JP2005222100A - Client server system, server device and communication control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize a client server system capable of enhancing the security to intrusion without impairing the convenience of a network. <P>SOLUTION: The client server system comprises a client device 1 and a server device 2 mutually connected through a network 3. The server device 2 comprises a user authentication means authenticating a user who wants to use a service by use of the client device 1, an approval determination means determining, in response to authentication request information from the user who is the authentication object in the user authentication means, whether an authentication result by the user authentication means is approved or not, based on approval propriety determination information inputted by an approver; and a communication control means controlling communication with the client device based on the authentication result by the user authentication means and the approval determination result by the approval determination means. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a client server system configured using a network, a server device suitable for use in configuring the client server system, and a communication control method suitable for application to the client server system.

  In general, in a client server system, user authentication is widely performed in order to prevent unauthorized entry into a server device via a network. In user authentication, at the first access (login) to a server device, a user who wants to receive a service is requested to input a user ID (user name) and a password, and information input in response to this request is stored. Only when it matches the pre-registered user information, only subsequent users (in other words, authorized users who have the authority to receive services) by permitting subsequent access and denying access otherwise. To provide services.

  When a specific processing flow is simply connected, first, a logical communication connection is established between the client device and the server device via the network. Next, a user ID and a password are sent from the client device to the server device over this communication connection, and the server device authenticates the user according to this information. As a result of the authentication, if it is confirmed that the user is authorized to use the service, communication for use and provision of the service is performed between the client device and the server device on the authenticated communication connection. Between.

  However, with user authentication using a user ID and password, it is difficult to reliably prevent unauthorized intrusion due to third party “spoofing” in terms of network security. For example, when performing user authentication in a network environment that is accessed by an unspecified number of users (for example, on a wide area network such as the Internet), the password can be set with a short word or simple word so that the user can easily remember the password. If configured, the password may be easily guessed by a third party, and unauthorized intrusion by the third party may be permitted. In addition, if the password is composed of complex words, it may lead to a situation where the user cannot be authorized to access due to forgetting to remember the password even if he / she is a regular user. There is a risk that the password will be leaked to a third party if it is seen.

  Therefore, conventionally, a technique for performing user authentication using a MAC address of a computer device connected to a network in addition to a user ID and a password has been proposed (for example, see Patent Document 1). According to this technology, even if the user ID and password are known to a third party, the MAC addresses cannot be matched during user authentication unless a service use request is issued from a computer device of a legitimate user. Therefore, access from an unauthorized third party can be denied.

JP 2000-181867 A

  However, in the above conventional technique, since the computer devices that can use the service are limited, the convenience of the network in the client server system is impaired. Specifically, for example, when a server device used regularly by a regular user is a desktop computer device and the computer device is installed in a regular user's workplace, the regular user is a computer on a business trip destination. Even if an attempt is made to access from a device, the MAC address of the computer device used for the access is different from the MAC address of the computer device of the authorized user. Therefore, a regular user cannot use a desired service from a business trip destination.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to realize a client server system capable of improving security against unauthorized intrusion without impairing the convenience of the network. .

  A client server system according to the present invention is a client server system in which a client device and a server device are connected via a network, and the server device authenticates a user who intends to use a service using the client device. The user authentication means and whether or not to approve the authentication result by the user authentication means are determined based on the approval approval judgment information input by the approver in response to the approval request information from the user to be authenticated by the user authentication means. An approval determination unit for determining, and a communication control unit for controlling communication with the client device based on the authentication result by the user authentication unit and the approval determination result by the approval determination unit.

  In the client server system according to the present invention, the user who intends to use the service using the client device is authenticated as the authorized user by the user authentication means of the server device, and the approver approves the authentication result. Unless the approver who receives the request inputs approval approval determination information for approving the approval result, the approval determination means does not determine that the authentication result is approved. For this reason, even if a third party who attempts an unauthorized invasion impersonates a legitimate user and receives user authentication, and succeeds in this authentication, the probability of subsequent approval failure is very high. Therefore, only when the user authentication unit is authenticated as a legitimate user and the determination to approve the authentication result is made by the approval determination unit, the communication (access) for using and providing the service is permitted. By controlling with the communication control means, it is possible to provide services only to authorized users without providing services to third parties who become unauthorized intruders.

