JP2004326763A - Password change system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a management server capable of using a same password for a plurality of application servers when any of the plurality of application servers fails to change its password in the plurality of application servers which authenticate validity of a user with the same password. <P>SOLUTION: When changing the password, if any of the application servers fails to change its password, the management server changes the password of an application server of which password has already changed back to its original password. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

The present invention relates to a password change system.

2. Description of the Related Art Conventionally, when providing a plurality of services to a user, it has been widely performed that each application program that provides the service authenticates the validity of the user using the same password.
As described above, when the same password is used for a plurality of services, the user often needs to change the password in order to ensure security.

  Patent Document 1 discloses a password changing method for a plurality of services using the same password. According to this password change method, the password management device sequentially activates each application program that provides a service, and instructs a password change. At this time, a failure may occur in which one of the plurality of application programs cannot change the password normally.

The case where the password cannot be changed normally may be, for example, a power failure such as a hardware failure or an instantaneous interruption of an external disk of the system, or a connection failure of a network cable.
If such a failure occurs, the password management device will prompt the user to change the password again for the application program that cannot change the password normally when the user restarts the application program to use the corresponding service. Prompt for the operation.

Therefore, it is possible to maintain the consistency of the passwords for a plurality of services, triggered by the restart of the application program.
Japanese Patent Application Laid-Open No. 2000-169777

However, the method of Patent Document 1 has a problem that the password of the service for which the password change has failed is not kept the same as the password of another service until the next application is started.
Therefore, the present invention has been made in view of such a problem, and even when any one of a plurality of application devices fails to change a password, a management server device that can unify the passwords of the plurality of application devices, It is an object to provide an application device and a password change system.

  In order to achieve the above object, the present invention provides a management server device that instructs a plurality of application devices that provide each service to one user authenticated by one password to update the password, First means for attempting to update the password of the application device, second means for determining whether or not the password can be updated for each application device, and at least one application device determined to be impossible. A third means for setting the passwords of all the application devices before updating.

According to the above configuration, even when it is determined that there is an application device that is determined to be unable to update the password by the second means, the passwords of all the application devices are set to those before the update, It is possible to keep the passwords of a plurality of application devices unified.
The management server device may further include fourth means for receiving a request for updating the password from the user device, and the first means may attempt to update the password based on the received update request. .

With this configuration, the management server device can attempt to update the password based on the user's intention.
In the management server device, the first unit instructs all application devices to update passwords, and the second unit determines whether the password update has failed for each application device. The third means, when it is determined that the update has failed for at least one application device, instructs another application device whose password has been successfully updated to restore the password before the update to the other application device. I do.

  According to this, the second determining means determines whether or not the password update of any of the application devices has failed, and the third determining means determines that the password updating of at least one application device has failed. In such a case, the password is instructed to restore the password before the update to the application device that has succeeded in updating the password. Therefore, even if any of the application devices fails to update the password, all the application devices are updated. Passwords can be unified quickly.

In the present invention, the fourth means receives the update request including the new password and the old password of the user, and the first means determines the new password and the old password included in the received update request. An update instruction including the update instruction is generated, and the generated update instruction is transmitted to all application apparatuses.
According to this configuration, the fourth means receives an instruction for updating the password including the new password from a user. Thereby, the user himself can specify an arbitrary new password.

  Further, in the present invention, the second means includes a response receiving unit that receives a response indicating success or failure of updating the password from each application device, and, when the received response indicates success, A determination unit that determines that the update of the password has failed for the application apparatus when the received response indicates that the update of the password has succeeded, and the received response indicates a failure.

According to this configuration, the response receiving unit receives a response from each application device, and the determination unit determines that the password change of the application device has failed if the response indicates failure. This makes it possible to accurately detect a failure in updating the password of each application device.
Also, in the present invention, the second means may include a timer for measuring an elapsed time with the lapse of time, and at the time of transmission of the update instruction by the first means, the elapsed time measured by the timer. An initialization unit for resetting to an initial value, a waiting unit for waiting for a response indicating success or failure of updating the password from each application device, and determining whether the measured elapsed time is greater than a predetermined threshold value A determination unit for determining, when the elapsed time is determined to be equal to or smaller than the threshold value by the determination unit, and when a response from each application device is received by the standby unit, and the response indicates success, It is determined that the update of the password has been successful for the application device, and that the update of the password has failed for the application device otherwise. A management server apparatus which comprises a tough.

According to this configuration, even if the threshold value is exceeded, the determination unit determines that the password change has failed if the response is not received. Therefore, it is possible to reduce unnecessary waiting time exceeding the threshold value.
In the present invention, the first means instructs all application devices to prepare for updating the password, and the second means determines whether or not the preparation for updating the password has not been completed for each application device. The third means, when it is determined that the update preparation is not completed for at least one application apparatus, sends the update preparation instruction to another application apparatus that has completed the update preparation. The management server device is characterized by being canceled.

  According to this configuration, if at least one application device that has not been prepared for the password update exists, the preparation for the password update of the application device that has been prepared for the password update is canceled. Thereby, the password update of each application device is not executed until the preparation of the password update of all the application devices is completed, so that useless writing to the hard disk can be avoided.

In the present invention, the fourth means receives the update request including the new password and the old password of the user, and the first means determines the new password and the old password included in the received update request. An update preparation instruction including the update preparation instruction is generated, and the generated update preparation instruction is transmitted to all application apparatuses.
According to this configuration, the fourth means receives an instruction for updating the password including the new password from a user. Thereby, the user himself can specify an arbitrary new password.

  Further, in the management server device of the present invention, the second means may include a response receiving unit that receives a response indicating completion or incomplete preparation for updating the password from the application device, and a case where the received response indicates completion. A determination unit that determines that the preparation for updating the password is completed for the application device, and determines that the preparation for updating the password is not completed for the application device when the received response indicates incomplete. It is characterized by including.

According to this configuration, the response receiving unit receives a response from each of the application devices, and the determination unit determines that the password change preparation of the application device is incomplete when the response indicates incomplete. This makes it possible to accurately detect the incomplete preparation of the password update of each application device.
In the present invention, the second means includes a timer unit for measuring an elapsed time with the passage of time, and an elapsed time measured by the timer unit at the time of transmitting the instruction to prepare for update by the first means. An initialization unit for resetting to an initial value, a waiting unit for waiting for a response indicating completion or incompletion of preparation for updating the password from the application device, and whether or not the measured elapsed time is greater than a predetermined threshold A determination unit that determines whether the elapsed time is equal to or smaller than the threshold value, and a response from the application device is received by the standby unit, and the response indicates completion. A determination unit that determines that the preparation for updating the password has been completed, and in other cases, determines that the preparation for updating the password has not been completed.

According to this configuration, if the response is not received even if the threshold is exceeded, it is determined that the password change has failed, so that useless waiting time above the threshold can be reduced.
The management server device according to the present invention further includes a message transmission unit that transmits a message to the effect of returning to the original password to the user device when it is determined that the password cannot be updated by the second unit. It is characterized by including.

According to this configuration, the message transmission unit transmits the message to the user device, so that the user can know that the password to be used is before the update.
The management server device further includes a management storage unit that stores whether or not each application device is under maintenance, and the first unit is configured to store a password when there is no application device under maintenance. Attempt to update.

According to this configuration, the first means attempts to update the password when there is no application device under maintenance, so that the password update of the application device under maintenance prevents the password change of other application devices from being prevented. Can be avoided.
In addition, the first means stops updating the password when there is an application device under maintenance, and the management server device further includes a password when the updating of the password is stopped by the first means. Message transmitting means for transmitting a message to the effect that the updating of the user device is stopped to the user device.

According to this configuration, the message transmitting unit transmits a message to the effect that the updating of the password is interrupted to the user device, so that the user can surely know that the password cannot be updated.
Further, in the present invention, the application device is connected to the management server device via a first network, and the user device is connected to the management server device via a second network that is not connected to the first network. It is characterized by being connected to a management server device.

According to this configuration, since the application device and the user device are connected via the management server device, the management server device monitors communication between the application device and the user device. Can be.
In the present invention, the first network and the second network are intranets.

According to this configuration, the application device and the user device are connected to the management server device via different intranets, respectively, so that the configuration can be easily made using a technology popularized on the Internet.
Further, in the present invention, the management server device and each application device are connected via a dedicated line, and when updating a password, the management server device is connected via the dedicated line, Information for updating a password is transmitted and received between each application device, and when providing each service, the management server device communicates with the user device via a first and second network. The transmission and reception of information related to the service may be relayed with the application device.

According to this configuration, when updating the password, the management server device transmits and receives information for updating the password to and from each application device via the dedicated line. Since communication using a dedicated line has little risk of eavesdropping by a third party, it is possible to omit encryption processing for transmitting and receiving information when updating a password.
Also, when providing each service, the management server device relays the transmission and reception of the information on the service between the user device and each application device via the first and second networks. Therefore, transmission and reception of information for updating a password and transmission and reception of information related to the service do not affect each other.

  Further, the application device and the user device according to the present invention are connected to the management server device via a network, and the management server device further includes a type of an application and a type of the application device on the network. Using a storage unit that stores a correspondence table that associates the position information, a receiving unit that receives, from the user device, type information indicating an application and processing information indicating the content of processing, and using the correspondence table. The information processing apparatus may include an obtaining unit that obtains the position information of the application device corresponding to the received type information, and a transmitting unit that transmits the processing information to the application device indicated by the obtained position information.

  According to this configuration, the acquiring unit acquires the position information of the application device corresponding to the type information using the correspondence table, and the transmitting unit transmits the user information to the application device indicated by the position information. And transmitting the processing information received from the device. Thereby, the management server device can accurately transfer the processing information transmitted from the user device to the application device.

Further, the network may be the Internet.
According to this configuration, the management server device can transfer the processing information between the user device located at a remote place and each application device via the Internet.
According to the present invention, the updated new password is an initial password initially assigned to the user, the first means attempts to update all application devices to the initial password, and the second means The third means determines whether or not the update to the initial password is impossible for the application device, and updates the passwords of all the application devices when there is at least one application device determined to be impossible. It is also a management server device characterized by the above.

According to this configuration, the first means attempts to update to the initial password. Thus, even when the user cannot specify a new password, the user can try to update the password.
The present invention relates to an application device for providing a service to one user authenticated by one password and updating a password in accordance with an instruction from a management server device, wherein an old password storage means for storing a password before update An authentication password storage unit that stores a password used for user authentication, a receiving unit that receives, from the management server device, a restoration instruction for restoring the password to the one before updating, and receiving the restoration instruction. A writing unit that reads a password before update from an old password storage unit and overwrites the read password on an authentication password storage unit.

According to this configuration, when the restoration instruction is received from the management server device, the password before update is read from the old password storage unit stored in the old password storage unit, and the read password is overwritten on the authentication password password storage unit. According to the instruction from the management server device, the password for authentication can be promptly changed to the password before update.
Further, the application device transmits and receives information on the service to and from a user device of a user via the management server device.

According to this configuration, the application device transmits / receives information to / from the user terminal via the management server device. Access from anyone other than the user can be avoided.
The application apparatus according to the present invention is characterized in that when maintenance is being performed, the application server notifies the management server apparatus of the fact.

According to this configuration, the application apparatus notifies the management server apparatus in advance that maintenance is being performed, so the management server apparatus recognizes in advance that the application apparatus is being maintained, The transmission of the information and the transmission of the instruction to the application device can be stopped or postponed.
The application device is connected to the management server device via a first network, and the user device is connected to the management server device via a second network that is not connected to the first network. It is characterized by having.

According to this configuration, since the application device and the user device are connected via the management server device, the management server device monitors communication between the application device and the user device. Can be.
Further, the application device and the management server device are connected via a dedicated line, and when updating a password, the management server device communicates with the management server via the dedicated line. It may also be characterized in that information for updating a password is transmitted and received, and when each service is provided, information on the service is transmitted and received via the first and second networks.

According to this configuration, since the application device uses the dedicated line for transmitting and receiving the information regarding the password update, eavesdropping by a third party is difficult to be performed, and communication security is high.
Further, since the first network and the second network are used for transmitting and receiving information relating to each service, transmission / reception of information relating to password update and transmission / reception of information relating to the service do not affect each other.

Further, the application device and the user device according to the present invention are connected to the management server device via the Internet.
According to this configuration, since the application device and the user device are connected to the management server device via the Internet, the application device, the user device, and the management server device are respectively located at remote locations. Can send and receive information.

  The present invention instructs a user terminal device, a plurality of application devices that provide each service to one user terminal device authenticated by one password, and an update of the password to the application device. A password updating system including a management server device, wherein the management server device attempts to update passwords of all application devices, and determines whether or not the password cannot be updated for each application device. And at least one application device that is determined not to be available, and a third device that sets the passwords of all application devices to those before updating, and each application device includes: Old password storage means for storing the password before update, and user authentication Authentication password storing means for storing a password to be used, receiving means for receiving a restoration instruction for restoring the password to that before updating from the management server device, and receiving the restoration instruction, updating the old password storing means Writing means for reading the previous password and overwriting the read password in the authentication password storage means.

With this configuration, even when it is determined that any one of the plurality of application devices cannot update the password, the passwords of all the application devices are set to those before updating, thereby unifying the passwords of all the application devices. Can be kept.
In the present invention, the terminal device and each application device transmit and receive information via the management server device.

According to this configuration, the application device transmits / receives information to / from the user terminal via the management server device. Access from anyone other than the user can be avoided.
Further, the application device is connected to the management server device via a first network, and the user device is connected to the management server device via a second network that is not connected to the first network. It is characterized by being connected.

According to this configuration, since the application device and the user device are connected via the management server device, the management server device monitors communication between the application device and the user device. Can be.
Further, in the password update system, the first network and the second network are intranets.

According to this configuration, the application device and the user device are connected to the management server device via different intranets, respectively, so that the configuration can be easily made using a technology popularized on the Internet.
In the password update system, the management server device and each application device are connected via a dedicated line, and when updating a password, the management server device is connected via the dedicated line. Information for updating a password may be transmitted and received to and from the management server, and when each service is provided, information related to the service may be transmitted and received via the first and second networks.

According to this configuration, since the application device uses the dedicated line for transmitting and receiving the information regarding the password update, eavesdropping by a third party is difficult to be performed, and communication security is high.
Further, since the first network and the second network are used for transmitting and receiving information relating to each service, transmission / reception of information relating to password update and transmission / reception of information relating to the service do not affect each other.

  In the password update system according to the present invention, the application device and the user device are connected to the management server device via a network, and the management server device further includes an application type and a Storage means for storing a correspondence table for associating positional information on a network; receiving means for receiving, from the user device, type information indicating an application and processing information indicating the content of processing; and An acquisition unit for acquiring position information of an application device corresponding to the received type information, and a transmission unit for transmitting the processing information to an application device indicated by the acquired position information. You may do it.

  According to this configuration, the acquiring unit acquires the position information of the application device corresponding to the type information using the correspondence table, and the transmitting unit transmits the user information to the application device indicated by the position information. And transmitting the processing information received from the device. Thereby, the management server device can accurately transfer the processing information transmitted from the user device to the application device.

Further, the network is the Internet.
According to this configuration, since the application device and the user device are connected to the management server device via the Internet, the application device, the user device, and the management server device are respectively located at remote locations. Can send and receive information.

