JP2005216260A - Information processing apparatus, authentication apparatus, authentication system, control program and computer readable recording medium with the control program recorded thereon - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable a user whose user account is not registered in an information processing apparatus which manages apparatus utilization for each user, to safely utilize the apparatus without causing an apparatus manager to newly register the user account. <P>SOLUTION: An information processing apparatus 51 comprises: an input section 12 for acquiring authentication information for authenticating a user from the user; a first authentication section 54 for authenticating the authentication information acquired by the input section 12; and an authentication request section 14 for transmitting authentication request data including the authentication information to an external authentication apparatus and receiving a result of authentication from the authentication apparatus. Thus, even a user who is not registered in the present apparatus, can request authentication to the external authentication apparatus and if the authentication is successful, utilization can be approved. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an authentication system for managing device usage for each user, and more particularly to an information processing device, an authentication device, an authentication system, a control program, and a computer-readable recording medium on which the information is recorded. .

  In recent years, home networks have been developed along with the spread of the Internet, and it has become possible to connect to the Internet using devices connected to the home network and use contents and services on the Internet. In home networks, wireless LANs such as 802.11b have become widespread in addition to wired LANs based on Ethernet (registered trademark), and the convenience of using the network in the home is also increasing. In addition, a home server is also placed as a device that plays a central role in the configuration of such a home network, a router function between the Internet and the home network, a wireless LAN access point function, a content server function, a TV program A home server having various additional functions such as a recording function is used, and content on the home server can be viewed and enjoyed from a device on a home network at a remote location.

  Assuming the use of a device connected to the home network, a user who is a member of a family can view the content stored on the home server using the device in front of him / her in any room, It is preferable that other devices can be used regardless of the device. The devices connected to the home network are assumed to be connected to various devices such as devices that can be used by anyone such as TV, or devices such as PCs that have user management and cannot be used without user authentication. The

  In such a situation, in order for anyone in the family to be able to use the device in front of them, it is necessary to eliminate the user authentication of each device and operate each device with a policy that anyone can use it. Although it is good, since it is necessary to consider security and privacy even at home, it is not a preferable method.

  In general, in order to use a device that requires user authentication, it is necessary to first register user account information including a user account name and a password in the device. However, if user registration is performed for each device used by the user, there may be cases where a user who has forgotten to register appears, or the registered information varies depending on the device, and the user has forgotten the registered information. Will no longer be available.

  Therefore, a method for avoiding a situation where the user cannot use the device has been proposed for this problem.

  First, there is a method of centrally managing user information called NIS (NETWORK INFORMATION SERVICE). According to NIS, the user does not need to register user information for a plurality of devices, and the trouble that the user remembers the user information registered for each device is eliminated. Normally, on the NIS, in addition to the user account name and password information, IDs for identifying users inside the device such as UID (User ID) and GID (Group ID) are registered as user account information. In a network using NIS, a user inputs a user account name and a password when logging in to a device at hand. The login program of the device obtains the user account name and password from the NIS server and performs authentication. When authenticated, a shell having a UID and GID corresponding to the user managed by the NIS server is created. In the kernel, the UID and GID managed by the NIS server are stored as information indicating the result of user authentication, and the user can use the device as a user identified as the UID.

  As another method, Patent Document 1 below describes a method for managing user information in a distributed manner while synchronizing. According to this method, when user information such as a user account name and password is changed or newly registered in a certain device on the network, this information is transmitted to another device that cooperates, and based on this information. Change or register the corresponding user account name and password on other devices. Thereafter, the user account information can be synchronized in all the devices on the network by sequentially transferring them to the cooperating devices.

  As another method, there is a method in which a common user account name and password of a shared user are set for each device, and the user uses each device with the user account name of the shared user.

As another method, Patent Literature 2 below describes a method of assigning a shared user identifier to a user who is not registered in the server. According to this method, even a user whose user information is not registered in the server can remotely use the server as a shared user. In addition, by adding client information to file management on the server, owner identification and user access restrictions are possible even for files generated by shared users.
JP 2001-67318 A (publication date: March 16, 2001) JP-A-6-274431 (Publication date: September 30, 1994)

  However, in the NIS method, all user accounts are centrally managed on the NIS server, so that if the NIS server malfunctions, all devices cannot be used. In addition, when a new user account is registered, if the administrator of the NIS server is absent, the user cannot use the device. Furthermore, in a network using NIS, the user account name of the NIS server and the client, the user account identifier UID and the group identifier GID inside the device are the same, and different users have the same user account name on the NIS server. It is not allowed to have it, and you cannot set your favorite user account name and use it on each device. For example, if a father has already registered a user account “suzuki” in the NIS server in a certain Suzuki's home, a member of another family cannot have the same user account name “suzuki”.

  In addition, in the method described in Patent Document 1, user information is changed or new registration information is transferred sequentially, so that user information can be synchronized with all devices, but the identity of the user is proved even with the same user account name. Cannot be synchronized and cannot always be synchronized correctly. In particular, assuming home use, there may be situations where different people in the family register the same user account name using their last names on their devices. Under such circumstances, it is not possible to synchronize the update of user information with all devices without contradiction, and there are devices that cannot be used by the user. In addition, the method of setting a unified shared user account for each device requires the administrator of each device to register the shared user's user account for all devices in advance, and if a password is set for the shared user, Must remember the password for each device.

  Furthermore, in the method described in Patent Document 2, the server can be used remotely from a client as a shared user even when a user account is not registered on the server. Without a user account above, you can't use the server or even the client.

  The present invention has been made in order to solve the above-described problems, and an object of the present invention is to provide an information processing device that manages device use for each user to a user who has not registered a user account in the device. Information processing device, authentication device, authentication system, control program, and computer-readable recording medium recording the same can be provided to allow the administrator of the device to use the device safely without newly registering a user account There is.

  In order to solve the above problem, an information processing apparatus according to the present invention includes an input unit that acquires authentication information for authenticating the user from a user, and a first unit that authenticates the authentication information acquired by the input unit. It is characterized by comprising authentication means and authentication request means for transmitting authentication request data including the authentication information to an external authentication device and receiving an authentication result from the authentication device.

  Moreover, the control method of the information processing device according to the present invention includes an input step for acquiring authentication information for authenticating the user from the user, and a first authentication step for authenticating the authentication information acquired in the input step. And an authentication request step of transmitting authentication request data including the authentication information to an external authentication device and receiving an authentication result from the authentication device.

  According to the above configuration, a user who can be authenticated by the own device can be authenticated by the own device, and a user who cannot be authenticated by the own device can be requested to be authenticated by an external authentication device. Therefore, in an information processing device that manages device usage for each user, even if a user account is not registered in the device, the device administrator can safely connect the device without registering a new user account. Can be used. Therefore, it is possible to achieve both user convenience and device safety.

  Further, in the information processing device according to the present invention, it is preferable that the authentication request unit transmits the authentication request data to the external authentication device when the first authentication unit fails in authentication. . The authentication request unit may transmit the authentication request data to the external authentication device even when the first authentication unit succeeds in authentication. In this case, since authentication is performed twice, safety is increased.

  Furthermore, the information processing device according to the present invention includes a function restriction unit that restricts a function that can be used by a user according to an authentication result by the first authentication unit and / or an authentication result by the external authentication device. It is characterized by providing.

  According to the above configuration, by providing a function restriction unit, a function that allows a user to use a user who has succeeded in authentication with the own device and a user who has succeeded in authentication with an external authentication device can be provided. It becomes possible to change.

  Further, the information processing device according to the present invention transmits an input means for acquiring authentication information for authenticating the user from the user, and authentication request data including the authentication information acquired by the input means to an external authentication device. And an authentication requesting unit that receives an authentication result from the authentication device, and an account granting unit that gives the user an account having a predetermined authority when the authentication requesting unit receives a successful authentication result from the authentication device; The authentication result holding means for holding the authentication information and the authentication result by the authentication device in association with each other, and referring to the authentication result holding means based on the user authentication information when connecting to an external authentication device, If information indicating that the authentication by the authentication device has already been successful is held, communication with the authentication device is performed with the authentication information added. It is characterized by comprising: a connection processing unit.

  The information processing device control method according to the present invention includes an input step for acquiring authentication information for authenticating the user from the user, and an authentication request including the authentication information acquired in the input step to an external authentication device. An authentication request step for transmitting data and receiving an authentication result from the authentication device, and an account that gives the user an account having a predetermined authority when receiving a successful authentication result from the authentication device in the authentication request step An authentication result holding step that holds at least the authentication information and the authentication result by the authentication device in association with each other, and an authentication result holding step based on user authentication information when connecting to an external authentication device. Referring to the stored information, information indicating that authentication by the authentication device has already been successful is held. If, is characterized in that it comprises a connection processing steps performed by the communication with the authentication device adds the authentication information.

  According to the above configuration, it is possible to request an external authentication device for authentication of a user who cannot be authenticated by the own device, including a case where the own device does not have a function of authenticating the user. Therefore, in an information processing device that manages device usage for each user, even if a user account is not registered in the device, the device administrator can safely connect the device without registering a new user account. Can be used. Therefore, it is possible to achieve both user convenience and device safety.

  In addition, since the authentication result by the external authentication device is held in association with the user authentication information, the user does not need to input the authentication information again when connecting to the same authentication device. Therefore, the function of the authentication device can be easily used. That is, in the above configuration, when an external authentication device provides a function to a user in addition to an authentication function, for example, an information processing device having an authentication function and a general application function It is particularly suitable when connecting and using an application of a counterpart device.

  Furthermore, the information processing device according to the present invention is held in the authentication result holding unit when the user ends the use of the own device or when the user uses the own device exceeds a certain time. It is characterized by comprising usage monitoring means for invalidating the authentication result by the authentication device corresponding to the user authentication information.