  ADVANTAGE OF THE INVENTION According to this invention, the security with respect to an unauthorized intrusion can be improved in the client server system using a network, without impairing the convenience of a network.

  Hereinafter, specific embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a schematic diagram showing a configuration example of a client server system to which the present invention is applied. In the figure, a client device 1 and a server device 2 are connected to each other via a network 3. The client device 1 has a function of receiving a desired service by making a service use request to the server device 2 connected to the network 3. On the other hand, the server device 2 has a function of receiving a service use request from the client device 1 connected to the network 3 and providing a service that the own device has. As a specific example, the client device 1 is configured by a personal computer or the like, and the server device 2 is configured by a print server, a database server, a file server, a mail server, or the like.

  The network 3 serves as a network means used when data communication (data transmission / reception) is performed between the client device 1 and the server device 2. The network 3 is configured by, for example, a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, or the like. As a specific communication form of the network 3, packet communication in which data transfer is performed in units of packets based on TCP / IP (Transmission Control Protocol / Internet Protocol) can be employed.

  FIG. 2 is a functional block diagram showing a configuration example of the client device according to the embodiment of the present invention. As illustrated, the client device 1 includes a network interface unit 4, a communication control unit 5, an authentication information input unit 6, an approval information input unit 7, and a service use unit 8.

  The network interface unit 4 is an interface for performing data communication (data transmission / reception) with the server device 2 via the network 3. The client device 1 is connected to the network 3 via the network interface unit 4. The communication control unit 5 comprehensively controls data communication with the server device 2. In the communication control unit 5, when performing data communication with the server device 2 via the network 3, the network interface unit 4, the authentication information input unit 6, the approval information input unit 7, and the service use function 8, Data and information used for data communication are exchanged.

  The authentication information input unit 6 inputs information (hereinafter referred to as authentication information) required for user authentication performed when using the service provided by the server device 2 (strictly, before using the service). It is a functional part for. On the other hand, the approval information input unit 7 approves the authentication result when the user authentication performed by the server apparatus 2 is authenticated as a user who actually intends to use the service. It is a functional unit for inputting information (hereinafter, information for approval) required at the time. Input of information (authentication information, approval information) using the authentication information input unit 6 and the approval information input unit 8 is performed by a user who uses the client device 1.

  The service use unit 8 creates a request message according to the specific request contents of the service use input from the user interface unit (not shown) by the user input operation (key operation, mouse operation, etc.), for example. It has a function of sending a message to the communication control unit 5 and receiving a response from the communication control unit 5 to the request message to use a desired service. As specific request contents of service use included in the request message, for example, a combination of contents specifying a service use type and contents specifying a service use condition can be considered. Service usage types include print service, database service, mail service, file service, and the like. Further, the service usage conditions include color printing designation, stapling designation, sorting designation, etc. if the service usage type is a print service. If the service usage type is a database service, there are data search specification by keyword, data search specification by a plurality of keywords, data search range and hierarchy specification, and the like.

  FIG. 3 is a functional block diagram showing a configuration example of the server apparatus according to the embodiment of the present invention. As illustrated, the server apparatus 2 includes a network interface unit 9, a communication control unit 10, a user authentication unit 11, an approval determination unit 12, and a service providing unit 13.

  The network interface unit 9 is an interface for performing data communication (data transmission / reception) with the client device 1 via the network 3. The server device 2 is connected to the network 3 via the network interface unit 4. The communication control unit 10 comprehensively controls data communication with the client device 1. In the communication control unit 10, when data communication is performed with the client device 1 via the network 3, data communication is performed among the network interface unit 9, the user authentication unit 11, the approval determination unit 12, and the service providing unit 13. Deliver data and information used.

  The user authentication unit 11 authenticates a user who intends to use a service using the client device 1, that is, a user who is authorized to use the service is authorized to use the service by a prior user registration procedure or the like ( It is confirmed whether the user is a registered user. The user authentication unit 11 performs user authentication processing using, for example, a user ID (user name) and a password. In this case, the user ID and password correspond to the authentication information. User information (including a user ID and password) having the qualification of a regular user (service usage authority) is stored and held in a database (not shown) at the time of prior user registration processing. Accordingly, the user authentication unit 11 performs user authentication processing with reference to the user information held in the database.

