JP2005293114A - Authentication method in computer network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication method in a network for preventing a terminal from being connected to a network without permission when the terminal is handed to the others without making it necessary to use any exclusive key. <P>SOLUTION: A memory 34 of a portable telephone set 3 is stored with user identification information and an authentication code. A hard disk 25 of a PC 2 is stored with user identification information. A hard disk 13 of a center 1 is stored with a first table 133 in which the authentication code is recorded so as to be associated with each user identification information. When a portable telephone 3 transmits the authentication code with the user identification information to the center 1, the center 1 compares the received authentication code with the authentication code stored so as to be associated with the received user identification information in the first table 133 for authentication, and when the authentication is successful, the center 1 permits its data communication with the PC2 which has requested connection by designating the same user identification information. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an authentication method for authenticating a user who is operating a terminal that has accessed a server device in a computer network.

  In recent years, so-called personal computer communication that connects terminals operated by a large number of users and one server device (or a group of server devices) online to perform mutual data communication, or a spider web connection Computer networks such as the Internet that allow data communication between a large number of server devices and a large number of terminals have become widespread.

  In order to perform data communication on such a computer network, it is necessary to identify the user who is operating the access source terminal.

  For example, in so-called personal computer communication, a user who is authorized to access a server device usually has a user who is registered in advance with this server device (that is, by signing a contract with a supplier operating this server device). The service usage fee is charged to the user according to the service usage status. Therefore, when there is an access from any of the terminals, the server device authenticates whether the operator operating the access source terminal is a registered member, and is a member. In this case, thereafter, data communication with the terminal is permitted, and the service usage fee is charged to the member according to the data communication status.

  In the case of the Internet, each terminal accesses a large number of hosts on the Internet through an ISP (Internet Service Provider) server corresponding to a server device in personal computer communication. That is, each ISP server authenticates whether or not the user operating the access source terminal is a registered member when accessed from any terminal through an access point or broadband. If it is a member, it issues an IP address to the terminal, attaches the IP address, and sends an IP packet (stores an HTTP request message) addressed to the server on the Internet from the terminal to the Internet. Transfer the IP packet addressed to the terminal with the IP address from the Internet (stores the HTTP response message) to the terminal, and serve the member according to the status of such data communication Charge usage fees.

  Some servers on the Internet (which may be built on the same LAN as the ISP server) provide paid content services. When such a server is accessed from any terminal through the Internet (that is, when an HTTP request message is received), it is determined whether or not the user operating the access source terminal is a registered member. If it is authenticated and the member is a member, the request target content is transmitted to the terminal thereafter, and the service usage fee is charged to the member in accordance with the transmission state of such content.

  As described above, in user authentication performed in various scenes of a computer network, a combination of a user ID and a password assigned to each user registered as a member is recorded in advance in a database in the server device. In addition, when accessed from any terminal, the terminal requests the terminal to transmit the user ID and password of the operator, and the combination of the user ID and password transmitted by the terminal in response to this is registered in the database. This is done by checking whether the user has been registered and, if registered, authenticating that the user is a member.

  Such user IDs and passwords are preferably complex in consideration of security, but complicated user IDs and passwords are difficult to memorize and are difficult to input even when they are accurately remembered. For this reason, there is a drawback that input mistakes easily occur.

  On the other hand, many communication programs installed in the terminal can store a user ID and a password, and can save the trouble of inputting them each time authentication is performed. However, if a set of user ID and password is stored in the terminal in this way, if the owner loses the terminal or is stolen, the person who obtains the terminal is not authorized by the owner. Connecting to the network, accessing the content, posting on the bulletin board in the name of the owner, or purchasing goods or services may cause social and economic disadvantages to the owner .

  In order to solve such a problem, a mechanical or electronic lock linked to the main switch of the terminal may be incorporated in the terminal, but a dedicated key for opening and closing the lock is held separately from the terminal. Managing is practically cumbersome. Moreover, such a key can be easily broken by disassembling the terminal and changing the wiring.

  Therefore, the present invention is connected to the network without permission without requiring a dedicated key and without having to input a user ID or / and password each time authentication is performed. It is an object of the present invention to provide an authentication method in a computer network that can prevent such a situation.

  The first aspect of the authentication method in the computer network according to the present invention devised to solve the above-mentioned problems is the first type terminal and the second type terminal respectively having identification information related to each other, these terminals and the computer network. An authentication method for the center device to perform data communication related to a specific service with the second type terminal in a network including a center device capable of communication through the first type terminal and the center device. , Each having a storage device, and storing an authentication code associated with each other in each storage device in association with the identification information, and the first type terminal being stored in its own storage device When the authentication code is transmitted to the center device together with the identification information, the center device receives from the first type terminal. The authentication code is compared with the authentication code stored in its own storage device in association with the identification information received from the first type terminal, and when both authentication codes are related to each other, Data communication regarding a specific service is performed with a second type terminal having identification information related to the identification information.

  When configured in this way, when a user intends to make a connection request to the center device using the second type terminal having identification information stored in the storage device of the center device as indicating itself, By activating the first type terminal having the identification information associated with this identification information, the authentication code stored in the storage device of the first type terminal and the identification information are transferred from the first type terminal to the center device. Send. Then, the center device compares the authentication code stored in the storage device in association with the identification information received from the first type terminal and the identification information received from the first type terminal, and both authentication codes are When they are related to each other, data communication related to a specific service is performed with the second type terminal having identification information related to the identification information. Therefore, the user does not need to input the conventional combination of user ID and password one by one. Therefore, no matter how complicated the authentication code is for the sake of security enhancement, it must be stored. It is freed from troublesomeness, troublesome input, and risk of incorrect input. In addition, even if the second type terminal that performs data communication related to the specific service is lost, the second type terminal is not used unless it is together with the first type terminal having identification information related to the identification information of the second type terminal. Since the third party who acquired the occupation of the seed terminal cannot connect the second type terminal to the network, the third party is not connected to the network without permission.