  According to the above configuration, the usage status of the user is further monitored, and authentication is performed by an external authentication device when the user terminates the use of the own device or when the user's use of the own device exceeds a certain time. Invalidate results received. Thereby, even a user who has been successfully authenticated by an external authentication device in the past needs to be authenticated again. Therefore, it is possible to prevent a user who has succeeded in authentication with an external authentication device from using other devices as a user and the external authentication device.

  The information processing device according to the present invention includes an input unit that acquires authentication information for authenticating the user from a user, and authentication request data including the authentication information acquired by the input unit to a plurality of external authentication devices. Authentication request means for receiving an authentication result from each of the authentication devices, and when the authentication request means receives a result of successful authentication from at least one of the authentication devices, an account having a predetermined authority is And an account granting means to be given to the user.

  In addition, the control method of the information processing device according to the present invention includes an input step of acquiring authentication information for authenticating the user from the user, and the authentication information acquired in the input step to a plurality of external authentication devices. An authentication request step for transmitting authentication request data and receiving an authentication result from each authentication device, and when the authentication request step receives a result of successful authentication from at least one of the authentication devices, the user has a predetermined authority. And an account granting step for giving an account to the user.

  According to the above configuration, it is possible to request a plurality of external authentication devices to authenticate a user who cannot be authenticated by the own device, including a case where the own device does not have a function of authenticating the user. Therefore, in an information processing device that manages device usage for each user, even if a user account is not registered in the device, the device administrator can safely connect the device without registering a new user account. Can be used. Therefore, it is possible to achieve both user convenience and device safety. If the authentication request data is transmitted to the authentication device by broadcast, it is not necessary to know the address of the authentication device, so that the information processing device can be realized easily.

  An authentication device according to the present invention is an authentication device that receives the authentication request data including the authentication information from the information processing device, authenticates the authentication information, and transmits the authentication result to the information processing device. An authentication request acceptance / rejection determination unit that determines whether or not to respond to the authentication request based on the authentication information included in the authentication request data is provided.

  According to the above configuration, by setting whether or not to respond to the authentication request based on the authentication information, that is, for each user, it is possible to limit the users who receive the authentication request, so that the load on the authentication device is minimized. Can be suppressed.

  Further, in the authentication device according to the present invention, the authentication request acceptance determination unit determines whether to respond to the authentication request based on the identification information of the information processing device that identifies the transmission source included in the authentication request data. It is characterized by being determined.

  According to the above configuration, since it is possible to limit the information processing devices that receive the authentication request by setting whether to respond to the authentication request based on the identification information of the information processing device, a load on the authentication device is required. It can be minimized. Further, safety can be improved by limiting to only reliable information processing devices. For example, if information processing devices that receive authentication requests are limited to only devices in the home network, authentication requests from devices outside the home network can be eliminated, and security in the home network can be ensured.

  In addition, the authentication system according to the present invention is characterized in that the information processing device and the authentication device are connected to be communicable.

  According to the above configuration, in an information processing device that manages device usage for each user, a device administrator does not newly register a user account for a user who has not registered a user account in the device. Can use the device.

  The information terminal device and the authentication device may be realized by a computer. In this case, a control program for causing the information terminal device to be realized by the computer by operating the computer as each of the above means and a computer-readable recording medium on which the control program is recorded also fall within the scope of the present invention.

  Specifically, the information terminal device and the authentication device are realized by computer hardware and a program executed by a CPU (Central Processing Unit). Generally, such software is stored and distributed in a recording medium such as a floppy (registered trademark) disk or CD-ROM, and is read from the recording medium by a floppy (registered trademark) disk driving device or a CD-ROM driving device. Once stored on solid disk. Further, it is read from the fixed disk to the memory and executed by the CPU or the like. Such computer hardware itself is common. The most essential part of the present invention is software and programs recorded on a recording medium such as a floppy (registered trademark) disk, a CD-ROM, and a fixed disk.

  As described above, the information processing apparatus according to the present invention includes an input unit that acquires authentication information for authenticating the user from the user, and a first authentication unit that authenticates the authentication information acquired by the input unit. And an authentication request means for transmitting authentication request data including the authentication information to an external authentication device and receiving an authentication result from the authentication device.

  Moreover, the control method of the information processing device according to the present invention includes an input step for acquiring authentication information for authenticating the user from the user, and a first authentication step for authenticating the authentication information acquired in the input step. An authentication request step of transmitting authentication request data including the authentication information to an external authentication device and receiving an authentication result from the authentication device.

  Therefore, in an information processing device that manages the use of a device for each user, even if a user account is not registered in the device, the device administrator can safely register the device without newly registering a user account. Can be used. Therefore, it is possible to achieve both user convenience and device safety.

  Further, the information processing device according to the present invention transmits an input means for acquiring authentication information for authenticating the user from the user, and authentication request data including the authentication information acquired by the input means to an external authentication device. And an authentication requesting unit that receives an authentication result from the authentication device, and an account granting unit that gives the user an account having a predetermined authority when the authentication requesting unit receives a successful authentication result from the authentication device; The authentication result holding means for holding the authentication information and the authentication result by the authentication device in association with each other, and referring to the authentication result holding means based on the user authentication information when connecting to an external authentication device, If information indicating that the authentication by the authentication device has already been successful is held, communication with the authentication device is performed with the authentication information added. A connection processing unit is configured to include.

  The information processing device control method according to the present invention includes an input step for acquiring authentication information for authenticating the user from the user, and an authentication request including the authentication information acquired in the input step to an external authentication device. An authentication request step for transmitting data and receiving an authentication result from the authentication device, and an account that gives the user an account having a predetermined authority when receiving a successful authentication result from the authentication device in the authentication request step An authentication result holding step that holds at least the authentication information and the authentication result by the authentication device in association with each other, and an authentication result holding step based on user authentication information when connecting to an external authentication device. Referring to the stored information, information indicating that authentication by the authentication device has already been successful is held. In a method comprising a connection processing steps performed by the communication with the authentication device adds the authentication information.

  Therefore, since the authentication result by the external authentication device is held in association with the user authentication information, the user does not need to input the authentication information again when connecting to the same authentication device. Therefore, there is an effect that the function of the authentication device can be easily used.

  The information processing device according to the present invention includes an input unit that acquires authentication information for authenticating the user from a user, and authentication request data including the authentication information acquired by the input unit to a plurality of external authentication devices. Authentication request means for receiving an authentication result from each of the authentication devices, and when the authentication request means receives a result of successful authentication from at least one of the authentication devices, an account having a predetermined authority is And an account granting means to be given to the user.

  In addition, the control method of the information processing device according to the present invention includes an input step of acquiring authentication information for authenticating the user from the user, and the authentication information acquired in the input step to a plurality of external authentication devices. An authentication request step for transmitting authentication request data and receiving an authentication result from each authentication device, and when the authentication request step receives a result of successful authentication from at least one of the authentication devices, the user has a predetermined authority. An account granting step of giving an account to the user.

  Therefore, in an information processing device that manages the use of a device for each user, even if a user account is not registered in the device, the device administrator can safely register the device without newly registering a user account. Can be used. Therefore, it is possible to achieve both user convenience and device safety.

[Embodiment 1]
One embodiment of the present invention will be described below with reference to FIGS. In the following description, a device having the function of an information processing device is referred to as an information processing device, and a device having a function as an authentication device is referred to as an authentication device.

  FIG. 2 is a block diagram showing a network configuration of an authentication system 5 including an information processing device (information processing device) 1 and an authentication device (authentication device) 3 according to the present embodiment. FIG. 1 is a functional block diagram showing an outline of the configuration of the information processing device 1. FIG. 3 is a functional block diagram showing an outline of the configuration of the authentication device 3.

  As shown in FIG. 2, in the authentication system 5, machineA100 to machineD106 are connected to a network 110. Here, let machine A100 be the information processing device 1, and let machine B102, machineC104, and machineD106 be the authentication device 3. That is, the authentication system 5 includes one information processing device 1 and three authentication devices 3. MachineA to machineD are identifiers of respective devices.

  The network 110 can select any network configuration as long as bidirectional communication is possible. Specifically, the network 110 can be configured by, for example, the Internet, an Ethernet (registered trademark) -based network such as a LAN (Local Area Network), a wireless network such as 802.11b or bluetooth, or IEEE1394. Furthermore, the network 110 may have a configuration in which each other's devices are connected to another network via a router or other network device.

  Hereinafter, in the authentication system 5 having the above-described configuration, a situation where the user tries to directly use the device machineA100 with the user account name “taro” will be described.

  As shown in FIG. 1, the information processing apparatus 1 includes a network interface (hereinafter referred to as a network IF) 10, an input unit (input unit) 12, an authentication request unit (authentication request unit) 14, and a determination unit (account grant unit). 16) The apparatus usage control unit 18 and the output unit 20 are provided at least.

  The network IF 10 is a communication interface capable of transmitting and receiving data to and from the network 110 illustrated in FIG.

  The input unit 12 includes an input device such as a keyboard, a mouse, and a pointing device. User authentication information is input from the input unit 12. The output unit 20 displays a screen to the user, and includes a display device such as a liquid crystal or a CRT.

  The authentication request unit 14 transmits authentication request data including the authentication information received by the input unit 12 to the authentication device 3 through the network IF 10 and receives the authentication result.

  The determination unit 16 determines whether the user can use the authentication result based on the authentication result received from the authentication device 3.

  The device usage control unit 18 controls the use of the information processing device for the user according to the determination of the determination unit 16.

  The processing in the authentication request unit 14, the determination unit 16, and the device usage control unit 18 will be described later.

  As shown in FIG. 3, the authentication device 3 includes an authentication information receiving unit 30, a second authentication unit 32, a second authentication information holding unit 34, an authentication result transmitting unit 36, a network interface (hereinafter referred to as a network IF). ) 37 at least. Note that the machine B102, machineC104, and machineD106 illustrated in FIG. 2 are the authentication devices 3, and are connected to the same network 110 as the machine A100 with the respective device names.

  The network IF 37 is a communication interface capable of transmitting / receiving data to / from the network 110 shown in FIG.