  The approval determination unit 12 confirms whether or not to approve the authentication result by the user authentication unit 11 as a user to be approved by the user authentication unit 11, and more specifically, by the user authentication unit 11 as an authorized user (authentication). In response to the approval request information from the user, the determination is made based on the approval / disapproval determination information input by the approver. In this embodiment, the approver is in a familiar relationship with a user who is authenticated as a regular user by the user authentication unit 11 (for example, a relationship between a boss and a subordinate, a relationship between colleagues, a friend relationship, etc.) A person who has the qualification to be able to confirm his / her identity by listening to his / her voice or looking at his / her face. The approval approval / disapproval determination information input by the approver is information that clearly indicates whether the approval result by the user authentication unit 11 is determined to be approved by the approver with reference to information for approval described later or not approved. .

  When the network interface unit 9 receives a service use request message via the network 3, the service providing unit 13 receives the request message from the communication control unit 10 and determines the service actually requested by the request message. It has a function of determining whether or not it can be provided and providing the actually requested service if it can be provided.

  FIG. 4 is a functional block diagram illustrating a configuration example of the approval information input unit included in the client device according to the embodiment of the present invention. As illustrated, the approval information input unit 7 includes a voice input unit 71 and a voice transmission unit 72. The voice input unit 71 takes in the voice of the user who intends to use the service and generates voice data, and is configured by a small microphone or the like. The voice transmission unit 72 transmits user voice data generated by the voice input unit 71 to the communication control unit 5. The audio data transmitted to the communication control unit 5 is transmitted from the network interface unit 4 to the server device 2 via the network 3.

  FIG. 5 is a functional block diagram illustrating a configuration example of the approval determination unit provided in the server device according to the embodiment of the present invention. As shown in the figure, the approval determination unit 12 includes a voice reception unit 121, a voice output unit 122, an authentication result display unit 123, and an approval determination input unit 124. The voice receiving unit 121 receives user voice data sent from the client device 1 to the server device 2 through the network interface unit 9 and the communication control unit 10, and provides the received voice data to the voice output unit 122. is there. The audio output unit 122 outputs (reproduces) the audio data given from the audio receiving unit 121, and includes a small speaker or the like.

  The authentication result display unit 123 displays user identification information given from the user authentication unit 11 via the communication control unit 10 as visible information as an authentication result in the user authentication unit 11. In the authentication result display unit 123, identification information of a user who is authenticated as a regular user by the user authentication unit 11 is displayed. The user identification information to be displayed may be information that allows an approver who has seen the information to uniquely identify a user (approval requesting user) who wants to receive approval of the authentication result. As an example of the user identification information, a user's name (including a nickname), information obtained by adding a department name to the name, and the like can be used.

  The approval determination input unit 124 inputs approval approval determination information made by the approver itself based on the user's voice output from the audio output unit 122 and the user identification information displayed on the authentication result display unit 123. Is for. The approval determination input unit 124 includes, for example, an approval OK button for performing a pressing operation when it is determined that the authentication result is approved, and an approval NG button for performing a pressing operation when it is determined that the authentication result is not approved. It is done. Further, the approval determination input unit 124 gives approval permission information based on the approval permission determination information input by the approver to the communication control unit 10.

  FIG. 6 is a flowchart showing a processing flow (communication control method) when controlling communication between the client device and the server device in the client-server system according to the embodiment of the present invention. First, a connection request (access request) is made from the client device 1 to the server device 2 via the network 3, and a logical communication connection (connection) is established between the two by accepting the connection request by the server device 2. (Step S1). Next, communication for user authentication is performed on the previously established communication connection (step S2). Communication for user authentication is performed according to the following procedure.

  First, the server device 2 requests the client device 1 to transmit authentication information that is necessary when the user authentication unit 11 authenticates the user. In response to this transmission request, the client device 1 prompts the user who is using (operating) the client device 1 to input authentication information, and the user actually uses the authentication information input unit 6 to authenticate the authentication information ( When the user ID and password are input, this authentication information is transmitted to the server device 2. Then, the server device 2 receives the authentication information transmitted from the client device 1 and sends it to the user authentication unit 11 to perform user authentication processing.

