JP2006128873A - Url authentication system and url authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a URL authentication system and a URL authentication method with which unauthorized access with forgery or alteration of an OTU can be prevented, even in the case of physical difference between an issuer and a receiver of the OTU. <P>SOLUTION: A service providing server 103 informs an intermediary server 101 of a connection method, and the intermediary server 101 informs the service providing server 103 of a common key Kc. When a client 102 informs the intermediary server 101 of a request for connection to the service providing server 103, the intermediary server 101 uses the common key Kc to generate an authentication code and issues an OTU to which the generated authentication code is added to a URL. The client 102 traces the OTU to connect to the service providing server 103, and the service providing server 103 confirms validity of the OTU presented from the client 102 by the common key Kc and provides a service to the client 102 in response to confirmation of the validity of the OTU. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a URL authentication system and a URL authentication method, and more particularly to a URL authentication system and a URL authentication method for authenticating a One Time URL.

  In general, One Time URL (hereinafter abbreviated as “OTU”) is a mechanism for issuing a different URL each time a user tries to access specific content on a public network and viewing the content. If issued or when a certain time has elapsed, the issued URL becomes invalid. Further, when providing content that limits users such as paid content, prevention of unauthorized access is complemented in conjunction with an authentication system that has already been performed (see, for example, Patent Document 1). For example, if an application is made in advance for concert live streaming, a different URL is issued for each user immediately before the performance. Due to such OTU features, a specific user is guided to a specific Web page, and the fact that the URL itself is acquired also serves as personal authentication, thereby realizing a simple user authentication function, or to a specific Web page. The number of accesses, the access period, etc. can be limited.

  In particular, OTU is often used in a complementary sense of user authentication. Since the OTU has the property that a Web server issues it to a specific user as needed, knowing it, that is, tracing the OTU to reach a specific Web page itself. An authentication function is realized as it is, and such usage is common. For example, in recent member registration system Web services, there are many examples in which an OTU is transmitted to an email address registered in advance when changing user registration information, and the user is directed to a registration information change screen unique to the user. It is done. Specifically, when the user ID and password are entered on the front page for changing user information, the OTU of the main page for changing user information is sent by mail.

  FIG. 5 is a diagram illustrating an example of an OTU. In this figure, the A1 part of “http: //server.~php” indicates location information (connected device, TCP port number for access (8080 in the figure) and content information on the server to be accessed). The A2 portion of “Param1 to ZZZZ” is referred to as a URL parameter, and is a parameter group that is passed from the client to the server during access using the HTTP protocol. The configuration of this URL is the data structure itself of the URL generally used on the Internet, and the IP network configuring the Internet grasps the position of the server to be connected from the first half A1 of the OTU, and transmits the packet from the client to the server. We will try to resolve the route independently.

  As a general usage method of OTU, access restriction information (user information, access restriction number, etc.) is described in XXX and YYYY in FIG. 5, and an encrypted authentication code is described in ZZZZ. It is done. Here, ZZZZ is a character string for proving the authenticity of the OTU, and the secret key held by the server for the character string excluding “ADM = ZZZZ” from the entire OTU (part A3 in FIG. 5). It is the result of having performed a hash operation using.

  Note that although the expression “One Time URL” is used here, the use restriction of the same type of URL generally depends on the setting on the server side, and its use may be limited to one time only. For example, a plurality of uses may be permitted within a certain period.

  Next, a connection process between the server and the client using the above-described OTU will be described with reference to FIG. In FIG. 6, when the server receives a service provision request (OTU issuance request) from the client, the server selects a URL parameter, and adds the selected URL parameter to the A1 portion of the OTU shown in FIG. Then, an authentication code ZZZZ obtained by performing a hash operation on the A3 part of the OTU with the common key Kc is added to the A3 part of the OTU, and the OTU is issued to the client.

  The client acquires the OTU issued from the server, and accesses the server using the acquired OTU. The server that has received access from the client through the OTU calculates the authentication code GGGG by performing a hash operation on the A3 portion of the OTU with the common key Kc. Finally, it recognizes that the authentication code GGGG and the ZZZZ added to the OTU are the same, and recognizes that the OTU used for access has not been forged or falsified, that is, the validity of the OTU. . As described above, the issuance and acceptance of the OTU is usually performed by the same physically server.