1. Embodiment 1
Hereinafter, Embodiment 1 of the present invention will be described in detail with reference to the drawings.
1.1 Overview of Password Change System As shown in FIG. 1, the password change system according to the present invention includes a user terminal 100, a first application server 200a, a second application server 200b, a third application server 200c, and a fourth application server 200d. And a management server 600. Each device is connected to the Internet 20.

The first application server 200a to the fourth application server 200d provide services of travel expense settlement, vacation application, meeting room reservation, and employee purchase, respectively.
The management server 600 and the first to fourth application servers 200a to 200d store in advance user IDs of valid users.
The user uses the services provided by the first application server 200a to the fourth application server 200d via the Internet 20 and the management server 600 using the user terminal 100.

At this time, the user terminal 100 transmits the user ID and password of the user to the management server 600.
The management server 600 and the first to fourth application servers 200a to 200d verify the user ID and the password, and authenticate that the user of the user terminal 100 is a valid user. Provide services to prepare.

In addition, the management server 600 receives the instruction to change the password from the user terminal 100, and receives the current password and the new password from the user terminal 100. The management server 600 sequentially transmits the received new password to the first application server 200a to the fourth application server 200d, and instructs a change of the password.
Here, when the password change is not performed normally in any of the first application server 200a to the fourth application server 200d, the management server 600 sends the current password to the application server whose password change has already been completed. And instruct them to change their passwords to their current passwords.

In the following description, when the first application server 200a to the fourth application server 200d are not particularly distinguished and when the first application server 200a to the fourth application server 200d are common, they are simply referred to as the application server 200.
1.2 User terminal 100
As shown in FIG. 2, the user terminal 100 includes a transmission / reception unit 101, an authentication unit 103, a control unit 107, a storage unit 110, an input unit 112, and an image display unit 113.

The user terminal 100 includes a microprocessor, a RAM, a ROM, and a hard disk (not shown). Computer programs are stored in the RAM, ROM, and hard disk, and the user terminal 100 fulfills its functions by the microprocessor operating according to these computer programs.
(1) Storage unit 110
The storage unit 110 includes a hard disk, a RAM, and a ROM, and stores various information.

As an example, as shown in FIG. 3, an application number table 120, a terminal ID 130, a secret key 135, a public key certificate 136, a CRL (Certificate Revocation List) 137, and a certificate authority public key 138 are stored.
The application number table 120 is a table that associates services provided by the application server 200 and the management server 600 with application numbers assigned to the respective services. The application number “001” is an identification number indicating a travel expense settlement service, and the application number “002” is an identification number indicating a vacation application service. The application number “003” is an identification number indicating a conference room reservation service, and the application number “004” is an identification number indicating an employee purchase service. The application number “005” is an identification number indicating a service provided by the management server, such as a login process and a password change.

The terminal ID 130 is identification information unique to the user terminal 100.
The public key certificate 136 certifies the validity of the public key paired with the private key 135, and includes a certificate ID, the public key, and signature data from a certificate authority. The signature data of the certificate authority is generated by applying a signature generation algorithm S to the public key using the secret key of the certificate authority. Here, the certificate authority is a third-party organization and issues a public key certificate of each device belonging to the password change system. The signature generation algorithm S is, for example, an ElGamal signature on a finite field. Since the ElGamal signature is publicly known, the description is omitted.

The CRL 137 includes the certificate ID of a revoked public key certificate issued by a certificate authority.
The certificate authority public key 138 is a public key that is paired with the certificate authority private key.
(2) Transmission / reception unit 101
The transmission / reception unit 101 transmits and receives information between an external device connected to the Internet 20 and the control unit 107 and the authentication unit 103.

The transmission / reception unit 101 stores the IP addresses of the user terminal 100 and the management server 600.
Various types of information transmitted and received by the transmission / reception unit 101 are in the form of a packet 140 shown in FIG. The packet 140 includes a destination address 141, a source address 142, and a data part 143. The destination address is the IP address of the destination, and the source address 142 is the IP address of the source. The data unit 143 includes, for example, an application number 146, a terminal ID 147, and data 148.

The application number 146 corresponds to the type of service provided by the first application server 200a to the fourth application server and the management server 600, and is the same as the application number included in the application number table 120.
When the transmission / reception unit 101 receives the data unit 143 including the application number 146, the terminal ID 147, and the data 148 from the control unit 107 and receives a transmission instruction, the transmission / reception unit 101 transmits the IP address of the user terminal 100 to the received data unit 143 as a transmission source address. After setting, the IP address of the management server 600 is set as the transmission destination address and transmitted.

  Here, the application number 146, the terminal ID 147, and the data 148 included in the data section 143 are listed for ease of description, but in reality, the data section 143 has a variable length but a maximum bit length. If the data section 143 exceeds the maximum bit length, the data section 143 is divided, and a transmission destination address and a transmission source address are set for each of the divided data sections 143 and transmitted.

(3) Input unit 112
The input unit 112 is connected to peripheral devices such as a keyboard and a mouse, receives an operation of the peripheral device by a user, and outputs operation instruction information corresponding to the received operation to the control unit 107.
(4) Control unit 107
The control unit 107 controls various types of information processing executed by the user terminal 100 by the processor operating according to the computer program.

In the present application, the control unit 107 receives various operation instruction information from the input unit 112. Based on the received operation instruction information, a login process, use of various services, a password change process, and the like are performed.
In the course of these processes, login screen data, terminal menu screen data, terminal settlement screen data, terminal settlement completion screen data, terminal password change screen data, terminal change completion screen data, It receives screen data such as terminal change failure screen data, terminal forced termination screen data, etc., various services, password change, mutual authentication, and various information related to encryption processing, and processes the received various screen data and various information.

  During the above processing, the information transmitted from the control unit 107 to the management server 600 via the transmission / reception unit 101 is in the form of a packet 140 shown in FIG. The control unit 107 reads the terminal ID 130 from the storage unit 110, extracts an application number from the application number table 120, and generates a data unit 143 including the read terminal ID 130, the extracted application number, and various information. The generated data section 143 is output to the transmission / reception section 101, and transmission is instructed.

In the following description, the generation of the data section 143 will be simplified, and will be simply expressed as an application number, a terminal ID, and various information.
Hereinafter, a login process, a process of using various services, and a process of changing a password will be described.
(Login process)
When receiving the operation instruction information indicating the electronic application from the input unit 112, the control unit 107 instructs the authentication unit 103 to perform mutual authentication with the management server 600.

  Mutual authentication by the authentication unit 103 is established, a terminal common key is received from the authentication unit 103, and the received terminal common key is stored. Next, login screen data is received from the management server 600 via the transmission / reception unit 101, a login screen 151 is generated from the received login screen data, and the generated login screen 151 is output to the image display unit 113. The display of the login screen 151 is instructed. The login screen 151 shown in FIG. 5 is an example of a screen displayed here. The login screen data is data for generating the login screen 151 and is described in HTML.

Next, the input and the input of the user are received via the input unit 112. Upon receiving the operation instruction information indicating that the send button 154 has been pressed, the password and the terminal common key entered in the password box 153 are output to the encryption processing unit 108 to instruct encryption. Next, the encrypted password is received from the encryption processing unit 108, and the application number “005” and the terminal ID 130 are read from the storage unit 110. The read application number “005”, the terminal ID 130, the received encrypted password, and the user ID input to the user ID box 152 are output to the transmitting / receiving unit 101, and transmission to the management server 600 is instructed.
(Use of various services)
Next, terminal menu screen data is received from the management server 600, a menu screen 161 is generated from the received terminal menu screen data, and the generated menu screen 161 is output to the image display unit 113. Instruct display. FIG. 5 is an example of the menu screen 161 displayed here. The terminal menu screen data is data for generating the menu screen 161 and is described in HTML.

Next, operation instruction information indicating that the buttons 162 to 166 displayed on the menu screen 161 have been pressed is received from the input unit 112.
The control unit 107 receives operation instruction information indicating that the button 162, 163, 164, or 165 has been pressed from the input unit 112, and performs processing of travel expense settlement, vacation application, meeting room reservation, or employee purchase service, respectively. Start.

Here, as an example, only the use of the travel expense settlement service will be specifically described.
When receiving the operation instruction information indicating the press of the button 162 from the input unit 112, the control unit 107 extracts the application number “001” from the application number table 120 of the storage unit 110, reads the terminal ID 130, and reads the extracted application number. “001” and the read terminal ID 130 are transmitted to the management server 600 via the transmission / reception unit 101, and a service start is requested.

Next, the control unit 107 receives the wait message, the terminal forced termination screen data, or the terminal settlement screen data from the management server 600 via the transmission / reception unit 101. The terminal forced termination screen data and the terminal settlement screen data are data for generating the forced termination screen 321 and the settlement screen 171 and are described in HTML.
When the wait message is received, the wait message received via the image display unit 113 is displayed on the monitor. Next, the menu screen 161 is displayed on the monitor via the image display unit 113, and the process is started from the reception of the menu selection. Start over.

When the terminal forced termination screen data is received, a forced termination screen 321 is generated from the received terminal forced termination screen data, the generated forced termination screen 321 is output to the image display unit 113, and the display of the forced termination screen 321 is instructed. Then, the process ends. The forced termination screen 321 shown in FIG. 8 is an example of the screen displayed here.
Upon receiving the terminal settlement screen data, the terminal generates a settlement screen 171 from the received terminal settlement screen data, outputs it to the generated settlement screen 171 image display unit 113, and instructs the display of the settlement screen 171. FIG. 6 is an example of the settlement screen 171 displayed here.

  Next, an input from the user is received via the input unit 112. Operation instruction information indicating that the send button 173 on the settlement screen 171 has been pressed is received from the input unit 112, and the input data and the terminal common key input on the settlement screen 171 are output to the encryption processing unit 108 and encrypted. Instruct. Data 149 shown in FIG. 4 is an example of input data output here, and includes a destination, a transportation name, a fee, and the like.

The encrypted input data is received from the encryption processing unit 108, the application number “001” and the terminal ID 130 are read from the storage unit 110, and the read application number “001”, the terminal ID 130, and the received encrypted input data are transmitted to the transmission / reception unit. The data is transmitted to the management server 600 via the server 101.
Next, from the management server 600, the terminal settlement end screen data is received, a settlement end screen 181 is generated from the received terminal settlement end screen data, and the generated settlement end screen 181 is output to the image display unit 113. Instruct display. The settlement end screen 181 shown in FIG. 6 is an example of the screen displayed here. The terminal settlement end screen data is data for generating a settlement end screen, and is described in HTML.

Next, operation instruction information indicating that the menu button 182 or the logout button 183 on the settlement end screen 181 is pressed is received from the input unit 112.
Upon receiving operation instruction information indicating that the menu button 182 has been pressed, the image display unit 113 is instructed to display the menu screen 161 and accepts menu selection.
Upon receiving the operation instruction information indicating that the logout button 183 has been pressed, the control unit 107 generates a logout notification, reads the application number “005” and the terminal ID from the storage unit 110, and reads the read application number “005” and the terminal. The ID and the logout notification are transmitted to the management server 600 via the transmission / reception unit 101, and the process ends.
(Change Password)
Upon receiving the operation instruction information indicating that the button 166 on the menu screen 161 has been pressed, the control unit 107 generates a password change instruction requesting a password change, and stores the application number “005” and the terminal ID 130 from the storage unit 110. The read application number “005”, the terminal ID 130, and the generated password change instruction are transmitted to the management server 600 via the transmission / reception unit 601.

  Next, terminal password change screen data is received from the management server 600 via the transmission / reception unit 101. A password change screen 191 is generated from the received terminal password change screen data, and the generated password change screen 191 is output to the image display unit 113 to instruct display. FIG. 7 is an example of the password change screen 191 displayed here. The terminal password change screen data is data for generating the password change screen 191 and is described in HTML.

Next, an input from the user is received via the input unit 112. In the following description, the password entered in the blank 192 by the user is referred to as the current password, and the password entered in the blanks 193 and 194 is referred to as the new password.
When receiving the operation instruction information indicating that the send button 195 has been pressed from the input unit 112, the received current password, new password, and terminal common key are output to the encryption processing unit 108, and encryption is instructed. Next, the encrypted current password and the encrypted new password are received from the encryption processing unit 108. The management server reads the application number “005” and the terminal ID 130 from the storage unit 110, and transmits the read application number “005”, the terminal ID 130, the received encrypted current password and the encrypted new password via the transmission / reception unit 101 to the management server. Send to 600.

Next, terminal change completion screen data, terminal change failure screen data, or terminal forced termination screen data is received from the management server 600. The terminal change completion screen data and the terminal change failure screen data are data for generating the change completion screen 301 and the change failure screen 311, respectively, and are described in HTML, for example.
When the terminal forced termination screen data is received, a forced termination screen 321 is generated from the received terminal forced termination screen data, the generated forced termination screen 321 is displayed on the monitor via the image display unit 113, and the process ends. .

When the terminal change completion screen data is received, a change completion screen 301 is generated from the received terminal change completion screen data, and the generated change completion screen 301 is displayed on the monitor via the image display unit 113. FIG. 7 shows an example of the change completion screen 301 displayed here.
Next, a button operation of the user is received via the input unit 112. When the operation instruction information indicating that the menu button 302 on the change completion screen 301 is pressed is received from the input unit 112, the display unit 113 instructs the image display unit 113 to display the menu screen 161 and returns to the menu selection by the user.

Upon receiving the operation instruction information indicating that the logout button 303 has been pressed, the control unit 107 generates a logout notification, reads the application number “005” and the terminal ID 130 from the storage unit 110, and reads the read application number “005” and the terminal The ID 130 and the logout notification are transmitted to the management server 600 via the transmission / reception unit 101, and the process ends.
Upon receiving the terminal change failure screen data, the control unit 107 generates a change failure screen 311 from the received terminal change failure screen data, and displays the generated change failure screen 311 on the monitor via the image display unit 113. . FIG. 8 shows an example of the change failure screen 311 displayed here. Next, a button operation of the user is received via the input unit 112. When the operation instruction information indicating that the menu button 312 on the change failure screen 311 is pressed is received from the input unit 112, the image display unit 113 is instructed to display the menu screen 161 and the process returns to the reception of the menu selection.

Upon receiving the operation instruction information indicating that the logout button 313 is pressed, the control unit 107 generates a logout notification, reads the application number “005” and the terminal ID 130 from the storage unit 110, and reads the read application number “005” and the terminal The ID 130 and the logout notification are transmitted to the management server 600 via the transmission / reception unit 101, and the process ends.
(5) Authentication unit 103
The authentication unit 103 performs mutual authentication with the external device using the secret key 135 and the public key certificate 136 prior to communication between the control unit 107 and the external device, and only when the mutual authentication succeeds, the control unit The communication between the external device 107 and the external device is permitted, and the same terminal common key as the external device is generated. Here, the external device is, specifically, the management server 600.

(6) Encryption processing unit 108
The encryption processing unit 108 receives various information and the terminal common key from the control unit 107, and is instructed to encrypt. When receiving the instruction for encryption, the information processing apparatus 100 generates encryption information by applying the encryption algorithm E1 to the various information received using the received terminal common key, and outputs the generated encryption information to the control unit 107.

The various types of information that the encryption processing unit 108 receives from the control unit 107 are, specifically, a password, input information, a current password, and a new password.
Further, it receives various types of encryption information and a terminal common key from the control unit 107, and is instructed to decrypt. Upon receiving the decryption instruction, the encryption processing unit performs a decryption algorithm D2 on the received encrypted information using the terminal common key, and generates various types of information.