  The second authentication information holding unit 34 holds the user account name of the user and the encrypted password character string registered by the user as authentication information.

  Here, FIG. 4 is an example of user authentication information held by the second authentication information holding unit 34. In the present embodiment, it is assumed that the authentication information shown in FIG. 4 is held in the second authentication information holding unit 34 of the machine B102. The machine C 104 and the machine D 106 also hold user authentication information corresponding to each device.

  The authentication information receiving unit 30 receives authentication information from the information processing device 1. Specifically, for example, authentication request data “taro: taro_password :: auth?” Is received from the information processing device machineA100 via the network IF 37.

  The second authentication unit 32 compares the authentication information included in the received authentication request data with the authentication information held by the second authentication information holding unit 34, and performs an authentication process on the received authentication information. Specifically, the second authentication unit 32 performs password authentication by encrypting the password character string “taro_password” of the received authentication information and comparing it with the stored authentication information. Here, if the encrypted character string of the “taro_password” character string received by the authentication information receiving unit 30 of machineB102 is “EgTd7JxJ7gnWw”, it is the same as the password information of the user account name “taro”. Authentication succeeds (FIG. 4).

  The authentication result transmission unit 36 transmits the authentication result to the authentication request source via the network IF 37. When the authentication is successful, for example, an authentication result “taro :: OK” is transmitted to the requesting machine A100. For machineC104 and machineD106, authentication is performed in each device in the same manner.

  However, in this embodiment, it is assumed that authentication has failed in the machineC104 and machineD106 because the user account “taro” is not registered or the password is different. In this case, machineC104 and machineD106 transmit information “taro :: NG” to machineA100.

  Next, the operation of the information processing device 1 will be described. FIG. 5 is an example of a screen that prompts the user to input authentication information in the output unit 20 of the information processing device 1.

  First, the information processing device 1 displays an authentication information input screen (FIG. 5) to prompt the user to input authentication information. Then, when the user inputs authentication information with the input unit 12, the information processing device 1 displays the content on the output unit 20. Specifically, when the user inputs an account name and password using an input device such as a keyboard or a mouse, the output unit 20 displays the account name character string as it is and the password character string “ “*” Is displayed.

  Next, in the information processing device 1, the authentication request unit 14 connects data “taro: taro_password :: auth?” Including the user account name “taro” and the password character string “taro_password” via the network 110. The authentication request is transmitted to the authenticated authentication device 3 by broadcast.

  Next, in the information processing device 1, the determination unit 16 receives the authentication result of the authentication device 3 and determines whether the own device can be used. In the present embodiment, if at least one of the authentication results received by the determination unit 16 is successful, the authentication is considered successful.

  Next, in the information processing device 1, the device usage control unit 18 performs control so that the information processing device 10 can be used or cannot be used according to the determination result of the determination unit 16. For example, when available, the shell can be activated to accept commands, and when unavailable, the output unit 20 can be instructed to prompt the user to input authentication information again.

  In the above example, since machine A100 receives the authentication success result from machine B102, machine A100 permits the use of “taro”. On the other hand, if the authentication request results are all received as “taro :: NG” and the authentication failure data is received, the user is not registered in any authentication device 3 and the user is identified. Since it means that it is not possible, the determination is rejected and use is not permitted.

  As described above, since the information processing device 1 transmits an authentication request to the surrounding authentication devices 3 by broadcasting, the information processing device 1 is connected to the same segment of the network without knowing the address or host name of the authentication device 3. Authentication requests can be sent to other peripheral devices. Of course, in addition to broadcasting, multicast that can be transmitted to a plurality of devices may be used, and for example, transmission may be performed by unicast only to one or more specific devices that can be trusted.

  Also, even when an authentication request is made to a plurality of authentication devices 3 by broadcast or multicast and authentication results can be received from the plurality of authentication devices 3, the use is permitted when the first successful authentication result arrives. May be. By providing such a rule, it is not necessary to wait for all the authentication results, and the authentication time can be shortened.

  In the above example, authentication information (password information) is sent in plain text. However, to prevent the risk of eavesdropping on the network path, the authentication request and authentication result data are sent encrypted. Also good. Furthermore, in order to prevent impersonation, electronic signature data may be added and sent.

  Here, the authentication steps of the information processing device 1 and the authentication device 3 will be described in detail with reference to FIGS.

  FIG. 6 is a flowchart showing a flow of processing when the user uses the information processing device 1.

  In the information processing device 1, first, the input unit 12 accepts input of authentication information from the user (S11). Next, when the authentication information is input, the authentication requesting unit 14 requests the authentication device 3 connected to the network 110 by broadcast (S12). Next, the determination unit 16 determines whether or not all authentication results have been received from the authentication device 3 that has transmitted the authentication request (S13). If all the authentication results have not been received (No in S13), the authentication result waiting state is continued (S14). On the other hand, when all the authentication results have been received (Yes in S13), the determination unit 16 determines whether or not the information processing device 1 can be used from the received authentication results (S15).

  If one or more authentication success results have been received (Yes in S15), the device usage control unit 18 activates, for example, a shell and waits for a command (S16). On the other hand, if the authentication success result is not received from any authentication device 3 (No in S15), the device usage control unit 18 does not permit the user to use the information processing device 1. In this case, for example, the device usage control unit 18 controls the output unit 20 to display a screen for presenting information indicating that the device cannot be used or an input screen for authentication information (S17).

  In step S13, the elapsed time since the authentication request was made in step S12 is measured, and if no authentication result is returned from any authentication device 3 after a certain time, it is determined that the authentication is unsuccessful. The process of S15 may be omitted and the process may be moved to step S17. As a result, even when no authentication device 3 is operating or when there is a failure in the network 110, it is possible to prevent the authentication from waiting for a long time.

  Further, even if not all results are received in step S13, the authentication success determination in step S15 may be performed when one result is received. Thus, if a result of successful authentication is received, it is not necessary to receive all the subsequent results, and the waiting time for authentication can be shortened.

  FIG. 7 is a flowchart showing a flow of authentication processing performed by the authentication device 3, and shows a flow for performing authentication by receiving the authentication request transmitted from the information processing device 1 in step S12 of FIG.

  In the authentication device 3, first, the authentication information receiving unit 30 receives an authentication request from the information processing device 1 (S21). Next, the second authentication unit 32 authenticates the authentication information included in the authentication request (S22). This authentication is performed by the second authentication unit 32 referring to the second authentication information holding unit 34 and comparing the received user account name and password. Next, the second authentication unit 32 generates authentication result data in which the authentication result is recorded (S23), and the authentication result transmission unit 36 transmits it to the information processing device 1 that is the authentication request source (S24). .

  Through the above processing, even in the information processing device 1 that does not have the authentication function, the use of the information processing device 1 is restricted according to the user by using the authentication result of the authentication device 3 connected via the network 110. can do. In addition, assuming a home network, it is possible to use the authentication results of home devices that are generally managed well, so even if complete user authentication cannot be realized, simple user authentication is easy. Can be realized.

[Embodiment 2]
The following will describe another embodiment of the present invention with reference to FIGS. For convenience of explanation, members having the same functions as those shown in the first embodiment are given the same reference numerals, and explanation thereof is omitted. The terms defined in Embodiment 1 are used in accordance with the definitions in this embodiment unless otherwise specified.

  FIG. 8 is a functional block diagram showing an outline of the configuration of the information processing device (information processing apparatus) 51 according to the present embodiment. Also in the present embodiment, as shown in FIG. 2, the machine A100, which is the information processing device 51 used by the user, is connected to the machine B102, machineC104, machineD106, which is the authentication device 3, via the network 110, and the authentication system. 5 is configured. The configuration of the authentication device 3 is the same as that described in the first embodiment with reference to FIG.

  As illustrated in FIG. 8, the information processing device 51 includes a network interface 10, an input unit 12, an authentication request unit 14, a determination unit 16, a device usage control unit 18, and an output unit 20, as with the information processing device 1 (FIG. 1). And a first authentication unit (first authentication means) 54 and a first authentication information holding unit 56.

  The first authentication information holding unit 56 holds user authentication information. The first authentication unit 54 performs an authentication process on the authentication information input by the input unit 12 based on the user authentication information held by the first authentication information holding unit 56.

  Here, FIG. 9 is an example of user authentication information held by the first authentication information holding unit 56. The first authentication information holding unit 56 holds a user account name as a user identifier (user identifier) and a password obtained by encrypting a password character string registered by the user in association with each other. . For example, as shown in FIG. 9, the user account names of “sun”, “star”, and “moon” are registered by each user. These user account names are registered together with password information that only the user knows.

  Here, the first authentication information holding unit 56 is not a user account for a specific user like the above three user accounts, but a general-purpose user account assigned to a user authenticated by another authentication device 3 “Netuser” is registered in advance by the administrator of the information processing device 51. Since “netuser” is an account assigned to a user authenticated by the authentication device 3, NULL is registered in the password.

  Next, the operation of the information processing device 51 will be described.

  First, the information processing device 51 displays an authentication information input screen (FIG. 5) to prompt the user to input authentication information. In the information processing device 51, when the user presses the OK button after entering the authentication information on the authentication information input screen, the first authentication unit 54 causes the input authentication information of the user (in the screen example of FIG. 4, The user account name “taro” and the password “taro_password”) are compared with the authentication information held by the first authentication information holding unit 56 to determine whether the user has the right to use the information processing device 51. To do.

  Here, as shown in FIG. 9, since the password is encrypted and held, the first authentication unit 54 determines the authentication by encrypting the password input by the input unit 12 and then comparing it. . Authentication is successful only when the user account name and password completely match, and fails if any part is different or the user account is not registered. In the above example, since the user account name “taro” is not registered in the first authentication unit 54 of the machine A100, authentication fails. Even if the user account name is “taro”, if the password is different, authentication fails.

  Next, when the authentication fails, the first authentication unit 54 instructs the authentication request unit 14 to make a request for authentication to the authentication device 3 connected via the network 110. Since the authentication request by the authentication request unit 14 and the authentication in the authentication device 3 are the same as those in the first embodiment, the description thereof is omitted.