  By the way, in recent years, the widespread use of the always-on Internet environment has led to various electrical appliances (hereinafter referred to as “home appliances”) such as DVD recorders, network cameras, and white goods being connected to the network. These network environments in companies and homes (hereinafter referred to as “in-home local network”) are generally connected to the Internet by routers having NAT (Network Address Translation) or NAPT (Network Address Port Translation) functions. is there.

  For this reason, when a connection from outside the house to a specific in-house device is assumed, it is necessary to solve the IP traversal problem, so-called NAT traversal problem. That is, since most of the home devices are installed in the local address space, it is impossible to determine the route from outside the home to a specific home device even if only the location information (IP address) is specified. And port number must be specified.

  On the other hand, it is difficult to obtain the port number for accessing over the NAT from outside the house, and as a result, as shown in FIG. 7, the port number is always grasped while synchronizing with the in-home device (service providing server). A connection mediator (mediation server) is required.

In such a system, an OTU that can easily redirect connections by explicitly using both position information and a port number is used. For example, a user who wants to view video content stored in a home HDD player (home device) on a mobile phone (client) outside the home makes a contract with a specific service ASP (mediation server), and the mediation server for ASP management Allows the HDD player to dynamically manage and issue a connection method (connection OTU).
JP 2003-150492 A

  However, if the issuer of the OTU (device that issues the OTU) and the acceptor of the OTU (device that is accessed by the OTU) are physically different, the validity of the OTU itself, that is, the issuer of the correct issuer Proof that it was originally created and that part of the OTU has not been tampered with, that is, a method for confirming the validity of the OTU has not been established.

  The present invention has been made in view of the above points, and there is provided a URL authentication system and a URL authentication method for preventing unauthorized access due to forgery or falsification of an OTU even when the issuer of the OTU and the acceptor of the OTU are physically different. The purpose is to provide.

  In the first aspect of the present invention, the One Time URL including the authentication code including the authentication code for proving the validity of the One Time URL itself is included in the One Time URL for guiding the connection to another server different from the own server. An intermediary server to issue, a One Time URL issued by the intermediary server, and a client connected to another server different from the intermediary server by tracing the acquired One Time URL; URL authentication comprising: a service providing server as another server different from the mediation server, which confirms the validity of the used One Time URL and provides a service to a client for which the validity of the One Time URL is confirmed. System.

  According to a second aspect of the present invention, in the above aspect, the service providing server shares an encryption key used by the mediation server for generating an authentication code, and confirms the validity of the authentication code using the shared encryption key. This is a URL authentication system.

  According to these configurations, the client connected to another service providing server different from the mediation server by tracing the One Time URL issued by the mediation server, and the validity of the One Time URL was confirmed by the service provision server. By providing a service to the client, even if the publisher of the One Time URL and the receiver of the One Time URL are physically different, unauthorized access due to forgery or falsification of the One Time URL can be prevented.

  A third aspect of the present invention is the URL authentication system according to the above aspect, wherein a secure communication path is provided between the mediation server and the service providing server, and the encryption key is shared via the communication path.

  According to this configuration, it is possible to prevent leakage of the encryption key by sharing the encryption key via the secure communication path provided between the mediation server and the service providing server.

  According to a fourth aspect of the present invention, an authentication code that proves the validity of the One Time URL itself is attached to the One Time URL that induces a connection to another server different from the own server. By using a secret key that is generated and issuing a One Time URL including the generated authentication code, and obtaining the One Time URL issued by the mediation server, tracing the acquired One Time URL, Check the validity of the One Time URL using a client that connects to another server different from the mediation server, and a public key that forms a key pair with the private key in the authentication code of the One Time URL that the client used for connection The URL authentication system includes a service providing server as another server different from the mediation server that provides a service to a client whose One Time URL is confirmed to be valid.

  According to this configuration, the client connects to another service providing server different from the mediation server by tracing the One Time URL issued by the mediation server, and the service provision server confirms the validity of the One Time URL. By providing the service, even if the One Time URL issuer and the One Time URL acceptor are physically different, unauthorized access due to forgery or falsification of the One Time URL can be prevented.

  According to a fifth aspect of the present invention, there is provided an authentication code generation means that uses a first encryption key to generate an authentication code that proves the validity of the One Time URL that guides connection to another server different from the own server; One Time URL generation means for generating a One Time URL including the authentication code generated by the authentication code generation means, and a second encryption key corresponding to the first encryption key used in the authentication code generation means And a notifying means for notifying another different server.

