JP2006107007A - Authentication procedure analyzing device and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication procedure analyzing device and method for analyzing communicative processing in a log-in operation, and for easily cooperating with a system equipped with an authentication system. <P>SOLUTION: An authentication procedure analyzing device 7 carries out the element analysis of communication data and differential analysis and the erasure(normalization) of unnecessary communication, and outputs an analyzed authentication procedure code. Thus, it is possible to execute log-in processing by reading the authentication procedure code, and applying authentication information such as user name, secret information and host name necessary for authentication. Therefore, it is possible for a user who has performed access to a mediating server to acquire authentication information from a reference destination, and to automatically execute the log-in processing by referring to the authentication information from the name of a system cooperating with the name of the user who has logged in the mediating server. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an authentication procedure analyzing apparatus that analyzes an authentication procedure for a system that performs an authentication process using a user ID and secret information in a system built in a network such as a Web business system, and authentication for the same. It relates to a procedure analysis method.

  Conventionally, according to the selection information guidance system for intranet user members known from the following Patent Document 1, when a user clicks on a link including user authentication information and session information on an intermediary server, automatic login on the information providing side Linking technology in a business system that can connect to a module, log in to an information providing site, and save the user from logging in again is already known.

JP 2002-222271 A

  By the way, when a plurality of business systems that have screens configured in HTML language and individually have an authentication system are linked, the server that intervenes them performs login processing as a proxy, allowing the user to save login work, Therefore, it is desired that the user is not aware of the boundary between business systems.

  However, in such a case, it is necessary to change the process of the already completed system or add a process for the process, and the amount of work becomes a burden on the person who builds the system or, for example, the system itself Is often developed by another organization, it is often impossible to change or add such processing.

  Furthermore, in addition to the situation described above, in many cases, the application on the intermediary server is often created after the system that cooperates. There is a need to execute login processing for linked systems.

  By the way, even in the prior art, for example, a value that is issued to maintain a communication state by performing a login process by a mediating server, that is, a so-called session can be acquired, and the acquired session is delivered to the user's browsing software. According to this, the user is in a state after login, that is, the user can display an arbitrary page of the linked system without performing the login operation again.

  However, in order for the intermediary server to automatically execute the login process, it is necessary to analyze a different login process for each linked system, create a login procedure, and execute the procedure. By the way, the creation of such a login procedure is a time-consuming work that requires an engineer with specialized knowledge to analyze the screen configuration and communication data. Therefore, when the time for building the system is small, the number of linked systems that can automatically execute such login processing is limited, and therefore the number of systems that can be linked is reduced. There was a problem.

  Therefore, in the present invention, in view of the above-described problems in the prior art, specifically, an authentication procedure analysis apparatus for analyzing communication processing at the time of login work and an analysis method therefor are provided. It is an object of the present invention to make it possible to easily realize cooperation between a plurality of business systems each having an authentication system by making creation easy.

  According to the present invention, in order to achieve the above object, first, an apparatus for analyzing an authentication procedure for a system that performs an authentication process using a user ID and secret information, which is obtained by executing an actual authentication operation. There is provided an authentication procedure analyzing apparatus including means for inputting a plurality of communication data, means for analyzing the communication data, and means for outputting a result obtained by the analyzing means.

  In the present invention, in the authentication procedure analyzing apparatus, the analyzing means includes means for decomposing communication data to obtain the user ID and secret information, or a difference between the plurality of input communication data. It is preferable to provide a means for comparison. In the present invention, the analysis unit may include a normalization unit that deletes unnecessary communication.

  Further, according to the present invention, in order to achieve the above object, there is provided an authentication procedure analysis method for analyzing an authentication procedure for a system that performs an authentication process using a user ID and secret information, and performing an actual authentication operation Provides an authentication procedure analysis method for inputting a plurality of communication data, decomposing the input plurality of communication data, comparing them differentially, and analyzing and outputting the authentication procedure.

  In the present invention, in the authentication procedure analyzing method, it is preferable to further normalize and output the plurality of input communication data.

  More specifically, two obtained by actually performing an authentication operation on a system having a screen configured in the HTML language constructed in the Internet or an intranet and performing an authentication process using a user ID and secret information. The authentication procedure is analyzed by comparing the communication data differentially between the communication data using the above communication data as an input value. Further, along with the analysis result, the procedure is analyzed by normalization that deletes unnecessary communication unrelated to the authentication process by arranging the communication in a tree structure.