  Next, in the information processing device 51, when the authentication request unit 14 receives the authentication result from the authentication device 3, the determination unit 16 determines whether to permit the use of the own device. For example, when data of successful authentication is received from at least one authentication device 3, it may be determined that the data can be used.

  Next, in the information processing device 51, when the determination unit 16 permits the use, the device usage control unit 18 instructs the user to assign an account (user identifier) in order to give the user the right to use the device. On the other hand, when all the authentication unsuccessful data is received as a result of the authentication request, the user cannot receive authentication from any other authentication device 3 as well as the first authentication unit 54 of the own device. This means that the determination is denied and usage is not permitted.

  In the information processing device 51, the device usage control unit 18 assigns a user account “netuser” to the user who has been authenticated by the authentication device 3. In the above example, the “taro” user can use machineA100 as “netuser”. As described above, “netuser” is a general-purpose user account that can be used only when authenticated by another device, not the device itself, and is created in advance by the administrator of the device.

  Here, the authentication step of the information processing device 51 will be described in detail with reference to FIG.

  FIG. 10 is a flowchart illustrating a processing flow when the user uses the information processing device 51.

  In the information processing device 51, first, the input unit 12 accepts input of authentication information from the user (S31). Next, when authentication information is input, the first authentication unit 54 compares the authentication information registered in the authentication information holding unit 56 with the authentication information input by the user (S32). Authentication succeeds only when the user account name and password match completely, and fails when either part is different. When the authentication by the first authentication unit 54 is successful (No in S33), the device usage control unit 18 assigns the user account of the authenticated user (S40).

  On the other hand, if the authentication by the first authentication unit 54 has failed (Yes in S33), the authentication request unit 14 requests the authentication device 3 connected to the network 110 by broadcast (S34). Next, the determination unit 16 determines whether or not all authentication results have been received from the authentication device 3 that has transmitted the authentication request (S35). If all the authentication results have not been received (No in S35), the authentication result waiting state is continued (S36). On the other hand, when all the authentication results have been received (Yes in S35), the determination unit 16 determines whether or not the information processing device 51 can be used from the received authentication results (S37).

  If the authentication success result is not received from any authentication device 3 (No in S37), the device usage control unit 18 does not permit the user to use the information processing device 51. In this case, for example, the apparatus usage control unit 18 controls the output unit 20 to display a screen for presenting information indicating that the device cannot be used and an input screen for authentication information (S41). On the other hand, if one or more authentication success results have been received (Yes in S37), the device usage control unit 18 reads the user account information ("netuser") and assigns it to the user (S38).

  Finally, when a user account is assigned to the user in step S40 or S38, for example, a shell is activated to wait for a command (S39).

  Even in the information processing device 51, in step S35, the elapsed time since the authentication request is made in step S34 is measured, and if no authentication result is returned from any authentication device 3 after a certain time, the authentication is not successful. As success, the processing of steps S36 and S37 may be omitted, and the processing may be moved to step S41. As a result, even when no authentication device 3 is operating or when there is a failure in the network 110, it is possible to prevent the authentication from waiting for a long time.

  Further, even if not all results are received in step S35, the authentication success determination in step S37 may be performed when one result is received. Thus, if a result of successful authentication is received, it is not necessary to receive all the subsequent results, and the waiting time for authentication can be shortened. For example, even when an authentication request is made to a plurality of authentication devices 3 by broadcast or multicast and authentication results can be received from the plurality of authentication devices 3, the use is permitted when the first successful authentication result arrives. Thus, it is not necessary to wait for all the authentication results, and the authentication time can be shortened.

  As described above, the information processing device 51 includes the first authentication unit 54 and the first authentication information holding unit 56, and thus has an authentication function in the own device. However, it is possible to control the availability by using the authentication result of the authentication device 3 as well. Note that in a general authentication method, if authentication fails, the user cannot use the device.

  As a result, even if the user does not have a user account for the information processing device 51, the user can use it if receiving authentication from any of the surrounding authentication devices 3. For example, when remotely controlling a door phone that monitors a visitor, even though there is a computer device that can be controlled in front of you, there is no user account for that computer device, so you will bother to move to another device that has a user account. Thus, there is no need to perform troublesome work such as control.

  That is, even if the user account is not registered in all devices that the user wants to use, if the user has a user account in another device, the user can use the desired device by receiving authentication from the device. . Therefore, there is no need to perform a troublesome process of registering user accounts for all devices that are desired to be used.

  Further, if an authentication request is made to a plurality of devices at the same time, it is not necessary to remember which device has which user account for each device, and one user account information is stored in a plurality of registered devices. Just remember.

  Furthermore, by limiting the devices that request authentication to devices that are clearly known by the administrator, it is possible to prevent the risk that unauthorized users connect their devices to the network and use them without permission.

  Further, in the above example, when the information processing device 51 cannot be authenticated by the own device, the authentication request is made to the other authentication device 3. However, even if the authentication can be performed by the own device, the authentication request is made. The authentication can be performed twice. Thereby, it can authenticate with a some apparatus and can further raise security. In this case, the user may be assigned a specific user account that can be authenticated instead of the account “netuser”. Furthermore, only the user account name may be registered in the information processing device 1, and when the user account name matches, a password authentication request may be made to another authentication device 3.

  In the above example, a general-purpose user account is created in advance. However, a temporary user account that does not overlap is automatically generated at the timing when the authentication success result is first received from the authentication device 3. You may make it allocate. For this, a user account name to which the identifier of the authentication device 3 is added, for example, an account name such as “machineB: user” can be used.

[Embodiment 3]
The following will describe still another embodiment of the present invention with reference to FIGS. For convenience of explanation, members having the same functions as those shown in the first and second embodiments are given the same reference numerals, and explanation thereof is omitted. The terms defined in Embodiment 1 are used in accordance with the definitions in this embodiment unless otherwise specified.

  FIG. 11 is a functional block diagram showing an outline of the configuration of the information processing device (information processing apparatus) 61 according to the present embodiment. Also in the present embodiment, as shown in FIG. 2, the machine A100 that is the information processing device 61 used by the user is connected to the machine B102, machineC104, and machineD106 that are the authentication devices 3 via the network 110, and the authentication system 5 is configured. The configuration of the authentication device 3 is the same as that described in the first embodiment with reference to FIG.

  As illustrated in FIG. 11, the information processing device 61 includes a network interface 10, an input unit 12, an authentication request unit 14, a determination unit 16, a device usage control unit 18, and an output unit 20, similar to the information processing device 51 (FIG. 8). The first authentication unit 54 and the first authentication information holding unit 56 are provided, and a function restriction unit (function restriction means) 68 is further provided.

  It is assumed that the first authentication information holding unit 56 holds the user authentication information shown in FIG. The authentication and authentication request in the information processing device 61 are the same as those in the information processing device 51 (FIG. 8), and the first authentication unit 54 is a user who has been authenticated by the authentication device 3 connected via the network 110. Assign the account “netuser” to

  The information terminal device 61 includes a function restriction unit 68 that restricts functions that can be used by the device itself. In the function restriction unit 68, function restriction information is registered in advance. Then, the function restriction unit 68 causes the device usage control unit 18 to control the execution process based on the function restriction information. Specifically, the function restriction unit 68 always monitors whether the program executed by the user is a function that is permitted to be used by the user, and restricts the execution if the program is not permitted.

  Here, FIG. 12 is an example of function restriction information held by the function restriction unit 68. In the function restriction unit 68, the function name of the function of the information terminal device 61, the execution program for executing the function, and the user name who can use the function are associated with each other and managed by a table or the like. . For example, as shown in FIG. 12, the function name “system management” indicates that the execution program is “/ sbin / config”, the user name is “sun”, and only the “sun” user can use. ing. Similarly, the function name “WWW browser” has the user name “all”, indicating that all users can use it.

  In the information terminal device 61, the first authentication unit 54 assigns a “netuser” account to the user authenticated by the authentication device 3. Therefore, for example, the “taro” user can use two functions of “WWW browser” and “control (machineB)” as “netuser” user in the machine A100. As described above, even for a user who is not authenticated by the own device, only a function within a limited range can be used for a user who is authenticated by another device.

  In addition to the program arranged in the own device, the program executing each function may be a device other than the device such as starting a CGI program on another device via, for example, HTTP (hypertext transfer protocol). It may be configured to be called up via a network.

  Next, the operation of the information processing device 61 will be described. FIG. 13 is an example of a screen in which the device usage control unit 18 displays a list of functions that can be used on the machine A 100 on the output unit 20 when the “taro” user is authenticated by the machine B 102. FIG. 14 is an example of a screen displayed when the user tries to use a function other than the function permitted to be used. FIG. 15 shows an example of a screen displaying only icons of functions that can be used by the user when the “taro” user is authenticated by the machine B102.

  As shown in FIG. 13, since the “taro” user can use only the WWW browser function and the control (machineB) function from the function restriction information (FIG. 12), the function restriction unit 68 sends these functions to the device usage control unit 18. Display a screen for confirming that only the service can be used. When the user tries to use a function other than the function permitted to be used, a warning screen as shown in FIG. 14 may be displayed. Further, as shown in FIG. 15, icons other than functions available to the user may not be displayed on the display screen. Further, although the list of all functions is displayed, the display color and font may be changed only for the functions that can be used or cannot be used. Further, in the display of a list, an icon, etc., it may be blinked or surrounded by a frame depending on whether or not it can be used.

  Thus, the user can easily visually understand the functions that can be used by the user. In addition, by not displaying a function that cannot be used or by selecting it even if it is displayed, the risk of erroneously selecting a function that is not permitted to be used can be reduced.

  Here, the authentication step of the information processing device 61 will be described in detail with reference to FIG.

  FIG. 16 is a flowchart illustrating a processing flow when the user uses the information processing device 61.

