JP2007095043A - Terminal device, connection condition determining device, system and method for maintaining security - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow connection when a terminal device for connecting to a network satisfies an appropriate security condition. <P>SOLUTION: This security maintaining system is structured by: a terminal device 300 equipped with an information collecting part 304 for collecting its own security state information, a card connecting part for connecting a card 306 recording an electronic certificate, a processor 301a for obtaining the electronic certificate from the card and inquiring about the connecting condition to a predetermined network, determining matching by response information, and when it is determined to be adaptable, requesting connection to the predetermined network with the response information; and an authentication device 320 equipped with a managing part 322 for managing the electronic certificate corresponding to each user, and an authentication determining part 323 for determining the matching of the security state information of the terminal device 300 to the connecting condition to the predetermined network and allowing connection using the electronic certificate managed by the managing part when there is a connection request from the terminal device to the predetermined network. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a terminal device, a security maintenance system, and a method for preventing computer virus contamination, in which only a predetermined terminal that is strong against attack from the outside and proven to be healthy is allowed to connect to the system. is there.

According to “Security Maintenance System and USB Key” described in Patent Document 1 as a conventional security maintenance system, the state of a computer OS is checked with a USB key, and information on the OS (operating system) is provided to a web server. However, the web server has improved the security of the computer by providing a setting file that can be used by the computer and guidance for applying an OS patch.
This is intended to instruct the corresponding device to apply the latest patch to increase the defense status.
In the past, only the latest defense system was voluntarily requested for each device in this way, and no attempt was made to systematically prevent the spread of virus contamination as a system.
JP 2003-303114 A

  The conventional security maintenance system is configured as described above, and has an effect of improving the operability when the user operates the system correctly, such as providing guidance when the user applies an OS patch. . However, there is a problem that a user who does not properly operate the security maintenance system cannot prevent problems such as connecting a computer having a security problem to an in-house network or the like and infecting another computer with a virus.

  The present invention has been made to solve the above-described problems. When the terminal device for connecting to the internal network does not satisfy the security conditions, the connection to the internal network is prevented and appropriately applied. The purpose is to allow the connection only in the case of a bad state.

The security maintenance system according to this invention is:
A1) an information collecting unit for collecting security status information of the terminal device itself, A2) a card connecting unit for connecting a card storing an electronic certificate, and A3) the electronic certificate from the card connected to the card connecting unit And sending inquiry information for inquiring to the network device on the network side about the connection condition to the predetermined network based on the acquired electronic certificate, and the connection condition to the predetermined network and the above-mentioned by the response information to the inquiry A processor that determines whether or not the security status information collected by the information collecting unit is compatible, and if it is determined to be compatible, creates a connection request with response information and outputs the connection request to the network to request connection to the predetermined network; A terminal device comprising
B1) a management unit that manages an electronic certificate corresponding to each user, and B2) when a connection request to the predetermined network is received as the user from the terminal device, the electronic certificate managed by the management unit An authentication apparatus comprising: an authentication determination unit that determines whether the security status information of the terminal device is compatible with a connection condition to the predetermined network, and, if the information is compatible, an authentication determination unit that permits connection to the terminal device; It is comprised by.
The inquiry information may be a transmission request for a connection condition to a predetermined network, or conversely, the security status information of the terminal device may be transmitted to inquire whether the connection condition to the predetermined network is applicable. Correspondingly, the response information may be transmission of a connection condition to a predetermined network, and conversely, it may be a response as a result of suitability.

  According to the terminal, system, and method of the present invention, the strong terminal device status information that can avoid an attack from the outside is obtained, and whether or not the connection to the internal network is determined, the security for connecting to the internal network There is an effect of preventing a terminal that does not satisfy the condition and a computer exposed to an external attack from connecting to the internal network and spreading pollution.

Embodiment 1 FIG.
A terminal, an authentication device, and a system that can be connected to an internal system only when the terminal is not exposed to an external attack and the latest appropriate security is guaranteed will be described.
FIG. 1 is a diagram showing a configuration of a terminal device, an authentication device, and a security maintenance system according to Embodiment 1 of the present invention. In the figure, a (virus resistant) terminal device 100 includes an input unit 102, a display unit 103, an information collection unit 104, a VPN (Virtual Private Network) virtual connection unit 105 (an example of a network connection unit), a card connection unit, IC card 106 including 106b is provided. Of course, the IC card can be extracted from the terminal device and stored, and has an encryption unit 107 therein and also has an encryption key 108. The terminal device 100 is connected to the VPN connection device 110 via the external network 114.
Further, the authentication device 120 is connected to the VPN connection device 110 via the internal network 115. The authentication device 120 includes a connection condition storage unit 121, a management unit 122, and an authentication determination unit 123 therein.

In order to prevent connection of a terminal device with low security, it is not sufficient to simply be in the latest virus protection state. This is because it is easy for a normal unprotected terminal device to infiltrate from the outside, and even if there is an encryption unit, it is easy to tamper with information by examining the internal state with a virus or the like. is there. Therefore, the terminal device must be equipped with a mechanism for preventing such tampering due to external intrusion. Also, it must be prevented that a user who does not properly operate the security maintenance system connects the terminal to the internal network. In other words, only terminals that have not been tampered with and in the correct state and in the latest maintenance state can be connected.
FIG. 2 is a diagram illustrating an example of connection conditions stored in the connection condition storage unit 121.
FIG. 3 is a diagram illustrating an example of the registration information 201 stored in the management unit 122, and shows that the user ID 2022 and the encryption key 203 are stored in pairs in the drawing.
FIG. 4 is a diagram illustrating an example of an error reason displayed on the display unit 103 when the connection of the terminal device 100 to the internal network is rejected.

FIG. 5 is a flowchart showing an operation process until the terminal device 100 reports a status and obtains connection authentication before connecting to the VPN connection device 110 using the processor 101a or the like.
FIG. 6 is a flowchart showing an authentication operation process executed when an authentication request regarding a terminal is sent from the VPN connection device 110 performed by the authentication device 120.
The operation of the system having the configuration of FIG. 1 will be described using the above flowchart.
First, an operation for requesting connection permission from the terminal device 100 to the authentication device 120 on the internal network side will be described. In step S101 of FIG. 5 (hereinafter, description of the step is omitted), the input unit 102 receives a user ID from the user. Next, in step S102, the terminal apparatus 100 uses the information collection unit 104 as security status information of the terminal apparatus 100 to determine the OS version, OS application patch number, virus check program version, virus check pattern file number, virus search date, Virus search usage pattern numbers are collected from the OS registry, file name, file date, and the like. Next, in S103, the terminal device 100 uses the encryption unit 107 in the IC card 106 to generate authentication data obtained by encrypting the collected state information with the encryption key 108 (an example of the encryption key). In step S <b> 104, the VPN connection unit 105 transmits an authentication request (an example of inquiry information) including the user ID and authentication data to the VPN device 109.

Since the terminal device is configured as described above and has the encryption unit inside the IC card 106, information in the terminal device is not stolen from the outside and altered. The status information collected for authentication sent from the terminal device 100 to the authentication device 120 is protected by encryption and can be transmitted safely.
When an authentication response is received in S105, the authentication response (an example of response information) received in S106 is checked. If the authentication response is OK, a VPN connection with the VPN connection device 110 is established (S107). Then, the completion of the connection is displayed on the display unit 103 (S108), and the connection process is terminated.
On the other hand, if the authentication response is NG in step S106, the error reason included in the authentication response is displayed on the display unit 103 (S109), and the connection process is terminated.

  On the other hand, when the authentication apparatus 120 receives an authentication request including a user ID and authentication data from the VPN apparatus in S201 of FIG. 6, the registration information 201 in which the user ID 202 matches the user ID received in S202 is stored in the management unit 122. Search for registration. If the registration information 201 that matches the user ID received in S201 is registered in the management unit 122 in S202, the encryption key 203 is extracted (S203). Further, the authentication data is decrypted with the encryption key 203 to obtain status information (S204). Next, the authentication determination unit 123 checks whether or not the state information satisfies each connection condition stored in the connection condition storage unit 121 (S205). It is confirmed whether all the connection conditions are OK (S206). If all the conditions are OK, the VPN connection apparatus 110 is notified of permission to connect the terminal apparatus 100 (S207), and the authentication process is performed. finish. On the other hand, if there is even one that does not meet the connection conditions in step S206, the VPN connection device 110 is notified of the rejection of the connection of the terminal device 100 with an error reason indicating the reason for the failure (S208). ), The authentication process is terminated. In addition, when the registration information 201 whose user ID 202 matches the user ID received in S201 in S202 is not registered in the management unit 111, a connection rejection is notified (S208), and the authentication process is terminated.

As described above, the status information of the terminal device is notified to the internal network based on the information provided on a card different from the terminal, and whether or not connection is possible is determined. It is possible to connect only an anti-virus terminal device satisfying the correct security condition to connect to the internal network.
In the present embodiment, the information collecting unit 104 has been described as a hardware component. However, as shown in FIG. 1, a program describing the function for performing the above operation is stored in the memory 101b. The microprocessor 101a may read and execute these programs. Alternatively, it is stored in the memory in the IC card 106 as an information collection program that can be executed by the microprocessor. The function of the information collecting unit may be executed by the microprocessor 101a when the virus-proof terminal device stores the authentication request. In this case, since the information is stored in the IC card 106 until the information collection program is executed, the terminal state information is collected without contamination from the terminal device 100 without being affected by viruses. Is possible. Even in such a case, it is possible to restrict so that only terminal devices that satisfy the security conditions are connected to the internal network.
In this embodiment, the VPN connection unit 105 is also hardware. However, like the information collection unit 104, a program describing a function for performing connection operation in another area of the memory 101b is stored, and The processor 101a may be configured to read and execute the program, and is stored in the IC card 106 as a VPN connection program that can be executed on the terminal device 100, and the terminal device from the IC card 106 when the VPN connection is executed. The configuration may be such that the program is transferred to the memory 101b of 100 and executed.
Further, the encryption unit may be in the terminal device, and only the encryption key 108 may be stored in the card, and the encryption key may be read out and encrypted. In the present embodiment, the encryption unit 107 has been described as a hardware component. However, the encryption unit 107 may be stored as a program executed on the IC card 106 and executed by the IC card 106. .

Embodiment 2. FIG.
It is common practice for an authentication device to have a function of authenticating the connection of a legitimate terminal device to an internal network. The VPN apparatus performs a simple authentication check such as a password, but usually does not have a complicated processing function such as performing a check after performing a decryption process corresponding to the encryption. In the present embodiment, a configuration will be described in which connection authentication to the internal network of the latest and safe terminal device is performed using the functions of such a normal system and similar to the previous embodiment.
In this embodiment, authentication is divided into two stages, one is not subjected to an external attack, and it is confirmed by providing a connection condition determination device that it is a healthy regular terminal having the latest security measures. . The other is to allow a terminal device that represents a sound legitimate terminal with a password to be allowed to connect to the network after confirming with an authentication device.
FIG. 7 is a configuration diagram showing a terminal device, a connection condition determination device, and a security maintenance system in the present embodiment. In the figure, the terminal device 300 includes an input unit 302, a display unit 303, an information collection unit 304, a VPN connection unit 305, and a card connection unit 306b including an IC card 306 that can be extracted and stored. It is the same. The certificate 307 is written on the IC card 306. The terminal device 300 is connected to the VPN connection device 310 via the external network 314. Further, it is connected to the authentication device 320 via the internal network 315. The authentication device 320 includes a management unit 322 and an authentication determination unit 323 inside.

A new configuration in the present embodiment is that a connection condition determination device 330 separated from the authentication device is provided. The connection condition determination device 330 includes a connection condition storage unit 331, a card authentication unit 332, a connection condition determination unit 333, and a password generation unit 334.
That is, after the connection condition is determined by the connection condition determination apparatus connected via the external network using the IC card certificate, the password is obtained and the connection authentication with the VPN connection apparatus is performed.
An example of the connection condition stored in the connection condition storage unit 331 in the connection condition determination device 330 is the same as the connection condition shown in FIG.
FIG. 8 shows registration information 401 stored by the management unit 322 in the authentication device 320, and stores a pair configuration of the user ID 402 and the password 403.
FIG. 9 is a diagram illustrating an example of a connection determination error displayed on the display unit 303 of the terminal device 300 when the connection condition determination is NG without satisfying the condition.

Next, the operation will be described.
FIG. 10 is a flowchart illustrating processing when the terminal device 300 first requests the connection condition determination device 330 to determine connection conditions using the processor 301a or the like. As described above, the execution of the function program described in the flow using the processor as the operation performed by the terminal device is the same in the other embodiments.
First, in step S <b> 301, a connection condition determination execution instruction with a user ID is received from the input unit 302 from the user. In step S <b> 302, an SSL (Secure Sockets) is exchanged with the card authentication unit 332 of the connection condition determination apparatus 330 using the certificate 307 in the IC card 306.
Communication by Layer) is established. In step S303, the information collection unit 304 uses the OS version, the OS application batch number, the virus check program version, the virus check pattern file number, the virus search date and time, and the virus search use pattern number as the status information of the terminal device 300. Are collected from the OS registry, file name, file date, and the like. In S304, a terminal condition determination request including the user ID received in S301 and the state information acquired in S303 is transmitted to the connection condition determination apparatus 330 by SSL communication established in S302. In step S305, the terminal condition determination result is received. In S306, the received terminal condition determination result is checked. If the determination result is OK, the password included in the connection determination result is displayed on the display unit 303 as a one-time password for the next connection (S307). The process ends. On the other hand, if the authentication response is NG in S306, the reason for error included in the determination result is displayed on the display unit 303 (S308), and the connection process is terminated.

FIG. 11 is a flowchart illustrating processing performed when the connection condition determination device 330 receives a connection determination request from the terminal device 300.
First, in S401, the card authentication unit 332 establishes SSL communication with the terminal device 300. In step S <b> 402, a connection determination request including a user ID (Identifier identifier) and state information of the terminal device 300 is received from the terminal device 300 by SSL communication established in step S <b> 401. In step S <b> 403, the connection condition determination unit 333 checks whether the received state information satisfies the connection condition stored in the connection condition storage unit 331. In S404, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the password generation unit 334 generates a one-time password (S405), and the user ID and the one-time password for the authentication device 320 are generated. A password setting request including is transmitted (S406). Next, in S407, the result of the connection condition determination OK and the terminal condition determination result including the one-time password generated in S405 are transmitted to the terminal device 300, and the process ends.
On the other hand, if there is one connection condition that is not OK in S404, an error reason indicating the condition that is not OK and a connection condition determination result are transmitted to the terminal apparatus 300 in S408, and the process is performed. finish.

FIG. 12 is a flowchart illustrating processing performed when the terminal device 300 connects to the VPN connection device 310.
First, in S501, the input unit 302 receives the input of the user ID and the one-time password displayed in S307 from the user. In step S <b> 502, an authentication request including a user ID and a one-time password is transmitted to the VPN connection device 310. In step S503, an authentication response is received. Next, the authentication response received in S504 is checked. If the authentication response is OK, the VPN connection with the VPN connection device 310 is established (S505), and the completion of the connection is displayed on the display unit 303 (S506). End the connection process.
On the other hand, if the authentication response is NG in S504, an authentication failure is displayed on the display unit 303 (S507), and the connection process is terminated.
FIG. 13 is a flowchart illustrating processing performed when the authentication device 320 receives a password setting request including a user ID and a one-time password from the connection condition determination device 330.
First, in S601, when a password setting request is received, it is searched whether or not the registration information 401 in which the user ID 402 matches the user ID received in S602 is registered in the management unit 322. If the registration information 401 whose user ID 402 matches the received user ID is registered in the management unit 322 in S602, the one-time password received in S601 is stored in the password 403 (S603), and the password registration is performed. End the process.
On the other hand, if the registration information 401 whose user ID 402 matches the user ID received in S602 is not registered in the management unit 322, the password registration processing is terminated without doing anything.