  The authentication process can be easily executed by any user by outputting the user ID and secret information of any user to any host that has the same authentication process as the host that performed the authentication work when acquiring communication data. It is possible to do. The authentication processing analysis apparatus is installed in, for example, one intermediary server constructed in the Internet or an intranet and a server intermediating a plurality of business systems.

  That is, according to the authentication procedure analysis apparatus and the authentication procedure analysis method according to the present invention described above, it is possible to easily execute the creation of a login procedure, and between a plurality of business systems each having an authentication system. Demonstrates the excellent effect of making it easy to achieve collaboration.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The authentication analysis apparatus according to the embodiment of the present invention, which will be described in detail below, can simplify the login procedure for a system constructed in the Internet or an intranet that performs an authentication process using a user ID and secret information. For example, the device of the present invention is incorporated into a proxy device, and according to the device of the present invention, the communication data is decomposed into elements, differential analysis is performed, unnecessary communication is deleted, and login is performed. Normalize the procedure and output the analyzed authentication procedure code. The intermediary server can execute the login process by reading this authentication procedure code and providing authentication information such as a user name, secret information, and host name necessary for authentication.

  First, the principle for analyzing the login process in the authentication analysis apparatus according to the present invention will be described in detail below with reference to FIG.

  In order to analyze the login process, a login operation is performed on the linked system in accordance with specific conditions, thereby acquiring a plurality of communication data. In order to obtain these communication data, the browsing software 1 shown in FIG. 2 (for example, a popular browsing browser) designates the proxy device 2 as a proxy server and links to the business system 3 to cooperate with. On the other hand, log in under specific conditions. The proxy device 2 is a general proxy device in which a communication data acquisition unit 4 for acquiring communication data and a communication data output unit 5 for outputting communication data are added. The communication request and communication response from the browsing software 1 are relayed, and at the same time, the communication request data and the communication response data are acquired as one set in the request order of the communication request, and a series of processes are executed. , Output as communication data 6.

  Next, FIG. 1 attached specifically describes the configuration of the above-described authentication analysis apparatus 7, that is, means for analyzing the login process.

  The authentication analysis apparatus 7 receives the communication data 6 and takes in the communication data into the apparatus by the communication data reading unit 8. Thereafter, the element disassembling unit 9 disassembles the communication request and communication response in the communication data fetched into the device for each element and stores them in the memory in the device (note that the communication request data and communication response data that have been disassembled into elements are stored. The data structure is shown later in FIGS. 3 to 6).

  And the differential analysis part 10 analyzes an authentication procedure by comparing the some capture acquired on specific conditions as a difference. In this way, by performing an analysis operation on a communication request and a communication response (that is, communication request data and communication response data), a user ID variable, a secret information variable, a session variable, and a session between two communications Determine the limited session variables to be used and fixed variables whose values do not change. Further, the unnecessary communication deletion unit 11 deletes (normalizes) a communication request that is not related to the login procedure in the acquired communication data, and the procedure output unit 12 outputs the analysis result, and FIG. The authentication procedure code 13 is obtained. Each unit of the authentication analysis device 7 described above is configured as a program in a server or a proxy device that configures the device.

  Next, FIG. 3 attached here shows the data structure of the communication request data described above. As is apparent from the figure, the communication request data basically includes a request URL (Uniform Resource Locator) 14 that is a requested content, a request header 15 that is a control part of the communication request, and post data. It consists of a certain request content 16.

  The request URL 14 includes a host name 23, a file path 24, a path parameter 17, and a query 18, and the request header 15 includes a cookie 19 and a reference source URL 22. Further, the requested content 16 includes post data 20. As shown in the figure, each of the path parameter 17, the query 18, the cookie 19, and the post data 20 includes a variable name / variable value pair 21.

  Therefore, in the element decomposition unit 9 in the authentication analysis apparatus 7 whose configuration has been described above, the input communication request data is converted into the path parameter 17, the query 18, the cookie 19 and the post data 20 elements shown in FIG. Finally, a transmission name and a transmission value (the variable name and variable value) indicated by reference numeral 21 in the figure are extracted and set as one variable. In addition, although the URL which shows the request origin of a communication request is stored in the reference origin URL shown by the code | symbol 22 in FIG. 3, however, the variable is not acquired here.