  The identification information of the first type terminal and the identification information of the second type terminal may be the same as each other, but may be uniquely associated according to a certain rule, or the association between the two in the center device. It may be registered in advance. In short, it is sufficient that the center device can recognize the relationship between the two.

  Similarly, the authentication code stored in the storage device of the center device and the authentication code stored in the first type terminal may be identical to each other, but are uniquely associated according to a certain rule. May be. For example, when the first type terminal includes a biocode detection device that reads a user's physical characteristics and converts it into a character string as a biocode, the specific position of the biocode is specified as a part of the authentication code. Specification information can be included. In this case, the first type terminal cuts out a part corresponding to the specific position designated by the designation information from the biocode acquired by the biocode detection means, and incorporates the cut out part into the authentication code, It transmits to the said center apparatus with identification information. In this case, the authentication code stored in one center device may include the designation information as long as the entire biocode is separately stored in the storage device, and the entire biocode may be stored separately in the storage device. If it is not stored, a part corresponding to the designation information in the biocode may be incorporated in advance. However, if the former is used, the designation information in the authentication code can be arbitrarily changed and used. That is, every time data communication related to a specific service is performed, and periodically during the communication, the authentication code is regenerated, overwritten in the storage device of the center device, and transmitted to the first type terminal. It can be used by overwriting the storage device of the type 1 terminal.

  Note that the first type terminal may transmit the authentication code and the identification information directly to the center apparatus without going through the second type terminal, or may send the authentication code and the identification information through the second type terminal.

  A second aspect of an authentication method in a computer network according to the present invention devised to solve the above-described problem is a network including a terminal having identification information and a center apparatus capable of communicating with the terminal through the computer network. An authentication method for the center device to perform data communication regarding a specific service with the terminal, wherein the terminal and the center device each include a storage device, and the storage device of the center device includes An authentication code is stored in association with the identification information, while a part of the authentication code is stored in the storage device of the terminal, and the terminal communicates with a wireless communication device that transmits the remainder of the authentication code. Wireless communication means for communicating between the wireless communication devices through the wireless communication means. When the remainder of the code is received, the remainder of the received authentication code is combined with a part of the authentication code stored in its own storage device, and then transmitted to the center device together with the identification information. Compares the authentication code received from the terminal with the authentication code stored in its own storage device in association with the identification information received from the terminal, and if both authentication codes are related to each other Thereafter, data communication regarding a specific service is performed with the terminal.

  With this configuration, when a user attempts to make a connection request to the center device using a terminal having identification information stored in the storage device of the center device as indicating itself, the wireless communication device And the remaining part of the authentication code is transmitted from the wireless communication apparatus to the terminal. The terminal receives the remaining part of the authentication code by the wireless communication means. Then, the authentication code is completed by combining a part of the authentication code stored in its own storage device and the remaining part of the received authentication code. Then, the completed authentication code is transmitted to the center device together with the identification information. Then, the center device compares the authentication code stored in the storage device in association with the identification information received from the terminal and the identification information received from the terminal, and the two authentication codes are related to each other. In this case, data communication regarding a specific service is performed with the terminal. Therefore, the user does not need to input the conventional combination of user ID and password one by one. Therefore, no matter how complicated the authentication code is for the sake of security enhancement, it must be stored. It is freed from troublesomeness, troublesome input, and risk of incorrect input. Moreover, even if the terminal is lost, the third party who has acquired the occupation of this terminal cannot connect the terminal to the network unless it is kept with the wireless communication device. It is not connected to the network without permission.

  According to the authentication method in the computer network according to the present invention configured as described above, the terminal can be used by another person without requiring a dedicated key even though it is not necessary to input a user ID or / and a password each time authentication is performed. It is possible to prevent unauthorized connection to the network when it reaches the hand of the user.

  Hereinafter, a form of a computer network that implements an authentication method according to the present invention will be described with reference to the drawings. The following example is an example in which the authentication method according to the present invention is implemented on the Internet.

Embodiment 1

(System configuration)
FIG. 1 is a block diagram showing a schematic configuration of a computer network according to the first embodiment of the present invention. As shown in FIG. 1, this computer network includes a single center 1 in which functions of various servers existing on a network operated by each ISP are collectively shown on a single computer, An access point (computer having a dial-up connection server function) 4 connected to the ISP network, the Internet (a computer network comprising a router of a primary provider, a backbone, a router of a secondary provider, etc.) N, and a telephone A PC 2 that can be connected to the access point 4 through a line or is connected to the Internet N by a server (not shown) operated by another ISP and can access the center 1 through the Internet N, and a mobile phone network (a number of terrestrial Station, wired to each of these ground stations In addition, the communication network is composed of a plurality of switching offices wired to each other in a hierarchical structure, a gateway to the Internet N, etc.) and any one of the ground stations of the cellular phone network M and The mobile phone 3 is configured to be accessible to the center 1 through the mobile phone network M and the Internet N.

  The PC 2 may be connected to the center 1 through a broadband resource of a broadband service provider that is affiliated with the ISP that operates the center 1 and the broadband service, instead of via the access point 4. Furthermore, the mobile phone 3 can communicate with the PC 2 through near field communication such as Bluetooth (trademark of Bluetooth SIG, USA) or infrared communication.