Here, the decryption algorithm D2 is an algorithm for decrypting a cipher text generated by the encryption algorithm E2, and the encryption algorithms E1 and E2 use a common key cryptosystem such as the DES cryptosystem as an example. The DES encryption method is well-known and will not be described.
(7) Image display unit 113
The image display unit 113 is connected to an external monitor.

The image display unit 113 receives various screens from the control unit 107 and is instructed to display the screens. An image signal is generated from the received screen, a vertical synchronization signal and a horizontal synchronization signal are generated, and the image signal is output to a monitor in accordance with the generated vertical synchronization signal and the horizontal synchronization signal.
1.3 Application server 200
The first application server 200a to the fourth application server 200d provide various services to the user terminal 100. In the present embodiment, the first application server 200a provides a travel expense settlement, the second application server 200b provides a vacation application, the third application server 200c provides a conference room reservation, and the fourth application server 200d provides an employee purchase service. provide.

As shown in FIG. 9, the application server 200 includes a transmission / reception unit 201, an authentication unit 203, a control unit 207, an encryption processing unit 208, an information storage unit 210, an input unit 212, and a display unit 213.
The application server 200 includes a microprocessor (not shown), a RAM, a ROM, and the like. Computer programs are stored in the RAM and ROM, and the application server 200 achieves its functions by the microprocessor operating according to the procedures indicated by these computer programs.

(1) Information storage unit 210
The information storage unit 210 includes a hard disk unit, and stores a password table 221, an application login table 231, a private key 242, a public key certificate 243, a CRL 244, and a certificate authority public key 245, as shown in FIG. ing. Further, although not specifically illustrated, various programs and image data for executing services provided by the application server 200 are stored.

  As shown in FIG. 11, the password table 221 includes a plurality of pieces of password information 223, 224, 225,..., And each piece of password information includes a user ID, a name, and a password. The user ID has a one-to-one correspondence with a valid user of the application server 200, and the name is the name of the user corresponding to the user ID. The password is a character string or a number string for determining whether the user corresponding to the user ID is a valid user of the application server 200.

The application login table 231 includes a plurality of pieces of login information 232, 233,... As shown in FIG. Each piece of login information includes a user ID, a name password, and a terminal ID.
The user ID corresponds to the user who has completed password authentication by the application server 200 and is currently using the service provided by the application server 200, and the name and password are the name and password of the user corresponding to the user ID. It is. The terminal ID is identification information unique to the user terminal currently used by the user.

The public key certificate 243 certifies the validity of the public key paired with the private key 242, and includes a certificate ID, the public key, and signature data from a certificate authority.
The CRL 244 and the certificate authority public key 245 are the same as the CRL 137 and the certificate authority public key 138 stored in the user terminal 100, and thus the description is omitted.
(2) Transmission / reception unit 201
The transmission / reception unit 201 stores the IP address of the application server 200 and the IP address of the management server 600.

The transmission / reception unit 201 transmits / receives information between the control unit 207 and the authentication unit 203 and the management server 600.
Various types of information transmitted and received by the transmission / reception unit 201 between the control unit 207 and the management server 600 are in the form of a packet 140 shown in FIG. The control unit 207 receives the data unit 143 including the application number, the terminal ID, and various information, and is instructed to transmit.

When instructed to transmit by the control unit 207, the IP address of the application server 200 is set as the transmission source in the received data unit 143, and the IP address of the application server 200 is set as the transmission destination and transmitted.
Further, the transmission / reception unit 201 refuses to receive information from an external device other than the management server 600. Specifically, it checks whether or not the source address included in the received packet is the IP address of management server 600, and deletes the received packet if it is not the IP address of management server 600.

(3) Input unit 212 and display unit 213
The input unit 212 receives input of information and instructions by the operator, and outputs to the control unit 207 the received information and operation instruction information corresponding to the received instructions.
The display unit 213 displays various information under the control of the control unit 207.
(4) Control unit 207
The control unit 207 controls various types of information processing executed by the application server 20000 by the processor operating according to the computer program.

  The control unit 207 receives the public key certificate from the management server 600, outputs the received public key certificate to the authentication unit 203, and instructs mutual authentication with the management server 600. When the mutual authentication by the authentication unit 203 is successful and the server common key is received from the authentication unit 203, the received server common key is stored. Secret communication is performed using the stored server common key, and information is transmitted and received safely in each process described below.

  In addition, the control unit 207 stores an application number indicating a service provided by the application server 200 itself. In the following processing, when transmitting information via the transmission / reception unit 201, the stored application number and A data unit 143 including the terminal ID of the user terminal 100 used by the user to be processed and information to be transmitted is generated, and the generated data unit 143 is output to the transmission / reception unit 201. In the following description, the generation of the data section 143 is omitted, and is simply expressed as an application number, a terminal ID, and various information.

The control unit 207 receives the application number of the application server 200, the terminal ID, the user ID, the encrypted password, and the service start request from the management server 600. Further, it receives an application number, a terminal ID, and a logout notification from the management server 600.
The control unit 207 receives, from the management server 600, an application number, a terminal ID, a user ID, an encrypted current password, an encrypted new password, and a password change instruction corresponding to the application server 200. Further, the management server 600 receives an application number corresponding to the application server 200, a user ID, an encrypted current password, an encrypted new password, and a password recovery instruction.

The following describes the service providing process, the password change process, the password recovery process, and the logout process performed by the control unit 207.
(I) Service Provision Processing In the service provision processing, the control unit 207 generates the login information 232 including the terminal ID of the user terminal 100 that is received together with the various information every time various information is received from the management server 600. , It is confirmed that the user exists in the application login table 231 and that the user of the user terminal 100 has logged in. In the following description of service provision, description of confirmation of login at the time of reception will be omitted.

When the control unit 207 receives the application number, the terminal ID of the user terminal 100 used by the user to be processed, the user ID, the encrypted password, and the service start request from the management server 600, Start processing. Here, as an example, a travel expense settlement service provided by the first application server 200a will be described.
The control unit 207 outputs the received encrypted password and the server common key generated by the mutual authentication to the encryption processing unit 108, and instructs decryption. When the password is received from the encryption processing unit 208, it is determined whether or not there is password information including the received user ID and password in the password table 221. When determining that the password information including the received user ID and the password does not exist in the password table 221, the control unit 207 determines whether the password stored in the management server 600 and the password stored in the first application server 200 a are stored. A password error signal indicating that they do not match and the received user ID are transmitted to management server 600, and the service providing process ends.

  If it is determined that the password information 223 including the received user ID and the password is present, the password information 223 including the received user ID and the password received from the encryption processing unit 208 is selected. Next, login information 232 is generated from the received terminal ID, the extracted terminal ID, and the selected password information 223, and the generated login information 232 is added to the application login table 231 and written.

  Next, the control unit 207 reads out the settlement screen data from the information storage unit 210, extracts the user ID and name from the login information 232, and uses the readout settlement image data and the extracted user ID and name for the terminal. Generate payment screen data. Next, the terminal ID is extracted from the login information 232, and the application number “001” stored in the control unit 207 itself, the extracted terminal ID, and the generated terminal adjustment screen data are managed via the transmission / reception unit 201. Send it to server 600.

Next, application number “001”, terminal ID, and encrypted input data are received from management server 600. The received encrypted input data and the server common key are output to the encryption processing unit 208 to instruct decryption. The input data is received from the encryption processing unit 108, and based on the received input data, the user's travel expenses are settled.
When the travel expense settlement process is completed, the settlement end screen data is read from the information storage unit 210, the terminal settlement end screen data is generated from the read settlement end screen data and the login information 232, and the application number “001” and login are performed. The terminal ID included in the information 232 and the generated terminal settlement end screen data are transmitted to the management server 600, and the travel expense settlement service is terminated.

(Ii) The password change control unit 207 transmits, from the management server 600, the application number corresponding to the application server 200, the terminal ID of the user terminal 100 used by the user whose password is to be changed, the user ID, and the encryption. Upon receiving the actual password, the encrypted new password, and the instruction to change the password, the received terminal ID is temporarily stored.

  Next, the received encrypted current password, encrypted new password, and server common key are output to the encryption processing unit 208 to instruct decryption. The current password and the new password are received from the encryption processing unit 208, and the password information 223 including the received current password and the received user ID is selected from the password table 221. Next, the password of the selected password information 223 is rewritten with a new password.

When the rewriting ends normally, the control unit 207 generates an end signal “1”. When rewriting fails due to a hard disk failure or the like, an end signal “0” is generated, and the application number of the application server 200 itself, the terminal ID temporarily stored, and the generated end signal are transmitted via the transmitting / receiving unit 201, The password is transmitted to the management server 600, and the password change process ends.
(Iii) Password recovery processing When receiving an application number, a terminal ID, a user ID, an encrypted current password, an encrypted new password, and a password recovery instruction corresponding to the application server 200 from the management server 600, the terminal ID is temporarily stored. Remember. Next, the control unit 207 outputs the received encrypted current password, encrypted new password, and server common key to the encryption processing unit 208 and instructs decryption.

The current password and the new password are received from the encryption processing unit 208, and password information 223 including the received new password and the received user ID is selected from the password table 221. The password contained in the selected password information 223 is rewritten to the received current password.
When the password rewriting ends normally, an end signal “1” is generated. If the password rewriting fails, an end signal “0” is generated. Next, the application number corresponding to the application server 200 itself, the terminal ID temporarily stored, and the generated end signal are transmitted to the management server 600 via the transmission / reception unit 201, and the process ends.

(Iv) Logout processing Upon receiving the application number, the terminal ID of the user terminal 100, and the logout notification from the management server 600 via the transmission / reception unit 201, the control unit 207 includes the terminal ID received in the application login table 231. Search for the login information 232. If the login information including the received terminal ID does not exist in the application login table 231, the logout process ends.

If the login information 232 including the received terminal ID exists in the application login table 231, the login information 232 including the received terminal ID is deleted, and the logout process ends.
(5) Authentication unit 203
The authentication unit 203 performs mutual authentication with the external device using the secret key 242 and the public key certificate 243 prior to the communication between the control unit 207 and the external device. Only when the mutual authentication is successful, the control unit The communication between the external device 207 and the external device is permitted, and the same server common key as the external device is generated. Here, the external device is, specifically, the management server 600.

(6) Encryption processing unit 208
The encryption processing unit 208 receives various information and the server common key from the control unit 207, and is instructed to encrypt. When receiving the encryption instruction, the information processing unit 207 applies the encryption algorithm E4 to the received information using the received server common key, generates encryption information, and outputs the generated encryption information to the control unit 207.

Also, the control unit 207 receives various types of encrypted information and the server common key, and is instructed to decrypt. When receiving the decryption instruction, the received encryption information is subjected to a decryption algorithm D3 using the received server common key to generate information, and the generated information is output to the control unit 207.
The encryption information that the encryption processing unit 208 receives from the control unit 207 is, specifically, an encrypted password, encrypted input data, an encrypted current password, and an encrypted new password.

Here, the decryption algorithm D3 is an algorithm for decrypting the cipher text generated by the encryption algorithm E3, and the encryption algorithms E3 and E4 are, for example, a common key cryptosystem such as the DES cryptosystem.
1.4 Management Server 600
As shown in FIG. 13, the management server 600 includes a transmission / reception unit 601, an authentication unit 603, a password change unit 606, a control unit 607, an encryption processing unit 608, a password recovery unit 614, a change determination unit 609, a change result notification unit 615, It comprises an information storage unit 610, an input unit 612, and a display unit 613.

The management server 600 includes a microprocessor, a RAM, a ROM, and a hard disk (not shown). A computer program is stored in the RAM, the ROM, and the hard disk, and the management server 600 achieves its functions by the microprocessor operating according to the computer program.
(1) Information storage unit 610
The information storage unit 610 is composed of a hard disk unit. As an example, as shown in FIG. 14, a password table 621, a login table 631 routing table 641, a password change table 651, a secret key 661, a public key certificate 662, a CRL 663, The certificate authority public key 664 is stored.

The password table 621 has the same configuration as the password table 221 stored in the application server 200, and a description thereof will be omitted.
As shown in FIG. 15, the login table 631 includes a plurality of pieces of login information 632, 633, 634,..., And each piece of login information includes a user ID, a name, a password, a terminal ID, and a processing status.

  The user ID corresponds to the user who has completed password authentication by the management server 600 and is currently using various services, and the name and password are the name and password of the user indicated by the user ID. The terminal ID is identification information unique to the user terminal currently used by the user indicated by the user ID. The processing status indicates the type of processing performed between the user terminal indicated by the terminal ID, the management server 600, and the application server 200. When the password change processing is being performed, “the password is being changed”. Is set to “Normal” when the processing related to various services is performed.

As shown in FIG. 16, the routing table 641 includes a plurality of pieces of route information 642, 643,..., And each piece of route information includes an application number, a host name, an IP address, and a port number.
The application number corresponds to the first application server 200a to the fourth application server 200d, and is identification information indicating a service provided by each application server. This is the same as the application number included in the application number table 120 stored in the user terminal 100. The host name is identification information for identifying the application server 200 corresponding to the application number. The IP address is an IP address indicating the location of the application server on the network, and the port number is a destination port number specified when the management server 600 transmits information to the application server 200.

As shown in FIG. 17, the password change table 651 includes a plurality of pieces of change information 652, 653, 654,. Each change information includes a user ID, a current password, and a new password.
The user ID is identification information assigned to a valid user of the application server 200 and the management server 600. The current password is a password used by the user at the time of performing the password change process, and the new password is a new password set by the user in the password change process. Specifically, the current password is a character string input to the blank 192 in the password change screen 191 shown in FIG. 7, and the new password is a character string input to the blanks 193 and 194.

The public key certificate 662 certifies the validity of the public key paired with the private key 661, and includes a certificate ID, the public key, and signature data from a certificate authority.
The CRL 663 and the certificate authority public key 664 are the same as the CRL 137 and the certificate authority public key 138 stored in the user terminal 100, and thus description thereof will be omitted.
Although not specifically shown, the information storage unit 610 stores various screen data.

(2) Transmission / reception unit 601
The transmitting / receiving unit 601 stores the terminal ID of the user terminal 100 and the IP address of the user terminal 100 in association with each other. Also, the IP address of the management server 600 is stored.
The transmission / reception unit 601 transmits / receives information between each unit in the management server 600 and an external device.

Various types of information transmitted and received by the transmission / reception unit 601 are in the form of the packet 140 shown in FIG. 4 as an example.
The transmission / reception unit 601 receives the data number 143 including the application number, the terminal ID of the user terminal 100, and various information from the control unit 607, the password change unit 606, or the password recovery unit 614, and is instructed to transmit.

  When instructed by the control unit 607 to transmit to the user terminal 100, the transmission source is set to the IP address of the management server 600, and the transmission destination is set to the IP address of the user terminal 100 based on the terminal ID. The data section 143 is transmitted. Also, when receiving information from the control unit 607 or the password changing unit 606 and instructing transmission to the application server 200, it selects route information from the routing table 641 based on the application number, and obtains the IP address and the IP address from the selected route information. The port number is extracted, the destination address is set to the extracted IP address, the source is set to the IP address of the management server 600, and the destination port number is set to the extracted port number and transmitted.