  In the authentication process by the user authentication unit 11, it is confirmed whether or not user information including information that matches the authentication information transmitted from the client device 1 exists in the database. If it does not exist, it is determined that the user is not a regular user. If it is determined that the user is an authorized user, the communication control unit 10 is notified of an authentication result indicating that the authentication has been successful. If it is determined that the user is not an authorized user, an authentication result indicating that the authentication has failed is displayed. Notify the communication control unit 10. In response to the notification of the authentication result, the communication control unit 10 determines whether or not the authentication by the user authentication unit 11 is successful, and controls the subsequent communication connection.

  That is, when the authentication is successful (Yes in step S3), communication for approving the authentication result by the user authentication unit 11 is performed on the previously established communication connection (step S4). If authentication fails (No in step S3), the communication between the two is disconnected at that time (step S8). Communication for approving the authentication result is performed in the following procedure.

  First, the server device 2 requests the client device 1 to transmit approval information necessary for approving the authentication result together with the notification that the user authentication unit 11 has succeeded in user authentication. In response to this transmission request, the client device 1 prompts the user who is using (operating) the client device 1 to input approval information, and the user actually receives the approval information from the authentication information input unit 7. When input, approval request information including the approval information is transmitted to the server device 2. The approval request information includes header information for requesting approval of the authentication result and approval information necessary for approval. At this time, the client device 1 captures the user's voice from the voice input unit 71 of the approval information input unit 7 and sends the user's voice data generated thereby from the voice transmission unit 72 to the communication control unit 5. The voice data of the user as the approval information is transmitted from the network interface unit 4 to the server device 2 via the network 3. Then, after the approval request information is transmitted, the authentication result is awaiting approval (waiting for a response).

  On the other hand, the server device 2 receives the approval request information transmitted from the client device 1, sends the approval information (user's voice data) included in the approval request information to the approval determination unit 12, and approves the authentication result. Process whether or not. In this approval processing, the approval request information transmitted from the client device 1 is received by the network interface unit 9 and sent to the communication control unit 10. Further, the approval information included in the approval request information, that is, the user's voice data is transmitted to the communication control unit. The data is extracted at 10 and sent to the approval determination unit 12. Then, the approval determination unit 12 receives the audio data sent from the communication control unit 10 by the audio reception unit 121 and sends it to the audio output unit 122, where the user's audio data is reproduced and output. In parallel with this, the identification information of the user authenticated as the authorized user by the user authentication unit 11 is sent from the communication control unit 10 to the approval determination unit 12, and this user identification information is displayed on the authentication result display unit 123. To do. Thereby, the approver in the space where the server apparatus 2 is installed and close to the server apparatus 2 confirms the user's voice output from the audio output unit 122 with the ear, and displays the authentication result on the authentication result display unit 123. The displayed user identification information can be visually confirmed.

  As a result, the approver can determine (confirm) whether the user who intends to use the service using the client device 1 is the user who has been authenticated by the user authenticating unit 11 as the authorized user. it can. At this time, the approver uses the approval determination input unit 124 to input information based on the approval / disapproval determination made by himself / herself. For example, in the situation where the approval OK button and the approval NG button are provided in the approval determination input unit 124 as described above, if the approver determines to approve the authentication result in the user authentication unit 11, If approval approval / disapproval determination information is input by pressing the approval OK button and it is determined that the authentication result in the user authentication unit 11 is not approved, approval approval determination information is input by pressing the approval NG button. As a result, when the approval OK button is pressed by the approver, the approval determination unit 12 determines that the authentication result is approved, notifies the communication control unit 10 of approval / disapproval information, and the approver approves the approval. When the NG button is pressed, it is determined that the authentication result is not approved, and approval approval / disapproval information to that effect is notified to the communication control unit 10. Then, the communication control unit 10 transmits (notifies) the approval / denial information input thereto to the client device 1 from the network interface unit 9 via the network 3. Accordingly, the client device 1 can know whether or not the authentication result has been successfully approved on the server device 2 side by checking the content of the approval / disapproval information transmitted from the server device 2.