The PC 2 shown in FIG. 1 is a computer operated by a user (hereinafter referred to as “member”) who becomes a member who receives an Internet connection service or a content providing service provided by the ISP by making a contract with the ISP. Therefore, it is possible to connect to the center 1 through a dial-up connection through the access point 4, through a broadband resource available to the member by a broadband connection provider, and through the Internet N. Each PC 2 can access a general web server device (not shown) connected to the end of the Internet N through the Internet connection service provided by the center 1. This PC 2 corresponds to a second type terminal. The PC 2 is a CPU [Central processing unit] 20, a communication adapter 21. The display 22, input device 23, RAM [Random access memory] 24, hard disk 25, biocode detection device 28, and short-range wireless communication port 29 are configured.

  Of these, the CPU 20 is a central processing unit that controls the entire PC 2. The communication adapter 21 is a device that forms a physical interface with a telephone line connected to the access point 4. Specifically, the communication adapter 21 is a modem, a TA [Terminal Adapter], a router, etc., and supports broadband when using a broadband connection service. Will be replaced. The display 22 is a display device that displays an image generated by the CPU 20. The input device 23 includes a keyboard and a mouse. The RAM 24 is a main storage device in which a work area is developed when the CPU 20 executes various programs.

  The biocode detection device 28 is a device that digitizes the physical characteristics of the user who operates the PC 2 and inputs a numerical value indicating the physical characteristics (hereinafter referred to as “biocode”) to the CPU 20. is there. As this biocode detection device 28, for example, a device that detects and digitizes (vectorizes) a graphic feature of a user's fingerprint or iris is used. The short-range wireless communication port 29 is a Bluetooth card or an infrared communication port. The near field communication port 29 corresponds to a wireless communication unit.

  The hard disk 25 is a storage device that stores various programs and various data that are read and executed by the CPU 20. The program stored in the hard disk 25 has a function of performing communication according to TCP / IP (Transmission Control Protocol / Internet Protocol) with the center 1 and a web server device (not shown) via the communication adapter 21. Including an operating system (not shown), various messages are sent to the center 1 and general web server devices using the communication function of the operating system, and the web contents sent by the center 1 in response to these messages (Screen data consisting of HTML [Hyper Text Markup Language] data etc.) and interpreting and displaying the browser 26, using the communication function of the operating system and following the instructions input via the input device 23 between the center 1 Connection program 27 for communication, BioCo Driver program for collecting bio-code controls the detection unit 28, a driver program for performing short-range wireless communication by controlling the short-range wireless communications port 29, including. The connection program 27 is newly created to implement the present invention, and will be described in detail later with reference to FIG. On the other hand, since the browser 26 is a commercially available program (for example, “Internet Explorer [registered trademark of the company]” of Microsoft Corporation in the United States), a detailed description of the processing contents is omitted. The various data registered in the hard disk includes user identification information (user ID) of the user who uses the user terminal.

  The mobile phone 3 is a mobile communication terminal used by the same user as the PC 2. The mobile phone 3 corresponds to a first type terminal and a wireless communication device.

  The cellular phone 3 includes a CPU 30, a wireless device 31, a display 32, a keyboard 33, a memory 34, a biocode detection device 35, a voice input device 36, and a short-range wireless communication port 37 connected to each other via a bus B. Has been.

  Among these, the CPU 30 controls other hardware constituting the mobile phone 3 in accordance with a program stored in the memory 34, thereby enabling various functions of the mobile phone (voice call function, mail creation, transmission / reception, and display function). , Web browsing function, short-range wireless communication function, biocode detection function, etc.). The wireless device 31 is a device (including an antenna and a modem) that wirelessly transmits and receives data to and from a ground station (not shown) of the mobile phone network M in accordance with control by the CPU 30. The display 32 is a display device for displaying a screen generated when the CPU 30 realizes the various functions.

  The voice input / output device 36 is mainly a microphone and a speaker for voice calls. The keyboard 33 includes numeric keys, cursor keys, and function keys for inputting various commands and data (for example, a destination telephone number, a mail address of a mail transmission destination, a URL of a web page to be browsed, etc.) to the CPU 30. It is an input device.

  The biocode detection device 35 digitizes the physical characteristics of the user who operates the mobile phone 3 and inputs a numerical value indicating the physical characteristics (hereinafter, this numerical value is referred to as “biocode”) to the CPU 30. Device. The short-range wireless communication port 37 is a Bluetooth card or an infrared communication port.

  The memory 34 stores a program for causing the CPU 30 to execute the above various functions and various data, an authentication code received from the center 1, a biocode of the user that is collected and initially registered through the biocode detection device 35, and the like. The storage device includes a flash memory in which user identification information (user ID) of the user initially registered through the input device 23 is stored, and a RAM in which a work area of the CPU 30 is constructed.

  The program stored in the memory (ROM) 34 includes a program that realizes a communication function according to TCP [TLP] / IP [PDC-P], and a program that realizes a web page browsing function according to HTTP [ALP]. , A driver program for collecting the biocode by controlling the biocode detection device 35 and a driver program for performing the short-range wireless communication by controlling the short-range wireless communication port 37 are included.

  The access point 4 is connected to a telephone line and a dedicated line connected to the center 1 (that is, a network operated by the ISP), and when the PC 2 dial-up connected through the telephone line requests authentication, 1 requests authentication to the authentication server (authentication server program 123) that constitutes 1, and if this authentication server succeeds in authentication, it issues an IP address to the PC 2, and thereafter the PC 2 sends the IP address to the connection source. When a message stored in an IP packet incorporated as an IP address is transmitted, the message is transferred to the center 1. When a response addressed to the PC 2 is received from the center 1, the response is transferred to the PC 2.