FIG. 14 is a flowchart showing an authentication process performed when the authentication device 320 receives an authentication request from the VPN connection device 310.
First, in step S <b> 701, when the authentication apparatus 320 receives an authentication request including a user ID and password from the VPN connection apparatus 310, registration information 401 in which the user ID 402 matches the user ID received in step S <b> 702 is registered in the management unit 322. To find out. If the registration information 401 whose user ID 402 matches the user ID received in the management unit 322 is registered in S702, the password 403 is extracted from the management unit 322 (S703), and matches the password received in S701. It is checked whether to do (S704). If the passwords match in the check in S704, the VPN connection device 310 is notified of permission to connect to the terminal device 300 (S705), the password 403 is deleted (S706), and the authentication process ends. To do.
On the other hand, if the passwords do not match in the check in S704, the VPN connection apparatus 310 is notified of the rejection of the connection of the terminal apparatus 300 (S707), and the authentication process is terminated. In S702, if the registration information 401 whose user ID 402 matches the user ID received in step S701 is not registered in the management unit 322, the VPN connection device 310 is notified of the rejection of the connection of the terminal device 300. (S707), and the authentication process ends.

As described above, the connection condition determination device is provided to determine whether connection to the internal network is possible based on the status information of the terminal device and to provide the system with the one-time password necessary for connection. It is possible to prevent a terminal device that does not satisfy the security conditions for connecting to the internal network from connecting to the internal network.
In the present embodiment, the information collecting unit 304 has been described as hardware. However, as in the first embodiment, the information is stored in the memory 301b of the terminal device 300 as an information collecting program that can be executed by the microprocessor 301a. May be. Alternatively, it is stored in the IC card 306 as an information collection program that can be executed on the terminal device 300, and is transferred and stored from the IC card to the memory 301b of the terminal device 300 when executing the authentication process. It can also be configured to be executed by 301a. In this case, since the information collection program is stored in the IC card 306 until it is executed, it is less likely to be affected by viruses on the terminal device 300, and the terminal status information can be collected safely. There is also an effect.
In the present embodiment, the VPN connection unit 305 in the terminal device 300 has also been described as hardware. However, as described above, a program having a VPN connection function is stored in the memory 301b and executed by the microprocessor 301a. Alternatively, a VPN connection program executable on the terminal device 300 is stored in the IC card 306, and when executing the VPN connection, the VPN connection program is transferred from the IC card to the memory 301b of the terminal device 300 and executed. You can also
Furthermore, the one-time password sent from the connection condition determination device 330 is stored as the password 309 in the IC card 306 via the terminal device 300, and when authenticating with the authentication device 320 via the VPN connection device 310, The password 309 may be read from the card and used. This makes it even safer from external attacks.

Embodiment 3 FIG.
It is good also as a structure which performs the determination of a connection condition by the determination part provided in the card | curd instead of performing on a network. That is, in the second embodiment, the connection condition is determined by the connection condition determination device connected from the terminal device via the external network. In this embodiment, however, the connection condition is determined in the IC card. Indicates when to do.
FIG. 15 is a configuration diagram illustrating a terminal device, a connection condition providing device, and a security maintenance system according to the third embodiment. In the figure, the terminal device 500 includes an input unit 502, a display unit 503, an information collection unit 504, a VPN connection unit 505, and a card connection unit 506b including an IC card 506 that can be extracted and stored. The IC card 506 has an encryption unit 507 inside, and has an encryption key 508 for this encryption. Further, the card stores a certificate 509, a password 513, which will be described later, and a connection condition 511, and further includes a connection condition determination unit 512.
The authentication device 520 includes a management unit 522 and an authentication determination unit 523 inside.

On the other hand, the connection condition providing device 530 includes a connection condition storage unit 531, a card authentication unit 532, and a password generation unit 534 inside. One example of the connection condition stored in the connection condition storage unit 531 is the same as the connection condition shown in FIG.
It is assumed that the encryption key 508 is a secret key and the public key corresponding to this is included in the certificate 509.
An example of the connection determination error displayed on the display unit 503 of the terminal device 500 when the connection condition determination is NG in the connection condition determination unit 512 in the IC card 506 is shown in FIG. 9 of the second embodiment. It is the same.
FIG. 16 shows registration information 601 stored in the management unit 522 of the authentication apparatus 520, and a pair of a user ID 602 and a password 603 is stored.

Next, the operation will be described.
FIG. 17 is a flowchart illustrating processing when the terminal device 500 makes a connection condition request to the connection condition providing device 530 and determines whether the connection condition is satisfied.
First, in step S <b> 801, the input unit 502 receives a user ID input and a connection condition determination execution instruction. In step S <b> 802, SSL communication is established with the connection condition providing apparatus 530 using the certificate 509 in the IC card 506. In step S803, a connection condition request including the user ID accepted by the connection condition providing apparatus 530 by the established SSL communication is transmitted. In step S804, a connection condition response including the encrypted password and the encrypted connection condition is received. In step S805, the received encrypted password and connection conditions are decrypted by the encryption unit 507 using the encryption key 508. In step S806, the password obtained by decryption is used as the password 513, and the obtained terminal conditions are set. The connection condition 511 is stored in the IC card 506. In this way, the latest security information is sent from the connection condition providing device 530 to the terminal device. In step S <b> 807, the information collection unit 504 uses the OS version, the OS application batch number, the virus check program version, the virus check pattern / file number, the virus search date / time, and the virus search use pattern number as the status information of the terminal device 500. Are collected from the OS registry, file name, file date, and the like. In step S <b> 808, the connection condition determination unit 512 checks whether the obtained state information of the terminal device 500 satisfies the connection condition 511 received from the connection condition providing apparatus 530 stored in the IC card 506. In step S809, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the password 513 is displayed as a one-time password on the display unit 503 (S810), and the process ends. On the other hand, if there is one connection condition that does not become OK in S809, the reason for the determination error is displayed on the display unit 503 (S811), and the process ends.

FIG. 18 is a flowchart illustrating processing performed by the connection condition providing device 530 when receiving a connection condition request from the terminal device 500.
First, in step S <b> 901, the card authentication unit 532 establishes SSL communication with the terminal device 500. In step S902, a connection condition request including a user ID is received from the terminal device 501 through the established SSL communication. In step S903, a public key is acquired using the certificate 509 used when establishing SSL. In step S904, the password generation unit 534 generates a one-time password, and in step S905, a password setting request including the user ID and the one-time password is transmitted to the authentication device 520. Next, in S906, each of the connection condition and the one-time password stored in the connection condition storage unit 531 is encrypted with the public key, and in S907, a terminal condition request result including these encrypted data is transmitted to the terminal device 500, The process ends.
The processing performed when the terminal device 500 connects to the VPN connection device 510 is the same as the processing shown in FIG. 12 of the second embodiment.
Further, the process performed when the authentication apparatus 520 receives a password setting request from the connection condition providing apparatus 530 is the same as the process shown in FIG. 13 of the second embodiment.
Furthermore, the authentication process performed when the authentication apparatus 520 receives an authentication request from the VPN connection apparatus 510 is the same as the process shown in FIG. 14 of the second embodiment.
The connection condition determination unit 512 provided in the card is provided not in the card but in the terminal device so that the connection condition 511 received from the connection condition providing device and the security status information collected by the information collection unit 504 are compared. May be.

As described above, whether to connect to the internal network is determined inside the IC card based on the status information of the terminal device, and the one-time password required for connection is read from the IC card to the terminal device. Only terminal devices that are safe against external attacks and satisfy the security conditions can be connected to the internal network.
Also in this embodiment, as in the other embodiments, the information collection unit 504 and the VPN connection unit 505 are not included in hardware, but are stored in the IC card 506 as an information collection program that can be executed on the terminal device 500. It is also possible to store and execute the authentication process by taking it out from the IC card onto the terminal device 500 and executing it. In this case, since the information is stored in the IC card 506 until the information collection program is executed, it is possible to collect terminal status information without being affected by the virus on the terminal device 500.
In this embodiment, the encryption unit 507 and the connection condition determination unit 512 have been described as hardware components. It may be a configuration.

Embodiment 4 FIG.
The authentication device 120 according to the first embodiment, the connection condition determining device 330 according to the second embodiment, and the connection condition providing device 530 according to the third embodiment have been described as being dedicated hardware devices. However, these devices may be configured using a general-purpose computer that stores a program having the functions shown in FIGS. 6, 11, and 18 in a memory, and reads and executes the program with a processor. .
In that case, the effects described in the above embodiments can be obtained by performing the method shown in the flowchart.

Embodiment 5. FIG.
As described as one of the variations in the first embodiment, in the configuration shown in FIG. 1, an encryption unit may be provided in the terminal device 100 to perform the operation of FIG.
FIG. 19 is a diagram illustrating an ID input by a user and a data flow among the terminal device 100, the VPN connection device 110, and the authentication device 120 in the present embodiment. The user transmits an ID to the terminal device 100 (S1000). Thereafter, the terminal device 100 transmits the ID and authentication data to the VPN connection device 110 (S1001), and the VPN connection device 110 transmits the ID and authentication data received in S1001 to the authentication device 120 (S1002).
Thereafter, the authentication device 120 transmits an authentication response to the VPN connection device 110 (S1003), and the VPN connection device 110 transmits the authentication response received in S1003 to the terminal device 100 (S1004). If the authentication response is OK, the terminal device 100 and the VPN connection device 110 exchange data to establish a VPN connection (S1005). When the data exchange in S1005 is completed, the result is returned to the user. Is displayed (S1006) and the process ends.
The system in this embodiment has the same effect as that of the first embodiment.

In contrast to the configuration of the present embodiment, the configuration having the encryption unit 107 of the first embodiment in the IC card 106 has a data flow in the security maintenance system shown in the sequence diagram of FIG.
That is, when the user transmits authentication information for the IC card 106 (S1050), the terminal device 100 receives the authentication information, and the microprocessor 101a displays only the IC card 106 in FIG. The encryption unit of the IC card 106 connected to the device is authenticated, and the authentication result is transmitted to the user (S1051). Thereafter, the user transmits an ID to the terminal device 100 (S1052). Thereafter, the processor 101a transmits security status information from the terminal device 100 to the IC card 106 (S1053), and transmits authentication data from the encryption unit 107 of the IC card 106 to the terminal device 100 (S1054). Thereafter, the terminal device 100 transmits the ID and authentication data to the VPN connection device 110 (S1055), and the VPN connection device 110 transmits the ID and authentication data received in S1055 to the authentication device 120 (S1056).

Thereafter, the authentication device 120 transmits an authentication response to the VPN connection device 110 (S1057), and the VPN connection device 110 transmits the authentication response received in S1057 to the terminal device 100 (S1058). If the authentication response is OK, data is exchanged for establishing a VPN connection between the terminal device 100 and the VPN connection device 110 (S1059). Is displayed (S1060) and the process ends.
As described above, in the first embodiment, since the VPN connection processing cannot be performed unless the IC card is successfully authenticated with the IC card as to whether or not the IC card is that of the authorized user, Unauthorized use of the terminal device can be prevented.
In the first embodiment, if the user authentication with the IC card fails, the process is terminated. However, in order to improve the convenience for the user, the authentication with the authorized user card is failed a plurality of times in succession. In such a case, the process may be terminated. Terminating the process when authentication fails multiple times in succession can also be applied to other embodiments. In the first embodiment and the fifth embodiment, the authentication determination unit 123 performs two processes, ie, a connection condition determination and a VPN connection process. As shown in FIG. It may be divided into

Embodiment 6 FIG.
In the second embodiment, nothing is described about the time from when the connection condition determining device generates the one-time password until the authentication device receives the ID and the one-time password input by the user. A configuration that further increases safety by limiting the time will be described. In other words, this embodiment shows a case where the connection condition is determined using the valid time (the time during which the one-time password can be used).
FIG. 22 is a diagram showing a configuration of a terminal device, a connection condition determination device, and a security maintenance system in the present embodiment. In FIG. 7, the terminal device 600 includes an input unit 602a, a display unit 603a, an information collection unit 604, a VPN connection unit 605, and a card connection unit 606b including an IC card 606 that can be extracted and stored. It is the same. The certificate 607 is written on the IC card 606. The terminal device 600 is connected to the VPN connection device 610 via the external network 614. Further, it is connected to the authentication device 620 via the internal network 615. The authentication device 620 includes a management unit 622, an authentication determination unit 623, and a time acquisition unit 624 therein.
The connection condition determination device 630 includes a connection condition storage unit 631, a card authentication unit 632, a connection condition determination unit 633, a password generation unit 634, and a valid time generation unit 635.

A new configuration in this embodiment is that a time acquisition unit 624 is provided inside the authentication device 620 and an effective time generation unit 635 is provided inside the connection condition determination device 630.
An example of the connection condition stored in the connection condition storage unit 631 in the connection condition determination apparatus 630 is the same as the connection condition shown in FIG.
FIG. 23 shows registration information 701 stored by the management unit 622 in the authentication apparatus 620, and stores a pair configuration of a user ID 702, a password 703, and an effective time 704.
An example of the connection determination error displayed on the display unit 603a of the terminal device 600 when the connection condition determination does not satisfy the condition is NG, is the same as that shown in FIG. 9 of the second embodiment.
FIG. 24 is a diagram illustrating an example of a connection determination error displayed on the display unit 603a of the terminal device 600 when the one-time password expires and becomes NG.

Next, the operation will be described. In the present embodiment, it is assumed that connection condition determination device 630 and authentication device 620 are time-synchronized.
The processing when the terminal device 600 requests the connection condition determination device 630 to determine the connection condition by the processor 601a or the like is the same as the processing shown in FIG. 10 of the second embodiment.
FIG. 25 is a flowchart illustrating processing performed when the connection condition determination device 630 receives a connection determination request from the terminal device 600.
First, in S1201, the card authentication unit 632 establishes SSL communication with the terminal device 600. Next, in S1202, the connection condition determination device 630 transmits a connection condition determination request including the user ID and the status information of the terminal device 600 from the terminal device 600 via the IC card 606 by SSL communication established in S1201. Receive. In step S <b> 1203, the connection condition determination unit 633 checks whether the received state information satisfies the connection condition stored in the connection condition storage unit 631. In S1204, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the password generation unit 634 generates a one-time password (S1205), and the effective time generation unit 635 determines the effective time of the one-time password. Is generated (S1206). Next, a password setting request including a user ID and a one-time password is transmitted to the authentication device 620 (S1207). Next, in S1208, the result of the connection condition determination OK and the terminal condition determination result including the one-time password generated in S1205 are transmitted to the IC card 606, and the process ends.
On the other hand, in S1204, if even one connection condition is not OK, the connection condition determination device 630 determines the reason for the error and the connection condition determination indicating the condition that is not OK for the IC card 606 in S1209. The result is transmitted and the process is terminated.

