how, payroll calculations and tax processing in companies, etc. It is. Such an application program is executed in response to a request sent from the member's computer 15 to the server 20 through the Internet 25. The member transmits only data necessary for execution to the server 20, For example, it is possible to receive only processing results obtained by complicated and enormous calculations executed by the server 20. Of course, in addition to the function of the ASP, such as using an application program, a function of using various devices such as the printer 22 and the camera may be set.

The computer 15 accesses the server 20 via the Internet 25 or the like.
Since the right to use the computer 15 is determined by determining a personal identification number or the like for each user (member), it is necessary to perform an authentication operation for confirming the presence or absence of the right to use when starting the computer. Whether to set the right to use only one person or a plurality of persons to use one computer 15 can be easily controlled by issuing how many authentication information such as a password. In addition, an appropriate storage means 15a such as a hard disk drive is provided, and various applications such as an OS, a browser, and mail software are installed therein. Generally, the storage unit 15a stores a registry file 15b for storing information such as various environment settings, designation of drivers, association of applications, and the like. In the present invention, a password set for each user is recorded in the storage unit 15a and the registry file 15b.

The USB port 16 of the computer 15
Is connected to the computer 15. The USB key 10 is connected to the computer 15 via the USB terminal 11, and exchanges an account ID generated from a password written in the memory unit 10a with the computer 15 for collation.

The computer 15 is not limited to a general personal computer or the like, but may be a mobile phone or a TV set having an Internet connection function.
Various computer devices such as a fax machine can be applied on condition that USB connection is possible.

=== Implementation Procedure === FIG. 3 is a flowchart showing the actual procedure of the multiple authentication method of the present invention. As described above, assuming that the server 20 functions as an ASP server, a procedure for implementing the multiple authentication method of the present invention will be described below. First, the ASP that runs the server 20
It is necessary to set authentication information for each registered member who has contracted with the trader (step s200). The necessary authentication information is an account, a password, and a password. For account and password, see Server 2
0, which is used for logging in to the server when the member's computer 15 logs in, and a usage right confirmation for confirming each usage right of an application program used through the server 20, a database 21 storing the application program, and a device such as a printer 22. There is one for. On the other hand,
The personal identification number is set for each member, and is used for confirming the correspondence between the right to use the computer 15 and the USB key 10 used by the user.

The personal identification number is encrypted so as not to be easily diverted even if read, and is written to the storage means 15a and the registry file 15b of the computer 15 (step s201). Next, the password and the account password for server login and use right confirmation set in step s200 are registered in the memory unit 10a of the USB key 10 (step s202). The legitimate use relationship between the member who is the holder of the USB key 10 and the computer 15 used by the member is later authenticated by the account ID generated from the password.

If the computer 15 corresponding to the USB key 10 has at least once made a legitimate access to the server 20, the final connection information (for example, the last cookie information) is stored in the storage unit 15a of the computer 15, for example. Of the USB key 10 and write to the memory unit 10a of the corresponding USB key 10 (step s2).
03). In the case of the first access to the server 20, it is preferable that the writing process of the final connection information is exempted by the unique information provided in the USB key 10 in advance. With the steps so far, setting of information necessary for authentication such as an account, a password, a password, and a cookie, and writing to each device are completed.

Thereafter, the member who has started the computer 15 (step s204) tries to access the server 20. This member is the activated computer 1
5 USB port 16 and own USB key 10
Is inserted (step s205). The OS of the computer 15 starts to recognize the USB key 10 inserted into the USB port 16 by the plug and play function. Then, the USB key 10 that has been recognized and incorporated into the system by the computer 15 accesses the storage unit 15a or the registry file 15b of the computer 15. Then, an account ID is extracted from the password recorded therein, and is compared with an account ID generated from a password stored in its own memory unit 10a (step s206: account ID authentication process).

The account ID itself generated from the password by the collation of the password is checked for a match or mismatch. Further, an account ID that can be generated from the password is extracted and collated from the storage unit 10a (step s207: computer authentication process). These steps s206, s2
USB key 1 by checking account ID in 07
The authenticity of the correspondence between 0 and the computer 15 and the validity of the account ID are authenticated. If an account ID mismatch is found in any of the steps, the control chipset of the USB key 10 sends the O
An instruction is issued to restrict the power supply control function and various input functions incorporated in S, and the use of the computer 15 by an unauthorized person is stopped.

When the authentication in the account ID authentication process and the computer authentication process is completed normally (step s208), authentication completion status information indicating the completion event is issued by the USB key 10 or the computer 15 (step s209). The authentication completion status information is obtained by, for example, compressing and encrypting text data indicating that a match has been found in the registry file and storage means of the corresponding computer with respect to an account ID generated from a password set for a member. Is what it is. The issuance of this information means that the relationship between the USB key 10 and the computer 15 has been authenticated in terms of the legitimacy of the member who is the user and the legitimacy of the account ID derived from the password. In other words, it indicates a situation in which a user who has no problem in terms of right uses the predetermined computer 15 properly.

USB that issued authentication completion status information
The key 10 transmits the authentication completion status information, the account and password written in its own memory unit 10a, and the cookie information to a server 20 or a device connected to the computer 15 to which the USB key is inserted by the Internet 25. (Step s210). This allows these servers and devices to
Upon receiving the transmitted information such as the account, the collation work with the account etc. held by itself is started. This is set as an authentication request for the access right and the use right (step s211: access / use right authentication request process).

The server 20 reads the authentication completion status information and recognizes which member is trying to access the computer from which computer. At the same time, if the account password for server login and the matching of the cookie information are authenticated, access is permitted. In this embodiment, since the server 20 functions as an ASP server, account / password authentication for the right to use various application programs stored in the storage unit 21 of the server 20 is also performed. When all the authentications on the server 20 are completed normally, an access / use right authentication notification is transmitted to the computer 15. Computer 15
The USB key 10 receives the access / use right authentication notification (step s212), and the authentication is completed (step s213).