  In the information processing device 61, first, the input unit 12 accepts input of authentication information from the user (S51). Next, when the authentication information is input, the first authentication unit 54 compares the authentication information registered in the authentication information holding unit 56 and authenticates the authentication information input by the user (S52). Authentication succeeds only when the user account name and password match completely, and fails when either part is different. If the authentication by the first authentication unit 54 is successful (No in S53), the device usage control unit 18 assigns the user account of the authenticated user (S62).

  On the other hand, when the authentication by the first authentication unit 54 fails (Yes in S53), the authentication request unit 14 requests the authentication device 3 connected to the network 110 by broadcast (S54). Next, the determination unit 16 determines whether or not all authentication results have been received from the authentication device 3 that has transmitted the authentication request (S55). If all the authentication results have not been received (No in S55), the authentication result waiting state is continued (S56). On the other hand, when all the authentication results have been received (Yes in S55), the determination unit 16 determines whether or not the information processing device 51 can be used from the received authentication results (S57).

  If the authentication success result is not received from any authentication device 3 (No in S57), the device usage control unit 18 does not permit the user to use the information processing device 51. In this case, for example, the device usage control unit 18 controls the output unit 20 to display a screen for presenting information indicating that the device cannot be used and an input screen for authentication information (S63). On the other hand, if one or more authentication success results have been received (Yes in S57), the device usage control unit 18 reads the user account information ("netuser") and assigns it to the user (S58).

  Next, when a user account is assigned to the user in step S58 or S62, for example, a shell is activated to wait for a command (S59).

  Thereafter, the function restriction unit 68 monitors the execution process in order to restrict the available functions to the authenticated user (S60). Further, the function restriction unit 68 displays, on the output unit 20, a screen that presents a function that can be used by the user in accordance with whether or not the function based on the function restriction information is available (S 61).

  Even in the information processing device 61, in step S55, the elapsed time since the authentication request is made in step S54 is measured, and if no authentication result is returned from any authentication device 3 after a certain time, the authentication is not successful. As success, the processing of steps S56 and S57 may be omitted, and the processing may be moved to step S63. As a result, even when no authentication device 3 is operating or when there is a failure in the network 110, it is possible to prevent the authentication from waiting for a long time.

  Further, even if not all results are received in step S55, the authentication success determination in step S57 may be performed when one result is received. Thus, if a result of successful authentication is received, it is not necessary to receive all the subsequent results, and the waiting time for authentication can be shortened. For example, even when an authentication request is made to a plurality of authentication devices 3 by broadcast or multicast and authentication results can be received from the plurality of authentication devices 3, the use is permitted when the first successful authentication result arrives. Thus, it is not necessary to wait for all the authentication results, and the authentication time can be shortened.

  As described above, the information terminal device 61 includes the function restriction unit 68, so that even if the user authenticated by the external authentication device 3 is permitted to use, the information terminal device 61 has a function that can be used according to the intention of the device administrator. Can be limited. In other words, if you register in advance a function that allows users who have been authenticated by other devices to use it, you can safely use your device for users registered in other devices. It is possible to save the time and effort of setting operations for registering user accounts and restricting access to individual users for all users who have been given permission to use. Therefore, it is possible to achieve both the convenience of the user that a user who has not registered a user account can be used and the safety of the apparatus that can restrict the function for each user.

  Therefore, for example, with regard to highly confidential functions such as e-mail and document browsing and important functions inside the device, the use of users who are not registered in the device itself is prohibited, and functions with low confidentiality such as homepage browsing with a WWW browser are prohibited. It is possible to control such that anyone can use it.

  Further, for example, when any family member permits only remote control of the doorphone, the administrator of the device only needs to give permission to “netuser” for the function named “control (doorphone)”. Thereby, although there is no user account in the device, only the control of the door phone can be given to a user who has been authenticated by another device.

  In addition, for example, if “netuser” is given permission to use a player that plays content on a home server, even if a user does not have a user account on a device with the player, a user who has been authenticated by another device Will only be allowed to play content.

  Subsequently, a modification of the present embodiment will be described.

  FIG. 17 shows another example of function restriction information held in the function restriction unit 68. In the table of FIG. 17, in addition to the table of FIG. 12, information of the authentication device name for specifying the device to be authenticated is added.

  In FIG. 17, for example, the function name “WWW browser” is a function that can be used by all of the users who have been authenticated by any authentication device 3 (any), but “control (machineB)” This indicates that not all “netusers” can be used, but only users who have been authenticated by the own device (machineA100) or machineC104.

  The authentication device name, which is the name of the authenticated device, is information that can be easily acquired by sending the authentication result transmission source IP address or adding the authentication device name to the authentication result. For example, when machine B 102 sends an authentication result to machine A 100, an authentication result such as “machineB: taro: OK” is sent. By doing so, the function can be limited not only by the user account name but also by the authentication device. If a home device name is set in the home network, users authenticated by other suspicious devices can be excluded, and security can be improved.

  FIG. 18 shows still another example of the function restriction information held in the function restriction unit 68. The table in FIG. 18 is an example when the information terminal device 61 is a PVR (Personal Video Recorder). In this example, a television program name, an actual video file name, and an authentication device name are registered in the table from the left.

  Here, the machine A 100 is a PVR device on which a TV program is recorded, and the PVR device has a personal computer named “father_pc” managed by a father and a personal computer named “son_pc” managed by a child as an authentication device 3. Assume a system configuration in which two units are connected. In this case, according to the table of FIG. 18, a user who is authenticated by “father_pc” can view all recorded programs, but a user who is authenticated by “son_pc” cannot view a love drama. In this way, the function restriction unit 68 can function like a so-called parental lock.

  Further, the function can be limited according to the characteristics of the information terminal device 61 and the content to be used. For example, when the information terminal device 61 is a display device that can only display content that is permitted to be displayed but not permitted to be copied due to copyright, the user is allowed to view the content, Use may not be permitted if the device is a duplicatable device such as a computer. Thereby, the function of the information terminal device 61 can be operated in correspondence with the copyright management.

  Further, depending on whether the information terminal device 61 is a stationary desktop computer in the home or a mobile computer that can be moved and carried, restrictions may be imposed on the functions and contents that can be used. For example, it is possible to determine whether or not the content can be used by holding device characteristic information in a non-rewritable memory and comparing and referencing the device information and the copyright information of the content when using the content. it can.

  Next, the function restriction information registration function will be described with reference to FIGS. 19 and 20. FIG. 19 is a functional block diagram showing an outline of the configuration of an information processing device (information processing apparatus) 71 having a function restriction information registration function. FIG. 20 is an example of a function restriction information registration screen displayed on the information processing device 71.

  As illustrated in FIG. 19, the information processing device 71 includes a function registration unit 72 in addition to the configuration included in the information processing device 61 (FIG. 11).

  The function registration unit 72 has a function of arbitrarily registering function restriction information that the function restriction unit 68 refers to when restricting functions. Specifically, the function registration unit 72 displays a function restriction information registration screen (FIG. 20) on the output unit 20 and prompts the user to input the function restriction information. When the registration button is pressed by the user, the entered function restriction information is acquired and stored in the function restriction unit 68. Note that the example of FIG. 20 corresponds to FIG.

  Thus, by providing the function registration unit 72, it is possible to easily add a function or update a function restriction. Furthermore, by making this registration function available only to the administrator of the device, the device administrator can safely set the device usage.

[Embodiment 4]
The following will describe still another embodiment of the present invention with reference to FIGS. For convenience of explanation, members having the same functions as those shown in the first to third embodiments are given the same reference numerals, and explanation thereof is omitted. The terms defined in Embodiment 1 are used in accordance with the definitions in this embodiment unless otherwise specified.

  FIG. 21 is a functional block diagram showing an outline of the configuration of the information processing device (information processing apparatus) 81 according to the present embodiment. FIG. 23 is a functional block diagram showing an outline of the configuration of the authentication device 203 connected to the information processing device 81 via the network 110. Also in the present embodiment, as shown in FIG. 2, the machine A100 that is the information processing device 81 used by the user is connected to the machine B102, machineC104, and machineD106 that are the authentication devices 203 via the network 110, and the authentication system 5 is configured.

  As shown in FIG. 21, the information processing device 81 is similar to the information processing device 71 (FIG. 19), and includes a network interface 10, an input unit 12, an authentication request unit 14, a determination unit 16, a device usage control unit 18, and an output unit 20. The first authentication unit 54, the first authentication information holding unit 56, the function restriction unit 68, and the function registration unit 72, and further includes a device information holding unit 82.

  The device information holding unit 82 holds device information that identifies the authentication device 203 that is the transmission destination of the authentication request. Here, FIG. 22 shows an example of device information held by the device information holding unit 82. As shown in FIG. 22, in the device information, the device names of machine B 102 to machine D 106 that are the authentication devices 203 are associated with their IP addresses.

  In the information terminal device 81, the authentication request unit 14 does not transmit the authentication request by broadcast, but makes an authentication request only to the authentication device 203 described in the device information held in the device information holding unit 82. Specifically, the authentication request unit 14 of the machine A 100 transmits authentication request data “10.36.60.1:taro:taro_password::auth?” To the machine B 102, machine C 104, and machine D 106. Here, the IP address “10.36.61.1” is the IP address of the machine A100, and is added to the authentication request data as information indicating the transmission source.

  As shown in FIG. 23, the authentication device 203 is similar to the authentication device 3 (FIG. 3) in that the authentication information receiving unit 30, the second authentication unit 32, the second authentication information holding unit 34, the authentication result transmitting unit 36, A network IF 37 is provided, and an authentication request acceptance determination unit (authentication request reception determination unit) 38 is further provided.

  In response to the authentication request from the information terminal device 81, the authentication request acceptance / rejection determination unit 38 determines whether to receive an authentication request based on the device information of the information processing device. The authentication request acceptance determination unit 38 determines whether to accept the authentication request based on the authentication information included in the authentication request data and / or the identification information of the information processing device 91 that identifies the transmission source.