The process performed when the terminal apparatus 600 connects to the VPN connection apparatus 610 is the same as the process shown in FIG. 12 of the second embodiment.
FIG. 26 is a flowchart illustrating processing performed when the authentication device 620 receives a password setting request including a user ID, a one-time password, and a valid time from the connection condition determination device 630.
First, in step S1301, when the authentication apparatus 620 receives a password setting request, in step S1302, the authentication determination unit 623 registers registration information 701 in which the user ID 702 matches the received user ID in the management unit 622. To find out. If the registration information 701 whose user ID 702 matches the received user ID is registered in the management unit 622 in S1302, the authentication determination unit 623 stores the one-time password received in S1301 in the password 703 ( In step S1303, the valid time received in step S1301 is stored in the valid time 704 (S1304), and the password and valid time registration process ends.
On the other hand, if the registration information 701 whose user ID 702 matches the user ID received in S1302 is not registered in the management unit 622, the password registration process is terminated without doing anything.

FIG. 27 is a flowchart illustrating an authentication process performed when the authentication apparatus 620 receives an authentication request from the VPN connection apparatus 610.
First, in step S1401, the authentication device 620 receives an authentication request including a user ID and a password from the VPN connection device 610. In step S1402, the time acquisition unit 624 acquires the current time. Next, it is searched whether or not the registration information 701 whose user ID 702 matches the user ID received in S1403 is registered in the management unit 622. If the registration information 701 whose user ID 702 matches the received user ID is registered in the management unit 622 in S1403, the authentication determination unit 623 extracts the valid time 704 from the management unit 622 (S1404), and S1402 It is checked whether the one-time password is valid using the time acquired in step S1405. If the one-time password is valid in S1405, the authentication determination unit 623 extracts the password 703 from the management unit 622 (S1406), and checks whether it matches the password received in S1401 (S1407). If the passwords match in the check in S1407, the VPN connection device 610 is notified of permission to connect the terminal device 600 (S1408), the password 703 and the valid time 704 are deleted (S1409), and authentication is performed. End the process.
On the other hand, if the passwords do not match in the check in S1407, the VPN connection device 610 is notified of the rejection of the connection of the terminal device 600 (S1410), and the authentication process is terminated. In S1403, if the registration information 701 whose user ID 702 matches the user ID received in step S1401 is not registered in the management unit 622, the VPN connection device 610 is notified of the rejection of the connection of the terminal device 600. (S1410), and the authentication process is terminated. In S1405, if the one-time password is not valid, the VPN connection device 610 is notified of rejection of the connection of the terminal device 600 (S1410), and the authentication process is terminated.

FIG. 28 is a sequence diagram showing the data flow of the security maintenance system in the sixth embodiment of the present invention.
First, when the user transmits authentication information for the IC card 606 to the terminal device 600 (S1100), the terminal device 600 transmits the authentication result from the IC card 606 to the user (S1101). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 600 (S1102). Thereafter, when the terminal device 600 transmits an SSL communication establishment request to the IC card 606 (S1103), data is exchanged for establishing an SSL connection between the IC card 606 and the connection condition determination device 630 (S1104). When the exchange of data in S1104 is completed, the result is transmitted to the terminal device 600 (S1105). Thereafter, the terminal device 600 transmits a connection condition determination request to the IC card 606 (S1106), and the IC card 606 transmits the connection condition determination request received in S1106 to the connection condition determination device 630 (S1107). Thereafter, the connection condition determination device 630 transmits a password setting request including the ID and the one-time password to the authentication device 620 (S1108), and transmits a terminal condition determination result including the one-time password to the terminal device 600 for the IC card 606. (S1109).

The terminal device 600 receives the determination result from the IC card 606 (S1110), and if the determination result is OK, the terminal device 600 displays a one-time password to the user (S1111).
Thereafter, according to the input from the user, the terminal device 600 transmits an authentication request including the ID and authentication data to the VPN connection device 610 (S1113), and the VPN connection device 610 transmits the authentication request including the ID and authentication data received in S1113. It transmits to the authentication device 620 (S1114). Thereafter, the authentication device 620 transmits an authentication response to the VPN connection device 610 (S1115), and the VPN connection device 610 transmits the authentication response received in S1115 to the terminal device 600 (S1116). If the authentication response is OK, data is exchanged for establishing a VPN connection between the terminal device 600 and the VPN connection device 610 (S1117). When the data exchange in S1117 is completed, the result is returned to the user. Is displayed (S1118) and the process ends.
Although the above sequence diagram is also applied to the second embodiment, in this embodiment, in FIG. 28 of the sequence diagram, the password setting request (S1108) includes the valid time.

As described above, the connection condition determination device is provided to determine whether connection to the internal network is possible based on the status information of the terminal device and to provide the system with the one-time password necessary for connection. It is possible to prevent a terminal device that does not satisfy the security conditions for connecting to the internal network from connecting to the internal network.
In addition, since an effective time is provided for the one-time password, authentication processing for VPN connection can be performed before the connection condition is largely changed after checking the security status information. It is possible to prevent a terminal device that has been checked under the connection conditions of the above from connecting to the internal network.

In the present embodiment, the information collecting unit 604 has been described as hardware. However, as in the third embodiment, the memory 601b of the terminal device 600 is stored as an information collecting program that can be executed by the microprocessor 601a. May be. Alternatively, it is stored in the IC card 606 as an information collection program that can be executed on the terminal device 600, transferred to and stored in the memory 601b of the terminal device 600 from the IC card when executing the authentication process, and a microprocessor at the time of authentication request It can also be set as the structure which 601a performs. In this case, since the information collection program is stored in the IC card 606 until it is executed, it is less affected by the virus on the terminal device 600 and the terminal status information can be collected safely. There is also an effect.
In the present embodiment, the VPN connection unit 605 in the terminal device 600 has also been described as hardware. However, as described above, a program having a VPN connection function is stored in the memory 601b and executed by the microprocessor 601a. Alternatively, a VPN connection program executable on the terminal device 600 is stored in the IC card 606, and when executing the VPN connection, the VPN connection program is transferred from the IC card to the memory 601b of the terminal device 600 and executed. You can also

Furthermore, the one-time password sent from the connection condition determination device 630 is stored as the password 609 in the IC card 606 via the terminal device 600, and when authenticating with the authentication device 620 via the VPN connection device 610, The password 609 may be read from the IC card and used. This makes it even safer from external attacks.
In this embodiment, the authentication device 620 checks the one-time password and valid time in the authentication process performed when an authentication request is sent from the VPN connection device 610. However, the connection condition is also checked. May be. Specifically, the authentication device 620 acquires the update date of the current connection condition from the connection condition determination device 630, and compares the acquired update date with the valid time. If the acquired update date is closer to the current time, a connection refusal is notified. By doing so, it becomes possible to permit only the terminal device satisfying the latest connection condition to be connected to the internal network.
In this embodiment, the process ends when the authentication of the IC card and the user fails. However, in order to improve the convenience for the user, the process may be ended when the authentication fails a plurality of times in succession. .

Embodiment 7 FIG.
Up to now, the one-time password has been used for authentication when the authentication apparatus receives an authentication request from the VPN connection apparatus. In this embodiment, the authentication apparatus performs authentication using a signature.
FIG. 29 is a diagram showing a configuration of a terminal device, a connection condition determination device, and a security maintenance system according to the seventh embodiment. In FIG. 21, the terminal device 800 includes an input unit 802, a display unit 803, an information collection unit 804, a VPN connection unit 805, and a card connection unit 806b including an IC card 806 that can be extracted and stored. It is the same. The certificate 807 is written in the IC card 806. The terminal device 800 is connected to the VPN connection device 810 via the external network 814. Further, it is connected to the authentication device 820 via the internal network 815. The authentication device 820 includes a management unit 822, an authentication determination unit 823, a time acquisition unit 824, and a key management unit 825 inside.
The connection condition determination device 830 includes a connection condition storage unit 831, a card authentication unit 832, a connection condition determination unit 833, an authentication information generation unit 834, and an effective time generation unit 835.

A new configuration in the present embodiment is that an authentication information generation unit 834 is provided inside the connection condition determination device 830. The authentication information generation unit 834 generates a signature (connection permission signature). Unlike the certificate 807 that proves that the public key of the IC card 806 is authentic, the signature has a connection condition that is OK, and the terminal ID and signature validity time are determined by the secret key of the connection condition determination device 830. Encryption (signature generation) is performed, and the authentication device 820 guarantees that the connection condition determination device 830 has successfully decrypted (signature verification) using the public key. Unlike the case of using a one-time password, it is not necessary to pass a signature from the connection condition determination device 830 to the authentication device 820 in advance, and each can be configured independently. The signature generated by the authentication information generation unit 834 is stored as authentication information 809 in the IC card 806, and the authentication information acquisition unit 808 extracts the authentication information 809 from the IC card 806.
An example of the connection condition stored in the connection condition storage unit 831 in the connection condition determination device 830 is the same as the connection condition shown in FIG.
An example of a connection determination error displayed on the display unit 803 of the terminal device 800 when the connection condition determination is NG without satisfying the condition is the same as that shown in FIG. 9 of the second embodiment.
FIG. 30 is an example of a connection determination error displayed on the display unit 803 of the terminal device 800 when signature verification is correctly processed.
FIG. 31 is an example of a connection permission notification displayed on the display unit 803 of the terminal device 800 when the connection condition determination satisfies the condition and becomes OK.

Next, the operation of the system configured as described above will be described. In the present embodiment, it is assumed that connection condition determination device 830 and authentication device 820 are time-synchronized. Further, it is assumed that the authentication device 820 has the public key of the connection condition determination device 830 and knows the signature algorithm used by the connection condition determination device 830.
FIG. 32 is a flowchart illustrating processing performed when the terminal device 800 requests the connection condition determination device 830 to determine connection conditions by the processor 801a or the like.
First, in S1500, the user attaches the IC card 806 to the terminal device 800, and performs authentication between the user and the IC card 806. If the information input by the user matches the information stored in the card and authentication is successful in step S1501, the terminal apparatus 800 determines whether or not the connection condition determination is accompanied by the user ID from the input unit 802 in step S1502. Accept execution instructions. In step S <b> 1503, SSL communication is established with the card authentication unit 832 of the connection condition determination apparatus 830 using the certificate 807 in the IC card 806. In step S <b> 1504, the information collection unit 804 uses the OS version, the OS application batch number, the virus check program version, the virus check pattern / file number, the virus search date / time, and the virus search use pattern as the security status information of the terminal device 800. The number is collected from the OS registry, file name, file date, and the like.

In S1505, the terminal device 800 transmits a terminal condition determination request including the user ID received in S1502 from the card connection unit 806b to the connection condition determination device 830 by the SSL communication established in S1502 and the status information acquired in S1504. Send. In step S1506, the IC card 806 receives the terminal condition determination result. In step S1507, the connection permission signature included in the terminal condition determination result is stored in the IC card 806 as authentication information 809.
In step S1508, the received terminal condition determination result is checked. If the determination result is OK, a connection permission notification included in the connection determination result is displayed on the display unit 803 (S1509), and the process ends. On the other hand, if the authentication response is NG in S1508, the reason for the error included in the determination result is displayed on the display unit 803 (S1510), and the connection process is terminated.

FIG. 33 is a flowchart illustrating processing performed when the connection condition determination device 830 receives a connection determination request from the terminal device 800.
First of all, the connection condition determination device 830 establishes SSL communication with the terminal device 800 in the card authentication unit 832 in S1601. In step S1602, a connection condition determination request including the user ID and the status information of the terminal device 800 is received from the terminal device 800 via the IC card 806 by SSL communication established in step S1601. In step S1603, the connection condition determination unit 833 checks whether the received state information satisfies the connection condition stored in the connection condition storage unit 831. In S1604, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the effective time generation unit 835 generates an effective time of the connection permission signature (S1605). Next, the authentication information generation unit 834 generates a connection permission signature using the secret key of the connection condition determination device 830 (S1606). The connection permission signature is a signature obtained by summarizing the user ID received in S1602 and the valid time received in S1605. In step S1607, the terminal condition determination result including the connection condition determination OK result and the connection permission signature generated in step S1606 is transmitted to the IC card 806, and the process ends.
On the other hand, in S1604, if even one connection condition is not OK, an error reason and a connection condition determination result indicating the condition that is not OK are transmitted to the IC card 806 in S1608, and the process is performed. finish.

FIG. 34 is a flowchart showing processing performed when the terminal device 800 connects to the VPN connection device 810.
First, in any case, the terminal device 800 accepts a VPN connection instruction from the user at the input unit 802 in step S1701. Here, the VPN connection instruction is an instruction for starting VPN connection processing using the authentication information 809 in the IC card. Next, the VPN connection unit 805 of the terminal device 800 transmits a signature acquisition request to the authentication information acquisition unit 808 of the IC card 806 (S1702). The stored connection permission signature is acquired (S1703).
In step S <b> 1704, the VPN connection unit 805 transmits an authentication request including a connection permission signature to the VPN connection device 810. In step S1705, the VPN connection unit 805 receives an authentication response. In step S1706, the VPN connection unit 805 checks the received authentication response. If the authentication response is OK, the VPN connection unit 810 establishes a VPN connection with the VPN connection device 810 (S1707), and the display unit 803 confirms the completion of the connection. Display (S1708), and the connection process is terminated.
On the other hand, if the authentication response is NG in S1706, an authentication failure is displayed on the display unit 803 (S1709), and the connection process is terminated.

FIG. 35 is a flowchart showing an authentication process performed when the authentication device 820 receives an authentication request from the VPN connection device 810.
First, in S1801, when the authentication device 820 receives an authentication request including a connection permission signature from the VPN connection device 810, the time acquisition unit 824 acquires the current time in S1802. Next, in any of the following, the authentication device 820 verifies the connection permission signature using the public key of the connection condition determination device 830 stored in the key management unit 825 in S1803. If the verification process is normally performed in S1804, it is searched whether the user ID obtained in S1803 is registered in the management unit 822 (S1805). Note that the authentication device 820 determines that the terminal device 800 has received a connection permission from the connection condition determination device 830 because the verification process has been normally performed in step S1804. If the user ID obtained in S1803 is registered in the management unit 822 in S1805, the authentication determination unit 823 extracts the valid time obtained in S1803 (S1806), and connects using the time obtained in S1802. It is checked whether the permission signature is valid (S1807). If the connection permission signature is valid in S1807, the VPN connection device 810 is notified of permission to connect the terminal device 800 (S1808), the connection permission signature and the valid time are deleted (S1809), and authentication is performed. The process ends.
On the other hand, if the connection permission signature is not valid in the check in S1807, the VPN connection device 810 is notified of the rejection of the connection of the terminal device 800 (S1810), and the authentication process is terminated. If the verification process is not normally performed in S1804, the VPN connection apparatus 810 is notified of the rejection of the connection of the terminal apparatus 800 (S1810), and the authentication process is terminated. In S1805, if the user ID obtained in S1803 is not registered in the management unit 822, the VPN connection device 810 is notified of the rejection of the connection of the terminal device 800 (S1810), and the authentication process is performed. finish.