  Furthermore, an example of more specific element disassembly processing will be described with reference to the attached FIG. 4 for the communication request data whose data structure has been described above. Here, an example in which the communication request data is configured in the HTML language is shown. That is, as is apparent from the figure, in the authentication analysis device 7, the communication data read into the device by the communication data reading unit 8 is decomposed by the element decomposition unit 9 into its communication request and communication response for each element. By doing so, it can be acquired as data necessary for login work. More specifically, “Time” and “1500” that are the variable name and variable value 21 of the query 18 are “SessionID” and “SessionNo123” that are the variable name and variable value 21 of the cookie 19, and the post data 20. Variable names and variable values 21 of “LoginAction” and “Below”, “InUserId” and “TestUser”, and “InPasswd” and “Password” are obtained.

  Next, FIG. 5 attached here shows the data structure of the communication response data described above. As is clear from this figure, the communication response data basically consists of a response header 25 which is a part representing communication control, and 26 is response content which is a screen character string.

  The response header 25 includes variables such as a location URL and a cookie. In other words, as shown in the figure, the cookie and the path parameter and query included in the location URL each include a variable name / variable value pair 32. That is, the response header 25 includes a variable such as a URL or a cookie. Therefore, the element disassembly unit 9 in the authentication analysis apparatus 7 performs the same as the communication request data shown in FIG. Perform element decomposition.

  On the other hand, the response content 26 is a screen character string as described above. However, by disassembling the screen character string, a so-called variable name / variable value pair 32, which is the variable, is obtained as described below.

  That is, the response content 26 includes a form 27 in the middle of the disassembly, which is an element for collecting inputs, and an input tag 30 sandwiched between the start and end and a URL 29 are registered as branches. ing. Further, as shown in the figure, this URL 29 includes a path parameter and a query, and each of these URLs includes a pair 32 of a variable name and a variable value, similar to the input tag 30 described above. Reference numeral 28 in the figure is a tag included in the response content 26. The tag 28 includes a URL 31, and the URL 31 includes a path parameter and a query. It includes a pair 32 of variable name and variable value.

  Further, FIG. 6 attached shows an example of more specific element decomposition processing for the communication response data whose data structure has been described above. Here, the communication response data is also an example in which the communication response data is configured in the HTML language. Is shown. That is, as is apparent from the figure, in the authentication analysis device 7, the communication data read into the device by the communication data reading unit 8 is decomposed by the element decomposition unit 9 into its communication request and communication response for each element. By doing so, it can be acquired as data necessary for login work. More specifically, “Time” and “1500” that are the variable name and variable value 32 of the URL 29 are “InUserId”, “None”, and “InPasswd” that are the variable name and variable value 32 included in the form 27. "None", "LoginAction" and "Below" are obtained.

  By the way, the conditions of communication data given in the authentication procedure and the number of communication data given vary depending on the authentication procedure to be analyzed. Here, as a specific example, communication data acquisition conditions when a login process is analyzed will be described. Here, two users with different user names and secret information are prepared in advance, and A, B, C, and D captures with the following conditions are prepared.

  First, in “capture A”, an arbitrary user performs login work from the login screen in the same way as normal use, and acquires communication data of work until the screen after login is displayed.

  Next, in “capture B”, the same user as that at the time of acquisition of the capture A performs the log-in operation in the same manner, and acquires communication data during the operation during this time.

  Further, in “capture C”, a login operation is performed by a user different from the user who logged in when the capture A was acquired, and communication data during the operation is acquired.

  In “Capture D”, the user is the same as that at the time of acquisition of the data of the capture A. However, the secret information is changed in advance, and the login operation is performed again after the change operation is completed. Get the communication data inside.

  That is, as described above, the differential analysis unit 10 of the authentication analysis apparatus 7 shown in FIG. 1 is a program that analyzes an authentication procedure by comparing a plurality of captures acquired under specific conditions as differences. is there. That is, a user ID variable, a secret information variable, a session variable, and a limited session variable used as a session between two communications by performing an analysis operation on a communication request and a communication response executed under a plurality of conditions Then, a fixed variable whose value does not change is determined.

  The specific method of the difference comparison in the differential analysis unit 10, that is, the analysis processing flowchart when using the capture data of “capture A” to “capture D” described above is shown in FIG. .

  In the flowchart shown in FIG. 7, a determination operation is performed on all variable names (A to D) existing in the communication request in the order of the communication requests having a plurality. Here, the object to be compared in the difference determination is the variable value of the same variable name in the same communication request in the communication data acquired under different conditions, and is performed by comparing these.