  According to this configuration, the other server is generated by the mediation server by notifying the second encryption key corresponding to the first encryption key used for generating the authentication code to another server different from the mediation server. The validity of the One Time URL can be confirmed using the second encryption key notified from the mediation server.

  According to a sixth aspect of the present invention, there is provided One Time URL verification means for verifying the validity of the One Time URL used for connection by the client, using the second encryption key notified from the intermediary server of the above aspect; A service providing server comprising service providing means for providing a service to a client whose validity of the One Time URL has been verified by the Time URL verification means.

  According to this configuration, by providing a service to a client whose validity of the One Time URL has been verified, the service is provided only to a client connected by following the One Time URL issued from the mediation server. Therefore, unauthorized access due to forgery or falsification of the One Time URL can be prevented.

  In a seventh aspect of the present invention, the intermediary server includes an authentication code including an authentication code that proves the validity of the One Time URL itself in the One Time URL that induces connection to another server different from the own server. Issuing a One Time URL, the client obtains the One Time URL issued by the mediation server, traces the acquired One Time URL, and connects to another server different from the mediation server, and the mediation server A URL authentication method in which a service providing server as another server different from the server confirms the validity of the One Time URL used by the client for connection and provides the service to the client for which the validity of the One Time URL is confirmed. is there.

  According to this method, the client connects to another service providing server different from the mediation server by tracing the One Time URL issued by the mediation server, and the service provision server confirms the validity of the One Time URL. By providing the service, even if the One Time URL issuer and the One Time URL acceptor are physically different, unauthorized access due to forgery or falsification of the One Time URL can be prevented.

  According to the present invention, an intermediary server different from a server that provides a service issues an OTU that includes an authentication code that proves the validity of the OTU itself, and the service providing server verifies the validity of the OTU. Even when the issuer and the OTU recipient are physically different, it is possible to provide a URL authentication system and a URL authentication method for preventing unauthorized access due to forgery or falsification of the OTU.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(Embodiment 1)
FIG. 1 is a block diagram showing a configuration of a URL authentication system 100 according to Embodiment 1 of the present invention. In this figure, an intermediary server 101, a client 102, and a service providing server 103 are each connected to a communication network 104 such as the Internet, which is a general public IP network.

  The mediation server 101 periodically connects and exchanges information with the service providing server 103 to grasp the connection method to the service providing server 103, and the grasped connection method is abbreviated as “One Time URL” (hereinafter abbreviated as “OTU”). To the client 102.

  The client 102 acquires an OTU from the mediation server 101, connects to the service providing server 103 by tracing the acquired OTU, receives content from the service providing server 103 via the HTTP protocol, or specifies the service providing server 103. To execute the process.

  The service providing server 103 is, for example, a home device such as an HDD player. The service providing server 103 verifies the authentication code portion of the OTU presented from the client 102 to confirm the validity of the OTU and provides content to the client 102. Alternatively, a service such as executing a specific process according to an instruction from the client 102 is provided.

  FIG. 2 is a block diagram illustrating the internal configuration of the mediation server 101, the client 102, and the service providing server 103. First, the mediation server 101 will be described. In FIG. 2, the inter-server communication unit 111 is connected to the inter-server communication unit 131 of the service providing server 103 via the communication network 104, and periodically receives address information (address information and access information of the service providing server) from the service providing server 103. (TCP port number), and the notified address information is output to the information storage unit 112. Further, the service providing server 103 is notified of the common key Kc stored in the information storage unit 112.

  The information storage unit 112 stores address information output from the inter-server communication unit 111 and also stores a common key Kc.

  The HTTP server function unit 113 is connected to the HTTP client function unit 121 of the client 102 via the communication network 104 and receives access from the client 102. When receiving an access from the client 102, the HTTP server function unit 113 performs client authentication. If the authentication is correct, the HTTP server function unit 113 receives a connection request from the client 102 to the service providing server 103. Further, the client 102 is notified of the OTU generated by the OTU generation unit 114 (described later) as information on the HTML page so that the HTTP client function unit 121 on the client 102 side can directly recognize the information.

  In accordance with the connection request received from the client 102, the OTU generation unit 114 generates a service providing server connection URL from the service providing server address information stored in the information storage unit 112 and service constraint conditions such as a service menu. The generated URL is output to the hash calculation unit 115. In addition, an OTU is generated by adding an authentication code generated by a hash calculation unit 115 to be described later to a URL for connecting to a service providing server, and the generated OTU is notified to the HTTP server function unit 113.