FIG. 36 is a sequence diagram showing the data flow of the security maintenance system in the seventh embodiment of the present invention.
When the user transmits authentication information for the IC card 806 via the terminal device 800 (S1900), the terminal device 800 transmits the authentication result from the IC card 806 to the user (S1901). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 800 (S1902). Thereafter, when the terminal device 800 transmits an SSL communication establishment request to the IC card 806 (S1903), data exchange is performed between the IC card 806 and the connection condition determination device 830 for establishing an SSL connection (S1904). When the data exchange in S1904 is completed, the result is transmitted to the terminal device 800 (S1905). Thereafter, the terminal device 800 transmits a connection condition determination request to the IC card 806 (S1906), and the IC card 806 transmits the connection condition determination request received in S1906 to the connection condition determination device 830 (S1907). Thereafter, the terminal condition determination result including the connection permission signature is transmitted to the IC card 806 (S1908). The determination result is transmitted from the IC card 806 to the terminal device 800 (S1909). If the determination result is OK, the terminal device 800 displays a connection permission notification to the user (S1910). Thereafter, when the user transmits a VPN connection instruction to the terminal device 800 (S1911), the terminal device 800 transmits a signature acquisition request to the IC card 806 (S1912), and the IC card 806 transmits a connection permission signature to the terminal device 800. (S1913). Thereafter, the terminal device 800 transmits an authentication request including the connection permission signature to the VPN connection device 810 (S1914), and the VPN connection device 810 transmits the authentication request including the connection permission signature received in S1914 to the authentication device 820 (S1915). ).
Thereafter, the authentication device 820 transmits an authentication response to the VPN connection device 810 (S1916), and the VPN connection device 810 transmits the authentication response received in S1916 to the terminal device 800 (S1917). When the authentication response is OK, the terminal device 800 and the VPN connection device 810 exchange data for establishing a VPN connection (S1918). When the data exchange in S1918 ends, the result is displayed as the user. Is displayed (S1919) and the process ends.

As described above, the connection condition determination device is provided to determine whether connection to the internal network is possible based on the status information of the terminal device and to provide the system with a connection permission signature necessary for connection. It is possible to prevent a terminal device that does not satisfy the security condition for connecting to the internal network from being connected to the internal network.
Further, since a valid time is provided for the connection permission signature, authentication processing for VPN connection can be performed after the check of the security status information is completed and before the connection condition is largely changed. It is possible to prevent a terminal device that has been checked under the connection conditions of the above from connecting to the internal network.
In this embodiment, since communication does not occur between the connection condition determination device and the authentication device, the organization that operates the connection condition determination device and the organization that operates the authentication device can be independent. For this reason, even organizations that cannot build a large system can provide services using the connection condition determination device and do not meet the security requirements for connecting to the internal network regardless of the size of the organization. It is possible to prevent the terminal device from connecting to the internal network.

In the present embodiment, the information collection unit 804 is described as hardware. However, as in the third embodiment, the memory 801b of the terminal device 800 is stored as an information collection program executable by the microprocessor 801a. May be. Alternatively, it is stored in the IC card 806 as an information collection program that can be executed on the terminal device 800, transferred to the memory 801b of the terminal device 800 from the IC card and stored when executing the authentication process, and the microprocessor when the authentication is requested. It can also be configured to be executed by 801a. In this case, since the information collection program is stored in the IC card 806 until it is executed, it is less affected by viruses on the terminal device 800, and the terminal status information can be collected safely. There is also an effect.
In this embodiment, the VPN connection unit 805 in the terminal device 800 is also described as hardware. However, as described above, a program having a VPN connection function is stored in the memory 801b and executed by the microprocessor 801a. Alternatively, a VPN connection program that can be executed on the terminal device 800 is stored in the IC card 806, and is transferred from the IC card 806 to the memory 801b of the terminal device 800 and executed when the VPN connection is executed. It can also be.
Further, in this embodiment, the verification of the connection permission signature and the valid time are checked in the authentication process performed when the authentication device 820 receives an authentication request from the VPN connection device 810, but the connection condition is also checked. You may do it. Specifically, the authentication device 820 acquires the update date of the current connection condition from the connection condition determination device 830, and compares the acquired update date with the valid time. If the acquired update date is closer to the current time, a connection refusal is notified. By doing so, it becomes possible to permit only the terminal device satisfying the latest connection condition to be connected to the internal network.
In this embodiment, the process ends when the authentication of the IC card and the user fails. However, in order to improve the convenience for the user, the process may be ended when the authentication fails a plurality of times in succession. .

Embodiment 8 FIG.
In the third embodiment, there is a case where nothing is described about the time from when the connection condition providing device generates the one-time password until the authentication device receives the ID and the one-time password input by the user. It was. In this embodiment, a case is shown in which the connection condition is determined using the valid time (the time during which the one-time password can be used).
FIG. 37 is a diagram illustrating a configuration of a terminal device, a connection condition providing device, and a security maintenance system according to the eighth embodiment. In the figure, a terminal device 1100 includes an input unit 1102, a display unit 1103, an information collection unit 1104, a VPN connection unit 1105, and a card connection unit 1106b (not shown in FIG. 37) including an IC card 1106 that can be extracted and stored. I have. The IC card 1106 has an encryption unit 1107 inside, and has an encryption key 1108 for this encryption. The card stores a certificate 1109, a password 1113, which will be described later, and a connection condition 1111, and further includes a connection condition determination unit 1112.
The authentication device 1120 includes a management unit 1122, an authentication determination unit 1123, and a time acquisition unit 1124 inside.

On the other hand, the connection condition providing apparatus 1130 includes a connection condition storage unit 1131, a card authentication unit 1132, a password generation unit 1134, and an effective time generation unit 1135. An example of the connection condition stored in the connection condition storage unit 1131 is the same as the connection condition shown in FIG.
It is assumed that the encryption key 1108 is a secret key and the public key corresponding to the encryption key 1108 is included in the certificate 1109.
An example of a connection determination error displayed on the display unit 1103 of the terminal device 1100 when the connection condition determination is NG in the connection condition determination unit 1112 in the IC card 1106 is shown in FIG. 9 of the second embodiment. It is the same.
An example of a connection determination error displayed on the display unit 603 of the terminal device 600 when the one-time password expires and becomes NG is the same as that in FIG. 24 of the sixth embodiment.
The new configuration in the present embodiment is that a time acquisition unit 1124 is provided in the authentication device 1120 and an effective time generation unit 1135 is provided in the connection condition providing device 1130.
FIG. 38 shows registration information 1201 stored in the management unit 1122 of the authentication apparatus 1120, and a pair of a user ID 1202, a password 1203, and an effective time 1204 is stored.

Next, the operation will be described. In the present embodiment, it is assumed that connection condition providing apparatus 1130 and authentication apparatus 1120 are time-synchronized.
Processing when the terminal apparatus 1100 makes a connection condition request to the connection condition providing apparatus 1130 and determines whether the connection condition is satisfied is the same as that in FIG. 17 of the third embodiment.
FIG. 39 is a flowchart illustrating processing performed by the connection condition providing apparatus 1130 when receiving a connection condition request from the terminal apparatus 1100.
First, in S2301, the card authentication unit 1132 establishes SSL communication with the IC card 1106. Next, in any of the following, the connection condition providing apparatus 1130 receives the connection condition request including the user ID from the terminal apparatus 1100 via the IC card 1106 by the established SSL communication in S2302. In step S2303, the public key is acquired using the certificate 1109 used when establishing the SSL. In step S2304, the password generation unit 1134 generates a one-time password. In step S2305, the effective time generation unit 1135 generates an effective time for the one-time password. In step S <b> 2306, a password setting request including a user ID, a one-time password, and a valid time is transmitted to the authentication apparatus 1120. In step S2307, each of the connection condition and the one-time password stored in the connection condition storage unit 1131 is encrypted with the public key. 1106, and the process ends.

The processing performed when the terminal device 1100 connects to the VPN connection device 1110 is the same as the processing illustrated in FIG. 12 of the second embodiment.
Further, the process performed when the authentication apparatus 1120 receives a password setting request from the connection condition providing apparatus 1130 is the same as the process shown in FIG. 26 of the sixth embodiment.
Further, the authentication process performed when the authentication apparatus 1120 receives an authentication request from the VPN connection apparatus 1110 is the same as the process shown in FIG. 27 of the sixth embodiment.
FIG. 40 is a sequence diagram showing the data flow of the security maintenance system in the eighth embodiment of the present invention.
First, when the user transmits authentication information for the IC card 1106 to the terminal device 1100 (S2200), the terminal device 1100 transmits the authentication result from the IC card 1106 to the user (S2201). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 1100 (S2202). After that, when the terminal device 1100 transmits an SSL communication establishment request to the IC card 1106 (S2203), data is exchanged for establishing an SSL connection between the IC card 1106 and the connection condition providing device 1130 (S2204). When the data exchange in S2204 is completed, the result is transmitted to the terminal device 1100 (S2205). Thereafter, the terminal device 1100 transmits a connection condition request to the IC card 1106 (S2206), and the IC card 1106 transmits the connection condition request received in S2206 to the connection condition providing device 1130 (S2207). Thereafter, the connection condition providing apparatus 1130 transmits a password setting request including the ID and the one-time password to the authentication apparatus 1120 (S2208), and transmits a connection condition response including the one-time password and the connection condition to the IC card 1106 (S2209). .

When the connection condition response result is transmitted from the IC card 1106 to the terminal device 1100 (S2210), the terminal device 1100 transmits status information to the IC card 1106 (S2211). Thereafter, the IC card 1106 transmits a determination result to the terminal device 1100 (S2212). If the determination result is OK, the terminal device 1100 displays a one-time password to the user (S2213). Thereafter, when the user inputs the ID and the one-time password displayed in S2213 to the terminal device 1100 (S2214), the terminal device 1100 transmits an authentication request including the ID and authentication data to the VPN connection device 1110 (S2215). The VPN connection device 1110 transmits an authentication request including the ID and authentication data received in S2215 to the authentication device 1120 (S2216). Thereafter, the authentication device 1120 transmits an authentication response to the VPN connection device 1110 (S2217), and the VPN connection device 1110 transmits the authentication response received in S2217 to the terminal device 1100 (S2218). If the authentication response is OK, the terminal device 1100 and the VPN connection device 1110 exchange data for establishing a VPN connection (S2219). When the data exchange in S2219 is completed, the result is returned to the user. Is displayed (S2220) and the process ends.
The above sequence diagram is also applied to the third embodiment.
In the present embodiment, in the above sequence diagram, the password setting request (S2208) includes the valid time.

As described above, whether to connect to the internal network is determined inside the IC card based on the status information of the terminal device, and the one-time password required for connection is read from the IC card to the terminal device. Only terminal devices that are safe against external attacks and satisfy the security conditions can be connected to the internal network.
In addition, since an effective time is provided for the one-time password, authentication processing for VPN connection can be performed before the connection condition is largely changed after checking the security status information. It is possible to prevent a terminal device that has been checked under the connection conditions of the above from connecting to the internal network.
The connection condition determination unit 1112 provided in the card is provided not in the card but in the terminal device so that the connection condition 1111 received from the connection condition providing device is compared with the security status information collected by the information collection unit 1104. May be. This configuration can also be applied to other embodiments.

Also in this embodiment, as in the other embodiments, the information collection unit 1104 and the VPN connection unit 1105 are not included in the hardware but in the IC card 1106 as an information collection program that can be executed on the terminal device 1100. It is also possible to store and execute the authentication process by taking it out from the IC card 1106 onto the terminal device 1100 and executing it. In this case, it is possible to collect terminal status information without being affected by the virus.
In this embodiment, the authentication device 1120 checks the one-time password and the valid time in the authentication process performed when an authentication request is sent from the VPN connection device 1110. However, the connection condition is also checked. May be. Specifically, the authentication device 1120 acquires the update date of the current connection condition from the connection condition providing device 1130, and compares the acquired update date with the valid time. If the acquired update date is closer to the current time, a connection refusal is notified. By doing so, it becomes possible to permit only the terminal device satisfying the latest connection condition to be connected to the internal network.
Further, in this embodiment, the process is terminated when the authentication of the IC card and the user fails, but the process may be terminated when the authentication fails a plurality of times as in the other embodiments.

Embodiment 9 FIG.
In the system including the connection condition providing device in the previous embodiment, the authentication device uses a one-time password for authentication when an authentication request is sent from the VPN connection device. In this embodiment, a signature is used. The case where the authentication device performs authentication is shown.
FIG. 41 is a diagram showing a configuration of a terminal device, a connection condition providing device, and a security maintenance system in the present embodiment. In the figure, a terminal device 1300 includes an input unit 1302, a display unit 1303, an information collection unit 1304, a VPN connection unit 1305, and a card connection unit 1306b including an IC card 1306 that can be extracted and stored (not shown in FIG. 41). I have. The IC card 1306 has an encryption unit 1307 inside, and has an encryption key 1308 for this encryption. Further, the card stores a certificate 1309, authentication information 1313, which will be described later, and a connection condition 1311, and further includes a connection condition determination unit 1312.
The authentication device 1320 includes a management unit 1322, an authentication determination unit 1323, a time acquisition unit 1324, and a key management unit 1325.

On the other hand, the connection condition providing apparatus 1330 includes a connection condition storage unit 1331, a card authentication unit 1332, an authentication information generation unit 1334, and an effective time generation unit 1335. An example of the connection condition stored in the connection condition storage unit 1331 is the same as the connection condition shown in FIG.
It is assumed that the encryption key 1308 is a secret key and a public key corresponding to the encryption key 1308 is included in the certificate 1309.
An example of a connection determination error displayed on the display unit 1303 of the terminal device 1300 when the connection condition determination is NG in the connection condition determination unit 1312 in the IC card 1306 is shown in FIG. 9 of the second embodiment. It is the same.
An example of the connection determination error displayed on the display unit 1303 of the terminal device 1300 when the signature verification is correctly processed is the same as that in FIG. 30 of the seventh embodiment.
In addition, when the connection condition determination satisfies the condition and becomes OK, an example of the connection permission notification displayed on the display unit 1303 of the terminal device 1300 is the same as FIG. 31 of the seventh embodiment.
A new configuration in this embodiment is that an authentication information generation unit 1334 is provided inside the connection condition providing device 1330. Further, the signature generated by the authentication information generation unit 1334 is stored as authentication information 1313 in the IC card 1306.
A new configuration in this embodiment is that an authentication information generation unit 1334 is provided inside the connection condition providing device 1330. The authentication information generation unit 1334 generates a signature (connection permission signature). Unlike the certificate 1309 that proves that the public key of the IC card 1306 is authentic, the signature is that the connection condition is OK, the terminal ID and the validity time of the signature are set by the private key of the connection condition determination device 1330. Encryption is performed (signature generation), and the authentication device 1320 ensures that the connection condition determination device 1330 succeeds in decryption (signature verification) using the public key. Unlike the case of using a one-time password, it is not necessary to pass a signature from the connection condition determination device 1330 to the authentication device 1320 in advance, and each can be configured independently.