(3) Input unit 612 and display unit 613
The input unit 612 receives input of information and instructions by the operator, and outputs to the control unit 607 the received information and operation instruction information corresponding to the received instructions.
The display unit 613 displays various information according to an instruction from the control unit 607.
(4) Password change unit 606
The password change unit 606 receives the application number, the terminal ID, the user ID, the encrypted current password, and the encrypted new password from the control unit 607, and is instructed to change the password. When a password change is instructed from the control unit 607, a password change process described below is performed. In the following description, generation of the data section 143 is omitted, and is simply referred to as output of an application number, a terminal ID, and various information.
(Password change processing)
Upon receiving the application number, the terminal ID, the encrypted current password, and the encrypted new password from the control unit 607, the password change unit 606 receives a password change instruction from the control unit 607, and instructs the application server 200 to change the password. A change instruction is generated, and the received user ID, application number, user ID, encrypted current password, encrypted new password, and generated password change instruction are output to the transmitting / receiving unit 601 and transmission to the application server 200 is instructed.

Simultaneously with the transmission, the password change unit 606 generates a change instruction transmitted signal indicating that the password change instruction has been transmitted to the application server 200, and generates the generated change instruction transmitted signal, the application number received from the control unit 607, and the terminal. The ID and the change determination unit 609 are output.
(5) Password recovery unit 614
The password recovery unit 614 receives the application number, the terminal ID, the user ID, the encrypted current password, and the encrypted new password from the control unit 607, and is instructed to recover the password.

Further, the change determination unit 609 instructs retransmission of the password recovery instruction.
When password recovery is instructed from the control unit 607, a password recovery process described below is started. In the following description, generation of the data unit 143 will not be described, and will be simply referred to as output of an application number, a terminal ID, and various information.
(Password recovery process)
Upon receiving the application number, the terminal ID, the user ID, the encrypted current password, and the encrypted new password from the control unit 607, the password recovery unit 614 transmits the password to the application server 200 when instructed to recover the password. , And temporarily stores the received application number, terminal ID, encrypted current password, encrypted new password, and generated password recovery instruction. Next, the received application number, the terminal ID, the encrypted current password, the encrypted new password, and the generated password recovery instruction are output to the transmission / reception unit 601 and the transmission to the application server 200 corresponding to the application number is instructed.

Simultaneously with the transmission, the password recovery unit 614 generates a recovery transmitted signal indicating that the password recovery instruction has been transmitted to the application server 200, and changes the generated recovery transmitted signal, the stored application number, and the terminal ID. Output to the determination unit 609.
When instructed by the change determination unit 609 to retransmit the password recovery instruction, the password recovery unit 614 reads out the stored application number, terminal ID, encrypted current password, encrypted new password, and password recovery instruction. Then, the read application number, terminal ID, encrypted current password, encrypted new password, and password recovery instruction are retransmitted via the transmission / reception unit 601.

At the same time as the retransmission, a restoration transmission completed signal is output to the change determination unit 609.
(6) Change determination unit 609
The change determination unit 609 includes a time counter that measures an elapsed time as time elapses and a number counter that counts the number of times of transmitting a password recovery instruction.
Further, the change determination unit 609 stores a maximum waiting time and a limited number of times in advance. The maximum waiting time is the upper limit value “1 second” of the waiting time from when the password change unit 606 or the password recovery unit 614 transmits the password change instruction or the password recovery instruction to when the end signal is received. If the end signal is not received after the maximum wait time after transmitting the password change instruction, a change end signal “0” indicating the failure of the password change is generated. If the end signal is not received after the transmission of the password recovery instruction for the maximum waiting time, the password recovery unit 614 is instructed to retransmit the password recovery instruction.

The limited number of times is the maximum value “3 times” of the number of times that the password recovery instruction can be transmitted to one application server 200. When the number of transmissions of the password recovery instruction exceeds “3”, a recovery end signal “0” indicating failure of password recovery is generated.
The change determination unit 609 receives the change instruction transmission completed signal, the application number, and the terminal ID from the password change unit 606.

The change determination unit 609 receives a recovery instruction transmitted signal, an application number, and a terminal ID from the password recovery unit 614. Also, it receives only the recovery instruction transmission completion signal from password recovery unit 614.
The following describes (i) password change determination processing and (ii) password recovery determination processing performed by the change determination unit 609.

(I) Password Change Judgment Process Upon receiving the change instruction transmitted signal, the application number, and the terminal ID from the password change unit 606, the change judgment unit 609 temporarily stores the received application number and terminal ID therein. I do.
At the same time as receiving the change instruction transmission completed signal, the timer initializes the time counter to 0 and starts measuring the elapsed time.

  Next, when an end signal is received from the application server 200 via the transmission / reception unit 601, the received end signal is determined. If the end signal is “1”, it indicates that the password change of the application server 200 is successful. A change end signal “1” is generated. If it determines that the received end signal is “0”, it generates a change end signal “0” indicating that the password change of the application server 200 has failed.

If no end signal has been received from the application server 200, the value of the time counter is compared with the maximum waiting time. When it is determined that the time counter has not exceeded the maximum wait time, the comparison between the time counter and the maximum wait time is repeated until an end signal is received or the time counter exceeds the maximum wait time.
When determining that the value of the time counter has exceeded the maximum time, the change determination unit 609 determines that the password change of the application server 200 has failed, and generates a change end signal “0”.

Next, the control unit 607 outputs the stored application number, terminal ID, and generated change end signal.
(Ii) Password recovery determination process Upon receiving the recovery instruction transmitted signal, the application number, and the terminal ID from the password recovery unit 614, the change determination unit 609 temporarily stores the received application number and terminal ID therein. Then, the counter is initialized to zero.

At the same time as receiving the restoration instruction transmission completion message, the password changing unit 606 initializes the time counter to 0 and starts measuring the elapsed time.
When receiving only the recovery instruction transmission completion signal from the password recovery unit 614, the initialization of the number counter is not performed, the time counter is initialized to 0, and the measurement of the elapsed time is started.
Next, when an end signal from the application server 200 is received via the transmission / reception unit 601, the received end signal is determined. If the end signal is “1”, the password recovery of the application server 200 is successful. Is generated.

If it determines that the received end signal is "0", it increments the number counter by one. Next, the value of the number counter is compared with the limit number. If it is determined that the number counter has not exceeded the limit number, the password recovery unit 614 is instructed to retransmit the password recovery instruction.
When the end signal has not been received from the application server 200, the time counter is compared with the maximum waiting time. If it is determined that the time counter has not exceeded the maximum wait time, the comparison between the time counter and the maximum wait time is repeated until an end signal is received or the elapsed time exceeds the maximum wait time.

When it is determined that the time counter has exceeded the maximum waiting time, 1 is added to the number counter. Next, the number counter and the limit number are compared. If the number-of-times counter is within the limit number, it instructs the password recovery unit 614 to retransmit the password recovery instruction.
If the number counter determines that the number of times has exceeded the limit, a recovery end signal “0” indicating that password recovery has failed is generated.

After generating the recovery end signal, the control unit 607 outputs the stored application number, terminal ID, and the generated recovery end signal to the control unit 607.
(7) Control unit 607
The control unit 607 controls various types of information processing executed by the management server 600 by causing the processor to operate according to a computer program.

The control unit 607 stores the application server 200 and an application number indicating a service provided by the application server 200 in association with each other.
The control unit 607 receives a public key certificate from the user terminal 100 via the transmission / reception unit 601.
When the public key certificate is received from the user terminal 100, the received public key certificate is output to the authentication unit 603, and an instruction for mutual authentication is issued. The mutual authentication by the authentication unit 603 ends, and the terminal common key is received. By performing confidential communication using the received terminal common key, processing described below is securely performed with the user terminal 100.

  Information transmitted and received by the control unit 607 via the transmission / reception unit 601 is in the form of a packet 140 as shown in FIG. The control unit 607 determines the received application number, and determines whether the device that provides the service that the user intends to use is the application server 200 or the management server 600. When transmitting various information, the control unit 607 transmits the data including the information to be transmitted, the terminal ID of the user terminal 100 used by the user to be processed, and the application number corresponding to the device that executes the processing. It generates the unit 143 and outputs the generated data unit 143 to the transmitting / receiving unit 601 to instruct transmission. Here, the devices that execute the processing are the application server 200 and the management server 600.

In the processing performed by the control unit 607 described below, the description of the generation of the data unit 143 as described above is omitted, and simply expressed as an application number, a terminal ID, and various information.
The control unit 607 performs user login processing, relay processing of various services, password change control, password recovery control, and logout processing. The following describes the user login processing, relay processing of various services, password change control, password recovery control, and logout processing.

(I) User Login Processing When the mutual authentication by the authentication unit 603 is completed, the control unit 607 receives the terminal common key from the authentication unit 603 and stores the received terminal common key. The control unit 607 reads the login screen data from the information storage unit 610 and transmits the read login screen data to the user terminal 100 via the transmission / reception unit 601.

  Next, the application number “005”, the terminal ID, the user ID, and the encrypted password are received from the user terminal 100, and the received encrypted password and the terminal common key are output to the encryption processing unit 608 to instruct decryption. . When the password is received from the encryption processing unit 608, the password table 621 is searched for password information including the received user ID and the received password. When it is determined that there is no password information including the received user ID and the received password, the login screen data is transmitted to the user terminal 100 again.

  If it is determined that there is password information including the received user ID and the received password, password information including the received user ID and the received password is selected. The login information 632 is generated based on the received terminal ID and the selected password information, and the generated login information 632 is added to the login table 631 and written. At this time, the processing status is set to “normal”. Thus, it is determined that the login process has been completed.

In the subsequent processing, every time various information is received from the user terminal 100, it is confirmed that the login information 632 including the terminal ID to be received together with the various information exists in the login table 631, and the use of the user terminal 100 is checked. That the person is logged in. In the following description, a detailed description of confirmation of login has been omitted.
Next, the menu screen data is read from the information storage unit 610, terminal menu screen data is generated based on the read menu image data and the user ID and name included in the written login information 632, and the generated terminal menu data is generated. The screen data is transmitted to the user terminal 100 via the transmission / reception unit 601. Next, an application number, a terminal ID, and a service start request or an application number, a terminal ID, and a password change instruction are received from the user terminal 100 via the transmission / reception unit 601. When an application number, a terminal ID, and a service start request are received, relay processing between the user terminal 100 and the application server 200 is performed. When an application number, a terminal ID, and a password change instruction are received, password change processing and password recovery processing are performed.

(Ii) Relay processing of various services Upon receiving the application number and the terminal ID service start request, the control unit 607 relays between the application server 200 indicated by the received application number and the user terminal 100 in the procedure described below. Perform processing.
Here, a relay process between the first application server 200a and the user terminal 100 will be described.

The control unit 607 confirms that the user of the user terminal 100 has logged in, and instructs the authentication unit 603 to perform mutual authentication with the application server 200a. After the mutual authentication by the authentication unit 603 ends, the server unit 603 receives the server common key from the authentication unit 603 and stores the received server common key.
Next, the login information 632 including the received terminal ID is selected in the login table 631, and the user ID and the password are extracted from the selected login information 632. The extracted password and the server common key are output to the encryption processing unit 608 to instruct the encryption of the password. Next, an encrypted password is received from the encryption processing unit 608. The application number “001” received from the user terminal 100, the terminal ID, the service start request, the read user ID, and the encrypted password received from the encryption processing unit 608 are output to the transmission / reception unit 601 and transmitted to the first application server 200a. Is sent.

Next, the control unit 607 transmits the application number “001”, the terminal ID, the password error signal, the user ID or the application number “001”, the terminal ID, and the terminal settlement screen data from the application server 200a via the transmission / reception unit 601. Receive.
Upon receiving the application number “001”, the terminal ID, the password error signal, and the user ID, the control unit 607 reads the forced termination screen data from the information storage unit 610. Next, the user ID and name are extracted from the received login information 632 including the user ID.
The terminal forced termination screen data is generated based on the read forced termination screen data, the extracted user ID, and the name, and the received terminal ID and the generated terminal forced termination screen data are transmitted to the user via the transmission / reception unit 601. Transmit to terminal 100. Next, an error screen 331 is generated from the received user ID and error screen data, and output to the display unit 613 to notify the operator of the management server 600 that a password mismatch has occurred.

Upon receiving the application number “001”, the terminal ID, and the terminal adjustment screen data, the received application number “001”, the terminal ID, and the terminal adjustment screen data are transmitted to the user terminal 100 via the transmission / reception unit 601. .
Next, the application number “001”, the terminal ID, and the encrypted input data are received from the user terminal 100 via the transmission / reception unit 601. It is confirmed that the user of the user terminal 100 has logged in based on the received terminal ID.

Next, the received encrypted input data and the terminal common key are output to the encryption processing unit 608 to instruct the decryption of the encrypted input data. The input data is received from the encryption processing unit 608. Next, it outputs the received input data and the server common key to the encryption processing unit 608, and instructs encryption of the input data. The encrypted input data is received from the encryption processing unit 608.
Next, the control unit 607 transmits the application number “001”, the received terminal ID, and the encrypted input data received from the encryption processing unit 608 to the first application server 200a via the transmission / reception unit 601.

Next, the application number “001”, the terminal ID, and the terminal settlement screen data are received from the application server 200a via the transmission / reception unit 601. The received application number “001”, the terminal ID, and the terminal settlement end screen data are transmitted to the user terminal 100.
(Iii) Password change control The control unit 607 performs password change control in the order of the reception process, the password change instruction, and the result notification. Hereinafter, the reception process, the password change instruction, and the result notification process will be described.

(Iii-a) Reception Processing The control unit 607 receives the application number “005”, the terminal ID, and the password change instruction from the user terminal 100 via the transmission / reception unit 601. Next, it is confirmed that the user of the user terminal 100 has logged in.
Next, password change screen data is read from the information storage unit 610, terminal password change screen data is generated based on the read password change screen data and the login information 632, and the generated terminal password change screen data is transmitted and received. The data is transmitted to the user terminal 100 via the unit 601.

Next, an application number “005”, a terminal ID, an encrypted current password, and an encrypted new password are received from the user terminal 100 via the transmission / reception unit 601. The control unit 607 selects the login information 632 including the received terminal ID, and rewrites the processing status of the selected login information 632 to “Password is being changed”.
Next, the received encrypted current password, the encrypted new password, and the terminal common key are output to the encryption processing unit 608 to instruct the decryption of the encrypted current password and the encrypted new password. The generated current password and new password are received from the encryption processing unit 608.

  Next, the user ID is read from the rewritten login information 632, and the presence or absence of password information including the read user ID and the received current password is confirmed on the password table 621. When it is determined that there is no password information including the read user ID and the received current password, the password change screen is transmitted again to the user terminal 100 via the transmission / reception unit 601 to prompt the user to re-enter the current password and the new password. .

  If it is determined that the password information including the read user ID and the received current password exists in the password table 621, then the password change information 652 including the read user ID is selected from the password change table 651. The current password included in the selected password change information 652 is rewritten with the current password received from the encryption processing unit 608, and the new password included in the selected password change information is rewritten with the new password received from the encryption processing unit 608.

(Iii-b) Password Change Process Next, the control unit 607 changes the password of the first application server 200a to the fourth application server 200d according to the procedure described below.
The control unit 607 instructs the authentication unit 603 to perform mutual authentication with the first application server 200a. The mutual authentication by the authentication unit 603 ends, and the server common key is received from the authentication unit 603 and stored. Next, the current password and the new password are extracted from the password change information 652, and the extracted current password, the new password, and the server common key generated by the mutual authentication between the first application server 200a are output to the encryption processing unit 608. Then, the current password and the new password are instructed to be encrypted.