  Specifically, when the process is started, it is confirmed that the communication data is a communication request loop of A (step S71), and further, it is confirmed that the communication data is a communication request variable loop (step S72). Thereafter, it is determined whether or not this is the same as the capture B (step S73).

  If it is determined that the result is the same as B (YES) as a result of the determination step S73, it is further determined whether or not it is the same as C (step S74). As a result, if it is determined to be the same as C (YES), it is registered as a fixed value (step S75), and further confirmation of the communication request variable loop (step S76) and confirmation of the communication request loop of A (step S75) The process is ended through S77).

  On the other hand, if it is determined that the result of the determination step S74 is not the same as C (NO), it is next determined whether or not it is the same as D (step S78). As a result, if it is determined that it is the same as D (YES), it is further determined whether or not it is already registered as a user ID variable (step S79), and as a result, it is already registered (YES). If it is determined, registration is performed as a limited session (step S80), and the process is ended through the confirmation steps S76 and S77. If it is determined as a result of the determination step S79 that it is not yet registered (NO), user ID variable registration is performed (step S81), and the process is also terminated through the confirmation steps S76 and S77. If it is determined that the result of the determination step S78 is not the same as D (NO), secret information variable registration is performed (step S82), and the process is also terminated through the confirmation steps S76 and S77.

  If it is determined that the result of the determination step S73 is not the same as B (NO), it is further determined whether or not the session is registered as a limited session (step S83). If it is determined (YES), session registration is performed (step S84). On the other hand, if it is determined that it has not yet been registered (NO), it is registered as a limited session. In the same manner as above, the process is completed through the confirmation steps S76 and S77. The above process is repeated for all variable names (A to D).

  An example of specific data on which the above processing is executed is shown in the upper part of the attached FIG. The example shown in FIG. 8 shows an example of the configuration of data stored on the memory in the authentication analysis apparatus 7. In the analysis process described above, the determination of FIG. 7 is executed on all variables (variable names) in the communication requests 1 to 3 based on the variables obtained in the respective captures A to D. As a result, a determination result as shown in the lower part of FIG. 8 is obtained. In other words, each variable name “InUserID”, “InPasswd”, “time”, “loginaction”, “Sessid” is changed to “user ID variable”, “secret information variable”, “limited session”, “fixed value”, It becomes possible to register as a “session”.

  For the limited session in the above description, the coordinates of the tree structure are obtained from the transmission name and the transmission value based on the result of the communication response decomposed in FIG. 5, and this is used as a reference location. Thereby, when executing the login procedure, the variable value of the limited session can be acquired from the screen character string of the communication response data. In addition, although the example which used four communication data (capture A-capture D) was described as a specific example for this differential determination, other information, for example, the screen character string of a communication response is used. By analyzing in detail, the number of communication data to be used can be reduced.

  Specifically, in the above example, the reason for acquiring the data of the capture D is used to distinguish the user name from the secret information. However, by using cognitive knowledge, For example, it is possible to determine secret data from the immediately preceding communication response data. For example, in the response content 26 shown in FIG. 5, a variable name such as “Password” or “Secret” is often used as a variable representing information indicating secret information, and a “ID” variable includes “ Variable names such as “User” are used. Therefore, if the secret information can be limited to one, it can be determined only by the variable name. It can also be determined from the attribute of the input tag. The secret data here includes a so-called password, but is not limited thereto.

  Thereby, the number of communication data to be used can be reduced. Note that the determination condition is not determined, and communication data acquired under another condition can be used, and is not limited to only the condition described in the specific example above.

  Next, a program for deleting (normalizing) a communication request unrelated to the login procedure in the acquired communication data in the unnecessary communication deleting (normalizing) unit 11 denoted by reference numeral 11 in FIG. 1 will be described.

  Since the system to be analyzed in the authentication procedure is intended for authentication, that is, to identify the user, the transmission of the user ID and secret information for identifying the user and further the acquisition of the session There is always communication. In addition, depending on the system, there is a system that requires communication for performing a limited session for authentication. In other words, in communications other than the above, information that should identify the user is not transmitted / received, and therefore the same response can be obtained even if this authentication is not performed. Therefore, it is possible to determine that the communication that does not transmit / receive information that should identify the user is communication that is unrelated to the authentication procedure. Therefore, the login procedure is replayed by leaving only a series of communications that are played in order, and transmitting the user ID and secret information, obtaining a limited session, and obtaining a session, and deleting other communications. It becomes possible to reduce communication at the time.