Next, the operation will be described. In the present embodiment, it is assumed that connection condition providing apparatus 1330 and authentication apparatus 1320 are time-synchronized. Further, it is assumed that the authentication apparatus 1320 has the public key of the connection condition providing apparatus 1330 and knows the signature algorithm used by the connection condition providing apparatus 1330.
The processing when the terminal apparatus 1300 makes a connection condition request to the connection condition providing apparatus 1330 and determines whether the connection condition is satisfied includes a connection permission signature in the connection condition response of FIG. , Except that the connection permission notification is displayed instead of the password display in S2011, is the same as FIG. 17 of the third embodiment.
FIG. 42 is a flowchart illustrating processing performed by the connection condition providing apparatus 1330 when receiving a connection condition request from the terminal apparatus 1300.
First, in S <b> 2401, the card authentication unit 1332 establishes SSL communication with the IC card 1306. Next, in any of the following, the connection condition providing apparatus 1330 receives the connection condition request including the user ID from the terminal apparatus 1300 via the IC card 1306 by the established SSL communication in S2402. In step S2403, the public key is acquired using the certificate 1309 used when establishing the SSL. In step S2404, the authentication information generation unit 1334 generates a connection permission signature using the secret key of the connection condition providing device 1330. In step S2405, the effective time generation unit 1335 generates a connection permission signature valid time. In step S2406, each of the connection condition and the connection permission signature stored in the connection condition storage unit 1331 is encrypted with the public key. In step S2407, the terminal condition request result including the encrypted data is transmitted via the terminal device 1300 to the IC card. 1306, and the process ends.

The processing performed when the terminal device 1300 connects to the VPN connection device 1310 is the same as the processing shown in FIG. 34 of the sixth embodiment.
Furthermore, the authentication process performed when authentication apparatus 1320 receives an authentication request from VPN connection apparatus 1310 is the same as the process shown in FIG. 35 of the sixth embodiment.
FIG. 43 is a sequence diagram showing a data flow of the security maintenance system in the ninth embodiment of the present invention.
When the user transmits authentication information for the IC card 1306 to the terminal device 1300 (S2500), the terminal device 1300 transmits the authentication result from the IC card 1306 to the user (S2501). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 1300 (S2502). Thereafter, when the terminal device 1300 transmits an SSL communication establishment request to the IC card 1306 (S2503), data is exchanged between the IC card 1306 and the connection condition providing device 1330 to establish an SSL connection (S2504). When the data exchange in S2504 is completed, the result is transmitted to the terminal device 1300 (S2505). Thereafter, the terminal device 1300 transmits a connection condition request to the IC card 1306 (S2506), and the IC card 1306 transmits the connection condition request received in S2506 to the connection condition providing device 1330 (S2507). Thereafter, the connection condition providing apparatus 1330 transmits a connection condition response including the connection permission signature and the connection condition to the IC card 1306 (S2508). When the connection condition response result is transmitted from the IC card 1306 to the terminal device 1300 (S2509), the terminal device 1300 transmits the status information to the IC card 1306 (S2510). Thereafter, the IC card 1306 transmits the determination result to the terminal device 1300 (S2511). When the determination result is OK, the terminal device 1300 displays a connection permission notification to the user (S2512).

  Thereafter, when the user transmits a VPN connection instruction to the terminal device 1300 (S2513), the terminal device 1300 transmits a signature acquisition request to the IC card 1306 (S2514), and the IC card 1306 transmits a connection permission signature to the terminal device 1300. (S2515). Thereafter, the terminal device 1300 transmits an authentication request including the connection permission signature to the VPN connection device 1310 (S2516), and the VPN connection device 1310 transmits the authentication request including the connection permission signature received in S2516 to the authentication device 1320 (S2517). ). Thereafter, the authentication device 1320 transmits an authentication response to the VPN connection device 1310 (S2518), and the VPN connection device 1310 transmits the authentication response received in S2518 to the terminal device 1300 (S2519). If the authentication response is OK, the terminal device 1300 and the VPN connection device 1310 exchange data for establishing a VPN connection (S2520). When the data exchange in S2520 is completed, the result is returned to the user. Is displayed (S2521) and the process ends.

As described above, whether to connect to the internal network is determined inside the IC card based on the status information of the terminal device, and the connection conditions necessary for the connection are read from the IC card to the terminal device. Only terminal devices that are safe against attacks and satisfy the security conditions can be connected to the internal network.
In addition, since a valid time is provided for the authentication information, it is possible to perform authentication processing for VPN connection after the check of the security status information is completed and before the connection condition is largely changed. It is possible to prevent the terminal device checked in the connection condition from connecting to the internal network.
In this embodiment, since communication does not occur between the connection condition providing device and the authentication device, the organization that operates the connection condition providing device and the organization that operates the authentication device can be independent. For this reason, even organizations that cannot build a large system can provide services using the connection condition determination device and do not meet the security requirements for connecting to the internal network regardless of the size of the organization. It is possible to prevent the terminal device from connecting to the internal network.
The connection condition determination unit 1312 provided in the card is provided not in the card but in the terminal device so that the connection condition 1311 received from the connection condition providing device is compared with the security status information collected by the information collection unit 1304. May be.

Also in this embodiment, as in the other embodiments, the information collection unit 1304 and the VPN connection unit 1305 may be programs instead of hardware. The effect obtained as a result is the same as the effect of the corresponding embodiment.
In this embodiment, the authentication apparatus 1320 checks the connection permission signature and the valid time in the authentication process performed when an authentication request is sent from the VPN connection apparatus 1310. However, the connection condition is also checked. May be. Specifically, the authentication device 1320 acquires the update date of the current connection condition from the connection condition providing device 1330, and compares the acquired update date with the valid time. If the acquired update date is closer to the current time, a connection refusal is notified. By doing so, it becomes possible to permit only the terminal device satisfying the latest connection condition to be connected to the internal network.
In this embodiment, the process ends when the authentication of the IC card and the user fails. However, in order to improve the convenience for the user, the process may be ended when the authentication fails a plurality of times in succession. .

Embodiment 10 FIG.
In the ninth embodiment, the information collection unit uses the OS version, the OS application batch number, the virus check program version, the virus check pattern / file number, the virus search date / time, and the virus search use pattern number as the security status information of the terminal device. Are collected from the OS registry, file name, file date, and the like. Since the status collection unit contains information on the OS registry and file name to be investigated, if the OS registry or file name in which the security status information is described is changed, the information collection unit is also changed. There must be. Changing the information collection unit takes time and cost, and the connection from the external network to the internal network becomes impossible during the change period.
In this embodiment, the IC card also receives collection designation information including information on the investigation item, OS registry to be investigated, and file name in addition to the connection condition from the connection condition providing device. As the collection specification information, the OS version acquisition command or the file or registry location storing the OS version number, the OS application patch number acquisition command, or the file or registry storing the OS application patch number is stored. And the virus check program version number acquisition command, or the file or registry location where the virus check program version number is stored, and the virus check pattern file number acquisition command or virus check pattern File / registry location where the file number is stored, virus scan date / time acquisition command, file / registry location where the virus scan date / time is stored, and virus scan usage pattern number Acquiring command or virus scanning used pattern number, it is described, and a file or registry location stored.
When the information collection unit collects the security status information of the terminal device, first, the collection designation information is read, and the investigation item, the registry of the OS to be investigated, and information on the file name are acquired. As a result, there is no need to change the status collection unit, and even when there is a change in the registry or file name of the OS in which the security status information is described, it is possible to respond quickly.

FIG. 44 is a configuration diagram illustrating a terminal device, a connection condition providing device, and a security maintenance system according to the tenth embodiment. In the figure, a terminal device 1400 includes an input unit 1402, a display unit 1403, a specified information collection unit 1404, a VPN connection unit 1405, and a card connection unit 1406b including an IC card 1406 that can be extracted and stored (not shown in FIG. 44). It has. The IC card 1406 has an encryption unit 1407 inside, and has an encryption key 1408 for this encryption. The card also stores a certificate 1409, a password 1413, a connection condition 1411, and collection designation information 1416, which will be described later, and further includes a connection condition determination unit 1412.
The authentication device 1420 includes a management unit 1422 and an authentication determination unit 1423 inside.
A new component in the present embodiment is that the connection condition providing apparatus 1430 includes a collection designation information storage unit 1433. The connection condition providing device 1430 also includes a connection condition storage unit 1431, a card authentication unit 1432, and a password generation unit 1434, as in some other embodiments. An example of the connection condition stored in the connection condition storage unit 1431 is the same as the connection condition illustrated in FIG. 2 of the first embodiment.

It is assumed that the encryption key 1408 is a secret key and a public key corresponding to the encryption key 1408 is included in the certificate 1409.
An example of the connection determination error displayed on the display unit 1403 of the terminal device 1400 when the connection condition determination is NG in the connection condition determination unit 1412 in the IC card 1406 is shown in FIG. 9 of the second embodiment. It is the same.
The registration information stored in the management unit 1422 of the authentication device 1420 is the same as that shown in FIG. 16 of the third embodiment.
FIG. 45 is an example of the collection designation information stored in the collection designation information storage unit 1433 of the connection condition providing device 1430. The upper example in FIG. 45 has the following meaning. {Be sure to check the software of “Virus Checker A 2006” (N means essential). Specifically, the version of the program in the registry HKEY_LOCAL_MACHINE \ a \ program, the pattern file number in the registry HKEY_LOCAL_MACHINE \ a \ pattern, and the file name search. Check the virus search date in the search tag of txt. }

Next, the operation will be described.
FIG. 46 is a flowchart illustrating processing when the terminal device 1400 makes a connection condition request to the connection condition providing device 1430 and determines whether the connection condition is satisfied.
In step S <b> 2600, the user attaches the IC card 1406 to the terminal device 1400 and performs authentication between the user and the IC card 1406. If the authentication is successful in S2601, the input unit 1402 accepts an input of a user ID and a connection condition determination execution instruction in S2602. Next, in any case, the terminal device 1400 establishes SSL communication with the connection condition providing device 1430 using the certificate 1409 in the IC card 1406 in S2603. In step S2604, a connection condition request including the user ID accepted by the connection condition providing apparatus 1430 by the established SSL communication is transmitted. In step S2605, a connection condition response including the encrypted password, the encrypted connection condition, and the encrypted collection designation information is received. In step S2606, the received encrypted password, connection condition, and collection designation information are decrypted by the encryption unit 1407 using the encryption key 1408. In step S2607, the password obtained by decryption is obtained as the password 1413. The obtained terminal conditions are stored in the IC card 1406 as the connection conditions 1411 and the acquired collection designation information is collected as the collection designation information 1416.
In this way, the latest security information and collection designation information are sent from the connection condition providing device 1430 to the terminal device 1400.

  In step S <b> 2608, the designation information collection unit 1404 retrieves the collection designation information 1416 stored in the IC card 1406 in step S <b> 2607 and reads the content written in the collection designation information 1416. In step S <b> 2609, the specified information collection unit 1404 uses the OS version, the OS application batch number, the virus check program version, the virus check pattern file number, the virus search date and time, and the virus search usage pattern as the status information of the terminal device 1400. Numbers are collected from the OS registry, file name, file date, etc. read in S2608. In step S <b> 2610, the connection condition determination unit 1412 checks whether the obtained state information of the terminal apparatus 1400 satisfies the connection condition 1411 received from the connection condition providing apparatus 1430 stored in the IC card 1406. In S2611, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the password 1413 is displayed as a one-time password on the display unit 1403 (S2612), and the process is terminated. On the other hand, if there is one in which the connection condition is not OK in S2611, the reason for the determination error is displayed on the display unit 1403 (S2613), and the process ends. The process is also terminated when authentication fails in S2601.

FIG. 47 is a flowchart showing processing performed by the connection condition providing apparatus 1430 when receiving a connection condition request from the terminal apparatus 1400.
First, in S2701, the card authentication unit 1432 establishes SSL communication with the IC card 1406. In step S2702, the card authentication unit 1432 receives a connection condition request including the user ID from the terminal device 1400 via the IC card 1406 by the established SSL communication. Next, in any of the following, the connection condition providing apparatus 1430 acquires a public key with the certificate 1409 used when establishing SSL in S2703. In step S2704, the password generation unit 1434 generates a one-time password. In step S2705, the password generation request including the user ID and the one-time password is transmitted to the authentication device 1420. Next, in step S2706, the connection condition stored in the connection condition storage unit 1431, the collection designation information stored in the collection designation information storage unit 1433, and the one-time password are encrypted with the public key. The terminal condition request result including it is transmitted to the IC card 1406 via the terminal device 1400, and the process is terminated.
The processing performed when the terminal device 1400 connects to the VPN connection device 1410 is the same as the processing shown in FIG. 12 of the second embodiment.
Further, the process performed when the authentication apparatus 1420 receives a password setting request from the connection condition providing apparatus 1430 is the same as the process shown in FIG. 13 of the second embodiment.
Furthermore, the authentication process performed when the authentication apparatus 1420 receives an authentication request from the VPN connection apparatus 1410 is the same as the process shown in FIG. 14 of the second embodiment.

FIG. 48 is a sequence diagram showing a data flow of the security maintenance system in the tenth embodiment of the present invention.
First, when the user transmits authentication information for the IC card 1406 to the terminal device 1400 (S2800), the terminal device 1400 transmits the authentication result from the IC card 1406 to the user (S2801). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 1400 (S2802). After that, when the terminal device 1400 transmits an SSL communication establishment request to the IC card 1406 (S2803), an SSL connection is established between the IC card 1406 and the connection condition providing device 1430 (S2804). The data is transmitted to the device 1400 (S2805). The terminal apparatus 1400 transmits a connection condition request to the IC card 1406 (S2806), and the IC card 1406 transmits the received connection condition request of S2806 to the connection condition providing apparatus 1430 (S2807). Thereafter, the connection condition providing device 1430 transmits a password setting request including the ID and the one-time password to the authentication device 1420 (S2808).

The connection condition providing apparatus 1430 transmits a connection condition response including the one-time password, the connection condition, and the collection designation information to the IC card 1406 (S2809). When the connection condition response result is transmitted from the IC card 1406 to the terminal device 1400 (S2810), the terminal device 900 transmits a collection designation information request to the IC card 1406 in order to obtain the collection designation information (S2811). The IC card 1406 transmits the collection designation information to the terminal device 900 (S2812). Thereafter, the terminal device 1400 transmits status information to the IC card 1406 (S2813). Thereafter, the IC card 1406 transmits the determination result to the terminal device 1400 (S2814). If the determination result is OK, the terminal device 1400 displays a one-time password to the user (S2815).
Thereafter, when the user inputs the ID and the one-time password displayed in S2815 to the terminal device 1400 (S2816), the terminal device 1400 transmits an authentication request including the ID and authentication data to the VPN connection device 1410 (S2817). The VPN connection device 1410 transmits an authentication request including the ID and authentication data received in S2817 to the authentication device 1420 (S2818). Thereafter, the authentication device 1420 transmits an authentication response to the VPN connection device 1410 (S2819), and the VPN connection device 1410 transmits the authentication response received in S2819 to the terminal device 1400 (S2820). If the authentication response is OK, data is exchanged for establishing a VPN connection between the terminal device 1400 and the VPN connection device 1410 (S2821). When the data exchange in S2821 is completed, the result is returned to the user. Is displayed (S2822) and the process ends.

As described above, whether to connect to the internal network is determined inside the IC card based on the status information of the terminal device, and the one-time password required for connection is read from the IC card to the terminal device. Only terminal devices that are safe against external attacks and satisfy the security conditions can be connected to the internal network.
Further, since the security status information is collected using the collection designation information, the description of the collection designation information need only be changed even when the specifications of the OS registry and file name are changed. For this reason, even immediately after the specification change, it is possible to connect only terminal devices that are safe against attacks from the outside and satisfy the security conditions to the internal network.
In the present embodiment, it has been described that the collection designation information 1416 of the terminal device 1400 is sent from the collection designation information storage unit 1433 of the connection condition providing apparatus 1430 at the timing of reception of the connection response. It may be obtained by a method such as loading or at another timing.
Further, as described in the previous embodiment, a valid time may be provided for the one-time password. A signature may be used instead of the one-time password. In this way, it is possible to connect only terminal devices that are more secure, safe from external attacks, and satisfy the security conditions, to the internal network.