  Specifically, the authentication request acceptance determination unit 38 determines that the machine B 102, machine C 104, and machine D 106 that are the authentication devices 203 have the machine A 100 “10.36.60.1:taro:taro_password::auth?” From the machine A 100 that is the information terminal device 81. The authentication request data including the IP address is received. The following describes the processing in machineB102. The other authentication devices 203 perform similar processing.

  FIG. 24 is an example of authentication information held in the second authentication information holding unit 34 of the machine B 102 that is the authentication device 203. As described with reference to FIG. 4, the second authentication information holding unit 34 holds the user account name of the user and the encrypted password character string registered by the user as authentication information. . In the authentication device 203, authentication request availability information is further added.

  The authentication request availability information is used to determine whether or not to respond to the authentication request based on the device information of the authentication request source. Specifically, in the example of FIG. 24, in response to the authentication request for the “taro” user, from the information terminal device 81 whose IP address is “10.36.60. *” (* Indicates that it is arbitrary). It indicates that only the authentication request is accepted. That is, an authentication request from the machine A100 having the IP address “10.36.60.1” is permitted. If the authentication request data “10.36.60.1:suzuki:suzuki_password::auth?” Is received, it does not match the conditions described in the authentication request availability information registered in the authentication request availability information. Do not respond to requests.

  Note that the present invention is not limited to the above example. For example, whether or not the user is allowed to use may be managed by a flag, and whether or not the authentication request is permitted is determined based on the account name.

  Here, the authentication steps of the information processing device 81 and the authentication device 203 will be described in detail with reference to FIGS.

  FIG. 25 is a flowchart illustrating a processing flow when the user uses the information processing device 81.

  In the information processing device 81, first, the input unit 12 accepts input of authentication information from the user (S71). Next, when authentication information is input, the first authentication unit 54 compares the authentication information registered in the authentication information holding unit 56 and authenticates the authentication information input by the user (S72). Authentication succeeds only when the user account name and password match completely, and fails when either part is different. If the authentication by the first authentication unit 54 is successful (No in S73), the device usage control unit 18 assigns the user account of the authenticated user (S83).

  On the other hand, when the authentication by the first authentication unit 54 has failed (Yes in S73), the device information for which the authentication request unit 14 makes an authentication request is read from the device information holding unit 82 (S74) and described in the read device information. An authentication request is sent to the authentication device 203 that is present via the network 110 (S75).

  Next, the determination unit 16 determines whether or not all authentication results have been received from the authentication device 203 that has transmitted the authentication request (S76). If all the authentication results have not been received (No in S76), the authentication result waiting state is continued (S77). On the other hand, when all the authentication results have been received (Yes in S76), the determination unit 16 determines whether or not the information processing device 51 can be used from the received authentication results (S78).

  If the authentication success result is not received from any authentication device 203 (No in S78), the device usage control unit 18 does not permit the user to use the information processing device 51. In this case, for example, the device usage control unit 18 controls the output unit 20 to display a screen for presenting information indicating that the device cannot be used and an input screen for authentication information (S84). On the other hand, if one or more authentication success results have been received (Yes in S78), the device usage control unit 18 reads the user account information ("netuser") and assigns it to the user (S79).

  Next, when a user account is assigned to the user in step S79 or S83, for example, a shell is activated to wait for a command (S80).

  Thereafter, the function restriction unit 68 monitors the execution process in order to restrict the available functions for the authenticated user (S81). Further, the function restriction unit 68 displays, on the output unit 20, a screen or the like that presents a function that can be used by the user, depending on whether or not the function based on the function restriction information can be used (S82).

  Note that the information processing device 81 also measures the elapsed time since the authentication request was made in step S75 in step S76, and if no authentication result is returned from any authentication device 203 even after a predetermined time has passed, the authentication is not successful. As success, the processing of steps S77 and S78 may be omitted, and the processing may be shifted to step S84. As a result, even when any authentication device 203 is not operating or when there is a failure in the network 110, it is possible to prevent the authentication waiting state for a long time.

  Further, even if not all results are received in step S76, the authentication success determination in step S78 may be performed when one result is received. Thus, if a result of successful authentication is received, it is not necessary to receive all the subsequent results, and the waiting time for authentication can be shortened. For example, even when an authentication request is made to a plurality of authentication devices 203 by broadcast or multicast and authentication results can be received from the plurality of authentication devices 203, the use is permitted when the first authentication success result arrives. Thus, it is not necessary to wait for all the authentication results, and the authentication time can be shortened.

  FIG. 26 is a flowchart showing a flow of authentication processing performed by the authentication device 203, and shows a flow for performing authentication by receiving the authentication request transmitted from the information processing device 81 in step S75 of FIG.

  In the authentication device 203, first, the authentication information receiving unit 30 receives an authentication request from the information processing device 81 (S91). Next, the authentication request acceptance / rejection determination unit 38 determines whether or not to accept the authentication request based on the received authentication request data and the authentication request permission information registered in advance (S92). ).

  When responding to the authentication request (Yes in S93), the second authentication unit 32 authenticates the authentication information included in the authentication request (S94). This authentication is performed by the second authentication unit 32 referring to the second authentication information holding unit 34 and comparing the received user account name and password. Next, the second authentication unit 32 generates authentication result data in which the authentication result is recorded (S95), and the authentication result transmission unit 36 transmits it to the information processing device 81 that is the authentication request source (S96). .

  On the other hand, if the authentication request is not responded (No in S93), the second authenticating unit 32 generates authentication result data indicating an authentication failure (S95), and the authentication result transmitting unit 36 processes the information that is the authentication request source. It transmits with respect to the apparatus 81 (S96).

  As described above, by setting a device that responds to an authentication request for each user, it is possible to prevent a user account from being used by an unauthorized device. Furthermore, if only the devices in the home network are limited, authentication requests from devices outside the home network can be eliminated, and security in the home network can be ensured.

[Embodiment 5]
The following will describe still another embodiment of the present invention with reference to FIGS. For convenience of explanation, members having the same functions as those shown in the first to fourth embodiments are given the same reference numerals, and explanation thereof is omitted. In addition, the terms defined in Embodiment 1 are used in accordance with the definitions in this embodiment unless otherwise specified.

  FIG. 27 is a functional block diagram showing an outline of the configuration of the information processing device (information processing apparatus) 91 according to the present embodiment. Also in the present embodiment, as shown in FIG. 2, the machine A100, which is the information processing device 91 used by the user, is connected to the machine B102, machineC104, and machineD106, which are the authentication devices 203, via the network 110, and the authentication system. 5 is configured. The configuration of the authentication device 203 is the same as that described in the fourth embodiment with reference to FIG.

  As shown in FIG. 27, the information processing device 91 is similar to the information processing device 81 (FIG. 21), and includes a network interface 10, an input unit 12, an authentication request unit 14, a determination unit 16, a device usage control unit 18, and an output unit 20. , A first authentication unit 54, a first authentication information holding unit 56, a function restriction unit 68, a function registration unit 72, and a device information holding unit 82, and an authentication result holding unit (authentication result holding unit, usage monitoring unit) 94. A connection processing unit (connection processing means) 96 is provided.

  The authentication result holding unit 94 holds the result of the authentication request. The connection processing unit 96 requests a connection to the network IF 10 when the information processing device 91 accesses a file on another device or uses content. It is assumed that the first authentication information holding unit 56 holds the user authentication information shown in FIG.

  Similar to the information terminal device 81 (FIG. 21), the information processing device 91 makes an authentication request to the authentication device registered in the device information holding unit 82 when the user cannot be authenticated on the own device. The authentication request method is as described in the fourth embodiment. That is, when the authentication requesting unit 14 receives a result of successful authentication from the authentication device 203, the determination unit 16 gives an account having a predetermined authority to the user.

  The authentication result holding unit 94 holds at least the authentication information and the authentication result by the authentication device 203 in association with each other. Further, when the connection processing unit 96 connects to the external authentication device 203, the connection processing unit 96 refers to the authentication result holding unit 94 based on the user authentication information, and information indicating that the authentication device 203 has already been authenticated is displayed. If held, communication with the authentication device 203 is performed with the authentication information added. Further, the authentication result holding unit 94 holds the user in the authentication result holding unit 94 when the user finishes using the own device or when the user uses the own device exceeds a certain time. The authentication result by the authentication device 203 corresponding to the authentication information is invalidated.

  In the present embodiment, when the authentication device 203 receives an authentication request from the information processing device 91 and performs authentication, the authentication device 203 transmits an authentication result including information that can identify the authentication device 203 itself as an authentication result. For example, when the machine B 102 as the authentication device 203 receives the authentication request data “10.36.60.1:taro:taro_password::auth?” From the machine A 100 as the information processing device 91 and authenticates the “taro” user, the authentication result The transmission unit 36 transmits the authentication result including the IP address of the machine B 102 of “10.36.60.2:taro::OK” to the requesting machine A100. At this time, in the machine C 104 and machine D 106 that are the authentication devices 203, if the authentication process is performed in the same manner and the authentication fails, they are referred to as “10.36.60.5:taro::NG” and “10.36.60.8:taro:NG”, respectively. An authentication result including the IP address of the device is transmitted to machine A100. The device identification name may use a host name in addition to the IP address as long as it is a unique identifier that can be distinguished from each other in the network. The reason why the authenticated device identification name is added to the authentication result as described above is to determine which authentication device 203 is the authentication result of the information processing device 91 when an authentication request is issued to a plurality of authentication devices 203. It is.

  Then, in the machine A 100, when the determination unit 16 receives authentication success data such as “10.36.60.2:taro::OK” from at least one authentication device, the “netuser” is used to give the user the right to use the machine A 100. Is instructed to the apparatus usage control unit 18 to assign the user account "." At this time, the connection processing unit 96 records the authentication result in the authentication result holding unit 94. The connection processing unit 96 records the authentication result in the authentication result holding unit 94 in the same manner even when the authentication result indicating that authentication is unsuccessful is received.