  Subsequently, when the authentication result is approved (Yes in step S5), communication for using or providing the service is performed between the client device 1 and the server device 2 (step S6). If the authentication result is not approved (No in step S5), the communication between the two is disconnected at that time (step S8). The communication control unit 10 of the server apparatus 2 performs the disconnection of communication on an initiative basis. Communication for use and provision of services is performed according to the following procedure.

  First, in the client device 1, a request message describing a desired service content is created by the service using unit 8, and this request message is sent to the communication control unit 5. Then, the communication control unit 5 transmits the service use request message received from the service use unit 8 from the network interface unit 4 to the server device 2 via the network 3. Then, in the server device 2, the request message transmitted from the client device 1 is received by the network interface unit 9 and sent to the communication control unit 10, and further the request message is sent from the communication control unit 10 to the service providing unit 13. The service using unit 13 that has received the request message determines whether or not the service requested by the request message can be actually provided, and if it can be provided, the actually requested service is provided.

  Thereafter, the client device 1 notifies the server device 2 that the use of the service is terminated, or the server device 2 waits for a service use request to reach a preset timeout time. When the use of is terminated (Yes in step S7), the communication between the two is disconnected at that time (step S8).

  By performing data communication between the client device 1 and the server device 2 in this way, authentication information (user ID, user password) necessary for a legitimate user to use the service is provided to a third party. This third party sends his authentication information (user ID, password) to the server device 2 using his computer device as the client device 1, and the user authentication unit 11 authenticates that he is a legitimate user. Even if it is received, the service cannot be used until the authentication result is approved. When actually receiving approval, it is necessary for a third party who attempts unauthorized intrusion to input his / her voice through the approval information input unit 7 of the client apparatus 1 and send the voice data to the server apparatus 2. In such a case, the authenticator who is on the server device 2 side checks whether or not the voice output from the voice output unit 122 of the approval determination unit 12 matches the voice of the authorized user, and if it matches, the authentication result is approved. Approval approval / disapproval determination information is input from the approval determination input unit 124. If they do not match, approval approval / disapproval determination information indicating that the authentication result is not approved is input from the approval determination input unit 124. Therefore, it is possible to provide services only to authorized users without providing services to third parties who become unauthorized intruders.

  Thereby, when user authentication is performed using a user ID and a password, unauthorized intrusion by a third party can be surely prevented without configuring the password with complicated words. In addition, since it is not necessary to use identification information unique to a device such as a MAC address for user authentication, the computer device that can use the service is not limited. As a result, security against unauthorized intrusion can be enhanced without impairing the convenience of the network.

  In the above embodiment, the user's voice information (voice data) is used as the authentication information included in the authentication request information. However, the present invention is not limited to this. For example, video information showing the user's face is used. You may make it use. In addition to this, for example, the approver inquires the user by voice or text using the server device 2 for information that only the authorized user can know, and a response (answer) to the inquiry, that is, between the user and the user. The communication information (conversation content using voice, characters, etc.) exchanged in (1) may be used as authentication information.

  In the above-described embodiment, the approval request information including the approval information is transmitted from the client device 1 to the server device 2 over the communication connection established between the client device 1 and the server device 2. The approval request information may be notified to the approver through a communication path different from the communication connection. Specifically, the following embodiments can be employed.

  FIG. 7 is a functional block diagram showing a configuration example of a client device according to another embodiment of the present invention. As illustrated, the client apparatus 1 includes a network interface unit 4, a communication control unit 5, an authentication information input unit 6, a service use unit 8, and an information output unit 14. Among these, the functions of the network interface unit 4, the communication control unit 5, the authentication information input unit 6, and the service use unit 8 are the same as those in the above-described embodiment. The information output unit 14 outputs communication connection identification information for identifying a communication connection established between the client device 1 and the server device 2.

  FIG. 8 is a functional block diagram showing a configuration example of a server apparatus according to another embodiment of the present invention. As illustrated, the server apparatus 2 includes a network interface unit 9, a communication control unit 10, a user authentication unit 11, an approval determination unit 12, and a service providing unit 13. Although the overall configuration is the same as that of the above-described embodiment, the internal configuration (described later) of the approval determination unit 12 is different from the above-described embodiment.