The connection condition determination unit 1412 provided in the card is provided not in the card but in the terminal device so that the connection condition 1411 received from the connection condition providing device is compared with the security state information collected by the designated information collection unit 1404. It may be.
Further, the designated information collection unit 1404 and the VPN connection unit 1405 are stored in the IC card 1406 as programs that can be executed on the terminal device 1400 instead of hardware, and the terminal device 1400 is stored in the IC card when executing authentication processing. It can also be configured to be taken out and executed. The effect in this case is as already described in other similar embodiments.
Further, in the process of authentication failure between the IC card and the user, the process may be terminated when the authentication fails a plurality of times in succession.

Embodiment 11 FIG.
In the tenth embodiment, the connection condition and the collection designation information are generated only by the connection condition providing device. In the present embodiment, a case is shown in which connection conditions and collection designation information are created from the check results of security status information stored so far in the IC card.
FIG. 49 is a diagram showing a configuration of a terminal device, a connection condition providing device, and a security maintenance system in the present embodiment. In the figure, a terminal device 1500 includes an input unit 1502, a display unit 1503, a specified information collection unit 1504, a VPN connection unit 1505, a determination result acquisition unit 1518, and a card connection unit 1506b including an IC card 1506 that can be extracted and stored. (Omitted in FIG. 49). The IC card 1506 has an encryption unit 1507 inside and an encryption key 1508 for this encryption. Further, the card stores a certificate 1509, a password 1513, a connection condition 1511, collection specification information 1516, and a connection condition determination result 1517 described later, and further includes a connection condition determination unit 1512.
The authentication device 1520 includes a management unit 1522 and an authentication determination unit 1523 inside.
A new component in this embodiment is that the connection condition providing device 1530 includes a collection designation information generation unit 1533.
The connection condition providing apparatus 1530 also includes a connection condition generation unit 1531, a card authentication unit 1532, a password generation unit 1534, and a connection condition determination result management unit 1535, as in some other embodiments. An example of the connection condition generated by the connection condition generation unit 1531 is the same as the connection condition shown in FIG. 2 of the first embodiment.

It is assumed that the encryption key 1508 is a secret key and the public key corresponding to this is included in the certificate 1509.
An example of a connection determination error displayed on the display unit 1503 of the terminal device 1500 when the connection condition determination is NG in the connection condition determination unit 1512 in the IC card 1506 is shown in FIG. 9 of the second embodiment. It is the same.
Also, the registration information stored in the management unit 1522 of the authentication device 1520 is the same as that shown in FIG. 16 of the third embodiment.
An example of the collection designation information generated by the collection designation information generation unit 1533 of the connection condition providing device 1530 is the same as that shown in FIG. 45 of the tenth embodiment.
FIG. 50 shows management information 1601 stored in the connection condition determination result management unit 1535 of the connection condition providing device 1530, and stores a pair configuration of the user ID 1602 and the connection condition determination result 1603.
FIG. 51 is an example of the connection condition determination result stored in the connection condition determination result management unit 1535 of the connection condition providing device 1530.

Next, the operation will be described. It is assumed that the connection condition determination result 1517 already stores the previous connection condition determination result.
FIG. 52 is a flowchart illustrating processing when the terminal device 1500 makes a connection condition request to the connection condition providing device 1530 and determines whether the connection condition is satisfied.
In step S <b> 2900, the user attaches the IC card 1506 to the terminal device 1500 and performs authentication between the user and the IC card 1506. If the authentication is successful in S2901, the input unit 1502 receives a user ID input and a connection condition determination execution instruction in S2902. In step S 2903, SSL communication is established with the connection condition providing apparatus 1530 using the certificate 1509 in the IC card 1506. Next, in S2904, the determination result acquisition unit 1518 extracts the connection condition determination result encrypted by the encryption unit 1507, and the terminal device 1500 uses the established SSL communication to the connection condition providing device 1530 in S2905. A connection condition request including the user ID received from the IC card and the encrypted connection condition determination result acquired in S2904 is transmitted.
In step S2906, a connection condition response including the encrypted password, the encrypted connection condition, and the encrypted collection designation information is received. In step S2907, the received encrypted password, connection condition, and collection designation information are decrypted by the encryption unit 1507 using the encryption key 1508. In step S2908, the password obtained by decryption is obtained as the password 1513. The obtained terminal conditions are stored in the IC card 1506 as the connection conditions 1511 and the obtained collection designation information as the collection designation information 1516. In this way, the latest security information and collection designation information generated from the previous connection condition determination result are sent from the connection condition providing device 1530 to the terminal device 1500. In step S2909, the designation information collection unit 1504 retrieves the collection designation information 1516 stored in the IC card 1506 in step S2908, and reads the contents written in the collection designation information 1516.

In step S2910, the specified information collection unit 1504 uses the OS version, the OS application batch number, the virus check program version, the virus check pattern file number, the virus search date and time, and the virus search use pattern as the status information of the terminal device 1500. The numbers are collected from the OS registry, file name, file date, and the like read in S2909.
In step S2911, the connection condition determination unit 1512 checks whether the obtained state information of the terminal apparatus 1500 satisfies the connection condition 1511 received from the connection condition providing apparatus 1530 stored in the IC card 1506. In step S2912, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the password 1513 is displayed on the display unit 1503 as a one-time password (S2913), and the process ends. On the other hand, if even one connection condition is not OK in S2912, the reason for the determination error is displayed on the display unit 1503 (S2914), and the process ends. Also, the processing ends when authentication fails in S2901.

FIG. 53 is a flowchart illustrating processing performed by the connection condition providing apparatus 1530 when receiving a connection condition request from the terminal apparatus 1500.
First, in S3001, the card authentication unit 1532 establishes SSL communication with the IC card 1506. In step S <b> 3002, the card authentication unit 1532 receives a connection condition request including the user ID and the encrypted connection condition determination result from the terminal device 1500 via the IC card 1506 through the established SSL communication. In step S3003, the public key is acquired using the certificate 1509 used when establishing the SSL. Next, in any of the following, the connection condition providing device 1530 decrypts the encrypted connection condition determination result received in S3002 with the public key obtained in S3003 in S3004, and based on the user ID received in S3002 The connection result determination result 1603 is registered in the determination result management unit 1535. In step S3005, the current connection condition is generated from the connection condition determination result 1603 by the connection condition generation unit 1531, and the current collection specification information is generated from the current connection condition by the collection specification information generation unit 1533. Specifically, the connection condition determination result 1603 is compared with the connection condition (not shown in FIG. 49) stored in the connection condition providing device 1530, and the connection condition stored in the connection condition providing device 1530 Only the item with the latest is used as the current connection condition. Further, only the items necessary for the current connection condition from the collection specification information (omitted in FIG. 49) stored in the connection condition providing device 1530 are taken as the current collection specification information.
In step S3006, the password generation unit 1534 generates a one-time password. In step S3007, a password setting request including the user ID and the one-time password is transmitted to the authentication device 1520. In step S3008, the connection condition generation unit 1531 encrypts each of the connection condition generated in step S3005, the collection specification information generation unit 1533 generated in step S3005, and the one-time password with a public key. The terminal condition request result including the encrypted data is transmitted to the IC card 1506 via the terminal device 1500, and the process ends.

The processing performed when the terminal device 1500 connects to the VPN connection device 1510 is the same as the processing shown in FIG.
Further, the processing performed when the authentication device 1520 receives a password setting request from the connection condition providing device 1530 is the same as the processing shown in FIG. 13 of the second embodiment.
Furthermore, the authentication process performed when authentication apparatus 1520 receives an authentication request from VPN connection apparatus 1510 is the same as the process shown in FIG. 14 of the second embodiment.
The sequence diagram showing the data flow of the security maintenance system in the eleventh embodiment of the present invention is the same as that in FIG. 48 except that the connection condition request is included in the connection condition request in FIG. 48 of the tenth embodiment.
In the present embodiment, it has been described that the collection designation information 1516 of the terminal device 1500 is generated by the collection designation information generation unit 1533 of the connection condition providing apparatus 1530 and sent at the timing of connection response reception. It may be obtained by a method such as loading from another medium or at another timing.

Since it is configured as described above, only terminal devices that are safe against external attacks and satisfy the security conditions can be connected to the internal network.
Further, since the security status information is collected using the collection designation information, the description of the collection designation information need only be changed even when the specifications of the OS registry and file name are changed. For this reason, since the collection designation information generation unit 1533 generates and transmits even immediately after the specification change, only terminal devices that are safe against external attacks and satisfy the security conditions are connected to the internal network at any time. Is possible.
In addition, since the current connection condition and collection specification information are determined based on the previous connection condition determination result, only the difference from the previous connection condition determination result can be checked, and the connection condition determination process is efficiently performed. It can be performed.
Further, in the present embodiment, only one connection condition determination result is used, but the current connection condition and collection designation information may be determined using a plurality of connection condition determination results.
Furthermore, as described in the previous embodiment, a valid time may be provided for the one-time password, or a signature may be used instead of the one-time password. In that case, the effect described in the previous embodiment is obtained.

The connection condition determination unit 1512 provided in the card is provided not in the card but in the terminal device so that the connection condition 1511 received from the connection condition providing device is compared with the security state information collected by the designated information collection unit 1504. It may be.
Note that the specified information collection unit 1504, the determination result acquisition unit 1518, and the VPN connection unit 1505 are stored in the IC card 1506 as programs that can be executed on the terminal device 1500, not hardware, and the IC is used when executing the authentication process. A configuration may be adopted in which the card is taken out from the card onto the terminal device 1500 and executed. In this case, the virus resistance characteristics are improved with respect to the collection of terminal status information.
Further, the end process when the authentication of the IC card and the user fails may be performed when the authentication fails a plurality of times in succession.

Embodiment 12 FIG.
As an authentication request to be sent to the authentication server before the VPN connection establishment process, a one-time password or signature generated by the connection condition determining device or the connection condition providing device has been used so far. Here, the case where the password previously stored in the IC card is used is shown.
FIG. 54 is a diagram showing a configuration of a terminal device, a connection condition providing device, and a security maintenance system in the present embodiment. In the figure, a terminal device 1700 includes an input unit 1702, a display unit 1703, an information collection unit 1704, a VPN connection unit 1705, and a card connection unit 1706b including an IC card 1706 that can be extracted and stored (not shown in FIG. 54). I have. The IC card 1706 has an encryption unit 1707 inside, and has an encryption key 1708 for this encryption. The card also stores a certificate 1709, a password 1713 stored in advance, a connection condition 1711 and a random number 1716, which will be described later, and a connection condition determination unit 1712 and a card calculation unit 1717.
The authentication device 1720 includes a management unit 1722, an authentication determination unit 1723, and a server calculation unit 1724 inside.
On the other hand, the connection condition providing device 1730 includes a connection condition storage unit 1731, a card authentication unit 1732, and a random number generation unit 1734. One example of the connection condition stored in the connection condition storage unit 1731 is the same as the connection condition shown in FIG. 2 of the first embodiment.
It is assumed that the encryption key 1708 is a secret key and a public key corresponding to the encryption key 1708 is included in the certificate 1709.
An example of a connection determination error displayed on the display unit 1703 of the terminal device 1700 when the connection condition determination is NG in the connection condition determination unit 1712 in the IC card 1706 is shown in FIG. 9 of the second embodiment. It is the same.
FIG. 55 shows registration information 1801 stored in the management unit 1722 of the authentication apparatus 1720, in which a pair of a user ID 1802, a password 1803, and a random number 1804 is stored.

Next, the operation will be described. It is assumed that the management unit 1722 of the authentication device 1720 stores the values of the user ID 1802 and the password 1803 (the authentication device 1720 knows the password stored in the IC card 1706).
FIG. 56 is a flowchart showing processing when the terminal device 1700 makes a connection condition request to the connection condition providing device 1730 and determines whether the connection condition is satisfied.
First, in step S3100, the user attaches the IC card 1706 to the terminal device 1700, and performs authentication between the user and the IC card 1706. If the authentication is successful in S3101, the input unit 1702 accepts an input of a user ID and a connection condition determination execution instruction in S3102. Next, in any case, the terminal device 1700 establishes SSL communication with the connection condition providing device 1730 using the certificate 1709 in the IC card 1706 in S3103. In step S3104, a connection condition request including the accepted user ID is transmitted to the connection condition providing apparatus 1730 through the established SSL communication. In step S3105, a connection condition response including the encrypted random number and the encrypted connection condition is received. In step S3106, the received encrypted random number and the connection condition are decrypted by the encryption unit 1707 using the encryption key 1708. In step S3107, the random number obtained by the decryption is used as the random number 1716. The connection condition 1711 is stored in the IC card 1706.

In step S <b> 3108, the information collection unit 1704 displays the OS version, the OS application batch number, the virus check program version, the virus check pattern file number, the virus search date and time, and the virus search use pattern number as the status information of the terminal device 1700. Are collected from the OS registry, file name, file date, and the like. In step S3109, the connection condition determination unit 1712 checks whether the obtained state information of the terminal apparatus 1700 satisfies the connection condition 1711 received from the connection condition providing apparatus 1730 stored in the IC card 1706. In S3110, it is confirmed whether all the connection conditions are OK. If all the conditions are OK, the hash value of the concatenation of the password 1713 and the random number 1716 is displayed on the display unit 1703 (S3111), and the process ends. On the other hand, if there is one in which the connection condition is not OK in S3110, the reason for the determination error is displayed on the display unit 1703 (S3112), and the process ends. The process is also terminated when authentication fails in S3101.
The process performed when the connection condition providing apparatus 1730 receives a connection condition request from the terminal apparatus 1700 is the same as that in FIG. 18 of the third embodiment except that the one-time password is a random number.
The flowchart showing the processing performed when the terminal device 1700 connects to the VPN connection device 1710 is the same as that in FIG. 12 except that the value input by the user is replaced with the hash value.
Further, the processing performed when the authentication device 1720 receives a password setting request from the connection condition providing device 1730 is the same as the processing shown in FIG. 13 of the second embodiment except that the one-time password becomes a random number. is there.

FIG. 57 is a flowchart showing authentication processing that is performed when the authentication apparatus 1720 receives an authentication request from the VPN connection apparatus 1710.
First, in S3201, when the authentication device 1720 receives an authentication request including a user ID and a hash value from the VPN connection device 1710, registration information 1801 in which the user ID 1802 matches the user ID received in S3202 is registered in the management unit 1722. Find out what has been done. If the registration information 1801 in which the user ID 1802 matches the received user ID is registered in the management unit 1722 in S3202, the authentication determination unit 1723 extracts the password 1803 and the random number 1804 from the management unit 1722 (S3203). Then, the server calculation unit 1724 calculates a hash value of the concatenation of the password 1803 and the random number 1804 (S3204). Next, it is checked whether the hash value obtained in S3204 matches the hash value received in S3201 (S3205). If the hash values match in the check in S3205, the VPN connection device 1710 is notified of permission to connect the terminal device 1700 (S3206), the random number 1804 is deleted (S3207), and the authentication process is performed. finish.
On the other hand, if the passwords do not match in the check in S3205, the VPN connection device 1710 is notified of the rejection of the connection of the terminal device 1700 (S3208), and the authentication process is terminated. In S3202, if the registration information 1801 whose user ID 1802 matches the user ID received in Step S3201 is not registered in the management unit 1822, the VPN connection apparatus 1810 is notified of the rejection of the connection of the terminal apparatus 1800. In step S3208, the authentication process ends.