  Next, an encrypted current password and an encrypted new password are received from the encryption processing unit 608. The user ID is extracted from the password change information 652. Next, the control unit 607 converts the application number “001” corresponding to the first application server 200a, the terminal ID of the user terminal 100, the extracted user ID, the received encrypted current password and the encrypted new password into a password changing unit. Output to 606 to instruct password change.

Next, an application number “001”, a terminal ID, and a change end signal are received from the change determination unit 609. If the received change end signal is “1” indicating that the password change was successful, it is determined that the password change of the first application server 200a was successful.
If it is determined that the received change end signal is “0”, it is determined that the password change of the first application server 200a has failed, the password change of the second application server 200b and thereafter is stopped, and the process proceeds to the password recovery control. Move.

If it is determined that the password change of the first application server 200a is successful, similarly, the mutual authentication, the encryption of the current password and the new password, the instruction of the password change, and the procedure of acquiring the change end signal are performed in the same manner. Change the password of.
If the password change of the second application server 200b is successful, the password change of the third application server 200c is performed similarly, and if the password change is unsuccessful, the password changes of the third application server 200c and the fourth application server 200d are stopped. Then, the process proceeds to the password recovery process.

If the password change of the third application server 200c is successful, the password change of the fourth application server 200d is subsequently performed. If the password change is unsuccessful, the password change of the fourth application server 200d is stopped, and the process proceeds to the password recovery process.
If the password change of the fourth application server 200d is successful, the following result notification is performed. If the password change is unsuccessful, a password recovery process is performed.

(Iii-c) Result Notification When the password changes of the first application server 200a to the fourth application server 200d are all successful, the control unit 607 sets the password change unit 606 in the password table 621 stored in the information storage unit 610. Then, the password information including the user ID output to the user is selected, and the password included in the selected password information is rewritten with the new password. Next, the login information 632 including the output user ID is selected from the login table 631, and the password included in the selected login information 632 is rewritten with the new password.

Next, a completion signal indicating the completion of the password change is generated, the user ID and the name are extracted from the rewritten login information 632, and the generated completion signal, the user ID, and the terminal ID are output to the change result notification unit 615. , And instructs the user terminal 100 to report the result.
Next, the processing status of the login information 632 is rewritten to “normal”.
(Iv) Password recovery processing If the password change of any of the application servers 200 fails during the password change processing described in (iii) above, the control unit 607 performs the password recovery processing.

  Specifically, the control unit 607 determines the application server 200 in which the password change has failed, based on the application number received together with the change end signal “0” from the change determination unit 609. If it is determined that the password change processing of the first application server 200a to the third application server 200c is successful and the password change processing of the fourth application server 200d is unsuccessful, the application is changed in the order of the third application server 200c to the first application server 200a. The server performs password recovery processing, and then performs failure notification processing.

When it is determined that the password change processing of the first application server 200a and the second application server 200b is successful and the password change processing of the third application server 200c is unsuccessful, the application is changed in the order of the second application server 200b to the first application server 200a. The server performs password recovery processing, and then performs failure notification processing.
When it is determined that the password change process of the first application server 200a is successful and the password change process of the second application server 200c is unsuccessful, the first application server 200a performs the application server password recovery process, and then notifies the failure. Perform processing.

If it is determined that the password change process of the first application server 200a has failed, only the failure notification process is performed.
If the password recovery processing of the application server fails in any of the application servers 200, an error processing is performed.
The details of the password recovery processing, the failure notification processing, and the error processing of the application server will be described below.

(Iv-a) Password Recovery Process of Application Server The control unit 607 extracts the current password and the new password from the password change information 652, and extracts the extracted current password, new password, and the server common key of the corresponding application server 200. Output to the encryption processing unit 608 to instruct encryption of the current password and the new password. The encrypted current password and the encrypted new password are received from the encryption processing unit 608, the application number corresponding to the application server 200, the terminal ID of the user terminal 100, the user ID included in the password change information 652, and the received encrypted current password. The password and the encrypted new password are output to the password change unit 606 to instruct the password recovery.

Next, an application number, a terminal ID, and a recovery end signal are received from the password changing unit 606. If the received recovery end signal is “1” indicating successful password recovery, it is determined that the password recovery of the application server 200 corresponding to the received application number is successful, and the password recovery or failure of the next application server 200 is failed. Perform notification processing.
If the received recovery end signal is “0” indicating that the password recovery has failed, it is determined that the password recovery of the corresponding application server 200 has failed.

If it is determined that the password recovery of the application server 200 has failed, the recovery processing and the failure notification processing of the other application servers 200 are not performed, and the error processing described later is performed.
(Iv-b) Failure Notification Processing The control unit 607 generates a failure signal indicating failure of the password recovery, selects the login information 632 including the terminal ID received from the change determination unit 609, and determines the user from the selected login information 632. The ID and name are extracted, and the generated failure signal and the extracted user ID and name are output to the change result notifying unit 615, and a result notification is instructed.

Next, the processing status of the login information 632 is rewritten to “normal”, and the processing ends.
(Iv-c) Error Processing When the control unit 607 determines that the password recovery processing of any of the application servers 200 has failed, the control unit 607 reads the forced termination screen data from the information storage unit 610, and reads the forced termination screen data and the login. The terminal forced termination screen data is generated based on the user ID and the name included in the information 632, and the generated terminal forced termination screen data is transmitted to the user terminal 100 via the transmission / reception unit 601.

Next, error screen data is read from the information storage unit 610, an error screen 331 is generated from the read error screen data and the user ID included in the login information 632, and the generated error screen 331 is displayed on the display unit 613. Informs the error occurrence. FIG. 18 is an example of the error screen 331 displayed here.
(V) Logout processing The control unit 607 receives the application number “005”, the terminal ID, and the logout notification from the user terminal 100 via the transmission / reception unit 601. When the logout notification is received, the terminal ID and the logout notification are transmitted to the first application server 200a to the fourth application server 200d via the transmission / reception unit 601. Next, the login information 632 including the received terminal ID is deleted from the login table 631.

(8) Change result notification unit 615
The change result notification unit 615 receives a completion signal, a user ID, a terminal ID, and a result notification instruction from the control unit 607.
Further, the control unit 607 receives a failure signal, a user ID, a name, and a result notification instruction from the control unit 607.
Upon receiving the completion signal, the user ID, the terminal ID, and the result notification instruction, the change result notification unit 615 reads the change completion screen data from the information storage unit 610, and reads the read change completion screen data, the received user ID, the name, and the like. And generates terminal change completion screen data, and transmits the generated terminal change completion screen data to the user terminal 100.

Upon receiving the failure signal, the user ID, the terminal ID, and the result notification instruction, the change result notifying unit 615 reads the change failure screen data from the information storage unit 610, and reads the read update failure screen data, the received user ID, and the received name. , The terminal change failure screen data is generated, and the generated terminal change failure screen data is transmitted to the user terminal 100 via the transmission / reception unit 601.
(9) Authentication unit 603
The authentication unit 603 performs mutual authentication with an external device connected to the Internet 20 according to an instruction from the control unit 607, and generates a common key.

Here, the external devices are the user terminal 100 and the application server 200, and share a terminal common key with the user terminal 100, and share each application server and the server common key with each application server 200. Share.
(10) Encryption processing unit 608
The encryption processing unit 608 encrypts and decrypts various types of information according to instructions from the control unit 607.

  Specifically, the control unit 607 receives the encrypted password and the terminal common key, the encrypted input data and the terminal common key, or the encrypted current password, the encrypted new password, and the terminal common key. A decryption algorithm D1 is applied to the received encrypted password, the encrypted input data, the encrypted current password, and the encrypted new password using the received terminal common key to generate a password, and the generated password is output to the control unit 607. I do.

Further, it receives the password and the server common key, the input data and the server common key, or the current password, the new password and the server common key. Using the received server common key, an encryption algorithm E3 is applied to the received password, input data, current password, and new password to generate an encrypted password, encrypted input data, an encrypted current password, and an encrypted new password. The generated encrypted password, the encrypted input data, the encrypted current password, and the encrypted new password are output to the control unit 607.
1.5 Operation of Password Change System The operation of the password change system will be described below.

(1) Processing by User Terminal 100 Processing by the user terminal 100 will be described with reference to flowcharts shown in FIGS. Although not specifically shown, in the following operation, when transmitting and receiving various information between devices, the application number of the application server 200 or the management server 600 that executes processing and the terminal ID of the user terminal 100 Is transmitted and received with various information.

The user terminal 100 receives the button operation of the user (Step S101), and upon receiving the button operation indicating the electronic application, moves the process to Step S102. When a button operation indicating other processing is received, other processing is performed (step S100).
The user terminal 100 performs mutual authentication with the management server 600 and shares a terminal common key (step S102).

When the mutual authentication with the user terminal 100 is completed, the management server 600 reads the login screen data (Step S103), and transmits the read login screen data to the user terminal 100 (Step S104).
The user terminal 100 receives the login screen data from the management server 600, generates a login screen 151 from the received login screen data, and displays it on the monitor (Step S105). Next, the input of the user ID and the password by the user is received (step S107), and the received password is encrypted using the terminal common key to generate an encrypted password (step S108). The user ID and the generated encrypted password are transmitted to the management server 600 via the Internet 20 (Step S109).

  The management server 600 receives the user ID and the encrypted password via the Internet 20, decrypts the received encrypted password using the terminal common key, and generates a password (step S111). Next, the presence or absence of password information including the received user ID and password is confirmed in the password table 621 (step S112). If there is no password information including the received user ID and password, authentication failure is determined ( (NO in step S113), the process is repeated from step S103. If there is password information including the received user ID and password, it is determined that authentication is successful (YES in step S113), and based on the received user ID and password information including the password and the received terminal ID of the user terminal 100. The login information 632 is generated and added to the login table 631 and written (step S115).

Next, menu screen data is read from the information storage unit 610, and terminal menu screen data is generated based on the read menu screen data and the login information 632 added to the login table 631 (step S116). The user menu screen data is transmitted to the user terminal 100 via the Internet 20 (step S117).
The user terminal 100 receives the terminal menu screen data via the Internet 20, generates a menu screen 161 from the received terminal menu screen data, and displays the menu screen 161 on the monitor (step S121). Next, the menu selection by the user is received (step S122).

When a password change is selected by a user's button operation (step S122), the process proceeds to a password change process (step S127).
When the user selects the travel expense settlement (step S122), the application number “001” is read (step S123). When a vacation application is selected by the user (step S122), the application number “002” is read (step S124). When the user selects the conference room reservation (step S122), the application number “003” is read (step S125). When the user selects the employee purchase (step S122), the application number “004” is read (step S126). Next, the read application number and the service start request are transmitted to the management server 600 (step S128).

  The management server 600 receives the application number and the service start request from the user terminal 100 via the Internet 20. The login information 632 including the terminal ID received together with the service start request is selected, and it is confirmed whether or not the processing status included in the selected login information 632 is "normal" (step S131). If it is determined that the processing status is not “normal” (NO in step S131), the wait message is read from the information storage unit 610 (step S146), and the read wait message is transmitted to the user terminal 100 via the Internet 20 (step S131). S147).

The user terminal 100 receives the wait message from the management server 600, and displays the received wait message (Step S148).
If it is determined that the processing status of the selected login information 632 is “normal” (YES in step S131), then the received application number is determined (step S132), and if it is determined that the application number is “002”. (002 in Step S132), the communication with the second application server 200b is started. When it is determined that the application number is “003” (003 in step S132), communication with the third application server 200c is started. When it is determined that the application number is “004” (004 in step S132), communication with the fourth application server 200d is started (step S135).

When it is determined that the application number is “001” (001 in step S132), communication with the first application server 200a is started. First, the management server 600 performs mutual authentication with the first application server 200a and shares a server common key (step S136).
Next, the user ID and the password included in the selected login information 632 are read (step S139), and the read password is encrypted using the server common key to generate an encrypted password (step S141). The received service start request, the application number “001”, the read user ID, and the generated encrypted password are transmitted to the first application server 200a (Step S142).

  The first application server 200a receives the service start request, the application number “001”, the user ID, and the encrypted password from the management server 600 via the Internet 20, and receives the received encrypted password using the server common key. Is decrypted to generate a password (step S151). The presence or absence of password information including the received user ID and the generated password is confirmed in the password table 221 (step S152). If there is no password information including the received user ID and the generated password, the authentication fails. (NO in step S153), a password error signal indicating that the password stored in the management server 600 does not match the password stored in the first application server 200a, the received user ID, Is transmitted to the management server 600 via the Internet 20 (step S166).

  The management server 600 receives the password error signal and the user ID from the first application server 200a, generates terminal forced termination screen data (step S167), and transmits the generated terminal forced termination screen data to the user terminal 100. (Step S168). Next, the management server 600 generates an error screen 331 (step S169), displays the generated error screen on the display unit 613, and notifies the operator of the occurrence of a password mismatch (step S171).

The user terminal 100 receives the terminal forced termination screen data from the management server 600 via the Internet 20, generates a forced termination screen 321 from the received terminal forced termination screen data, and monitors the generated forced termination screen 321. (Step S172), and the process ends.
When the password information 223 including the received user ID and the generated password exists in the password table 221, the first application server 200a determines that the authentication is successful (YES in step S153), and transmits the password information 223 and the service start request. The login information 232 is generated based on the received terminal ID and the received terminal ID, and the generated login information 232 is added to the application login table 231 and written (step S154).

Next, the first application server 200a generates terminal adjustment screen data (step S155), and transmits the generated terminal adjustment screen data to the management server 600 (step S156).
The management server 600 receives the terminal adjustment screen data from the first application server 200a via the Internet 20, and transmits the received terminal adjustment screen data to the user terminal 100 (Step S158).

  The user terminal 100 receives the terminal settlement screen data from the management server 600 via the Internet 20, generates a settlement screen 171 from the received terminal settlement screen data, and displays the screen on the monitor (step S159). Next, data input by the user is received (step S161), and the received input data is encrypted using the terminal common key to generate encrypted input data (step S162). Next, the generated encrypted input data is transmitted to the management server 600 (step S176).

  The management server 600 receives the encrypted input data from the user terminal 100 via the Internet 20 (Step S177), decrypts the received encrypted input data using the terminal common key, and generates the input data (Step S177). S177). Next, the generated input data is encrypted using the server common key to generate encrypted input data (step S179), and the generated encrypted input data is transmitted to the first application server 200a (step S181).

  The first application server 200a receives the encrypted input data via the Internet 20, decrypts the received encrypted input data using the server common key, and generates the input data (Step S182). Next, a travel expense settlement process is performed based on the generated input data (step S183). When the travel expense settlement processing is completed, the first application server 200a generates terminal settlement end screen data (step S184), and transmits the generated terminal settlement end screen data to the management server 600 (step S186).

The management server 600 receives the terminal settlement end screen data from the first application server 200a via the Internet 20, and transmits the received terminal settlement end screen data to the user terminal 100 (step S188).
The user terminal 100 receives the terminal payment end screen data from the management server 600 via the Internet 20, generates a payment end screen 181 from the received terminal payment end screen data, and displays it on the monitor (step S191). Next, when a button operation by the user is received (step S192), and a press of the menu button 182 is received, the process returns to step S121 to receive a menu selection.

Upon receiving the press of the logout button 183 (step S192), the user terminal 100 transmits a logout notification indicating logout to the management server 600 (step S193).
The management server 600 receives the logout notification from the user terminal 100 via the Internet 20, and transmits the received logout notification to the first application server 200a (Step S194). Next, the login information 632 including the terminal ID received as the logout notification is selected, and the selected login information 632 is deleted from the login table 631 (step S195). Although not shown, a logout notification is similarly transmitted to the second application server 200b to the third application server 200d.