  The center 1 is actually a plurality of server devices (computers) and routers existing on a network operated by the ISP. Such a center 1 has a function of a mail server, a function of a content server that executes a content providing service for providing contents to members, a function of an authentication server, and a member management server. Those that fulfill the function, those that fulfill the function of the accounting server, and the like are included. However, here, in order to simplify the description, the functions of these various servers will be described as being realized by a program executed on one computer.

  The computer (center device) as the center 1 is composed of a CPU 10, a communication interface 11, a RAM 12, and a hard disk 13 connected to each other by a bus B. Among these, the CPU 10 is a central processing unit (computer) that controls the entire center 1. The RAM 12 is a main storage device in which a work area is expanded when the CPU 10 executes various processes. The communication interface 11 includes a dedicated line connected to the Internet N and the access point 4, and is a communication device that can communicate with the PC 2 and the mobile phone 3 via the access point 4 and the Internet N.

  The hard disk 13 is a storage device that stores various programs 130 and various data read and executed by the CPU 10. The various programs 130 stored in the hard disk 13 include a program for performing the various functions described above (for example, a content server program 124 for performing the function of a content server, an authentication server for performing a function as an authentication server). A program 123) is included. Among these, the authentication server program 123 will be described in detail later with reference to the flowchart of FIG. The content server program 124 is a content subject to the content providing service for a terminal that has been authenticated (authenticated as a terminal operated by a user registered in advance as a member of the content providing service) by the authentication server program 123. Is a program that responds.

  In addition, various data stored in the hard disk 13 are contracted in advance with the ISP in addition to various contents transmitted to the request source terminal (PC2, mobile phone 3, etc.) according to the content server program 124. Personal information (user ID, password, member name, address, e-mail address, which is identification information uniquely assigned to the member) for each of the various other members (members of the Internet connection service, members of the content providing service) , A member database 132 in which a service type provided based on a contract for the member is registered, a first table 133 shown in FIG. 2, and a second table 134 shown in FIG. ing.

  As shown in FIG. 2, the first table 133 is composed of a large number of records assigned to each member registered in the member database 132. Each record has a “user” field in which user identification information (user ID) of the user to whom the record is assigned is stored, and a pointer to a storage area in the member database 132 in which information about the user is stored. “Detailed information” field to be stored, “Current code” field to store the authentication code currently set for the user, and the biocode of the user initially registered by the user when the service provision contract with the user is concluded (For example, in the case of a fingerprint, the whole obtained by encoding the entire fingerprint) “Biocode” field in which the value specifying the length (1 to n bytes) of the authentication code is "Code length" field set at random every time the authentication code is updated, update the above authentication code An “update frequency” field in which a default value or a user setting value of a period to be stored is stored, and identification information (pattern identification information) for identifying a pattern registered in the second table 134 as a structure pattern of the authentication code is possible The “pattern” field is made up of.

  As shown in FIG. 3, the second table 134 is composed of a number of records respectively assigned to all patterns that can be stored in the “pattern” field of the first table 133. Each record has a “pattern” field in which pattern identification information for identifying a pattern assigned to the record is stored, and types of characters (numeric characters, alphabetical characters, characters) included in the first segment of the pattern. “Character string, biocode)” and “first segment” field in which information specifying the combination of bytes (hereinafter referred to as “character string designation information”) is stored, as well as character strings for character strings incorporated in the second segment A “second segment” field in which designation information is stored, and a “third segment” field in which character string designation information about a character string incorporated in the third segment is stored. The biocode can take various character types depending on the encoding algorithm (in the “biocode” field of FIG. 2, an example in which alphabets and special symbols are combined is shown).

  Note that the authentication code generated based on the pattern in which the biocode character string designation information is included in any field of the second table 134 (stored in the “current code” field of the first table 133 and the mobile phone 3 Or the authentication code transmitted to the PC 2, the N-th byte to the N + Y-th byte in the biocode at the segment corresponding to the character string designation information of the biocode (where N is a random number when setting the authentication code) The information (hereinafter referred to as “extracted portion designation information”) for designating and substituting and substituting the integer selected for Y, where Y is the number of bytes designated by the character string designation information) is written. This cut-out portion designation information corresponds to designation information for designating a specific position of the biocode.

(Processing content)
Hereinafter, in the first embodiment, when the user connects the PC 2 to the center 1 and performs data communication related to a specific service, the CPU 30 of the mobile phone 3 performs processing (hereinafter simply referred to as “mobile phone”) according to a program on the memory 34. 3 ”, processing executed by the CPU 20 of the PC 2 in accordance with the connection program 27 (hereinafter simply referred to as“ processing of PC 2 ”), and processing executed by the CPU 10 of the center 1 in accordance with the authentication server program 123 (hereinafter referred to as“ processing 2 ”). Will be described with reference to the flowchart of FIG. In the present embodiment, the biocode detection device 28 of the PC 2 is not used. In addition, the memory 34 of the mobile phone 3 stores the biocode of the user input in the initial setting, and stores the latest authentication code received from the authentication server in the past processing ( S207, S009).

  A user who has authority to use the PC 2 and the mobile phone 3 first starts the connection program 27 by inputting a predetermined command to the input device 23 of the PC 2. Then, in the first S101, a connection request specifying user identification information stored in the hard disk 25 is made to the center 1 through the access point 4 or the Internet N. Then, in the center 1, the authentication server (authentication server program 123) is activated and waits for an authentication code from the mobile phone 3 in the first S201. On the other hand, the PC 2 also waits for a response result from the mobile phone 3 in S102.

  Next, the user turns on the mobile phone 3. Then, in the first S001, the mobile phone 3 checks whether or not it is initially set to perform bio-authentication for activation with reference to the initial setting value on the memory 34. If the setting for performing bio-authentication for activation has not been made, the mobile phone 3 advances the process to S004 as it is.