  Here, FIG. 28 is an example of authentication result information recorded in the authentication result holding unit 94. In the authentication result information, the assigned user account and the authentication result are associated with each other. The authentication result information includes, for example, the following items. The use account name is a user account name used in the device. The authentication request account name is a user account name authenticated by the authentication request. In the example of FIG. 28, “netuser” and “taro” are obtained, respectively. Further, the authentication information is information input for the user to be authenticated. In the example of FIG. 28, a password is recorded. The use start time is a time at which an account (user identifier, user identifier) is allocated and made available. The authentication request result indicates the device information that issued the authentication request and the authentication result.

  As described above, the connection processing unit 96 issues a connection request for performing communication through the network IF 10. At this time, the connection processing unit 96 converts the user account name according to the access destination device and requests connection.

  Specifically, as shown in the authentication result of FIG. 28, when “taro” receives authentication from machineB102 and uses machineA100 as “netuser”, when accessing machineB102 again from machineA100, “netuser” Convert to a “taro” account and access. For example, when accessing the home page with a password restriction of the machine B102, the machine B102 requests authentication information from the machine A100, and at this time, automatically requests the connection by adding the user account name and the authentication information in the machineB102.

  FIG. 29 is an example of an HTTP request when accessing a home page with a password restriction of the machine B102. As shown in FIG. 29, the connection processing unit 96 automatically adds data obtained by encoding authentication information “taro” in Basic64 to the Authentication header and sends a request. This eliminates the need to receive “taro” authentication on the machine B 102 again.

  Next, the authentication step of the information processing device 91 will be described in detail. Note that the authentication process in the own device when using the information processing device 91 is the same as that described in the fourth embodiment with reference to FIG.

  FIG. 30 is a flowchart showing a processing flow of the connection processing unit 96 when a user who has been authenticated by another device and uses the information processing device 91 connects from the information processing device 91 to another device. is there.

  In the information processing device 91, when connecting to another device, the connection processing unit 96 refers to the authentication result holding unit 94 (S101), and checks whether the connected device is a device that has already been authenticated (S101). S102). If the connection destination is an unauthenticated device or a device for which authentication has failed (No in S102), the connection processing unit 96 connects to the device without performing any user account conversion (S105).

  On the other hand, when the connection destination is a device that has already been authenticated (Yes in S102), if there is a request for re-authentication when connecting to the device (Yes in S103), the connection processing unit 96 determines the connection destination. A request to which authentication information corresponding to the device is added is created (S104), and a connection is made (S105). If there is no request for re-authentication (No in S103), the connection processing unit 96 performs connection without converting the user account (S105).

  By processing as described above, for a device that has already been authenticated, even if a request for inputting authentication information is received again, by converting the user account name according to the device and accessing it, the user can Access without re-entering authentication information. In addition, from the viewpoint of security, when the user account “netuser” is temporarily assigned and no operation is performed for a certain period of time or when the use is terminated, the use of “netuser” is prohibited, and the authentication result holding unit 94 By performing time monitoring such as deleting the authentication result information that is held, when an authenticated user leaves the seat or forgets to log out, other users can impersonate other devices and use other devices. It is also possible to reduce the sex. In addition, it is possible to monitor a user's utilization condition by measuring the operation condition of input devices, such as a mouse | mouth and a keyboard, and the operated time at any time.

  In each of the above embodiments, in order to make the explanation easy to understand, an information processing device including an authentication request unit 14 and an authentication device including a second authentication unit 32 that performs authentication upon receiving an authentication request from the information processing device. The explanation was made with a distinction. However, all the devices may be configured to have both functions of the authentication request unit 14 and the second authentication unit 32. With this configuration, the user can use functions within the permitted range for any device as long as the user account is registered in at least one of the devices.

  Further, authentication may be performed using physical information such as a fingerprint. With this configuration, the user can save the trouble of inputting user account information using a keyboard, a mouse, or the like, and it is not necessary to store information on registered user accounts.

  Further, the information processing device may function in the television receiver. With this configuration, even a television that does not generally have a user management function is authenticated by using an external authentication device, thereby prohibiting use by the user or restricting TV programs that can be viewed. It becomes possible.

  Here, the information processing devices 1, 51, 61, 71, 81, 91 can be configured based on general-purpose computers (including personal computers). The authentication devices 3 and 203 can be configured based on general-purpose computers (including workstations and personal computers). That is, the information processing devices 1, 51, 61, 71, 81, 91 and the authentication devices 3, 203 receive instructions of programs (information processing device control program, authentication device control program) that realize the respective functions. CPU (central processing unit) to execute, ROM (read only memory) storing boot logic, RAM (random access memory) for expanding the program, and storage devices (recording media) such as a hard disk for storing the program and various databases An input device such as a keyboard and a mouse, an output device such as a monitor, a speaker and a printer, and a network connection device connected to an external network are connected by an internal bus.

  The functions according to the present invention of the information processing devices 1, 51, 61, 71, 81, 91 and the authentication device 3, 203 are the program codes (execution format program, intermediate code program) of the control program that realizes the functions of the above-described units. , Source program) is recorded in a computer-readable recording medium, supplied to the information processing equipment 1, 51, 61, 71, 81, 91 and the authentication equipment 3, 203, and the program code recorded on the recording medium by the CPU This can be realized by reading and executing. Specifically, the information processing equipment 1, 51, 61, 71, 81, 91 includes the network IF 10, the input unit 12, the authentication request unit 14, the determination unit 16, the device usage control unit 18, the output unit 20, and the first. The authentication unit 54, the first authentication information holding unit 56, the function restriction unit 68, the function registration unit 72, the device information holding unit 82, the authentication result holding unit 94, the connection processing unit 96, and the like are stored in a memory (not shown) of the device. This is realized by a CPU or the like executing a predetermined program stored in. Further, the authentication information receiving unit 30, the second authentication unit 32, the second authentication information holding unit 34, the authentication result transmission unit 36, the network IF 37, and the like included in the authentication devices 3 and 203 are a memory (not shown) of the device. This is realized by a CPU or the like executing a predetermined program stored in. Note that part or all of each of the above blocks may be configured by hardware logic.

  The recording medium for supplying the program code can be configured to be separable from the system or apparatus. The recording medium may be a medium that is fixedly supported so that the program code can be supplied. Even if the recording medium is attached to the system or apparatus so that the recorded program code can be directly read by the computer, the recording medium can be connected via the program reading apparatus connected to the system or apparatus as an external storage device. It may be mounted so that it can be read.

  For example, as the recording medium, a disk including a tape system such as a magnetic tape or a cassette tape, a magnetic disk such as a floppy (registered trademark) disk / hard disk, and an optical disk such as a CD-ROM / MO / MD / DVD / CD-R. Card system such as IC card, IC card (including memory card) / optical card, or semiconductor memory system such as mask ROM / EPROM / EEPROM / flash ROM.

  The program code may be recorded so that the computer can read out from the recording medium and directly execute it, or after being transferred from the recording medium to the program storage area of the main memory, the computer can read out from the main memory and execute it. It may be recorded as follows.

  Furthermore, the system or apparatus may be configured to be connectable to a communication network, and the program code may be supplied via the communication network. The communication network is not particularly limited. Specifically, the Internet, intranet, extranet, LAN, ISDN, VAN, CATV communication network, virtual private network, telephone line network, mobile communication A network, a satellite communication network, etc. can be used. In addition, the transmission medium constituting the communication network is not particularly limited, and specifically, it is an infrared ray such as IrDA or a remote control even in a wired manner such as IEEE 1394, USB, power line carrier, cable TV line, telephone line, ADSL line or the like. , Bluetooth (registered trademark), 802.11 wireless, HDR, mobile phone network, satellite line, terrestrial digital network, and the like. The present invention can also be realized in the form of a carrier wave or a data signal sequence in which the program code is embodied by electronic transmission.

  The program for reading the program code from the recording medium and storing it in the main memory, and the program for downloading the program code from the communication network are stored in advance in a system or apparatus so as to be executable by a computer. To do.

  Furthermore, the function described above is obtained by writing the program code read from the recording medium into a memory provided in a function expansion board attached to the computer or a function expansion unit connected to the computer, and then the program code. Based on this instruction, the CPU provided in the function expansion board or function expansion unit can also be realized by performing part or all of the actual processing.

  The present invention is not limited to the above-described embodiments, and various modifications are possible within the scope shown in the claims, and can be obtained by appropriately combining technical means disclosed in different embodiments. Embodiments are also included in the technical scope of the present invention.

  In addition, this invention can be comprised as follows, for example.

  An information processing apparatus according to the present invention includes an input unit that allows a user to input authentication information in a network in which at least one authentication apparatus that manages and authenticates user information is connected to each other without relating the user information. Requesting authentication of the authentication information to at least one authentication device communicable by the network means, output means for displaying, network means for communicating with the authentication device through the network, and authentication An authentication request means for receiving a result, a determination means for determining whether at least one of the authentication results is successful, and at least one of the determination means is determined to be successful, It may be configured to include a device use control unit that permits use of the user.

  Furthermore, in the information processing apparatus according to the present invention, the authentication request unit may request authentication by broadcast communication.

  Furthermore, the information processing apparatus according to the present invention further includes a first authentication information holding unit that holds user authentication information, and a first authentication unit that authenticates the authentication information input by the input unit. The authentication request may be made under a predetermined condition.

  Furthermore, in the information processing apparatus according to the present invention, the predetermined condition may be a case where the first authentication unit cannot authenticate.

  Furthermore, the information processing apparatus according to the present invention further includes a function restricting unit that restricts a function that can be used by the user, and restricts a function that can be used by the user with respect to the user authenticated by the authentication apparatus. It may be.

  Furthermore, in the information processing apparatus according to the present invention, the function restricting unit is configured so that the user is authenticated based on predetermined information included in the authentication result received from the authentication apparatus. It may be possible to limit available functions.

  Furthermore, in the information processing apparatus according to the present invention, the function restriction unit may further include a function registration unit that registers the restricted function.