  The first application server 200a receives a logout notification from the management server 600 via the Internet 20. The log-in information including the terminal ID received together with the log-out notification is searched, and if the log-in information 232 including the received terminal ID exists, the log-in information 232 is deleted from the application log-in table 231 (step S196). Similarly, in the second application server 200b to the fourth application server 200d, if the login information including the received terminal ID exists in the application login table stored therein, the login information is deleted.

(2) Password Change Processing by Management Server 600 The password change processing by the management server 600 will be described with reference to the flowcharts in FIGS. This is the details of step S127 in FIG.
The user terminal 100 reads the application number “005” (Step S300), and transmits the read application number “005” and a password change instruction to the management server 600 (Step S301).

The management server 600 receives the application number “005” and the password change instruction via the Internet 20. Upon receiving the password change instruction, terminal password change screen data is generated (step S302), and the generated terminal password change screen data is transmitted to the user terminal 100 (step S303).
The user terminal 100 receives the terminal password change screen data from the management server 600 via the Internet 20, generates a password change screen 191 from the received terminal password change screen data, and displays it on the monitor (step S304). . Next, the input of the current password and the new password by the user is received (step S306). Using the terminal common key, the received current password and new password are encrypted to generate an encrypted current password and an encrypted new password (step S307). Next, the generated encrypted current password and the encrypted new password are transmitted to the management server 600 (step S308).

  The management server 600 receives the encrypted current password and the encrypted new password from the user terminal 100 via the Internet 20. The login information 632 in the login table 631 is selected based on the terminal ID received together with the encrypted current password and the encrypted new password, and the processing status of the selected login information 632 is rewritten to “Password is being changed” (step S309).

  Next, the received encrypted current password and the encrypted new password are decrypted using the terminal common key to generate the current password and the new password (step S311). The user ID included in the rewritten login information 632 is read (step S312), and the presence or absence of password information including the read user ID and the generated current password is confirmed in the password table 621 (step S313).

If the password information including the read user ID and the generated current password does not exist in the password table 621, it is determined that the authentication has failed (NO in step S316), the process returns to step S302, and the terminal is returned again. Password change screen data.
If password information including the read user ID and the generated current password exists in the password table 621, it is determined that the authentication is successful (YES in step S316).

Next, password change information 652 including the read user ID and the generated current password is selected from the password change table 651 (step S317), and the current password and the new password included in the selected password change information 652 are generated. The password is rewritten with the new password (step S318).
Next, the password change process of the first application server 200a is performed (step S319). When the process is normally completed, the password change process of the second application server 200b is performed (step S321). The process moves to step S364 of the password recovery process shown. When the password change of the second application server 200b ends normally, the password change of the third application server 200c is performed (step S322). If the password change does not end normally, the process proceeds to step S363 in FIG. If the password change of the third application server 200c ends normally, the password change of the fourth application server 200d is performed (step S323). If not, the process moves to step S362 in FIG. If the password change of the fourth application server 200d has not been completed normally, the process moves to step S361 in FIG.

  When the password changes of the first application server 200a to the fourth application server 200d are all completed normally, the management server 600 selects the password information including the transmitted user ID from the password table 621, and sets the password included in the selected password information. With the new password. Further, the login information 632 including the transmitted user ID is selected from the login table 631, and the password included in the selected login information 632 is rewritten with the new password (step S326).

Next, terminal change completion screen data is generated (step S327), the generated terminal change completion screen data is transmitted to the user terminal 100 (step S328), and the processing status of the login information 632 is rewritten to "normal" (step S328). Step S329).
The user terminal 100 receives the terminal change completion screen data from the management server 600 via the Internet 20, generates a change completion screen 301 from the received terminal change completion screen data, and uses the generated change completion screen 301 as a monitor. It is displayed (step S331). Next, when a button operation by the user is received (step S332) and a press of the menu button 302 is received, the process returns to step S121 to display a menu screen.

Upon receiving the press of the logout button 303, a logout notification is transmitted to the management server 600, and the process ends (step S333).
The management server 600 receives a logout notification from the user terminal 100 via the Internet 20. The received logout notification is transmitted to the first application server 200a to the fourth application server 200d (step S336). Next, login information 632 is selected based on the terminal ID received together with the logout notification, and the selected login information 632 is deleted (step S334).

The application server 200 receives the logout notification from the management server 600, searches the application login table 231 for login information including the terminal ID received along with the logout notification, and logs in the login information including the login information including the received terminal ID. If exists, the login information is deleted (step S337).
(3) Password Change Process of Application Server 200 The password change process of each application server 200 will be described with reference to the flowcharts shown in FIGS. This is the details of step S319, step S321, step S322, and step S323 in FIG.

  The management server 600 performs mutual authentication with the application server 200 and generates a server common key (step S341). The user ID, the current password, and the new password are extracted from the password change information 652 rewritten in step S318, the extracted current password and the new password are encrypted using the server common key, and the encrypted current password and the encrypted new password are encrypted. Is generated (step S342). The extracted user ID, the generated encrypted current password, and the encrypted new password are transmitted to the application server 200, and an instruction to change the password is issued (step S343). Next, a time counter for measuring an elapsed time after transmitting the password change instruction is set to 0, and measurement of the elapsed time is started (step S344).

The application server 200 receives the user ID, the encrypted current password, and the encrypted new password from the management server 600 via the Internet 20, and is instructed to encrypt. Using the server common key, the received encrypted current password and the encrypted new password are decrypted to generate the current password and the new password (step S345).
The password information 223 including the received user ID is selected in the password table 221, and the password included in the selected password information 223 is rewritten with the new password (step S346). If it is determined that the password rewriting is successful (YES in step S347), an end signal “1” is generated (step S349). If it is determined that the password rewriting has failed (NO in step S347), an end signal “0” is generated (step S348).

Next, the generated end signal is transmitted to the management server 600 via the Internet 20 (step S351).
When receiving the end signal from the application server 200 (YES in step S355), the management server 600 determines the received end signal (step S356), and when determining that the end signal is “1”, changes the password of the application server 200. To end.

If it is determined that the end signal is “0” (“0” in step S356), the process proceeds to the password recovery process (step S359).
If an end signal has not been received from the application server 200 (NO in step S355), the value of the time counter is compared with the maximum waiting time (step S358), and if it is determined that the time counter has not exceeded the maximum waiting time. (NO in step S358), the process returns to step S355, and repeats the processes in steps S355 to S358 until an end signal is received from the application server 200 or the time counter exceeds the maximum waiting time.

If it is determined that the time counter has exceeded the maximum waiting time (YES in step S358), it is determined that the password change of the application server 200 has failed, and a password recovery process is performed (step S359).
(4) Password Recovery Processing by Management Server 600 The password recovery processing by the management server 600 will be described with reference to the flowchart in FIG. This is the details of step S359 in FIG.

  However, if the process of step S319 in FIG. 28 is in progress, the password recovery process starts from step S364. If the process in step S321 is being performed, the password recovery process is started from step S363. If the process is in step S322, the password recovery process is started from step S362. If the process of step S323 in FIG. 28 is being performed, the process of password recovery is started from step S361.

The management server 600 recovers the password of the third application server 200c (step S361), and if this ends normally, recovers the password of the second application server 200b (step S362). If the step S362 ends normally, the password of the first application server 200a is recovered (step S363).
When step S364 ends normally, the management server 600 generates terminal change failure screen data based on the change failure screen and the login information 632 (step S364), and displays the generated terminal change failure screen data on the user terminal. 100 (step S366).

  The user terminal 100 receives the terminal change failure screen data from the management server 600 via the Internet 20, generates a change failure screen 311 from the received terminal change failure screen data, and monitors the generated change failure screen 311. (Step S367). Next, when the button operation of the user is received (step S368) and the selection of the menu button 312 is received, the process proceeds to step S121.

When the selection of the logout button 313 is received, a logout notification is transmitted to the management server 600 (step S371).
The management server 600 receives the logout notification from the user terminal 100 via the Internet 20, selects the login information 632 based on the terminal ID received with the logout notification, and deletes the selected login information 632 (step S372).

  Although not specifically shown, the received logout notification is transmitted to the application server 200. The application server 200 receives the logout notification from the management server 600 via the Internet 20, searches the application login table 231 for the login information including the terminal ID received together with the logout notification, and checks the login information including the terminal ID. If so, delete the corresponding login information.

(5) Password Recovery Process of Application Server 200 The password recovery process of the application server 200 will be described with reference to the flowchart shown in FIG. This is the details of step S361, step S362, and step S363 in FIG.
The management server 600 sets the number counter for counting the number of times of transmitting the password recovery instruction to 0 (step S380). Next, the user ID, the current password, and the new password included in the password change information 652 are read out, the read current password and the new password are encrypted using the server common key, and the encrypted current password and the encrypted new password are encrypted. Is generated (step S381). Next, the read user ID, the generated encrypted current password, and the encrypted new password are transmitted to the application server 200 to instruct password recovery (step S382). Next, a time counter for measuring an elapsed time after transmitting the password recovery instruction is set to 0, and measurement of the elapsed time is started (step S383).
The application server 200 receives the user ID, the encrypted current password, and the encrypted new password from the management server 600 via the Internet 20, and receives a password recovery instruction. The encrypted current password and the encrypted password received using the server common key are decrypted to generate the current password and the new password (step S384). Next, password information including the received user ID and the generated new password is selected on the password table 221, and the password of the selected password information is rewritten with the current password (step S385).

If the password has been successfully rewritten (YES in step S386), an end notification “1” is generated (step S387). If the password rewriting has failed (NO in step S386), an end signal “0” is generated (step S388). Next, the generated end signal is transmitted to the management server 600 (step S389).
When receiving the end signal from the application server 200 via the Internet 20 (YES in step S391), the management server 600 determines the received end signal (step S392), and determines that the received end signal is “1”. With this, the password recovery of the application server 200 ends normally.

If it is determined that the end signal is “0” (step S392), the process proceeds to step S396.
If an end signal has not been received from the application server 200 (NO in step S391), the value of the time counter is compared with the maximum waiting time (step S394), and if it is determined that the time counter has not exceeded the maximum waiting time. (NO in step S394), the process returns to step S391, and the processes in steps S391 to S394 are repeated until an end signal is received from the application server 200 or the time counter exceeds the maximum waiting time.

If it is determined that the time counter has exceeded the maximum waiting time (YES in step S394), 1 is added to the number counter (step S396), and the value of the number counter is compared with the limited number of times (step S397). If it does not exceed (NO in step S397), the process proceeds to step S382.
If it is determined that the number of times exceeds the limit (YES in step S397), it is determined that the password recovery has failed, terminal forced termination screen data is generated (step S398), and the generated terminal forced termination screen data is generated by the user. It transmits to terminal 100 (step S399).

Next, an error screen 331 is generated (step S402), and the generated error screen is displayed on the display unit 613 (step S403).
The user terminal 100 receives the terminal forced termination screen data from the management server 600 via the Internet 20. A forced termination screen 321 is generated from the received terminal forced termination screen data, displayed on the monitor (step S401), and the process is terminated.

(6) Mutual Authentication Processing The operation of mutual authentication between devices will be described with reference to FIGS.
Note that this mutual authentication method is an example, and another authentication method or key sharing method may be used. In addition, since mutual authentication is performed between the user terminal 100 and the management server 600 or between the management server 600 and the application server 200, both devices will be described as device A and device B here. In the above description, a common key generated by mutual authentication between the user terminal 100 and the management server 600 is a terminal common key, and a common key generated by mutual authentication between the management server 600 and the application server 200 is a server common key. It is called.

Here, Gen () is a key generation function, and Y is a system-specific parameter. It is assumed that the key generation function Gen () satisfies the relationship of Gen (x, Gen (z, Y)) = Gen (z, Gen (x, Y)). Since the key generation function can be implemented by any known technique, the details will not be described here.
The device A reads the public key certificate Cert_A (step S201), and transmits the read public key certificate Cert_A to the device B (step S202).

  The device B that has received the public key certificate Cert_A performs the signature verification algorithm V on the signature data Sig_CA of the certificate authority received and included in the public key certificate Cert_A using the public key PK_CA of the certificate authority ( Step S203). Here, the signature verification algorithm V is an algorithm for verifying the signature data generated by the signature generation algorithm S. If the result of the signature verification fails (NO in step S204), the process ends.

If the result of the signature verification is successful (YES in step S204), the device B reads the CRL (step S205) and determines whether the received ID number ID_A included in the public key certificate Cert_A is registered in the read CRL. It is determined whether or not it is (step S206). If it is determined that it has been registered (YES in step S206), the process ends.
When judging that it is not registered (NO in step S206), the device B reads the public key certificate Cert_B (step S207), and transmits the read public key certificate Cert_B to the device A.

The device A that has received the public key certificate Cert_B uses the public key PK_CA of the certificate authority to apply the signature verification algorithm V to the signature data Sig_CA of the certificate authority received and included in the public key certificate Cert_B to verify the signature ( Step S209). If the signature verification fails (NO in step S210), the process ends.
If the result of the signature verification is successful (YES in step S210), the device A reads the CRL (step S211) and determines whether the received ID number ID_B included in the public key certificate Cert_B is registered in the read CRL. It is determined whether or not it is (step S212). If it is determined that it has been registered (YES in step S212), the process ends. If it is determined that it has not been registered (NO in step S212), the process is continued.

The device B generates a random number Cha_B (step S213), and transmits the generated random number Cha_B to the device A (step S214).
The device A receives the random number Cha_B, performs a signature generation algorithm S on the received random number Cha_B using the secret key SK_A of the device A, generates signature data Sig_A (step S215), and transmits the generated signature data Sig_A to the device. B (step S216).

  Upon receiving the signature data Sig_A, the device B applies the signature verification algorithm V to the received signature data Sig_A and verifies the signature using the public key PK_A of the device A received in the public key certificate Cert_A (step). S217). If it is determined that the result of the signature verification is failure (NO in step S218), the process ends. If it is determined that the result of the signature verification is successful (YES in step S218), the process is continued.

The device A generates a random number Cha_A (step S219), and transmits the generated random number Cha_A to the device A (step S220).
The device B receives the random number Cha_A, performs a signature generation algorithm S on the received random number Cha_A using the secret key SK_B of the device B, generates signature data Sig_B (step S221), and transmits the generated signature data Sig_B to the device. A is transmitted to A (step S222).

  Upon receiving the signature data Sig_B, the device A performs the signature verification algorithm V on the received signature data Sig_B by using the public key PK_B of the device B received in the public key certificate Cert_B to verify the signature (step). S223). If it is determined that the result of the signature verification is failure (NO in step S224), the process ends. If it is determined that the result of the signature verification is successful (YES in step S224), a random number “a” is generated (step S225), and Key_A = Gen (a, Y) using the generated random number “a”. Is generated (Step S226), and the generated Key_A is transmitted to the device B (Step S227).

Upon receiving Key_A, the device B generates a random number “b” (Step S228), generates Key_B = Gen (b, Y) using the generated random number “b” (Step S829), and generates the generated Key_B. The data is transmitted to the device A (step S230).
Also, using the generated random number “b” and the received Key_A, Key_AB = Gen (b, Key_A) = Gen (b, Gen (a, Y)) is generated, and this is used as a common key (step S231). ).