  On the other hand, when the setting for performing the bio setting for activation is performed, the mobile phone 3 executes the bio authentication process for activation in S002. In this bio-authentication process, after an instruction to collect a biocode of the user through the biocode detection device 35 is displayed on the display 32, the biocode input from the biocode detection device 35 is initially stored in the memory 34. In comparison with the registered biocode, this is a process for determining that the authentication is OK when the two match (when the degree of coincidence exceeds a predetermined ratio).

  In next S003, the mobile phone 3 checks whether or not the result of the bio-authentication process in S002 is authentication OK. If the authentication is not OK, the mobile phone 3 stops activation and turns off the power. On the other hand, if the authentication is OK, the mobile phone 3 advances the process to S004.

  In S004, the mobile phone 3 waits for an input to the keyboard 33 and checks whether the input is for selecting connection of the PC2. If the input to the keyboard 33 does not select connection of the PC 2, the mobile phone 3 executes processing according to the content of the input in S 012.

  On the other hand, if the input to the keyboard 33 selects the connection of the PC 2, the mobile phone 3 executes a process of transmitting an authentication code to the authentication server of the center 1 in S005. That is, the cellular phone 3 checks whether or not the cutout portion designation information is included in the authentication code stored in the memory 34. And when cut-out part designation | designated information is contained in an authentication code, it is checked whether S002 was performed, and when S002 was performed, from the biocode collected in S002, The range specified by the cutout part designation information is cut out and substituted into the cutout part designation information in the authentication code. On the other hand, when S002 is not executed, the mobile phone 3 displays an instruction to the user to collect its biocode through the biocode detection device 35 on the display 32, and then detects this biocode. From the biocode input from the device 35, the range designated by the cutout portion designation information is cut out and substituted into the cutout portion designation information in the authentication code. On the other hand, when the cutout portion designation information is not included in the authentication code, the mobile phone 3 reads the authentication code from the memory 34 as it is. Thereafter, the mobile phone 3 transmits the authentication code together with the user identification information stored in the memory 34 to the authentication server of the center 1 via the mobile phone network M and the Internet N. After completing S005, the cellular phone 3 waits for a response from the authentication server in the next S006.

  Upon receiving the authentication code and user identification information transmitted from the mobile phone 3, the authentication server advances the process from S201 to S202 and executes the authentication process. That is, the authentication server, when the authentication code registered in the first table 133 in association with the received user identification information does not include the cutout portion designation information, the authentication code and the authentication received from the mobile phone 3 Compare with code. Further, when the authentication code registered in the first table 133 in association with the received user identification information includes the cutout portion designation information, it is registered in the first table 133 in association with this authentication code. A portion indicated by the cut-out portion designation information is cut out from the biocode and substituted into the cut-out portion designation information. Then, the authentication code after substitution is compared with the received authentication code. In any case, if both authentication codes match, it is determined that the authentication is OK, and if both authentication codes do not match, it is determined that the authentication is NG.

  When S202 is completed, the authentication server transmits the result (authentication result) of the authentication process in S202 to the mobile phone 3 in the next S203, and in the next S204, whether or not the authentication result is an authentication OK. Check. If the authentication server is authenticated NG, the process is interrupted. If the authentication is OK, the access point 4 or content server program connected to the PC 2 indicates that the authentication for the user identification information is completed in S205. 124 is notified. As a result, the access point 4 that has received the notification can relay the communication with the PC 2 that has requested the connection by designating the user identification information, and the content server program 124 is able to relay from the PC 2 having the user identification information. In response to the request, the content providing service target content can be responded.

  On the other hand, the mobile phone 3 that has received the authentication result advances the process from S006 to S007. In S007, the mobile phone 3 notifies the PC 2 of the received authentication result through short-range wireless communication. In next S008, the mobile phone 3 checks whether or not the received authentication result is authentication OK. Then, if the authentication result is authentication NG, the mobile phone 3 gives up the connection and executes other functions (such as waiting for a new function selection) in S012. On the other hand, if the authentication result is authentication OK, the mobile phone 3 advances the process to S009.

  On the other hand, the PC 2 that has received the authentication result advances the process from S102 to S103. In S103, the PC 2 checks whether or not the received authentication result is authentication OK. If the authentication result is authentication NG, the PC 2 displays a warning on the display 22 in S104, and then ends the process. On the other hand, if the authentication result is authentication OK, the PC 2 starts communication with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124 in S105.

  On the other hand, the authentication server that has completed S205 executes a new code generation process in S206. FIG. 5 is a flowchart showing a new code generation processing subroutine executed in S206. In the first step S301 after entering this subroutine, the authentication server reads the pattern identification information stored in the first table 133 in association with the user identification information notified from the PC 2 and the mobile phone 3.

  In next step S302, the authentication server reads out the character string designation information of the first to third segments stored in the second table 134 corresponding to the pattern identification information read out in step S301.

  In the next S303, the authentication server generates an authentication code based on the character string designation information of the first to third segments read in S302. Specifically, for each character string designation information, the authentication server generates an arbitrary character of the type designated by the character string designation information for the designated number of bytes. However, if the type designated by the character string designation information is a biocode, the authentication server uses the randomly selected value of N and the number of bytes designated by the character string designation information to extract the cutout portion designation information. Is generated. The authentication server then combines the generated character strings of the first to third segments in order. In the authentication server, the total number of bytes designated by the character string designation information of the first to third segments is the code registered in the first table 133 corresponding to the pattern identification information acquired in S301. When the length is insufficient, a character string designated by the same character string designation information as that of the first segment is added after the third segment character string by an amount corresponding to the shortage byte. If the character string is still insufficient, the character string specified by the same character string specifying information as the second segment and the character string specified by the same character string specifying information as the second segment will be used. Add a column.