  The hash calculation unit 115 performs a hash calculation on the URL output from the OTU generation unit 114 using the common key Kc stored in the information storage unit 112, and generates an authentication code. The generated authentication code is output to the OTU generator 114. The hash calculation unit 115 functions as an authentication code generation unit.

  Next, the client 102 will be described. In FIG. 2, when the HTTP client function unit 121 connects to the HTTP server function unit 113 of the mediation server 101 and the HTTP server function unit 133 of the service providing server 103 via the communication network 104 and accesses the mediation server 101, the client 102 Receives client authentication from the mediation server 101. Client authentication is performed by inputting a user ID and a password according to the HTML menu. Then, the client 102 selects a connection destination service providing server 103, a service menu, and the like. In addition, the service providing server connection OTU notified from the mediation server 101 is stored in the information storage unit 122. Further, the service providing server 103 is accessed using the OTU stored in the information storage unit 122.

  Next, the service providing server 103 will be described. In FIG. 2, the inter-server communication unit 131 periodically notifies the mediation server 101 of address information, acquires the common key Kc from the mediation server 101, and stores the acquired common key Kc in the information storage unit 132.

  The HTTP server function unit 133 of the service providing server 103 notifies the OTU verification unit 134 of the OTU used for the access in response to the access from the client 102.

  The OTU verification unit 134 outputs a part other than the OTU authentication code notified from the HTTP server function unit 133 to the hash calculation unit 135, and adds a result (hash value) notified from the hash calculation unit 135 described later to the OTU. Check whether it matches the authentication code that is registered.

  The hash calculation unit 135 performs a hash calculation on the portion other than the authentication code of the OTU using the common key Kc stored in the information storage unit 132, and outputs the result (hash value) to the OTU verification unit 134. . The OTU verification unit 134 and the hash calculation unit 135 function as a One Time URL verification unit.

  When the OTU verification unit 134 confirms that the hash value does not match the authentication code added to the OTU, the HTTP server function unit 133 rejects HTTP access from the client. On the other hand, when it is confirmed that the hash value matches the authentication code added to the OTU, the HTTP server function unit 133 permits the HTTP access from the client, and the content provided by the HTTP server stored in the information storage unit 132 is sent to the client. provide. The HTTP server function unit 133 functions as a service providing unit.

  Next, operations of the mediation server 101, the client 102, and the service providing server 103 having the above configuration will be described with reference to FIG. In FIG. 3, in step (hereinafter abbreviated as “ST”) 141, the service providing server 103 sends communication packets to the mediation server 101 periodically (for example, at intervals of 5 seconds) (keep-alive communication). It notifies that the service providing server 103 is in operation and the connection method (IP address, access port number, etc.) of the service providing server 103.

  In ST142, the mediation server 101 notifies the service providing server 103 of the common key Kc used for OTU authentication code generation and authentication code verification at a predetermined timing at the start of service. Thereby, the mediation server 101 and the service providing server 103 have the same common key Kc. Note that it is desirable to prevent leakage of the common key Kc by notifying the common key Kc through a secure communication path separately provided between servers.

  In ST143, the client 102 accesses the fixed address of the mediation server 101 and notifies a connection request to the service providing server 103. In ST144, the mediation server 101 displays access restriction information according to the service menu or the user's request as a URL parameter. Is added to the URL of the A1 portion shown in FIG. 5, an authentication code is generated using the common key Kc, and the authentication code is added to the A3 portion shown in FIG.

  In ST145, after the mediation server 101 performs desired client authentication such as a password, the OTU notifies the client 102 of a connection method to the service providing server 103. At this time, as a notification method of the OTU, notification may be made by e-mail to the mail address of the client 102 grasped in advance by the mediation server 101, or may be notified as information on the HTML page on the HTTP protocol.

  In ST146, the client 102 follows the OTU notified from the mediation server 101 to connect to the service providing server 103. Usually, this connection is realized by a simple user interface by simply clicking a URL link portion on a web browser or mailer.

  In ST147, the service providing server 103 verifies the authentication code portion of the OTU presented from the client 102 with the common key Kc, thereby confirming the validity of the OTU. In ST148, the client 102 determines the desired service providing server 103. HTTP access is realized.

  As described above, according to the first embodiment, another mediation server different from the service providing server is provided, the mediation server periodically acquires the address information of the service providing server, and the OTU-use information is obtained from the address information of the service providing server. The service providing server shares the encryption key used when generating the authentication code, and the service providing server confirms the validity of the authentication code using the shared encryption key, so that the issuer of the OTU and the acceptor of the OTU Even if they are physically different, unauthorized access due to forgery or alteration of the OTU can be prevented.