  For example, unnecessary communication can be deleted by arranging communication requests in a tree structure by using the transmission source URL 22 described in FIG. . That is, the user ID transmission variable, the secret information transmission variable, the communication request part making the communication request acquired by the session is left as the trunk part of the tree, and the communication request corresponding to the other branch part is the authentication procedure and As a irrelevant communication, these are deleted collectively.

  A more specific example will be described with reference to FIG. First, in the communication request of this figure, the user ID and the secret information are transmitted in the communication request 2 (33), and in the communication request 3 (34) as the subsequent communication response, the acquisition of the limited session is performed. Furthermore, in communication request 4 (35), a session is acquired. Therefore, as shown by the broken line 36 in the figure, the communication request 1, the communication request 2, the communication request 3, and the communication request 4 are communication requests for the log-in procedure, and are communication necessary for authentication as a tree trunk portion. Leave as request. On the other hand, other communication requests, for example, communication request 5, communication request 6, and communication request 7 indicated by broken line 37 in the figure are communication parts belonging to the above-described tree structure branches, that is, unnecessary communication parts. Remove from login procedure. Here, the condition for the communication request to become a trunk includes, for example, one of user ID, transmission of secret information, session acquisition, and limited session acquisition as described above. Therefore, in some cases, a plurality of the trunks may exist.

  As described above, the authentication analysis apparatus 7 shown in FIG. 1, more specifically, the element decomposition unit 9, the differential analysis unit 10, and the unnecessary communication deletion unit ( As described above, the result analyzed in the (normalization) 11 is output in the procedure output unit 12 of FIG. 1 and the authentication procedure code 13 is obtained. An example of the output authentication procedure code 13 is shown in FIG.

  An example in which the authentication procedure code 13 obtained from the authentication analysis device 7 is input in advance to a mediating server is shown in FIG. In this way, if the authentication information can be referred to in advance from the system name linked to the user name logged in to the intermediary server, it is desired to display the screen of the system linked to the user accessing the mediation server. When the authentication information is automatically acquired from the reference destination and the login process is automatically executed, the user can access a page on any linked system without performing another login operation. . As a specific authentication information reference destination, a general database device (user ID reference database 42) is used. In the example shown in this figure, assuming that a database is used as a reference destination, the user name logged into the intermediary server, the collaborative system side user name, the collaborative system side secret information, and the collaborative system to log in are assumed to be used. The host name is stored in each field.

  In the above description, the automatic execution of the login process is described. However, the present invention can be applied to other authentication processes. For example, regarding the change of the password, if the acquisition conditions for acquiring the communication data are changed and the number of items to be analyzed is increased, the normalized authentication procedure code can be obtained in the same manner as the login process. Further, by giving the authentication procedure code to the execution device of the mediating server, the user can change the password without accessing the system that cooperates to change the secret information, and the mediation server The password can be changed at once.

  Further, the usage is not limited to the above-described intermediary server. For example, it can be used for simple one-to-one mutual calls between systems. As described above, the present invention has an advantage that the system cooperation can be easily performed.

  Further, in order to execute the normalized authentication procedure, it is necessary to set a data reference destination at the time of execution. The setting of the reference destination can be easily set, for example, by allowing the person who constructs it to set it on the screen. For example, a specific example of this setting screen is shown in FIG.

  That is, the reference destination setting screen shown in FIG. 11 displays the result of the authentication server code shown in FIG. 10 read by the intermediary server (authentication procedure read 44 in FIG. 12). For example, on the reference destination setting screen, the host name of the system to be linked and its field name are designated in the part indicated by reference numeral 40 in the figure. Further, the field name of the user ID variable is designated in the part indicated by reference numeral 38, and the field name of the secret information is designated in the part indicated by reference numeral 39. At this time, it is designated by the field name of the reference table 43 of the authentication information shown in FIG.

  Further, the normalized login procedure is executed by the authentication procedure reproduction function on the intermediary server (see reference numeral 41 in FIG. 12). First, the user requests the intermediary server to access the linkage system. The mediation server uses the authentication procedure reproduction function 41 to make an inquiry to the database 42 based on the requested user ID and the requested system name, obtain the user ID in the cooperation system, and acquire the authentication information. Next, the authentication procedure code of the requested cooperation system is read (see reference numeral 44 in FIG. 12) and executed by the authentication procedure reproduction function 41. When this authentication procedure playback function 41 is executed, the login procedure is automatically played back and a session can be acquired. Then, by handing over the obtained session information to the user's browsing software, the user enters a post-login state and can call an arbitrary screen of the linked system.