  In next step S304, the authentication server checks whether or not the change of the pattern identification information is designated based on the initially set condition. If the change of the pattern identification information is not designated, the authentication server ends the new code generation process as it is. On the other hand, when the change of the pattern identification information is designated, the authentication server randomly changes the pattern identification information read in S301 registered in the first table 133 in S305. The new code generation process is terminated.

  After completing the new code generation process, the authentication server advances the process from S206 to S207. In S207, the authentication server transmits the authentication code newly generated in S206 to the mobile phone 3 via the mobile phone network M and the Internet N.

  In next S208, the authentication server updates the authentication code stored in the first table 133 in association with the user identification information notified from the PC 2 and the mobile phone 3 with the authentication code newly generated in S206. .

  In the next step S209, the authentication server designates code generation for each access based on the update frequency stored in the first table 133 in association with the user identification information notified from the PC 2 and the mobile phone 3. Check whether or not. When code generation is designated for each access, the authentication server ends all the processes.

  On the other hand, if code generation is not designated for each access, the authentication server is notified of the elapsed time since the generation of the authentication code in S206 from the PC 2 and the mobile phone 3 in S210. It is checked whether or not the period stored in the first table 133 has been exceeded in association with the user identification information. If the elapsed time has not yet exceeded the cycle, the authentication server performs the connection between the center 2 and the PC 2 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124 in S211. Check whether the communication is disconnected.

  If the communication is still continued, the authentication server returns the process to S210. If the elapsed time exceeds the period while repeating the loop of S210 and S211, the authentication server returns the process to S206 and generates a new authentication code again.

  On the other hand, in S009, the mobile phone 3 checks whether or not a new authentication code has been received from the authentication server. If a new authentication code has not been received, the mobile phone 3 checks whether or not a disconnection notification has been received from the PC 2 in S011. If the disconnection notification has not yet been received from the PC 2, the process returns to S009. If a new authentication code is received from the authentication server while repeating the loop processing of S009 and S010 above, the mobile phone 3 advances the processing from S009 to S010, and authenticates the authentication code stored in the memory 34. Update with new authentication code received from server. When S010 is completed, the mobile phone 3 advances the process to S011.

  On the other hand, the PC 2 disconnects the communication performed with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124, or when the communication is disconnected, the processing is performed in S105. From step S106, a disconnection notice is transmitted to the mobile phone 3 through the short-range wireless communication, and then the processing by the connection program 27 is terminated.

  On the other hand, the mobile phone 3 that has received this connection notification from the PC 2 advances the process from S011 to S012, and executes other functions (such as waiting for a new function selection).

  On the other hand, when the authentication server detects disconnection of communication performed by the PC 2 with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124, the authentication server exits the loop processing from S211. End all processing.

(Effect by embodiment)
According to the first embodiment configured as described above, even if an attempt is made to connect to the center 1 with only the PC 2 without preparing the mobile phone 3 storing the same user identification information, the PC 2 has an authentication code. Is not stored, the authentication code cannot be transmitted to the authentication server of the center 1. Therefore, the authentication server cannot proceed with the process from S201. Therefore, since the authentication server cannot execute the authentication process (S202), and the PC 2 cannot advance the process from S102, the PC 2 eventually uses the Internet connection service or the content server program through the access point 4. Communication with the center 1 related to the content providing service 124 cannot be performed. Therefore, even if the user who owns the PC 2 and the mobile phone 3 loses the PC 2, the user is not connected to the network without permission by a third party who acquires the occupation of the PC 2.

  On the other hand, when the PC 2 and the mobile phone 3 storing the same user identification information are within a short-distance wireless communication range, the user starts up the connection program 27 of the PC 2 and the center. 1, a connection request (S101) is made to the user 1, the mobile phone 3 is activated to select execution of PC connection, and the biocode detection device 35 collects its own biocode. Even if the combination of ID and password is not input one by one, the authentication code and user identification information are automatically transmitted from the mobile phone 3 to the authentication server of the center 1.

  Since this authentication code is received from the authentication server at the time of communication with the center 1 immediately before, the contents of the authentication code each time a connection to the center 1 is made (in some cases, every predetermined period during the connection). Is changed. Therefore, even if the authentication code is intercepted by a third party, the period during which the authentication code is valid is extremely short, and therefore the possibility that the authentication code is stolen by the third party is low. Moreover, even if the authentication code is intercepted by a third party while it is transmitted from the authentication server to the mobile phone 3, if the authentication code includes cutout portion designation information, the third party Since a part of the biocode cannot be substituted in accordance with the cut-out portion designation information, the possibility that the authentication code is stolen by the third party is even lower. On the other hand, even if the authentication code is intercepted by a third party while being transmitted from the mobile phone 3 to the authentication server and a part of the biocode is assigned to the authentication code, the assigned biocode is Is only a part of the entire biocode taken from the user's body, so it is unlikely to cause irreparable damage to the user's privacy. In addition, since the specific position specified by the cutout portion designation information in the authentication code transmitted from the authentication server to the mobile phone 3 is changed every time the connection is made, the biocode in the intercepted authentication code is diverted later. It is unlikely that

Embodiment 2

  The network according to the second embodiment of the present invention has the same hardware configuration as the network according to the first embodiment described above. However, in the second embodiment, all the patterns registered in the second table 134 include biocode character string designation information. In the second embodiment, the latest authentication code received from the authentication server in the past processing is stored in the hard disk 132 of the PC 2, and the CPU 30 of the mobile phone 3 follows the program on the memory 34 in this connection. Processing to be executed (hereinafter simply referred to as “processing of the mobile phone 3”), processing to be executed by the CPU 20 of the PC 2 in accordance with the connection program 27 (hereinafter simply referred to as “processing of the PC 2”), and CPU 10 of the center 1 The processing executed according to the authentication server program 123 (hereinafter simply referred to as “authentication server processing”) is as shown in FIG. Note that the biocode detection device 28 of the PC 2 is not used in the second embodiment. Hereinafter, each process shown in FIG. 6 will be described.