  In this embodiment, the OTU issuance method is directly notified on HTML. However, the present invention is not limited to this, but notification by e-mail, notification by a short message service of a mobile phone, PC terminal Notification by instant messaging or offline notification such as verbal transmission may be used.

  In this embodiment, server access based on the HTTP protocol is assumed. However, the present invention is not limited to this, and the location specification by URL may use the HTTPS protocol or the FTP protocol.

  In addition, the hash calculation function in the present embodiment may be any type as long as it is an irreversible one-way function, and the URL calculation target range of the URL may be arbitrarily set. However, the hash calculation target range of the URL must be matched between the service providing server and the mediation server.

  In this embodiment, when a client connects to a mediation server, client authentication is performed using a user ID and a password. However, the present invention is not limited to this, and whether or not to perform client authentication is arbitrarily selected. The type of authentication method is not limited when client authentication is performed.

(Embodiment 2)
FIG. 4 is a block diagram showing the internal configuration of the client, the mediation server, and the service providing server according to Embodiment 2 of the present invention. However, the parts in FIG. 4 common to those in FIG. 2 are denoted by the same reference numerals as those in FIG.

  First, the mediation server 101 will be described. In FIG. 4, a key pair generation unit 151 generates a key pair based on a public key cryptosystem in advance, and stores one in the information storage unit 152 as a secret key Ks and the other as a public key Kp.

  The inter-server communication unit 153 notifies the inter-server communication unit 161 of the service providing server 103 via the communication network 104 of the common key Kc and the public key Kp stored in the information storage unit 152.

  The encryption processing unit 154 performs encryption processing on the hash calculation result obtained by using the common key Kc by the hash calculation unit 115 using the secret key Ks stored in the information storage unit 152, and performs encryption processing The result is output to the OTU generation unit 155 as an authentication code.

  The OTU generation unit 155 generates an OTU by adding the authentication code output from the encryption processing unit 154 to the service providing server connection URL, and notifies the HTTP server function unit 113 of the generated OTU. The hash calculation unit 115 and the encryption processing unit 154 function as an authentication code generation unit.

  Next, the service providing server 103 will be described. 4, the inter-server communication unit 161 acquires the common key Kc and the public key Kp from the mediation server 101, and stores the acquired common key Kc and public key Kp in the information storage unit 162. Here, since the service providing server 103 acquires the public key Kp based on the public key cryptosystem from the mediation server 101, there is no need to provide a secure communication path between the servers as described in the first embodiment.

  The decryption processing unit 163 acquires an authentication code described in the OTU from an OTU verification unit 164 described later, and performs a decryption process using the public key Kp stored in the information storage unit 162 for the acquired authentication code. To notify the OTU verification unit 164 of the result of the decoding process.

  The OTU verification unit 164 outputs to the partial hash calculation unit 135 other than the OTU authentication code notified from the HTTP server function unit 133, and uses the common key Kc stored in the information storage unit 162 in the hash calculation unit 135. The obtained hash calculation result (hash value) is acquired, and it is confirmed whether or not the calculation result (hash value) matches the decryption result of the authentication code notified from the decryption processing unit 163.

  If the hash value does not match the decryption result of the authentication code, the HTTP server function unit 133 rejects HTTP access from the client 102. This is because a correct authentication code cannot be generated unless the mediation server 101 can know the secret key Ks, and if the validity of the OTU is not confirmed in the service providing server 103, whether the OTU has been tampered with by a third party, This is because it can be considered that there has been a spoofing (spoofing) attack related to the mediation server 101.

  On the other hand, if the hash value matches the authentication code added to the OTU, the HTTP server function unit 133 permits HTTP access from the client 102 and provides the HTTP server provided content stored in the information storage unit 162 to the client. .

  As described above, according to the second embodiment, another mediation server different from the service providing server is provided, and the mediation server performs a hash operation on the address information periodically acquired from the service providing server with the common key, and makes it public. Using the secret key that is one of the key pairs that can be used for the key encryption method, the hash calculation result is encrypted to generate an authentication code for OTU, and the service providing server uses a common key shared with the mediation server And the hash calculation result for the portion other than the authentication code of the OTU, and the decryption processing of the authentication code using the public key that is paired with the secret key used for the encryption processing by the mediation server, Even if the issuer of the OTU and the acceptor of the OTU are physically different by comparing the decryption processing result and confirming the validity of the authentication code, the OTU is forged or altered. That it is possible to prevent unauthorized access.