  Furthermore, in the information processing apparatus according to the present invention, the output unit may output the restricted function by switching to a predetermined display method. In the information processing apparatus according to the present invention, the output unit may not display a function name of the restricted function. Thus, by switching the display method according to the user's authority, the user can easily understand the functions that the user can use.

  Furthermore, the information processing apparatus according to the present invention includes an authentication result holding unit that holds the authentication information authenticated by the authentication apparatus in association with the authentication result, and the authentication apparatus in which a connecting device has already been authenticated. An authenticated determination means for determining whether or not a connection is established, and a connection processing means for performing communication by adding the authentication information to the connection to the authentication apparatus.

  Furthermore, the information processing apparatus according to the present invention may include usage monitoring means for invalidating the user identifier and the authentication result holding means after the user ends use or a certain time has elapsed.

  The authentication apparatus according to the present invention includes: a receiving unit that receives authentication information; a second authentication information holding unit that stores user authentication information; and a second unit that authenticates the received authentication information and transmits a result. An authentication apparatus comprising: an authentication unit, wherein the second authentication unit includes an authentication request acceptance determination unit that determines whether to accept an authentication request based on predetermined information of the authentication information. It may be configured.

  Further, in the authentication apparatus according to the present invention, the predetermined information is the device information and / or the authentication information that is the transmission source of the authentication information, and the authentication request acceptance determination unit determines the device information and / or the authentication information. It may be determined whether or not to respond to authentication.

  An information processing system according to the present invention includes an input unit for inputting authentication information, an authentication request unit for requesting at least one authentication apparatus to authenticate the authentication information, and receiving an authentication result, and a predetermined authority. An information processing apparatus having an apparatus usage control means for assigning and using a user identifier having the authentication information, an authentication information receiving means for receiving the authentication information, and a second for transmitting authentication and an authentication result to the received authentication information An information processing system comprising at least one authentication device provided with the authentication means, wherein the information processing device determines to the user if at least one of the authentication results is successful. A predetermined usage identifier having the right of the above may be allocated and used.

  The information processing method according to the present invention includes an input step for a user to input authentication information, an output step for display, a communication step for communication with another device, and at least one authentication device capable of communication. Requesting authentication of the authentication information and receiving an authentication result, a determination step of determining whether at least one of the authentication results is successful, and at least 1 in the determination step It may be a method having an apparatus usage control step of permitting the user to use when it is determined that one or more are successful.

  According to the present invention, a user who has not registered a user account in the device can use the device safely without newly registering a user account by the device administrator. It can be widely applied to all information processing devices that manage usage.

It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on one embodiment of this invention. It is a block diagram which shows the outline of the authentication system which consists of an information processing apparatus and authentication apparatus which concern on embodiment of this invention. It is a functional block diagram which shows the outline of a structure of the authentication apparatus which concerns on embodiment of this invention. It is explanatory drawing which shows an example of the user's authentication information hold | maintained at the 2nd authentication information holding part of the authentication apparatus shown in FIG. It is explanatory drawing which shows the example of an input screen of the authentication information displayed on the information processing apparatus which concerns on embodiment of this invention. It is a flowchart which shows the procedure of the authentication step in the information processing apparatus shown in FIG. It is a flowchart which shows the procedure of the authentication step in the authentication apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on other embodiment of this invention. It is explanatory drawing which shows an example of the user's authentication information hold | maintained at the 1st authentication information holding | maintenance part of the information processing apparatus shown in FIG. It is a flowchart which shows the procedure of the authentication step in the information processing apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on other embodiment of this invention. It is explanatory drawing which shows an example of the function information hold | maintained at the function restriction | limiting part of the information processing apparatus shown in FIG. It is explanatory drawing which shows the example of a screen displayed on the information processing apparatus shown in FIG. It is explanatory drawing which shows the example of a screen displayed on the information processing apparatus shown in FIG. It is explanatory drawing which shows the example of a screen displayed on the information processing apparatus shown in FIG. It is a flowchart which shows the procedure of the authentication step in the information processing apparatus shown in FIG. It is explanatory drawing which shows the other example of the function information hold | maintained at the function restriction | limiting part of the information processing apparatus shown in FIG. It is explanatory drawing which shows the further another example of the function information hold | maintained at the function restriction | limiting part of the information processing apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on other embodiment of this invention. It is explanatory drawing which shows the example of an input screen of the function restriction information displayed on the information processing apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on other embodiment of this invention. It is explanatory drawing which shows an example of the apparatus information hold | maintained at the apparatus information holding part of the information processing apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the authentication apparatus which concerns on embodiment of this invention. It is explanatory drawing which shows an example of the authentication information hold | maintained at the 2nd authentication information holding part of the authentication apparatus shown in FIG. It is a flowchart which shows the procedure of the authentication step in the information processing apparatus shown in FIG. It is a flowchart which shows the procedure of the authentication step in the authentication apparatus shown in FIG. It is a functional block diagram which shows the outline of a structure of the information processing apparatus which concerns on other embodiment of this invention. It is explanatory drawing which shows an example of the authentication result information hold | maintained at the authentication result holding | maintenance part of the information processing apparatus shown in FIG. It is explanatory drawing which shows an example of the HTTP request which the connection process part of the information processing apparatus shown in FIG. 27 transmits. It is a flowchart which shows the procedure of the connection authentication step by the connection process part of the information processing apparatus shown in FIG.

Explanation of symbols

1, 51, 61, 71, 81, 91 Information processing equipment 2,203 Authentication equipment 5 Authentication system 12 Input unit (input means)
14 Authentication request section (authentication request means)
16 Judgment part (account grant means)
38 Authentication Request Acceptance Determination Unit (Authentication Request Acceptance Determination Unit)
54 1st authentication part (1st authentication means)
68 Function restriction unit (Function restriction means)
94 Authentication result holding unit (authentication result holding means, usage monitoring means)
96 Connection processing unit (connection processing means)

Claims (16)

Input means for acquiring authentication information for authenticating the user from the user;
First authentication means for authenticating the authentication information acquired by the input means;
An information processing device comprising: authentication request data that transmits authentication request data including the authentication information to an external authentication device and receives an authentication result from the authentication device.   2. The information processing device according to claim 1, wherein the authentication requesting unit transmits the authentication request data to the external authentication device when the first authentication unit fails in authentication. .   3. A function restricting unit that restricts a function that can be used by a user according to an authentication result by the first authentication unit and / or an authentication result by the external authentication device. Information processing equipment described in 1. Input means for acquiring authentication information for authenticating the user from the user;
An authentication request means for transmitting authentication request data including the authentication information acquired by the input means to an external authentication device, and receiving an authentication result from the authentication device;
When the authentication request means receives a successful authentication result from the authentication device, an account granting means for giving the user an account having a predetermined authority;
Authentication result holding means for holding the authentication information and the authentication result by the authentication device in association with each other;
When connecting to an external authentication device, the authentication result holding means is referred to based on user authentication information, and if information indicating that authentication by the authentication device has already been held is held, An information processing device comprising: a connection processing unit configured to add the authentication information.   When the user ends the use of his / her device or when the user's use of his / her device exceeds a certain time, the authentication device corresponding to the user's authentication information held in the authentication result holding means 5. The information processing apparatus according to claim 4, further comprising usage monitoring means for invalidating the authentication result. Input means for acquiring authentication information for authenticating the user from the user;
An authentication request means for transmitting authentication request data including the authentication information acquired by the input means to a plurality of external authentication devices, and receiving an authentication result from the authentication devices;
An information processing device comprising: an account granting unit that gives an account having a predetermined authority to the user when the authentication requesting unit receives a successful authentication result from at least one of the authentication devices. An authentication device that receives the authentication request data including the authentication information from the information processing device according to any one of claims 1 to 6, authenticates the authentication information, and transmits the authentication result to the information processing device. Because
An authentication device comprising: an authentication request acceptance determination unit that determines whether to accept an authentication request based on the authentication information included in the authentication request data.   The authentication request acceptance determination means determines whether or not to respond to the authentication request based on identification information of the information processing device that identifies the transmission source included in the authentication request data. The authentication device according to claim 7.   An information processing apparatus according to any one of claims 1 to 6 and the authentication apparatus according to claim 7 or 8 are communicably connected to each other. An input step of acquiring authentication information for authenticating the user from the user;
A first authentication step for authenticating the authentication information acquired in the input step;
A control method for an information processing device, comprising: an authentication request step of transmitting authentication request data including the authentication information to an external authentication device and receiving an authentication result from the authentication device. An input step of acquiring authentication information for authenticating the user from the user;
An authentication request step for transmitting authentication request data including the authentication information acquired in the input step to an external authentication device, and receiving an authentication result from the authentication device;
When an authentication success result is received from the authentication device in the authentication request step, an account granting step for giving the user an account having a predetermined authority;
An authentication result holding step for holding at least the authentication information and the authentication result by the authentication device in association with each other;
When connecting to an external authentication device, refer to the information held in the authentication result holding step based on the user authentication information, and if information indicating that the authentication by the authentication device has already been held is held, And a connection processing step for performing communication with the authentication device by adding the authentication information. An input step of acquiring authentication information for authenticating the user from the user;
An authentication request step for transmitting authentication request data including the authentication information acquired in the input step to a plurality of external authentication devices, and receiving an authentication result from each authentication device;
Control of information processing device, comprising: an account granting step of giving an account having a predetermined authority to the user when the authentication requesting step receives a result of successful authentication from at least one of the authentication devices. Method.   A control program for an information processing device for operating the information processing device according to any one of claims 1 to 6, wherein the control program for the information processing device causes a computer to function as each of the means.   A computer-readable recording medium in which the control program for the information processing device according to claim 13 is recorded.   9. An authentication device control program for operating an authentication device according to claim 7 or 8, wherein the authentication device control program causes a computer to function as each of the means.   The computer-readable recording medium which recorded the control program of the authentication apparatus of Claim 15.

Images