  FIG. 9 is a functional block diagram illustrating a configuration example of an information output unit included in a client device according to another embodiment of the present invention. As shown in the figure, the information output unit 14 includes an information display unit 141 and an information acquisition unit 142. The information display unit 141 displays the communication connection identification information as visible information on a monitor or the like. The information acquisition unit 142 acquires the communication connection identification information from the communication control unit 10 and gives the acquired communication connection identification information to the information display unit 141. As the communication connection identification information, the IP address of the client device 1 or a TCP port number can be used. Thereby, the user who intends to use the service using the client device 1 can read the communication connection identification information from the visible information displayed on the information display unit 141 of the information output unit 14.

  FIG. 10 is a functional block diagram illustrating a configuration example of an approval determination unit included in a server device according to another embodiment of the present invention. As illustrated, the approval determination unit 12 includes an information acquisition unit 125, an information collation unit 126, and an information input unit 127. The information acquisition unit 125 acquires the communication connection identification information successfully authenticated by the user authentication unit 11 from the communication control unit 10, and gives the acquired communication connection identification information to the information matching unit 126. The communication connection identification information that has been successfully authenticated includes the client device 1 used by the user who has been confirmed (authenticated) by the user authentication unit 11 and the server device designated by the user as the service provider. 2 is information for identifying a communication connection established with the communication terminal 2. Therefore, for example, when the IP address of the client device 1 is used as communication connection identification information, the IP address of the client device 1 used by the user confirmed (authenticated) by the user authentication unit 11 as a regular user is communicated. It is acquired from the control unit 10 by the information acquisition unit 125. In addition, the IP address acquired in this way becomes the IP address of the client apparatus 1 that is waiting for approval of the authentication result by the user authentication unit 11 and is waiting for approval.

  On the other hand, the information input unit 127 is used to input communication connection identification information that is included in the approval request information and notified from the user to the approver, and approval approval / disapproval determination information made by the approver itself. The information input unit 127 is configured by a keyboard or the like. In addition, the information input unit 127 includes, for example, an approval OK button for performing a pressing operation when it is determined that the authentication result is approved, and an approval NG button for performing a pressing operation when it is determined that the authentication result is not approved. It is done. Further, the communication connection identification information and the approval / disapproval determination information input by the approver using the information input unit 127 are given to the information collating unit 126.

  The information collation unit 126 collates the communication connection identification information given from the information acquisition unit 125 and the communication connection identification information given from the information input unit 127 to confirm whether or not both pieces of information match. Whether or not to approve the authentication result by the user authentication unit 11 is determined based on the collation result and the approval / disapproval determination information input by the approver. That is, when the approver presses the approval OK button to input the approval / disapproval determination information, the communication connection identification information input together with the approval / disapproval determination information is the communication connection identification information given from the information acquisition unit 125. Is determined to approve the authentication result. If the approver presses the approval NG button and inputs approval approval / disapproval determination information, it is determined that the authentication result is not approved. When it is determined that the authentication result is approved in the information collating unit 126, approval approval / disapproval information indicating that the authentication result is approved is sent to the communication control unit 10, and when it is determined that the authentication result is not approved, the approval approval / disapproval information indicating that is approved. Send to 10. In addition, when the approver presses the approval OK button or the approval NG button to input approval approval determination information, the communication connection identification information input together with the approval approval determination information is given from the information acquisition unit 125. If the communication connection identification information does not match, the communication connection identification information notified to the approver by the user or the communication connection identification information input by the approver is incorrect, so the communication connection corresponding to the input communication connection identification information A notification process is performed to notify the approver that it cannot be found. This notification process may be performed by the approval determination unit 12 or may be performed by the communication control unit 10 in response to a notification from the approval determination unit 12.

  Next, a flow of processing when controlling communication between a client device and a server device in a client server system according to another embodiment of the present invention will be described. The basic processing flow in the client-server system is the same as that shown in FIG. 6, but the communication processing for approving the authentication result after successful user authentication is performed as described above. It is different from the case of form.