  In the present embodiment, as a public key distribution method, a method of notifying directly from the intermediary server to the service providing server is adopted. However, the present invention is not limited to this, and is a general public key distribution mechanism. A method of distributing indirectly by a third-party organization defined by the PKI protocol may be used. In short, any method may be used as long as the public key is distributed from the mediation server to the service providing server.

  Moreover, the public key cryptosystem in this Embodiment will not ask | require the type, if it is a cryptosystem using an asymmetric encryption key pair.

  The URL authentication system and the URL authentication method according to the present invention have an effect of preventing unauthorized access due to forgery or falsification of the OTU even when the issuer of the OTU and the acceptor of the OTU are physically different. It can be applied to in-home devices in a local network and mobile terminals such as mobile phones.

1 is a block diagram showing a configuration of a URL authentication system according to Embodiment 1 of the present invention. The block diagram which shows the internal structure of the mediation server shown in FIG. 1, a client, and a service provision server. The sequence diagram which shows operation | movement of the mediation server shown in FIG. 1, a client, and a service provision server The block diagram which shows the internal structure of the mediation server, client, and service provision server which concern on Embodiment 2 of this invention. Diagram showing an example of OTU Diagram for explaining connection processing between server and client using OTU The block diagram which shows the structure of the communication system provided with the mediation server

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Mediation server 102 Client 103 Service providing server 104 Communication network 111, 131, 153, 161 Inter-server communication unit 112, 122, 132, 152, 162 Information storage unit 113, 133 HTTP server function unit 114, 155 OTU generation unit 115, 135 Hash Calculation Unit 121 HTTP Client Function Unit 134, 164 OTU Verification Unit 151 Key Pair Generation Unit 154 Encryption Processing Unit 163 Decryption Processing Unit

Claims (7)

An intermediary server that issues the One Time URL including the authentication code, including the authentication code that proves the validity of the One Time URL itself in the One Time URL that induces connection to another server different from its own server,
A client that connects to another server different from the mediation server by acquiring the One Time URL issued by the mediation server and tracing the acquired One Time URL;
A service providing server as a server different from the mediation server, which confirms the validity of the One Time URL used by the client for connection and provides a service to the client for which the validity of the One Time URL is confirmed;
A URL authentication system comprising:   2. The URL authentication according to claim 1, wherein the service providing server shares an encryption key used by the mediation server for generating an authentication code, and verifies the validity of the authentication code using the shared encryption key. system.   The URL authentication system according to claim 2, wherein a secure communication path is provided between the mediation server and the service providing server, and the encryption key is shared via the communication path. An authentication code that proves the validity of the One Time URL itself is generated using the secret key that is one of the key pairs based on the public key cryptosystem for the One Time URL that induces connection to another server different from the local server. , A mediation server that issues a One Time URL containing the generated authentication code,
A client that connects to another server different from the mediation server by acquiring the One Time URL issued by the mediation server and tracing the acquired One Time URL;
The client confirms the validity of the One Time URL by using the public key that forms a key pair with the secret key in the One Time URL authentication code used by the client to connect to the client. A service providing server as another server different from the mediation server,
A URL authentication system comprising: An authentication code generating means that uses the first encryption key to generate an authentication code that proves the validity of the One Time URL that guides connection to another server different from the own server;
One Time URL generating means for generating a One Time URL including the authentication code generated by the authentication code generating means;
Notification means for notifying the second encryption key corresponding to the first encryption key used in the authentication code generation means to another server different from the own server;
A mediation server comprising: One Time URL verification means for verifying the validity of the One Time URL used by the client for connection using the second encryption key notified from the mediation server according to claim 5;
Service providing means for providing a service to a client whose validity of the One Time URL has been verified by the One Time URL verification means;
A service providing server comprising: The intermediary server issues a One Time URL including the authentication code, including the authentication code that proves the validity of the One Time URL itself in the One Time URL that induces connection to another server different from its own server,
The client acquires the One Time URL issued by the mediation server, and connects to another server different from the mediation server by tracing the acquired One Time URL.
A service providing server as another server different from the mediation server confirms the validity of the One Time URL used by the client for connection, and provides the service to the client for which the validity of the One Time URL is confirmed. A URL authentication method characterized by the above.

Images