The device A receives Key_B, generates Key_AB = Gen (a, Key_B) = Gen (a, Gen (b, Y)) from the generated random number “a” and the received Key_B, and uses this as a common key. (Step S232).
(7) Execution example of password change One execution example of password change will be described below with reference to FIG. Here, the current password “ozy12” of the user with the user ID “maeda” is changed to the new password “nwy56”. In the communication between the user terminal 100 and the management server 600 and the communication between the management server 600 and the application server 200, the current password and the new password are securely transmitted and received by secret communication using the terminal common key or the server common key. In the following description, the description of the encryption and decryption processing will be omitted for simplicity.

Each application server 200 before the change stores a password “ozy12” corresponding to the user ID “maeda” as shown in FIG.
In response to a password change instruction from the user terminal 100, the management server 600 transmits terminal password change screen data to the user terminal 100.
The user terminal 100 receives the terminal password change screen data, generates and displays the password change screen 191 from the received terminal password change screen data. The input of the current password “ozy12” and the new password “nwy56” by the user is received, and the received current password “ozy12” and the new password “nwy56” are transmitted to the management server 600.

The management server 600 receives the current password “ozy12” and the new password “nwy56” from the user terminal 100. Next, the received current password “ozy12” and the new password “nwy56” are transmitted to the first application server 200a to instruct the first application server 200a to change the password.
The first application server 200a rewrites the current password “ozy12” stored therein to the new password “nwy56” and transmits an end signal “1”.

  When receiving the end signal “1” indicating that the password change has been normally completed from the first application server 200a, the management server 600 similarly sends the current password “ozy12” and the new password “nwy56” to the second application server 200b. And sends an instruction to change the password, and receives an end signal “1”. At this time, the first application server 200a and the second application server 200b store the new password “nwy56” as shown in FIG. 37B, and the third application server 200c and the fourth application server 200d store the current password “nwy56”. ozy12 "is stored.

Next, the management server 600 transmits the current password “ozy12” and the new password “nwy56” to the third application server 200c, and instructs the third application server 200c to change the password.
Here, the third application server 200c fails to change the password, and transmits an end signal “0” to the management server 600.
When receiving the end signal “0” indicating that the password change has failed from the third application server 200c, the management server 600 sends the current password “ozy12” and the new password “nwy56” to the second application server 200b. Send and instruct password recovery. Next, the management server 600 receives, from the second application server 200b, an end signal “1” indicating that the password has been successfully recovered. Next, the first application server 200a is similarly instructed to recover the password, and receives an end signal “1” from the first application server 200a. With this, the password recovery is completed. At this time, each application server stores the current password “ozy12” as shown in FIG.

FIG. 37D shows the password stored in each application server when the password change of the third application server 200c and the fourth application server 200d is successful.
1.6 Summary As described above, according to the present embodiment, the management server 600 receives a password change instruction from the user terminal 100. The management server 600 securely receives the current password and the new password from the user terminal 100 by secret communication using the terminal secret key.

Next, the current password and the new password are securely transmitted to the first application server 200a by the secret communication using the server common key, and the change of the password is instructed. If the password change of the first application server 200a is successful, similarly, the change of the password is instructed in the order of the second application server 200a to the fourth application server 200d.
If the password change fails in any of the first application server 200a to the fourth application server 200d, the current password and the new password are transmitted to the application server for which the password change has already been completed to instruct the password recovery.

In this way, even if any of the plurality of application servers fails to change the password, the passwords of the plurality of application servers can be unified.
2. Embodiment 2
Hereinafter, a password change system according to the second embodiment will be described.
As shown in FIG. 38, the password change system includes a user terminal 100, internal user terminals 150, 160,..., A first application server 200a, a second application server 200b, a third application server 200c, a fourth application server 200d, It comprises a server 600b and a router 800.

The second to fourth application servers 200b to 200d and the management server 600b are connected to the bus 31 and form a bus-type LAN. The internal user terminals 150, 160, ... and the management server 600b are connected to the bus 32 and form a bus-type LAN. The buses 31 and 32 are, specifically, coaxial cables having a terminating device at both ends.
The management server 600b is further connected to the Internet via a router 800 having a firewall function.

The management server 600b, the second application server 200b to the fourth application server 200d, and the internal user terminals 150, 160,... Constitute, for example, a LAN in the same building.
The user terminal 100 and the first application server 200 are connected to the Internet 20.

As in the first embodiment, the management server 600b and the first to fourth application servers 200a to 200d store in advance a user ID of a valid user and a password in association with each other.
The first application server 200a to the fourth application server 200d respectively provide services such as travel expense settlement, vacation application, meeting room reservation, and employee purchase.

The user uses these services via the Internet 20 and the management server 600b using the user terminal 100. Also, these services can be used via the buses 31 and 32 using the internal user terminals 150, 160...
At this time, the user terminal 100 or the internal user terminals 150, 160,... Transmits the user ID and password of the user to the management server 600b.

  The management server 600b and the first to fourth application servers 200a to 200d verify the user ID and the password transmitted from the user terminal 100 or the internal user terminals 150, 160,. , 160... Are authenticated as valid users, and each application server provides its own service.

Also, the management server 600b receives a password change instruction, a current password, and a new password from the user terminal 100 or the internal user terminals 150, 160,. The management server 600b sequentially transmits the received new passwords to the first application server 200a to the fourth application server 200d, and instructs to change the password.
Here, when the password change is not performed normally in any of the first application server 200a to the fourth application server 200d, the management server 600b sends the current password to the application server whose password change has already been completed. And instruct them to change their passwords to their current passwords.

The specific configurations and operations of the user terminal 100 and the internal user terminals 150, 160,... Are the same as those of the user terminal 100 according to the first embodiment, and thus description thereof is omitted.
The specific configuration and operation of the first application server 200a to the fourth application server 200d are the same as those of the first application server 200a to the fourth application server 200d according to the first embodiment, and a description thereof will not be repeated.

As shown in FIG. 39, the management server 600b includes a transmission / reception unit 601b, an authentication unit 603, a password change unit 606, a control unit 607, an encryption processing unit 608, a password recovery unit 614, a change determination unit 609, a change result notification unit 615, It comprises an information storage unit 610, an input unit 612, and a display unit 613.
The transmission / reception unit 601b is connected to the buses 31 and 32 and the bus 35. The transmission / reception unit 601b transmits / receives information between the second application server 200b to the fourth application server 200d and each unit in the management server 600b via the bus 31, and transmits / receives information to / from the internal user terminal 150 via the bus 32. The information is transmitted and received between 160... And each unit in the management server 600b. In addition, information is transmitted and received between the user terminal 100, the first application server 200a, and each unit in the management server 600b via the bus 35, the router 20, and the Internet 20.

At this time, in transmitting and receiving information between the second application server 200b to the fourth application server 200d, the transmitting and receiving unit 601b selects the bus 31 and transmits and receives information to and from the internal user terminals 150, 160,. The bus 32 is selected. In transmitting and receiving information between the user terminal 100 and the first application server 200a, the bus 35 is selected.
Other specific operations of the transmission / reception unit 601b are the same as those in the first embodiment.

Specific operations and information of the authentication unit 603, the password change unit 606, the control unit 607, the encryption processing unit 608, the password recovery unit 614, the change determination unit 609, the change result notification unit 615, the input unit 612, and the display unit 613. The configuration of the storage unit 610 is the same as that of the first embodiment described with reference to FIG.
The router 800 has a firewall function, and passes or blocks various information transmitted from an external device connected to the Internet 20 to each device in the LAN. Specifically, it is determined whether or not the source and destination IP addresses and port numbers included in the packet received via the Internet satisfy predetermined conditions. Pass it, and if not, delete the received packet. Such a method is generally called packet filtering. The firewall function is an example, and another method may be used.

As described above, in the present embodiment, the firewall function of the router 800 protects each device connected to the management server 600b and the LAN from an attack by an unauthorized external device connected to the Internet 20. Can be.
3. Embodiment 3
Hereinafter, a password change system according to the third embodiment will be described.

As shown in FIG. 40, the password change system includes user terminals 170, 180,..., A first application server 200a to a fourth application server 200, and a management server 600c.
The first to fourth application servers 200a to 200d and the management server 600c are connected to the bus 33 and form a bus-type LAN. The user terminals 170, 180... And the management server 600c are connected to the bus 34 and form a bus-type LAN. Each of the buses 33 and 34 is a coaxial cable having a terminal device at both ends.

The management server 600c, the first to fourth application servers 200a to 200d, and the user terminals 170, 180,... Constitute, for example, a LAN in the same building.
The first application server 200a to the fourth application server 200d respectively provide services such as travel expense settlement, vacation application, meeting room reservation, and employee purchase.
The user uses one of the user terminals 170, 180,... And uses the services provided by the first application server 200 to the fourth application server 200d via the management server 600c.

At this time, the user terminal 170 used by the user transmits the user ID and password of the user to the management server 600c.
The management server 600c and the first to fourth application servers 200a to 200d verify the user ID and the password, and authenticate that the user of the user terminal 100 is a valid user. Provide services provided by

In addition, the management server 600c receives a password change instruction from the user terminal 170, and receives a current password and a new password from the user terminal 100. The management server 600c sequentially transmits the received new password to the first application server 200a to the fourth application server 200d, and instructs a change of the password.
Here, when the password change is not performed normally in any of the first application server 200a to the fourth application server 200d, the management server 600c sends the current password to the application server whose password change has already been completed. And instruct them to change their passwords to their current passwords.

The specific configuration and operation of the first application server 200a to the fourth application server 200d are the same as those of the first application server 200a to the fourth application server 200d of the first embodiment, respectively, and thus the description is omitted.
The specific configuration and operation of the user terminals 170, 180,...

As shown in FIG. 41, the management server 600c includes a transmission / reception unit 601c, an authentication unit 603, a password change unit 606, a control unit 607, an encryption processing unit 608, a password recovery unit 614, a change determination unit 609, a change result notification unit 615, It comprises an information storage unit 610, an input unit 612, and a display unit 613.
The transmission / reception unit 601c transmits / receives information between the first application server 200a to the fourth application server 200d and each unit in the management server 600c via the bus 33. Information is transmitted and received between the user terminals 170, 180,... And each unit inside the management server 600c via the bus 34.

At this time, in transmitting and receiving information to and from the first application server 200a to the fourth application server 200d, the transmitting and receiving unit 601c selects the bus 33, and transmits and receives information to and from the user terminals 170, 180. select.
The specific operation of the transmitting / receiving section 601c is the same as in the first embodiment.
Authentication unit 603, password change unit 606, control unit 607, encryption processing unit 608, password recovery unit 614, change determination unit 609, change result notification unit 615, specific operations of input unit 612 and display unit 613, information storage unit The configuration of 610 is the same as that of the management server 600c according to the first embodiment, and a description thereof will not be repeated.

  In the present embodiment, the application server 200 is connected to the user terminals 170 and 180 via the management server 600c. When the user uses the services provided by the application server 200 using the user terminals 170 and 180, various information transmitted and received always passes through the management server 600c. It becomes easier to detect unauthorized use of services by users.

Also, as in the present embodiment, in the case of a closed LAN or when performing the above-described service provision and communication related to password change only in a LAN protected by a firewall or the like, the mutual authentication by the authentication unit 603 is omitted. You can also. This makes it possible to more quickly perform the service providing process and the password changing process described above.
4. Other Modifications (1) Start of Password Change by Management Server In the first to third embodiments, the password change process is started by receiving a password change request from the user terminal or the internal user terminal. Alternatively, the management server 600 may prompt the user to change the password.

Specifically, the management server 600 stores in advance the maximum usage period of the password. The IP address of the user terminal used mainly by the user is stored in association with the user ID of the user. A password table 621b is stored in place of the password table 621.
The password table 621b includes a plurality of pieces of password information 622b, 623b, 624b,... As shown in FIG. Each password information includes a user ID, a name, a password, and an update date. The user ID, name, and password are the same as the user ID, name, and password included in the password table 621 according to the above-described embodiment, and a description thereof will not be repeated. The update date indicates the latest date when the password included in the password information was changed. For example, the update date indicates that the password included in the password information 622b was changed to “ozy12” on May 10, 200.

The management server 600 periodically checks the date of change included in each piece of password information, and sends the password to the user terminal stored in advance to the user who has not changed the password for more than the maximum usage period. Send a message notifying that the period of use has expired, and prompt for a password change.
(2) Forced Password Change In the above (1), a user who has not changed his / her password after the longest usage period may be forced to change his / her password when trying to use various services. .

  Specifically, in Embodiments 1 to 3 described above, when receiving the user ID and the encrypted password from the user terminal, the management server 600 first transmits the password information 622b including the received user ID in the password table 621b. select. The change date included in the selected password information 622b is read. On the read update date, a change term “200.6.9” is calculated by adding the longest usage period (for example, 30 days), and the calculated change term “200.6.9” is compared with the current date. If the management server 600 determines that the current date has exceeded the change deadline “200.6.9”, the management server 600 transmits terminal password change screen data to the user terminal, and if the password is not changed, the service is used. May not be possible.

(3) Inquiry to Application Server 200 In the first to third embodiments, the management server 600 simultaneously transmits the user ID, the encrypted current password, the encrypted new password, and the password change instruction to each application server 200. However, each application server 200 may be inquired in advance as to whether the password can be changed, and the password change may be instructed only when all the application servers 200 can change the password.

Specifically, the management server 600 first transmits the user ID, the encrypted current password, and the encrypted new password to the first application server 200a, and inquires whether the password can be changed.
When the first application server 200a receives the user ID, the encrypted current password, and the encrypted new password from the management server 600 and receives an inquiry as to whether the password can be changed, a response indicating whether the password can be changed is received. Generate a signal. If the password can be rewritten, a response signal “1” is generated. If the password cannot be rewritten due to a hard disk failure or the like, a response signal “0” is generated, and the generated response signal is transmitted to the management server 600.

The management server receives the response signal from the first application server 200a, and if the received response signal is “1”, the user ID, the encrypted current password, and the encrypted new password are similarly transmitted to the second application server 200b. And inquires whether the password can be changed. When a response signal “1” is received, a similar inquiry is made to the next application server 200.
When receiving the response signal “1” from all the application servers 200, the management server 600 instructs all the application servers 200 to change the password.

  Each application server 200 receives the password change instruction from the management server 600, decrypts the encrypted current password and the encrypted new password received in advance, generates the current password and the new password, and The password information including the ID and the generated current password is selected, and the password included in the selected password information is rewritten with the generated new password.

Next, the management server 600 transmits the terminal change completion screen data to the user terminal, and notifies that the password change has been completed normally.
If a response signal “0” is received from any of the application servers 200 during the inquiry as to whether the password can be changed, it is determined that the password of the corresponding application server 200 cannot be changed, and the password change has already been performed. The stop of the password change is notified to all the application servers 200 that have made the inquiry.

Next, terminal change failure screen data is transmitted to the user terminal to notify that the password change has failed.
(4) Judgment by Timeout In addition, in the above (3), when inquiring each application server 200 whether or not the password can be changed, the time since sending the inquiry is measured, and the maximum set in advance is set. If the response signal is not received even after the waiting time, it may be determined that the password of the corresponding application server 200 cannot be changed.

(5) Connection by Dedicated Line In the third embodiment, the password change system may include a dedicated line for password change.
Specifically, the management server 600 and each application server 200 are directly connected by a dedicated line. For providing a normal service, information is transmitted and received via the buses 33 and 34 as described in the third embodiment.