  That is, when the communication processing for approving the authentication result is performed, the server apparatus 2 uses the approval unit necessary for approving the authentication result together with the notification that the user authentication unit 11 has succeeded in user authentication. Request the client device 1 to notify the information. In response to this, in the client device 1, the information acquisition unit 142 acquires the IP address (or TCP port number) of the own device serving as communication connection identification information from the communication control unit 10, and displays this on the information display unit 141. Then, the authentication result is awaiting approval. At this time, the user who wants to receive approval of the authentication result reads the IP address displayed on the information display unit 141. Then, in order to respond to the request for notification of authentication information, for example, the user calls the approver on the server device 2 side and informs the approver that he / she requests the approval of the authentication result. The communication connection identification information (IP address or the like) is read from the information display unit 141 and transmitted to the approver. Thereby, as shown in FIG. 11, the communication connection identification information is notified from the user on the client device 1 side to the approver on the server device 2 side. At this time, together with the communication connection identification information notified to the approver using the telephone, the user's voice actually transmitted from the telephone port to the approver is used as the approval information.

  When the communication connection identification information is notified from the user to the approver in this way, the approver determines whether or not the user's voice actually heard over the telephone matches the voice (voice quality) of the regular user. When it is determined that the authorized user is correct, the approval determination unit 12 of the server device 2 inputs the communication connection identification information notified by the user from the information input unit 127 and identifies with the communication connection identification information. Approval approval determination information for approving the authentication result of the user who is accessing using the connected communication is input by pressing the approval OK button. On the other hand, if it is determined that the user is not the authorized user, the approval determination unit 12 of the server device 2 inputs the communication connection identification information notified from the user from the information input unit 127 and the communication connection identification information. Approval determination information indicating that the authentication result of the user who is accessing using the communication connection identified in the above is not approved is input by pressing the approval NG button.

  Then, in the approval determination unit 12, for example, when the information is input from the information input unit 127, or when the user authentication unit 11 succeeds in authenticating the user before that, the information acquisition unit 125 has successfully authenticated. The connection identification information is acquired from the communication control unit 10 and given to the information matching unit 126. In addition, when the communication connection identification information is input by the approver, the information input unit 127 gives this to the information matching unit 126. As a result, the information collation unit 126 collates the communication connection identification information given from the information acquisition unit 125 with the communication connection identification information given from the information input unit 127. In order to notify, the approval based on the approval / disapproval determination information input from the information input unit 127 so as to notify the client apparatus 1 accessing using the communication connection identified by the communication connection identification information of the approval approval / disapproval result. The availability information is given to the communication control unit 10. Then, the communication control unit 10 transmits (notifies) the approval / non-permission information input from the approval determination unit 12 to the client device 1 via the network 3 from the network interface unit 9. Further, in the communication control unit 10, when it is determined that the authentication determination unit 12 does not approve the authentication result, the communication control unit 10 is identified (specified) by the communication connection identification information that has not been approved from among the plurality of communication connections currently being accessed. The communication connection to be extracted is disconnected. Further, in the above collation result, when the two pieces of information do not match, a notification process is performed in which the approver is notified by a message display or a warning sound.

  By performing data communication between the client device 1 and the server device 2 in this way, authentication information (user ID, user password) necessary for a legitimate user to use the service is provided to a third party. This third party sends his authentication information (user ID, password) to the server device 2 using his computer device as the client device 1, and the user authentication unit 11 authenticates that he is a legitimate user. Even if it is received, the service cannot be used until the authentication result is approved. When actually receiving approval, it is necessary for a third party who attempts unauthorized intrusion to notify the approver of communication connection identification information by telephone. In such a case, the authenticator on the server device 2 side checks whether or not the voice of the user who can be heard from the telephone matches the voice of the legitimate user, and if it matches, it matches the communication connection identification information notified by the user. Approval determination information for approving the authentication result is input from the approval determination input unit 124. If they do not match, the approval approval determination for not approving the authentication result is performed together with the communication connection identification information notified by the user. Information is input from the approval determination input unit 124. Therefore, it is possible to provide services only to authorized users without providing services to third parties who become unauthorized intruders. Therefore, as in the previous embodiment, security against unauthorized intrusion can be enhanced without degrading the convenience of the network.