(Processing content)
A user who has authority to use the PC 2 and the mobile phone 3 first starts the connection program 27 by inputting a predetermined command to the input device 23 of the PC 2. Then, in the first S401, a connection request specifying the user identification information stored in the hard disk 25 is made to the center 1 through the access point 4 or the Internet N. Then, in the center 1, the authentication server (authentication server program 123) is activated, and waits for an authentication code from the PC 2 in the first S601. On the other hand, the PC 2 also waits for a biocode notification from the mobile phone 3 in S402.

  Next, the user turns on the mobile phone 3. Then, the cellular phone 3 executes the processes of S701 to S704. Since the processes of S701 to S704 are exactly the same as the processes of S001 to S004 in the first embodiment described above, description thereof is omitted. If it is determined in S704 that the input to the keyboard 33 does not select connection of the PC 2, the cellular phone 3 executes a process according to the content of the input in S706.

  On the other hand, when it is determined in S704 that the input to the keyboard 33 selects the connection of the PC 2, the mobile phone 3 executes a process of transmitting the biocode to the PC 2 in S705. That is, the mobile phone 3 checks whether or not S702 has been executed, and if S702 has been executed, transmits the biocode collected in S702 to the PC2. On the other hand, if S702 is not executed, the mobile phone 3 displays an instruction to the user to collect its biocode through the biocode detection device 35 on the display 32, and then detects this biocode. The biocode input from the device 35 is transmitted to the PC 2. Upon completion of S705, the mobile phone 3 executes other functions (such as waiting for a new function selection) in S706.

  On the other hand, the PC 2 that has received the biocode (including the remainder of the authentication code) from the mobile phone 3 advances the process from S402 to S403, and executes the authentication code conversion process. That is, the mobile phone 3 reads the authentication code stored in the hard disk 132, and corresponds to the specific position specified by the cut-out portion specifying information included in the authentication code from the biocode received from the mobile phone 3. A part (the remaining part of the authentication code) is cut out and substituted into the cut-out part designation information in the authentication code (that is, combined with a part of the authentication code).

  In the next S404, the PC 2 transmits the authentication code converted in S403 to the authentication server of the center 1 together with the user identification information stored in the hard disk 132. After completing S404, the PC 2 waits for a response from the authentication server in the next S405.

  Upon receiving the authentication code and user identification information transmitted from the PC 2, the authentication server advances the process from S601 to S602 and executes the authentication process. That is, the authentication server is included in the authentication code registered in the first table 133 in association with the user identification information from the biocode registered in the first table 133 in association with the received user identification information. A portion indicated by the cutout portion designation information is cut out and substituted into the cutout portion designation information. Then, the authentication code after substitution is compared with the received authentication code. If the two authentication codes match, the authentication is OK. If the two authentication codes do not match, the authentication is NG.

  Upon completion of S602, the authentication server transmits the result (authentication result) of the authentication process in S602 to the PC 2 in the next S603. The subsequent processing of S604 to S611 is exactly the same as the processing of S204 to S211 in the above-described first embodiment (however, in S607, the newly generated authentication code is transmitted to the PC 2). finish.

  On the other hand, the PC 2 that has received the authentication result advances the process from S405 to S406. In S406, the PC 2 checks whether or not the received authentication result is authentication OK. If the authentication result is authentication NG, the PC 2 displays a warning on the display 22 in S408, and then ends the process. On the other hand, if the authentication result is OK, the PC 2 starts communication with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124 in S407.

  Note that when receiving a new authentication code from the authentication server, the PC 2 executes an interrupt process, and updates the authentication code stored in the hard disk 132 with the new authentication code received from the authentication server in S501. When S501 is completed, the PC 2 ends the interrupt process.

  Thereafter, when the communication with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124 is disconnected, or when the communication is disconnected, the PC 2 connects the connection program 27. The process by is terminated.

  On the other hand, when the authentication server detects disconnection of communication performed by the PC 2 with the center 1 regarding the Internet connection service through the access point 4 or the content providing service by the content server program 124, the authentication server exits the loop processing from S611, End all processing.

(Effect by embodiment)
According to the second embodiment configured as described above, even if an attempt is made to connect to the center 1 using only the PC 2 without preparing the mobile phone 3 in which the same user identification information is stored, it is installed on the PC 2. Since the connection program 27 does not collect the biocode by itself, an authentication code that is valid for the authentication server of the center 1 (authentication code into which the biocode designated by the cutout designation information is assigned) is used. Cannot send. Therefore, the authentication server cannot advance the process from S601. Therefore, the authentication server cannot execute the authentication process (S602), and the PC 2 cannot proceed from S402 first. Communication with the center 1 related to the content providing service 124 cannot be performed. Therefore, even if the user who owns the PC 2 and the mobile phone 3 loses the PC 2, the user is not connected to the network without permission by a third party who acquires the occupation of the PC 2.