FIG. 58 is a sequence diagram showing a data flow of the security maintenance system in the present embodiment.
When the user transmits authentication information for the IC card 1706 to the terminal device 1700 (S3300), the terminal device 1700 transmits the authentication result from the IC card 1706 to the user (S3301). Thereafter, the user transmits a connection condition determination execution instruction to the terminal device 1700 (S3302). After that, when the terminal device 1700 transmits an SSL communication establishment request to the IC card 1706 (S3303), data is exchanged for establishing an SSL connection between the IC card 1706 and the connection condition providing device 1730 (S3304). When the data exchange in S3304 is completed, the result is transmitted to the terminal device 1700 (S3305). Thereafter, the terminal device 1700 transmits a connection condition request to the IC card 1706 (S3306), and the IC card 1706 transmits the connection condition request received in S3306 to the connection condition providing device 1730 (S3307). Thereafter, the connection condition providing apparatus 1730 transmits a random number setting request including the ID and random number to the authentication apparatus 1720 (S3308), and transmits a connection condition response including the random number and the connection condition to the IC card 1706 (S3309).

  When the connection condition response result is transmitted from the IC card 1706 to the terminal device 1700 (S3310), the terminal device 1700 transmits the status information to the IC card 1706 (S3311). Thereafter, the IC card 1706 transmits the determination result to the terminal device 1700 (S3312). When the determination result is OK, the terminal device 1700 displays the hash value to the user (S3313). Thereafter, when the user inputs the ID and the hash value displayed in S3313 to the terminal device 1700 (S3314), the terminal device 1700 transmits an authentication request including the ID and authentication data to the VPN connection device 1710 (S3315). The VPN connection device 1710 transmits an authentication request including the ID and authentication data received in S3315 to the authentication device 1720 (S3316). Thereafter, the authentication device 1720 transmits an authentication response to the VPN connection device 1710 (S3317), and the VPN connection device 1710 transmits the authentication response received in S3317 to the terminal device 1700 (S3318). If the authentication response is OK, data is exchanged for establishing a VPN connection between the terminal device 1700 and the VPN connection device 1710 (S3319). When the data exchange in S3319 is completed, the result is returned to the user. Is displayed (S3320) and the process ends.

With the above configuration, only terminal devices that are safe against external attacks and satisfy the security conditions can be connected to the internal network.
In addition, the hash value of the concatenated password and random number stored in advance on the IC card is taken out of the card, and the password itself never goes out, so it is safe from external attacks. is there.
The connection condition determination unit 1712 provided in the card is provided not in the card but in the terminal device so that the connection condition 1711 received from the connection condition providing device is compared with the security state information collected by the information collection unit 1704. May be.
Also in this embodiment, as in the other embodiments, the information collection unit 1704 and the VPN connection unit 1705 are described not by hardware but by a program, read by the microprocessor of the terminal device, and described by a flowchart. The function may be executed. Further, the hunting process in which the authentication of the IC card and the user has failed may be terminated not only once but when the authentication fails a plurality of times in succession.

The authentication device, the connection condition determination device, and the connection condition providing device in the embodiments so far have been described as being dedicated hardware devices. However, these devices may be configured using a general-purpose computer that stores a program having the same function as shown in the flowcharts described in each embodiment in a memory, and reads and executes the program with a processor. .
Even in this case, the effects described in the above embodiments can be obtained.

It is a figure which shows the structure of the terminal device, authentication apparatus, and security maintenance system in Embodiment 1 of this invention. 6 is a diagram illustrating an example of connection conditions stored in a connection condition storage unit in Embodiment 1. FIG. 6 is a diagram illustrating an example of registration information stored in a management unit in Embodiment 1. FIG. 6 is a diagram illustrating a display example of an error reason when connection to a network is refused in the first embodiment. FIG. FIG. 7 is a flowchart showing an operation process of a status report and a connection authentication request performed by the terminal device in the first embodiment. FIG. 5 is a flowchart showing an authentication operation process performed by the authentication apparatus according to the first embodiment. It is a figure which shows the structure of the terminal device in Embodiment 2 of this invention, a connection condition determination apparatus, and a security maintenance system. FIG. 10 is a diagram illustrating an example of registration information stored in a management unit in the authentication device in the second embodiment. 10 is a diagram illustrating a display example of an error reason when connection to a network is rejected in the second embodiment. FIG. FIG. 10 is a flowchart illustrating an operation process in which a terminal device according to Embodiment 2 requests a connection condition determination device to determine a connection condition. FIG. 11 is a flowchart showing connection condition determination operation processing performed by the connection condition determination apparatus in the second embodiment. It is a flowchart which shows the process at the time of the terminal device in Embodiment 2 connecting to a VPN apparatus. FIG. 10 is a flowchart illustrating processing performed by the authentication device in Embodiment 2 when a password setting request is received. FIG. 10 is a flowchart illustrating an authentication process performed when an authentication apparatus according to Embodiment 2 receives an authentication request from a VPN apparatus. It is a figure which shows the structure of the terminal device in Embodiment 3 of this invention, a connection condition provision apparatus, and a security maintenance system. FIG. 11 is a diagram illustrating an example of connection conditions stored in a connection condition storage unit in the third embodiment. FIG. 11 is a flowchart showing a connection condition request and determination process performed by a terminal device in the third embodiment. FIG. 10 is a flowchart showing processing performed by the connection condition providing apparatus in Embodiment 3 when receiving a connection condition request. FIG. 16 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, and an authentication device in the fifth embodiment. FIG. 11 is a sequence diagram showing a data flow among a terminal device, a VPN connection device, and an authentication device in the first embodiment compared in the fifth embodiment. FIG. 10 is a diagram showing a configuration of another authentication apparatus in the fifth embodiment. FIG. 20 is a diagram illustrating a configuration of a terminal device, an authentication device, a connection condition determination device, and a security maintenance system in a sixth embodiment. FIG. 20 is a diagram illustrating an example of registration information stored in a management unit in the sixth embodiment. FIG. 20 is a diagram illustrating a display example of an error reason when a password expires in the sixth embodiment. FIG. 23 is a flowchart showing processing performed by the connection condition determination device in Embodiment 6 when receiving a connection determination request. FIG. 25 is a flowchart showing processing performed by the authentication device in the sixth embodiment when receiving a password setting request from a connection determination device. FIG. 20 is a flowchart showing an authentication process performed by the authentication device in the sixth embodiment when receiving an authentication request from a VPN connection device. FIG. 17 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition determination device, and an authentication device in the sixth embodiment. FIG. 20 is a diagram illustrating a configuration of a terminal device, an authentication device, a connection condition determination device, and a security maintenance system in a seventh embodiment. FIG. 20 is a diagram illustrating a display example of an error reason when signature verification is not correctly processed in the seventh embodiment. FIG. 38 is a diagram illustrating an example of a connection permission notification displayed when a connection condition is satisfied in the seventh embodiment. FIG. 23 is a flowchart showing processing when a terminal device requests a connection condition determination device to determine a connection condition in the seventh embodiment. FIG. 25 is a flowchart showing processing performed by the connection condition determination device in Embodiment 7 when receiving a connection determination request. FIG. 20 is a flowchart showing processing performed when a terminal device in Embodiment 7 connects to a VPN connection device. FIG. 20 is a flowchart showing an authentication process performed when an authentication device in Embodiment 7 receives an authentication request from a VPN connection device. FIG. 17 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition determination device, and an authentication device in the seventh embodiment. FIG. 20 is a diagram illustrating a configuration of a terminal device, an authentication device, a connection condition providing device, and a security maintenance system in an eighth embodiment. FIG. 20 is a diagram illustrating an example of registration information stored in an authentication device according to an eighth embodiment. FIG. 29 is a flowchart showing processing performed by the connection condition providing device in Embodiment 8 when receiving a connection condition request. FIG. 25 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition providing device, and an authentication device in the eighth embodiment. FIG. 20 is a diagram illustrating configurations of a terminal device, an authentication device, a connection condition providing device, and a security maintenance system in a ninth embodiment. FIG. 90 is a flowchart showing processing performed by the connection condition providing device in Embodiment 9 when receiving a connection condition request. FIG. 25 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition providing device, and an authentication device in the ninth embodiment. It is a figure which shows the structure of the terminal device in Embodiment 10, an authentication apparatus, a connection condition provision apparatus, and a security maintenance system. FIG. 38 is a diagram illustrating an example of collection designation information stored in a connection condition providing apparatus according to Embodiment 10. FIG. 38 is a flowchart showing a connection condition request performed by the terminal device according to Embodiment 10 and an operation process for determining whether the connection condition is satisfied. FIG. 29 is a flowchart showing processing performed by the connection condition providing apparatus in Embodiment 10 when receiving a connection condition request. FIG. 38 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition providing device, and an authentication device in the tenth embodiment. FIG. 38 is a diagram illustrating configurations of a terminal device, an authentication device, a connection condition providing device, and a security maintenance system in an eleventh embodiment. 218 is a diagram illustrating an example of management information stored in a connection condition providing apparatus in Embodiment 11. [FIG. It is a figure which shows the example of the connection condition determination result which the connection condition provision apparatus in Embodiment 11 memorize | stores. FIG. 38 is a flowchart showing an operation process for determining whether or not a connection condition request and a connection condition are made by the terminal device in the eleventh embodiment. [Fig. 38] Fig. 38 is a flowchart showing processing performed by the connection condition providing device in Embodiment 11 when a connection condition request is received. FIG. 38 is a diagram illustrating configurations of a terminal device, an authentication device, a connection condition providing device, and a security maintenance system according to a twelfth embodiment. 218 is a diagram illustrating an example of registration information stored in an authentication device in Embodiment 12. [FIG. FIG. 38 is a flowchart showing an operation process for determining whether or not a connection condition request and a connection condition are made by a terminal device in the twelfth embodiment. FIG. 38 is a flowchart showing an authentication process performed by the authentication device in the twelfth embodiment. FIG. 38 is a sequence diagram illustrating a data flow among a terminal device, a VPN connection device, a connection condition providing device, and an authentication device in the twelfth embodiment.

Explanation of symbols

  100 terminal device, 101a (micro) processor, 102 input unit, 103 display unit, 104 information collection unit, 105 VPN connection unit, 106 IC card, 107 encryption unit, 108 encryption key, 110 VPN connection device, 114 external network , 115 internal network, 120 authentication device, 121 connection condition storage unit, 122 management unit, 123 authentication determination unit, 123b determination unit, 123c authentication unit, 300 terminal device, 302 input unit, 303 display unit, 304 information collection unit, 305 VPN connection unit, 306 IC card, 307 certificate, 309 password, 310 VPN connection device, 314 external network, 315 internal network, 320 authentication device, 322 management unit, 323 authentication judgment unit, 330 connection condition judgment device, 331 connection Case storage unit, 332 card authentication unit, 333 connection condition determination unit, 334 password generation unit, 500 terminal device, 502 input unit, 503 display unit, 504 information collection unit, 505 VPN connection unit, 506 IC card, 507 encryption unit 508, encryption key, 509 certificate, 510 VPN connection device, 511 connection condition, 512 connection condition determination unit, 513 password, 514 external network, 515 internal network, 520 authentication device, 522 management unit, 523 authentication determination unit, 530 Connection condition providing device, 531 Connection condition storage unit, 532 card authentication unit, 534 password generation unit, 600 terminal device, 601a processor, 602a input unit, 603a display unit, 604 information collection unit, 605 VPN connection unit, 606 IC card, 606b car Connection unit, 607 certificate, 609 password, 610 VPN connection device, 614 external network, 615 internal network, 620 authentication device, 622 management unit, 623 authentication determination unit, 624 time acquisition unit, 630 connection condition determination device, 631 connection Condition storage unit, 632 card authentication unit, 633 connection condition determination unit, 634 password generation unit, 635 valid time generation unit, 800 terminal device, 801a processor, 802 input unit, 803 display unit, 804 information collection unit, 805 VPN connection unit 806 IC card, 807 certificate, 808 authentication information acquisition unit, 809 authentication information, 810 VPN connection device, 814 external network, 815 internal network, 820 authentication device, 822 management unit, 823 authentication judgment unit, 824 time acquisition unit, 82 5 Key Management Unit, 830 Connection Condition Determination Device, 831 Connection Condition Storage Unit, 832 Card Authentication Unit, 833 Connection Condition Determination Unit, 834 Authentication Information Generation Unit, 835 Valid Time Generation Unit, 1100 Terminal Device, 1101a Processor, 1102 Input Unit 1103 Display Unit 1104 Information Collection Unit 1105 VPN Connection Unit 1106 IC Card 1106b Card Connection Unit 1107 Encryption Unit 1108 Encryption Key 1109 Certificate 1111 Connection Condition (Information) 1112 Connection Condition Determination Unit 1113 password, 1110 VPN connection device, 1114 external network, 1115 internal network, 1120 authentication device, 1122 management unit, 1123 authentication judgment unit, 1124 time acquisition unit, 1130 connection condition providing device, 1131 connection condition storage unit, 132 card authentication unit, 1134 password generation unit, 1135 valid time generation unit, 1300 terminal device, 1301a processor, 1302 input unit, 1303 display unit, 1304 information collection unit, 1305 VPN connection unit, 1306 IC card, 1307 encryption unit, 1308 Encryption key, 1309 certificate, 1311 connection condition (information), 1312 connection condition determination unit, 1313 authentication information, 1310 VPN connection device, 1314 external network, 1315 internal network, 1320 authentication device, 1322 management unit, 1323 authentication judgment Unit, 1324 time acquisition unit, 1325 key management unit, 1330 connection condition providing device, 1331 connection condition storage unit, 1332 card authentication unit, 1334 authentication information generation unit, 1335 valid time generation unit, 1400 terminal 1401a processor 1402 input unit 1403 display unit 1404 information collection unit 1405 VPN connection unit 1406 IC card 1406b card connection unit 1407 encryption unit 1408 encryption key 1409 certificate 1411 connection condition ( Information), 1412 connection condition determination unit, 1413 password, 1410 VPN connection device, 1414 external network, 1415 internal network, 1420 authentication device, 1422 management unit, 1423 authentication determination unit, 1430 connection condition providing device, 1431 connection condition storage unit, 1432 Card authentication unit, 1433 collection designation information storage unit, 1434 password generation unit, 1500 terminal device, 1501a processor, 1502 input unit, 1503 display unit, 1504 designation information collection unit, 1505 VPN connection unit, 1506 IC card, 1507 encryption unit, 1508 encryption key, 1509 certificate, 1511 connection condition (information), 1512 connection condition determination unit, 1513 password, 1516 collection designation information, 1517 connection condition determination result, 1510 VPN connection device, 1514 external network, 1515 internal network, 1520 authentication device, 1522 management unit, 1523 authentication judgment unit, 1530 connection condition providing device, 1531 connection condition generation unit, 1532 card authentication unit, 1533 collection designation information generation unit, 1534 Password generation unit, 1535 connection condition determination result management unit, 1700 terminal device, 1701a processor, 1702 input unit, 1703 display unit, 1704 information collection unit, 1705 VPN connection unit, 1706 IC card, 1 07 Encryption unit, 1708 Encryption key, 1709 certificate, 1711 Connection condition (information), 1712 Connection condition determination unit, 1713 Password, 1716 Random number, 1717 Card operation unit, 1710 VPN connection device, 1714 External network, 1715 Internal network 1720 Authentication device, 1722 management unit, 1723 authentication determination unit, 1724 server calculation unit, 1730 connection condition providing device, 1731 connection condition storage unit, 1732 card authentication unit, 1734 random number generation unit.