  The notification of the communication connection identification information from the user to the approver may be any information that uses a communication path different from the communication connection established between the client device 1 and the server device 2. Therefore, in addition to using the telephone, it is also possible to use e-mail or the like. However, in the case of notifying by e-mail, it is necessary for the approver to determine (confirm) whether the user who actually notified the information is a regular user. It is necessary to notify by using an electronic mail with a certificate attached with a certificate proving that the notification is from the authorized user, such as a fingerprint. When using e-mail, the approver and the authorized user do not need to be in a familiar relationship. In addition, as a combination thereof, communication connection identification information can be notified by e-mail, and approval of the authentication result can be requested by telephone.

It is the schematic which shows the structural example of the client server system to which this invention is applied. It is a functional block diagram which shows the structural example of the client apparatus which concerns on embodiment of invention. It is a functional block diagram which shows the structural example of the server apparatus which concerns on embodiment of this invention. It is a functional block diagram which shows the structural example of the information input part for approval with which the client apparatus which concerns on embodiment of this invention is provided. It is a functional block diagram which shows the structural example of the approval determination part with which the server apparatus which concerns on embodiment of this invention is provided. It is a flowchart which shows the flow of a process at the time of controlling communication between a client apparatus and a server apparatus in the client server system which concerns on embodiment of this invention. It is a functional block diagram which shows the structural example of the client apparatus which concerns on other embodiment of this invention. It is a functional block diagram which shows the structural example of the server apparatus which concerns on other embodiment of this invention. It is a functional block diagram which shows the structural example of the information output part with which the client apparatus which concerns on other embodiment of this invention is provided. It is a functional block diagram which shows the structural example of the approval determination part with which the server apparatus which concerns on other embodiment of this invention is provided. It is a conceptual diagram which shows an example of the approval process at the time of controlling the communication between a client apparatus and a server apparatus with the client server system which concerns on other embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Client apparatus, 2 ... Server apparatus, 3 ... Network, 4 ... Network interface part, 5 ... Communication control part, 6 ... Information input part for authentication, 7 ... Information input part for approval, 8 ... Service utilization part, 9 ... Network interface unit, 10 ... communication control unit, 11 ... user authentication unit, 12 ... approval determination unit, 13 ... service providing unit, 14 ... information output unit

Claims (9)

A client server system in which a client device and a server device are connected via a network,
The server device authenticates a user who intends to use a service using the client device, and determines whether or not to approve an authentication result by the user authentication unit. An approval determination unit for determining approval based on approval approval determination information input by an approver upon receiving approval request information from the user, and an authentication result by the user authentication unit and an approval determination result by the approval determination unit A client server system comprising: communication control means for controlling communication with a client device. The approval request information is at least one information of voice information, video information, and communication information with the user as the authentication target as approval information required when approving the authentication result. The client server system according to claim 1, comprising: The approval request information is communication for identifying a communication connection between the client device used by the user who is the approval target and the server device, as information for approval required when approving the authentication result. The client server system according to claim 1, further comprising connection identification information. The client server system according to claim 1, wherein the approval determination unit includes a unit that receives an input of the approval approval determination information from the approver. The client server system according to claim 2, wherein the approval request information is transmitted from the client device to the server device over a communication connection established between the client device and the server device. The client according to claim 3, wherein the approval request information is notified from the user to the approver through a communication path different from a communication connection established between the client device and the server device. Server system. The client server system according to claim 4, wherein the approval determination unit receives an input of the approval propriety determination information from an approver in a space where the server device is installed. A server device connected to a client device via a network,
User authentication means for authenticating a user who intends to use a service using the client device;
Approval determination for determining whether to approve an authentication result by the user authentication unit based on approval approval determination information input by an approver in response to approval request information from a user to be authenticated by the user authentication unit Means,
A server apparatus comprising: a communication control unit that controls communication with the client device based on an authentication result by the user authentication unit and an approval determination result by the approval determination unit. A communication control method in a client server system in which a client device and a server device are connected via a network,
A user authentication process for authenticating a user who intends to use a service using the client device;
Approval determination for determining whether to approve an authentication result by the user authentication processing based on approval approval determination information input by an approver in response to approval request information from a user to be authenticated in the user authentication processing Processing,
A communication control method, comprising: controlling communication between the client device and the server device based on an authentication result of the user authentication process and an approval determination result of the approval determination process.

Images