(6) Processing Status of Application Server 200 In the above first to third embodiments, it is assumed that the management server 600 stores the processing status of each application server 200 and stops the execution of password change in response to this. Is also good.
Specifically, the management server 600 stores a routing table 641b instead of the routing table 641.

  The routing table 641b includes a plurality of pieces of route information 642b, 643b,... As shown in FIG. Each piece of route information includes an application number, a host name, an IP address, a port number, and a processing status. The application number, the host name, the IP address, and the port number are the same as the application number, the host name, the IP address, and the port number included in the above-described routing table 641, and thus the description is omitted. The processing status indicates the processing status of the application server 200 indicated by the application number. The processing status “normal” indicates that the application server 200 indicated by the application number is performing a normal service providing process. The processing status “maintenance” indicates that the application server 200 indicated by the application number is under maintenance. If the processing status is “maintenance”, the management server 600 performs the process of changing the password of the corresponding application server 200. Is not possible.

The management server 600 transmits a monitoring signal to each application server 200 periodically.
Each application server 200 receives the monitoring signal from the management server 600, and returns a response signal “normal” if its processing state is normal. If the own processing status is under maintenance, a response signal “maintenance” is returned.
The management server 600 receives the response signal from each application server 200, and rewrites the processing status of the stored routing table 641b of each application server 200 based on the received response status.

Upon receiving the password change request from the user terminal or the internal user terminal, the management server 600 checks the processing status of the routing table 641b, and determines that the processing status of all the application servers 200 is "normal". The password change process as described above is started.
If there is at least one application server 200 whose processing status is not “normal”, it notifies the user terminal that the current password change cannot be accepted.

In addition, each application server 200 may voluntarily report its own processing status to the management server 600 regardless of the presence or absence of the monitoring signal from the management server 600.
(7) Storage of Current Password by Application Server In the first to third embodiments, the management server 600 stores the current password and the new password by using the password change table 651, but each application server 200 stores the current password and the new password. It may be.

In this case, the management server 600 transmits the user ID, the encrypted current password, and the encrypted new password in order from the first application server 200a to the fourth application server 200d, and instructs to change the password.
Each application server 200 receives the user ID, the encrypted current password, and the encrypted new password, decrypts the received encrypted current password and the encrypted new password, and selects password information including the user ID and the current password. Then, the password included in the selected password information is rewritten with the new password. If the rewriting is successful, an end signal “1” is transmitted to the management server. Next, the current password is stored in association with the rewritten password information.

The management server 600 receives the end signal from the application server 200, and if the received end signal is “1”, transmits the user ID, the encrypted current password, and the encrypted new password to the next application server 200.
When the received end signal is “0” or when the end signal is not received after a certain period of time, it is determined that the password change has failed, and the application server 200 that has already received the end signal “1” , Send password recovery instructions.

Upon receiving the password recovery instruction, the application server 200 rewrites the password of the rewritten password information to the stored current password.
(8) Change to Initial Password In the first to third embodiments, when the user forgets the password, the password may be changed to the initial password.

The initial password is a password initially assigned to the user by the administrator of the password change system, and is communicated to the user by e-mail, writing, or the like. As an example, a simple character string such as “0000” or the same character string as the user ID can be cited.
Specifically, the management server 600 stores an initial password of each user in advance.

The login screen 151 is further provided with a password forget button, and the user selects the password forget button when the user forgets the password.
When detecting the pressing of the password forget button, the user terminal notifies the management server 600 of the password forget.
Upon receiving the password forget notification from the user terminal, the management server 600 starts the password change process as described above. At this time, an initial password is transmitted to each application server 200 instead of the new password input by the user, and an instruction to change the password is issued.

  When the password change of all the application servers 200 succeeds, the user terminal is notified that the password has been changed to the initial password.

  The devices and systems of the present invention can be used business-wise, continuously and repeatedly in an industry that provides various services to users via a network. Further, each device, computer program, and recording medium constituting the present invention can be manufactured and sold in the electric appliance manufacturing industry in a business-wise manner, continuously and repeatedly.

It is a block diagram of a password change system. FIG. 2 is a block diagram illustrating a configuration of a user terminal 100. 4 shows an example of information stored in the storage unit 110. In the present embodiment, the form of information transmitted and received between devices is shown. 4 shows an example of a login screen and a menu screen displayed on a monitor connected to the user terminal 100. 7 shows an example of a settlement screen and a settlement end screen displayed on a monitor connected to the user terminal 100. 7 shows an example of a password change screen and a change completion screen displayed on a monitor connected to the user terminal 100. 7 shows an example of a change failure screen and a forced termination screen displayed on a monitor connected to the user terminal 100. FIG. 2 is a block diagram illustrating a configuration of an application server 200. 3 is an example of information stored in an information storage unit 210. 3 shows details of a password table 221. The details of the application login table 231 are shown. FIG. 3 is a block diagram showing a configuration of a management server 600. 9 shows an example of information stored in an information storage unit 610. The details of the login table 631 are shown. The details of the routing table 641 are shown. The details of the password change table 651 are shown. It is an example of an error screen displayed on the display unit 613 of the management server 600. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 5 is a flowchart illustrating operations performed by the user terminal 100, the management server 600, and the application server 200. Continued from FIG. 9 is a flowchart illustrating an operation of a password change process by the management server 600. 9 is a flowchart illustrating an operation of a password change process by the management server 600. Continued from FIG. 9 is a flowchart illustrating an operation of a password change process by the management server 600. Continued from FIG. 5 is a flowchart illustrating an operation of a password change process of the application server 200. 5 is a flowchart illustrating an operation of a password change process of the application server 200. Continued from FIG. 9 is a flowchart showing an operation of password recovery by the management server 600. 6 is a flowchart illustrating a password recovery operation of the application server 200. 6 is a flowchart illustrating a password recovery operation of the application server 200. Continued from FIG. 5 is a flowchart illustrating an operation of mutual authentication between two devices. 5 is a flowchart illustrating an operation of mutual authentication between two devices. Continued from FIG. 7 shows a password stored in each application server 200 during execution of a password change in the first embodiment. FIG. 9 is a configuration diagram showing a configuration of a second embodiment. FIG. 14 is a block diagram illustrating a configuration of a management server 600b according to the second embodiment. FIG. 14 is a configuration diagram showing a configuration of a third embodiment. FIG. 14 is a block diagram illustrating a configuration of a management server 600c according to the second embodiment. 14 shows details of a password table 621b in Modification Example (1). 15 shows details of a routing table 641b in the modification (6).

Explanation of reference numerals

100 user terminal 200a first application server 200b second application server 200c third application server 200d fourth application server 600 management server 600b management server 600c management server 601 transmission / reception unit 603 authentication unit 606 password change unit 607 control unit 608 encryption processing unit 609 Change determination unit 610 Information storage unit 614 Password recovery unit 615 Change result notification unit 800 Router

Claims (35)

A management server device that instructs a plurality of application devices that provide each service to one user authenticated by one password to update the password,
First means for attempting to update the passwords of all application devices;
Second means for determining whether or not updating of a password is possible for each application device;
Third means for setting the passwords of all the application devices before updating when at least one application device determined to be impossible exists. The management server device further comprises:
A fourth means for receiving a request for updating the password from the user device,
The management server device according to claim 1, wherein the first unit attempts to update a password based on the received update request. The first means instructs all application devices to update a password,
The second means determines whether the update of the password has failed for each application device,
The third means, when it is determined that the update of at least one application device has failed, instructs another application device whose password has been successfully updated to restore the password before the update. 3. The management server device according to claim 2, wherein: The fourth means receives the update request including the new password and the old password of the user,
The first means generates an update instruction including a new password and an old password included in the received update request, and transmits the generated update instruction to all application apparatuses. The management server device according to claim 3. The second means,
A response receiving unit that receives a response indicating success or failure of updating the password from each application device,
If the received response indicates success, the password update is determined to be successful for the application device, and if the received response indicates failure, the password update is determined to be unsuccessful for the application device. 4. The management server device according to claim 3, comprising: The second means,
A timing section that measures the elapsed time as time passes;
An initialization unit that resets an elapsed time measured by a clock unit to an initial value at a time when the update instruction is transmitted by the first unit;
A waiting unit that waits for a response indicating success or failure of updating the password from each application device,
A determining unit that determines whether the measured elapsed time is greater than a predetermined threshold,
If the determination unit determines that the elapsed time is equal to or smaller than the threshold value, and the reception unit receives a response from each application device, and the response indicates success, the password is determined for the application device. The management server device according to claim 3, further comprising: a determination unit that determines that the update of the password has succeeded, and in other cases, determines that the update of the password has failed for the application device. The first means instructs all application devices to prepare for updating a password,
The second means determines whether or not preparation for updating a password is not completed for each application device,
The third means, when it is determined that the update preparation is not completed for at least one application apparatus, cancels the update preparation instruction to another application apparatus that has completed the update preparation. 3. The management server device according to claim 2, wherein: The fourth means receives the update request including the new password and the old password of the user,
The first means generates an update preparation instruction including a new password and an old password included in the received update request, and transmits the generated update preparation instruction to all application apparatuses. The management server device according to claim 7, wherein: The second means,
A response receiving unit that receives a response indicating completion or incomplete preparation for updating the password from the application device,
When the received response indicates completion, it is determined that the preparation for updating the password is completed for the application device. When the received response indicates incomplete, preparation for updating the password is not completed for the application device. The management server device according to claim 7, further comprising: a determination unit that determines that the process is completed. The second means,
A timing section that measures the elapsed time as time passes;
An initialization unit that resets an elapsed time measured by a clock unit to an initial value at a time of transmitting an instruction to prepare for update by the first unit;
A standby unit that waits for a response indicating completion or incomplete preparation for updating the password from the application device;
A determining unit that determines whether the measured elapsed time is greater than a predetermined threshold,
When the determination unit determines that the elapsed time is equal to or smaller than the threshold value, and the standby unit receives a response from the application device, and indicates that the response is completed, the preparation for updating the password is completed. The management server device according to claim 7, further comprising: a determination unit that determines that preparation for updating the password has not been completed in other cases. The management server device further comprises:
3. A message transmitting means for transmitting, to the user device, a message for returning to the original password when it is determined that the password cannot be updated by the second means. Management server device. The management server device further comprises:
For each application device, a management storage unit that stores whether or not maintenance is being performed is provided,
The management server device according to claim 2, wherein the first unit attempts to update a password when there is no application device under maintenance. The first means stops updating the password when there is an application device under maintenance,
The management server device further comprises:
3. The management system according to claim 2, further comprising a message transmitting unit that transmits a message to the effect that the updating of the password is stopped to the user device when the updating of the password is stopped by the first unit. Server device. The application device is connected to the management server device via a first network,
The management server device according to claim 2, wherein the user device is connected to the management server device via a second network that is not connected to a first network. The management server device according to claim 14, wherein the first network and the second network are intranets. The management server device and each application device are connected via a dedicated line,
When updating a password, the management server device transmits and receives information for updating the password to and from each application device via the dedicated line,
In providing each service, the management server device relays the transmission and reception of the information related to the service between the user device and each application device via the first and second networks. The management server device according to claim 14, characterized by: The application device and the user device are connected to the management server device via a network,
The management server device further comprises:
Storage means for storing a correspondence table for associating the type of application with the position information of each application device on the network;
From the user device, receiving means for receiving type information indicating an application and processing information indicating the content of processing,
Using the correspondence table, acquisition means for acquiring the position information of the application device corresponding to the received type information,
3. The management server device according to claim 2, further comprising: a transmission unit configured to transmit the processing information to an application device indicated by the acquired position information. 17. The management server device according to claim 16, wherein the network is the Internet. The updated new password is the initial password initially assigned to the user,
The first means attempts to update all application devices to an initial password,
The second means determines whether it is impossible to update the initial password for each application device,
The management server according to claim 1, wherein the third unit, when there is at least one application device that is determined to be impossible, sets the passwords of all the application devices before updating. apparatus. An application device that provides a service to one user authenticated by one password and updates a password according to an instruction from a management server device,
Old password storage means for storing the password before update,
Authentication password storage means for storing a password used for user authentication,
Receiving means for receiving, from the management server device, a restoration instruction for restoring the password to that before the update,
An application device for reading the password before update from the old password storage unit upon receiving the restoration instruction, and writing the read password over the authentication password storage unit. 21. The application device according to claim 20, wherein the application device transmits and receives information regarding the service to and from a user device of a user via the management server device. 22. The application device according to claim 21, wherein, when the application device is under maintenance, the application device notifies the management server device of the fact. The application device is connected to the management server device via a first network,
22. The application device according to claim 21, wherein the user device is connected to the management server device via a second network that is not connected to a first network. The application device and the management server device are connected via a dedicated line,
When updating the password, the management server device transmits and receives information for updating the password to and from the management server via the dedicated line,
24. The application apparatus according to claim 23, wherein, when each service is provided, information related to the service is transmitted and received via the first and second networks. 22. The application device according to claim 21, wherein the application device and the user device are connected to the management server device via the Internet. A user terminal device, a plurality of application devices that provide each service to one user terminal device authenticated by one password, and a management server device that instructs the application device to update the password. A password update system comprising:
The management server device includes:
First means for attempting to update the passwords of all application devices;
Second means for determining whether or not updating of a password is possible for each application device;
Third means for setting the passwords of all the application devices to those before updating when there is at least one application device determined to be impossible,
Each application device is
Old password storage means for storing the password before update,
Authentication password storage means for storing a password used for user authentication,
Receiving means for receiving, from the management server device, a restoration instruction for restoring the password to the one before the update,
A password updating system comprising: a receiving unit that, upon receiving the restoration instruction, reads a password before updating from an old password storing unit and overwrites the read password on an authentication password storing unit. 27. The password update system according to claim 26, wherein the terminal device and each application device transmit and receive information via the management server device. The application device is connected to the management server device via a first network,
The password update system according to claim 27, wherein the user device is connected to the management server device via a second network that is not connected to a first network. The password updating system according to claim 28, wherein the first network and the second network are intranets. The management server device and each application device are connected via a dedicated line,
When updating the password, the management server device transmits and receives information for updating the password to and from the management server via the dedicated line,
29. The password updating system according to claim 28, wherein, when each service is provided, information related to the service is transmitted and received via the first and second networks. The application device and the user device are connected to the management server device via a network,
The management server device further comprises:
Storage means for storing a correspondence table for associating the type of application with the position information of each application device on the network;
From the user device, receiving means for receiving type information indicating an application and processing information indicating the content of processing,
Using the correspondence table, acquisition means for acquiring the position information of the application device corresponding to the received type information,
28. The password updating system according to claim 27, further comprising: transmitting means for transmitting the processing information to an application device indicated by the acquired position information. The password updating system according to claim 30, wherein the network is the Internet. A management server control method used in a management server device that instructs a plurality of application devices that provide each service to one user authenticated by one password to update the password,
A first step of trying to update the passwords of all application devices;
A second step of determining whether a password update is not possible for each application device;
A third step in which, when at least one application device determined to be impossible exists, the passwords of all the application devices are set to those before updating. A management server control program used in a management server device that instructs a plurality of application devices that provide each service to one user authenticated by one password to update the password,
A first step of trying to update the passwords of all application devices;
A second step of determining whether a password update is not possible for each application device;
A third step of setting the passwords of all the application devices before updating when at least one application device determined to be impossible exists. The management server control program includes:
The management server control program according to claim 34, wherein the management server control program is recorded on a computer-readable program recording medium.

Images