Claims (37)

In a terminal device that wants to connect to a given network,
An information collecting unit for collecting security status information of the terminal device itself;
A card connection unit for connecting a card storing an electronic certificate;
Obtaining the electronic certificate from the card connected to the card connection unit, transmitting inquiry information for inquiring a network device on the network side of a connection condition to the predetermined network based on the obtained electronic certificate, and Based on the response information to the inquiry information, it is determined whether the connection condition to the predetermined network and the security status information collected by the information collection unit are compatible. And a processor for requesting connection to the predetermined network. The terminal device includes a connection condition determination unit that compares the security status information collected by the information collection unit and a connection condition required by a predetermined network,
The processor transmits information requesting the network side device to acquire the connection condition to the predetermined network, obtains information on the connection condition to the predetermined network from the network side device as response information, and The terminal device according to claim 1, wherein when the connection condition determination unit determines that the connection condition is met, a connection request to the predetermined network is made.   The card stores in the in-card memory a program that expresses the function of the information collecting unit that can be read and executed by the computer. When the card is connected to the card connecting unit of the terminal device, the processor A program that expresses a function is transferred and stored in the memory of the terminal device, and thereafter, the program that expresses the function of the information collecting unit that is transferred and stored is executed to operate the information collecting unit. The terminal device according to claim 1. A1) an information collection unit that collects security status information of the terminal device itself;
A2) a card connection unit for connecting a card storing an electronic certificate;
A3) Obtain the electronic certificate from the card connected to the card connection unit, and send inquiry information for inquiring the network device on the network side about the connection condition to the predetermined network based on the obtained electronic certificate, It is determined whether the connection condition to the predetermined network and the security status information collected by the information collecting unit are compatible with the response information to the inquiry. A processor for outputting to the predetermined network and requesting connection to the predetermined network;
A terminal device comprising:
B1) a management unit that manages electronic certificates corresponding to each user;
B2) When a connection request to the predetermined network is received from the terminal device as the user, the security status information of the terminal device is connected to the predetermined network using an electronic certificate managed by the management unit. It is determined whether or not the condition is met, and if it is matched, an authentication determination unit that permits connection to the terminal device,
And a security maintenance system comprising: an authentication device comprising: A connection condition providing device for storing a connection condition to a predetermined network and for issuing a connection condition to the predetermined network and a password representing a security state of a terminal device that requests connection to the predetermined network;
The authentication device obtains the user-corresponding password from the connection condition providing device, and manages the user-corresponding password obtained as an electronic certificate in the management unit. 5. The security maintenance system according to claim 4, wherein when a connection request to the predetermined network is received, it is determined whether or not it matches the managed password, and the connection is permitted if it matches. The terminal device attaches an encryption key to the connection request to the connection condition providing device, requests transmission of the connection condition to a predetermined network,
6. The security maintenance system according to claim 5, wherein the connection condition providing device transmits the connection condition to the predetermined network by encrypting using the encryption key.   The card stores in the in-card memory a program that expresses the function of the information collecting unit that can be read and executed by the computer. When the card is connected to the card connecting unit of the terminal device, the processor A program that expresses a function is transferred and stored on the memory of the terminal device, and thereafter, the program that expresses the function of the information collecting unit that is transferred and stored is executed to operate the information collecting unit. The security maintenance system according to claim 4. A network-side apparatus comprising: a connection condition storage unit that stores a connection condition to a predetermined network; and a password generation unit that generates and issues a password to a user who requests connection to the predetermined network. ,
When there is a transmission request for a connection condition to the predetermined network with a digital certificate from the terminal device used by the user, the password generation unit, the terminal device used by the user, and an authentication device that manages the network, A network-side connection condition providing apparatus, wherein an identifier indicating the user and the password are transmitted. A status information collection step for collecting security status information of the terminal device itself;
A connection condition inquiry step of acquiring information of an electronic certificate from a card connected to a card connection unit of a terminal device, and inquiring a network device on a network side about a connection condition to a predetermined network based on the acquired electronic certificate; ,
A conformity determining step for determining whether the connection condition to the predetermined network and the security status information collected by the information collecting unit are in accordance with response information to the connection condition inquiry;
A security maintenance method comprising: a connection step for creating a connection request with response information and outputting the connection request with response information to request connection to the predetermined network when it is determined to be compatible by the determination of compatibility. When a user inquires about a connection condition for a predetermined network based on an electronic certificate, a response that responds to the terminal device inquired based on the electronic certificate for the connection condition and password for the predetermined network Steps,
The authentication step of permitting connection based on the identifier of the user and the password when a connection request to the predetermined network with the password is received from the terminal device. Security preservation method. In a terminal device that wants to connect to a given network,
An information collecting unit for collecting security status information of the terminal device itself;
An encryption unit that encrypts the collected security state information with a unique encryption key;
A network connection for connecting to the network;
The network connection unit is inquired of the connection condition to the predetermined network including the user-specific identification information and the encrypted security state information, and connected to the network by response information to the inquiry. And a processor that requests the terminal device. It has a card connection part that houses the encryption part and connects the card that stores the electronic certificate.
The processor authenticates whether the card connected to the card connection unit is a legitimate user's card with the electronic certificate, confirms that the authentication of the card is correct, and uses the encryption unit in the card. 12. The terminal device according to claim 11, wherein the security state information collected by the information collecting unit is encrypted and an inquiry is made to a device on the network side. In a terminal device that wants to connect to a given network,
An information collecting unit for collecting security status information of the terminal device itself;
A card connection unit for connecting a card storing an electronic certificate;
A network connection for connecting to the network;
The card connected to the card connection unit is card-authenticated with the electronic certificate, and the connection condition to the predetermined network including the identification information based on the card authentication and the security state information is determined from the network connection unit. A terminal device comprising: a processor that makes an inquiry to the device on the network side and requests connection to the network based on response information to the inquiry. It has an encryption unit that encrypts the collected security status information with a unique encryption key,
The terminal device according to claim 13, wherein the processor encrypts the collected security state information by the encryption unit and inquires of the network.   The processor determines conformity to the connection condition to a predetermined network based on response information to the inquiry to the device on the network side, and requests connection to the network with additional information included in the response information based on the determination of conformance The terminal device according to claim 11, wherein the terminal device is configured to do so. The terminal device includes a connection condition determination unit that compares the security status information collected by the information collection unit and the connection condition requested by the device on the predetermined network side,
The processor transmits acquisition request information for requesting the network side device to acquire the connection condition to the predetermined network, obtains connection condition information to the predetermined network as response information from the network side device, and 14. The connection request to the predetermined network is made when it is determined that the match is made by the matching comparison performed by the connection condition determination unit based on the obtained connection condition information. Terminal device. A connection condition determination unit is provided in the card,
The terminal device according to claim 16, wherein the processor performs a compatibility comparison by a connection condition determination unit in the card. The card stores collection designation information indicating a collection range of security information of the terminal device,
The processor reads the collection designation information when the card is connected to the card connection unit, and causes the information collection unit to collect the security status information of the terminal device itself according to the read collection designation information. The terminal device according to any one of claims 12 and 13. The card stores a predetermined random number,
The terminal device according to claim 12, wherein the processor requests connection to a predetermined network based on the random number and the input hash value.   The card stores in the in-card memory a program that expresses the function of the information collecting unit that can be read and executed by the computer. When the card is connected to the card connecting unit of the terminal device, the processor A program that expresses a function is transferred and stored in the memory of the terminal device, and thereafter, the program that expresses the function of the information collecting unit that is transferred and stored is executed to operate the information collecting unit. The terminal device according to claim 12 or claim 13. A1) an information collection unit that collects security status information of the terminal device itself;
A2) an encryption unit that encrypts the collected security state information with a unique encryption key;
A3) a network connection unit for connecting to a predetermined network;
A4) An inquiry is made from the network connection unit to a device on the network side about a connection condition to the predetermined network including the user-specific identification information and the encrypted security state information, and the network is informed by response information to the inquiry. A terminal device comprising: a processor requesting connection;
B1) a management unit that manages unique identification information corresponding to each user;
B2) When an inquiry about a connection condition to the predetermined network is received as the user from the terminal device, the security state information of the terminal device is decrypted using the identification information managed by the management unit Is determined to match the connection condition to the predetermined network, and if it matches, an authentication determination unit that permits connection to the terminal device;
And a security maintenance system comprising: an authentication device comprising: A1) an information collection unit that collects security status information of the terminal device itself;
A2) a card connection unit for connecting a card storing an electronic certificate;
A3) a network connection unit for connecting to a predetermined network;
A4) Card authentication is performed on the card connected to the card connection unit using an electronic certificate, and the connection condition to the predetermined network including the identification information based on the card authentication and the security state information is set as the network connection unit. A terminal device comprising: a processor that inquires to the device on the network side and requests connection to the network according to response information to the inquiry;
B1) a management unit that manages unique identification information corresponding to each user;
B2) When an inquiry about the connection condition to the predetermined network as the user comes from the terminal device, the security status information of the terminal device is sent to the predetermined network using the identification information managed by the management unit. An authentication determination unit that permits connection to the terminal device if it matches,
And a security maintenance system comprising: an authentication device comprising: The terminal device requests the authentication device to send a connection condition to a predetermined network by attaching an encryption key to the connection request.
23. The security maintenance system according to claim 22, wherein the authentication device transmits the connection condition to the predetermined network by performing encryption using the encryption key. A1) an information collection unit that collects security status information of the terminal device itself;
A2) a card connection unit for connecting a card storing an electronic certificate;
A3) a network connection unit for connecting to a predetermined network;
A4) Card authentication is performed on the card connected to the card connection unit using an electronic certificate, and the connection condition to the predetermined network including the identification information based on the card authentication and the security state information is set as the network connection unit. The network side device is inquired from the network side, the response information to the inquiry is used to determine conformity to a connection condition to a predetermined network, and the connection to the network is performed with additional information included in the response information when the conformance is determined. A terminal device comprising: a processor that requests
B1) a connection condition storage unit that stores connection conditions to the predetermined network;
B2) Stores unique identification information corresponding to each user's card and, based on the identification information stored and the connection condition stored in the connection condition storage unit, in response to the connection condition inquiry from the terminal device A card authentication unit for performing authentication,
A connection condition providing device that responds to the terminal with the authentication information authenticated by the card authentication unit as the additional information;
C1) a management unit that manages additional information sent from the connection condition providing device in association with each user;
C2) When an inquiry about a connection condition to the predetermined network as the user is received from the terminal device, the compatibility of the terminal device is determined by using the additional information information managed by the management unit. In this case, an authentication judgment unit that permits connection to the terminal device
And a security maintenance system comprising: an authentication device comprising: The connection condition providing device compares the connection condition to the network stored in the connection condition storage unit with the security information of the terminal device included in the connection condition inquiry from the terminal device, and matches the connection by the comparison. A connection condition determination unit including a connection condition determination unit for determining,
25. The security maintenance according to claim 24, wherein the connection condition determining device responds to the terminal device with additional information indicating the conformity when the connection condition determining unit determines conformity of the connection. system.   The connection condition providing device generates a signature encrypted with a password or an encryption key as authentication information authenticated by the card authentication unit, and transmits the password or signature as the additional information to the terminal device and the authentication device. The security maintenance system according to claim 24.   27. The security maintenance according to claim 26, wherein the connection condition providing device includes an effective time generation unit for determining an expiration date of the authentication information, and transmits the additional information as the authentication information with the generated expiration date. system. The terminal device attaches an encryption key to the connection request to the connection condition providing device, requests transmission of the connection condition to a predetermined network,
25. The security maintenance system according to claim 24, wherein the connection condition providing device transmits the connection condition to the predetermined network by encrypting using the encryption key. The connection condition providing device stores or generates collection designation information that specifies a range for collecting security status information of the terminal device, and responds to the collection designation information in response to an inquiry from the terminal,
The terminal device stores the received collection designation information in the card, and collects security information based on the stored collection designation information when the information collection unit is requested to collect the security information of the terminal. The security maintenance system according to claim 24, characterized in that:   In the terminal device, the card stores a program representing the function of the information collecting unit that can be read and executed by the computer in the in-card memory. When the card is connected to the card connecting unit of the terminal device, the information Transferring and storing a program representing the function of the collecting unit on the memory of the terminal device, and thereafter executing the program representing the function of the information collecting unit transferred and stored to operate the information collecting unit. The security maintenance system according to any one of claims 22 and 24. A connection condition providing device connected to a predetermined network,
A connection condition storage unit for storing a connection condition to the predetermined network;
An authentication unit that performs authentication based on the unique identification information for a terminal that inquires about a connection condition to the predetermined network based on user-specific identification information,
The connection condition providing device generates a signature encrypted with a password or an encryption key when authenticating with a legitimate terminal by the authentication, and transmits the generated password or signature as additional information to the terminal device. Connection condition providing device.   32. The connection condition providing apparatus encrypts the additional information with an encryption key of a corresponding terminal and transmits the encrypted additional information before transmitting the additional information to the terminal apparatus. The connection condition providing device described. The connection condition providing device includes a collection designation information storage unit that stores collection designation information that designates a range for collecting security status information of the terminal device, or collects the security status information based on the collection range of the transmitted security status information A collection designation information generation unit that updates the range and generates collection designation information;
The connection condition providing device transmits the collection designation information obtained from the collection designation information storage unit or the collection designation information generation unit when there is an inquiry about a connection condition from the terminal device to the network. 31. A connection condition providing device according to 31. In a terminal device that wants to connect to a given network,
A state information collecting step in which the terminal device collects security state information of the terminal device itself;
An encryption step for encrypting the collected security state information with a unique encryption key;
Inquiring a device on the network side about a connection condition to the predetermined network including user-specific identification information and the encrypted security state information;
And a step of requesting connection to the network based on response information to the inquiry step. In a terminal device that wants to connect to a given network,
A state information collecting step in which the terminal device collects security state information of the terminal device itself;
Card authentication of a card storing an electronic certificate;
Inquiring a device on the network side about a connection condition to the predetermined network including the identification information based on the card authentication and the security status information;
And a step of requesting connection to the network based on response information to the inquiry step. The terminal device includes a step of determining conformity to a connection condition to a predetermined network based on response information to an inquiry to the network side,
The step of requesting a connection to the network requests the connection to the network with additional information included in the response information based on the determination that the step is determined to be suitable. 35. The security maintenance method according to any one of 35. With a connection condition providing device connected to the network,
The connection condition providing device authenticates a terminal that has inquired about a connection condition to a predetermined network based on user-specific identification information based on the unique identification information;
When authenticating with a legitimate terminal in the step of performing the authentication, a step of generating a signature encrypted with a password or an encryption key and transmitting the generated password or signature as additional information to the terminal device is provided. 36. The security maintenance method according to claim 34 or 35, characterized in that it is characterized in that:

Images