  On the other hand, when the PC 2 and the mobile phone 3 storing the same user identification information are within a short-distance wireless communication range, the user starts up the connection program 27 of the PC 2 and the center. 1, a connection request (S 401) is made to the user 1, the mobile phone 3 is activated to select execution of PC connection, and the biocode detection device 35 collects its own biocode. The authentication code and the user identification information are automatically transmitted from the PC 2 to the authentication server of the center 1 without inputting each combination of ID and password.

  Since this authentication code is received from the authentication server at the time of communication with the center 1 immediately before, the contents of the authentication code each time a connection to the center 1 is made (in some cases, every predetermined period during the connection). Is changed. Therefore, even if the authentication code is intercepted by a third party, the period during which the authentication code is valid is extremely short, and therefore the possibility that the authentication code is stolen by the third party is low. Moreover, even if the authentication code is intercepted by a third party while it is transmitted from the authentication server to the mobile phone 3, a part of the biocode cannot be substituted according to the cutout designation information included in the authentication code. The possibility that the authentication code is stolen by the third party is even lower. On the other hand, even if the authentication code is intercepted by a third party while being transmitted from the mobile phone 3 to the authentication server, a part of the assigned biocode is the entire biocode collected from the user's body Since it is only a part of this, it is unlikely to cause irreparable damage to the user's privacy. In addition, since the specific position specified by the cutout designation information in the authentication code transmitted from the authentication server to the PC 2 is changed every time the connection is made, the biocode in the intercepted authentication code may be diverted later. The nature is low.

1 is a block diagram showing a schematic configuration of a computer network according to a first embodiment of the present invention. Table showing the data structure of the first table Table showing data structure of second table Flow chart showing processing contents of mobile phone, PC and authentication server A flowchart showing a new code generation processing subroutine executed in S206 of FIG. 4 and S606 of FIGS. The flowchart which shows the processing content of the mobile telephone in this 2nd Embodiment of this invention, PC, and an authentication server.

Explanation of symbols

1 center 2 PC
3 Mobile phone 4 Access point 10 CPU
13 Hard disk 20 CPU
21 Communication adapter 24 RAM
25 Hard Disk 27 Connection Program 28 Biocode Detection Device 29 Short-range Wireless Communication Port 30 CPU
31 Wireless Device 34 Memory 35 Biocode Detection Device 37 Short-range Wireless Communication Port 123 Authentication Server Program 133 First Table 134 Second Table M Mobile Phone Network N Internet

Claims (7)

In a network including a first type terminal and a second type terminal each having identification information associated with each other, and a center device capable of communicating with these terminals through a computer network, the center device provides a specific service with the second type terminal. An authentication method for performing data communication related to
Each of the first type terminal and the center device includes a storage device, and stores an authentication code associated with each other in each storage device in association with the identification information.
When the first type terminal transmits the authentication code stored in its own storage device together with the identification information to the center device,
The center device compares the authentication code received from the first type terminal with the authentication code stored in its own storage device in association with the identification information received from the first type terminal. An authentication method in a network, characterized in that, if they are mutually related, thereafter, data communication regarding a specific service is performed with a second type terminal having identification information related to the identification information. The authentication method in the network according to claim 1, wherein the first type terminal transmits the authentication code and the identification information to the center device without passing through the second type terminal. The first type terminal includes a biocode detection device that reads a user's physical characteristics and converts it into a character string as a biocode,
The authentication code includes designation information for designating a specific position of the biocode,
The first type terminal cuts out a part corresponding to a specific position designated by the designation information from the biocode acquired by the biocode detection means, incorporates the cut out part into the authentication code, and then identifies the identification information. Together with the center device,
In the storage device of the center device, the biocode of the user is stored in advance in association with the identification information,
The center device is included in an authentication code stored in the storage device in association with the identification information from a biocode stored in the storage device in association with the identification information received from the first type terminal. A portion corresponding to the specific position designated by the designated information is cut out, the cut out portion is incorporated into the authentication code, the authentication code is compared with the authentication code received from the first type terminal, and both authentication codes are compared. 2. In the network according to claim 1, wherein data communication regarding a specific service is performed with a second type terminal having identification information related to the identification information. Authentication method. 4. The network authentication method according to claim 3, wherein the first type terminal and the center device substitute a part cut out from the biocode for the designation information in the authentication code. Each time the center device performs data communication related to a specific service with the second type terminal, the authentication code is newly generated, overwritten in its own storage device, and transmitted to the first type terminal,
5. The network authentication method according to claim 1, wherein the first type terminal overwrites an authentication code received from the center device in its storage device. 6. In a network including a terminal having identification information and a center apparatus communicable through the terminal and a computer network, the center apparatus performs data communication regarding a specific service with the terminal,
Each of the terminal and the center device includes a storage device, and an authentication code is stored in the storage device of the center device in association with the identification information, while the authentication code is stored in the storage device of the terminal. Part of
The terminal further includes a wireless communication unit that communicates with a wireless communication device that transmits the remaining part of the authentication code, and receives the remaining authentication code from the wireless communication device through the wireless communication unit. The remainder of the code is combined with a part of the authentication code stored in its own storage device, and transmitted to the center device together with the identification information,
The center device compares the authentication code received from the terminal with the authentication code stored in its own storage device in association with the identification information received from the terminal, and the two authentication codes are related to each other. In this case, a network authentication method is characterized in that data communication related to a specific service is performed with the terminal thereafter. The wireless communication device includes a biocode detection device that reads a physical feature of a user and converts it into a character string as a biocode, and transmits the biocode to the terminal.
The remainder of the authentication code is part of this biocode,
The terminal cuts out the part from the biocode received from the wireless communication device through the wireless communication means, and combines the part of the cut out biocode with a part of the authentication code stored in its own storage device 7. The network authentication method according to claim 6, wherein the authentication information is transmitted to the center device together with the identification information.

Images