In the above-described account ID authentication step and the computer authentication step, the account IDs to be matched or unmatched may be exactly the same in both steps, or may be account IDs having different origins in each step. May be used.

Further, in addition to the password, another accessory number is stored in the electronic device and the computer, and an account ID or an account ID and an accessory ID are generated from the password and the accessory number, and the account ID is generated.
It is also preferable that the account ID is collated in the D authentication process and the computer authentication process.

=== Other Embodiments === In addition to the multi-authentication which integrates various authentication means, in addition to the one using the account ID generated from the account and the password and the personal identification number as in the above-described embodiment, at the time of login, It is also conceivable to apply a combination of various authentication means such as a token for automatically generating a password, a digital certificate, and biometric authentication (fingerprint or iris scanning). In any case, these authentication information may be stored in the USB key memory unit.

[0032]

As described above, according to the multiple authentication method using the electronic device having the USB interface of the present invention, the account or password is frequently changed, or the account or password having a large number of digits is authenticated. It is possible to prevent a malicious third party from stealing or analyzing a password or the like without manually inputting the password every time. Moreover, no matter how frequently the accounts and passwords are changed, and the number of digits is large and complicated, the accounts and passwords are stored in the memory unit of the electronic device. It can be easily used and managed without being aware of its complexity.

In order to store a password and the like in the memory of the electronic device, unlike a case where the password or the like is recorded on a medium having visibility such as a memo pad, a notebook, and a notebook, a situation in which the password is easily viewed does not occur. In other words, there is no danger that if a password or the like is encrypted and recorded in a file in the personal computer and the password is forgotten before the personal computer is started, the password cannot be used. Of course, the danger of typing information being recorded in the input / output interface such as a keyboard, and the danger of a fake server impersonating the target server extracting and stealing the account and password entered on the Web screen are all eliminated.

Further, the above effects are obtained, for example, starting from the start of the computer, using the application programs and data stored in the computer, connecting to a communication line to access a predetermined server via the Internet, and accessing the server. It is achieved through multiple levels of authentication, such as database access and application use, and its simplicity of use and management and high security are consistent.

In other words, if the accounts and passwords required for each of these steps are stored in the memory unit of the electronic device, it is possible to perform a plurality of reliable authentications before proceeding to the next step only after each authentication step has been completed normally. On the other hand, the execution is automated and performed very quickly because no work is required on the user. Therefore, the multiple authentication method of the present invention can be applied in various situations irrespective of the level of security required for each computer or network, and the authentication target can be applied from computers, servers and devices to application programs. Indeed, it is a wide range.

An electronic device having a USB interface that can easily manage accounts and passwords, ensures a high security level, and is widely applicable to various authentication targets such as servers, devices, and application programs. Can be provided.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram showing an example of the external shape and usage of a USB key.

FIG. 2 is an explanatory diagram showing an example of a system configuration for realizing the multiple authentication method of the present invention.

FIG. 3 is a flowchart showing the actual procedure of the multiple authentication method of the present invention.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 Electronic device (USB key) 10a Memory unit 15 Computer (insertion destination computer) 15a Storage means 15b Registry file 20 Server 22 Device (printer)

Claims (3)

[Claims] A USB terminal connectable to a USB port of the computer, for a computer and various servers and devices connected thereto, and for a user of an application program started on the computer or the server or device; A memory unit that stores authentication information such as an account and a password necessary for authenticating the user, and a control chip set that controls a process of sending and receiving the authentication information to and from the computer via the USB terminal. An authentication method for judging the use of an electronic device having a USB interface, wherein the computer has written and processed a memory unit of the electronic device and a storage unit and a registry file of the computer. Account ID that can be generated from the user and associated with the set personal identification number for each data
The electronic device reads out the account ID written in the storage means or the registry file of the computer from the storage means or the registry file of the computer into which the electronic device is inserted, and reads the read account ID and the memory unit of the electronic device itself. An account ID authentication step of comparing an account ID that can be generated from a password stored in the electronic device, and authenticating whether or not the account ID itself matches, a memory unit of the electronic device, a storage unit of the computer, and a registry file. An account ID that can be generated from a password that has been written to the computer and set in association with the user for each computer
The electronic device reads out the account ID written in the storage unit or the registry file from the storage unit of the computer into which the electronic device is inserted, and stores the read account ID and the memory unit of the electronic device itself. A computer authentication process for verifying the validity of the individual correspondence between the computer and the electronic device by comparing an account ID that can be generated from a personal identification number, and authentication completion indicating an event in which the authentication in the account ID authentication process and the computer authentication process is completed Status information and the information set in each of the various servers and devices connected to the computer, and the application programs started in the computers and servers, and written in the memory unit of the electronic device. An access / use right authentication requesting process in which the electronic device transmits a count and a password to the computer or the server or device into which the electronic device is inserted, and requests authentication for access rights and use rights for these servers, devices and application programs. And a multi-authentication method using an electronic device provided with a USB interface. 2. In the access / use right authentication requesting process, final connection information written in a memory unit of the electronic device and finally accessed by a computer corresponding to the electronic device to a server is referred to as the computer. The method according to claim 1, wherein the plurality of authentication methods are transmitted to the server or the device. 3. An account ID or an account ID and an accessory ID are generated from the password and the accessory number in the electronic device and the computer, and another accessory number is stored in the electronic device and the computer in addition to the password. 3. The multiple authentication method using an electronic device having a USB interface according to claim 1, wherein an account ID is collated in a computer authentication process.