  Although the configuration and operation of the authentication procedure analysis apparatus according to the present invention have been described in detail above, the authentication procedure analysis apparatus and analysis method of the present invention will be summarized below. That is, in the present invention, the authentication procedure analysis device is prepared as a means for analyzing the authentication procedure, and the user is made to perform a plurality of log-in operations under predetermined conditions to acquire their communication data. . Then, the acquired communication data is read and analyzed. That is, a user ID for identifying a user, secret information necessary for authentication, a host name of a linked system to log in, and the like are obtained. Also normalize the login procedure. Note that the normalization of this login procedure means that login operations are performed so that any user can log in and login processing can be executed for any host if the system has the same authentication procedure, eliminating unnecessary communication. It is to make a procedure. Then, in addition to this normalized login procedure, a user ID for identifying a user, secret information necessary for authentication, a host name of a linked system to log in, and the like can be provided as a login procedure. Note that the secret data (secret information) referred to here includes a so-called password, but is not limited thereto. Further, as a reference destination of the authentication information, a general database device can be cited.

  Then, by incorporating the login procedure obtained as described above into, for example, an intermediary server, the login process is automatically executed when the user performs an operation for acquiring information on the linked system. By doing so, the login work is performed, that is, information on the session is acquired from the cooperating system. As a result, if the session can be acquired from the linked system, the user calls an arbitrary screen, or the mediating server collects information on behalf of the user and presents the information to the user on the mediating server It will be possible. As a result, even if the user does not have advanced knowledge, the user can easily link the business systems.

It is a figure which shows an example of a structure of the authentication procedure analysis apparatus used as the carrying of this invention. It is a figure for demonstrating the analysis operation principle in the authentication procedure analysis apparatus of this invention. It is a figure explaining the data structure of the communication request data analyzed with the authentication procedure analysis apparatus of the said invention. It is a figure explaining a more specific example of the said communication request data structure. It is a figure explaining the data structure of the communication response data analyzed with the authentication procedure analysis apparatus of the said invention. It is a figure explaining a more specific example of the said communication response data structure. It is a flowchart figure explaining operation | movement of the difference comparison determination part in the authentication procedure analysis apparatus of the said invention. It is a figure which shows an example of the specific analysis of the said difference comparative determination. It is a figure explaining an example of the deletion (normalization) of the unnecessary communication in the authentication procedure analysis apparatus of the said invention. It is a figure which shows an example of the authentication procedure code output from the authentication procedure analysis apparatus of the said invention. It is a figure which shows an example of the reference destination setting screen using the authentication procedure code output from the said authentication procedure analysis apparatus of this invention. It is a figure which shows an example of the system using the authentication procedure code output from the authentication procedure analysis apparatus of the said invention.

Explanation of symbols

6 Communication data 7 Authentication procedure analysis device 8 Communication data reading unit 9 Element decomposition unit 10 Differential analysis unit 11 Unnecessary communication deletion unit 12 Procedure output unit 13 Authentication procedure code.

Claims (6)

  An apparatus for analyzing an authentication procedure for a system that performs an authentication process using a user ID and secret information, and means for inputting a plurality of communication data obtained by executing an actual authentication operation, and analyzing the communication data An authentication procedure analyzing apparatus comprising: means and means for outputting a result obtained by the analyzing means.   2. The authentication procedure analysis apparatus according to claim 1, wherein the analysis means includes means for decomposing communication data to obtain the user ID and secret information.   2. The authentication procedure analysis apparatus according to claim 1, wherein the analysis means includes means for differentially comparing the plurality of input communication data.   2. The authentication procedure analysis apparatus according to claim 1, wherein the analysis unit includes a normalization unit that deletes unnecessary communication.   An authentication procedure analysis method for analyzing an authentication procedure for a system that performs an authentication process using a user ID and secret information, wherein a plurality of communication data is input by executing an actual authentication operation, and the input plurality of communication data An authentication procedure analysis method characterized in that an element is decomposed, compared differentially, and an authentication procedure is analyzed and output.   6. The authentication procedure analysis method according to claim 5, further comprising normalizing and outputting the plurality of input communication data.

Images