JP2007115127A - Security management system - Google Patents


Info

Publication number
JP2007115127A
Authority
JP
Japan
Prior art keywords
information
authentication
processing terminal
position
user
Prior art date
Legal status
Withdrawn
Application number
JP2005307465A
Other languages
Japanese (ja)
Inventor
Tetsuo Ikeda
哲雄 池田
Original Assignee
Fukushima Bane:Kk
有限会社福島バネ
Priority date
Filing date
Publication date
Application filed by Fukushima Bane:Kk (有限会社福島バネ)
Priority to JP2005307465A
Publication of JP2007115127A
Application status: Withdrawn

Abstract

PROBLEM TO BE SOLVED: To provide a system capable of appropriately managing security in network communication from the viewpoint of surely preventing an illicit act due to spoofing.

SOLUTION: According to this security management system, "first authentication processing" for determining whether an ID, etc., coinciding with an ID, etc., transmitted from a client 200 is stored by a first storing means 101 is carried out. In addition, "second authentication processing" for determining whether a user's position is included in an allowable range represented by "allowable range information" is carried out. Thus, two-step authentication using a user's ID, etc., and position information can more surely prevent an illicit act of a third person due to spoofing.

COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a system for managing network communication security of a plurality of information processing terminals.

A method is known for confirming, by means of an ID and a password, whether a user who accesses a computer via a network such as the Internet is a registered user (that is, whether the user is who he or she claims to be) (see, for example, Non-Patent Document 1).
Non-Patent Document 1: Nikkei BP Digital Encyclopedia 2001-2002, Nikkei Business Publications, page 506

  However, if an ID or password is stolen, there is a risk of fraud by so-called “spoofing”.

  Accordingly, an object of the present invention is to provide a system capable of appropriately managing security in network communication from the viewpoint of more surely preventing an illegal act caused by such impersonation.

  The security management system of the present invention, which solves the above-mentioned problem, is a system for managing the security of network communication of a plurality of information processing terminals. It comprises: first authentication processing means that receives, via the network, authentication information allocated in advance to the user and transmitted from a second information processing terminal when it requests network communication with a first information processing terminal, and that determines whether authentication information matching the received authentication information is stored in first storage means; second authentication processing means that requests the second information processing terminal, via the network, to transmit position information according to the position of the user at a predetermined time as measured by a position measurement system mounted on the second information processing terminal, receives the position information transmitted from the second information processing terminal via the network, reads from second storage means the allowable range information associated with the authentication information (or with the authentication information and the predetermined time), and determines whether the position of the user at the predetermined time according to the position information is included in the allowable range according to the allowable range information; and communication control processing means that permits or prohibits network communication of the second information processing terminal with the first information processing terminal according to the determination results of the first and second authentication processing means.

  According to the security management system of the present invention, a "first authentication process" is executed to determine whether authentication information matching the authentication information transmitted from the second information processing terminal, when it requests network communication with the first information processing terminal, is stored in the first storage means. Further, a "second authentication process" is executed to determine whether the user's position at the predetermined time, according to the position information transmitted from the second information processing terminal, is included in the allowable range according to the allowable range information stored in the second storage means in association with the authentication information (or with the authentication information and the predetermined time). Network communication of the second information processing terminal with the first information processing terminal is permitted when a positive determination result is obtained in the first authentication process (i.e., authentication information matching that transmitted from the second information processing terminal is stored in the first storage means) and a positive determination result is obtained in the second authentication process (i.e., the user's position at the predetermined time is included in the allowable range). Therefore, even if the authentication information (for example, the ID or password the user inputs into the information processing terminal) becomes known to a third party, a negative determination result is obtained in the second authentication process if the third party's position at the predetermined time is outside the allowable range, and network communication between the first and second information processing terminals is prohibited.
As described above, two-step authentication using the user's authentication information and the position information at a predetermined time can more reliably prevent an illegal act by impersonation of a third party in network communication.

  An embodiment of a security management system of the present invention will be described with reference to the drawings.

  FIG. 1 is a configuration example diagram of the security management system of the present invention, and FIGS. 2 and 3 are function example diagrams of the security management system of the present invention.

  The security management system of the present invention shown in FIG. 1 determines whether communication (access) via a network such as the Internet from a client (second information processing terminal) 200 to a server (first information processing terminal) 100 is permitted, and controls that communication accordingly. It is configured by the hardware resources of the server 100.

  The security management system includes a first storage unit 101, a second storage unit 102, a first authentication processing unit 110, a second authentication processing unit 120, and a communication control processing unit 130. Each storage means is constituted by a storage device such as a memory or a hard disk. Each processing means is composed of computer hardware resources such as a CPU, a ROM (EEPROM), a memory such as a RAM, and a signal input / output circuit, together with software for causing the computer to output a certain calculation result according to the input.

  The first authentication processing unit 110 receives, via the network, an ID and a password (authentication information) allocated in advance to the user and transmitted from the client 200 when network communication with the server 100 is requested. Then, the first authentication processing unit 110 determines whether the first storage unit 101 stores an ID and password that match the received ID and password.

  If the determination result by the first authentication processing unit 110 is affirmative, the second authentication processing unit 120 requests the client 200, via the network, to transmit position information. Further, the second authentication processing unit 120 receives, via the network, the position information transmitted from the client 200 in response to this request. Then, the second authentication processing unit 120 reads from the second storage unit 102 the allowable range information associated with the ID (or password) and the predetermined time, and determines whether the user's position at the predetermined time according to the position information is included in the allowable range according to that allowable range information.

  The communication control processing unit 130 allows or prohibits the access of the client 200 to the server 100 according to the determination result by the second authentication processing unit 120.

  The client 200 includes an information input device such as a keyboard and a mouse (pointing device), an image display device, a storage device 202 such as a memory or a hard disk, and a position measurement system 210 (GPS, supplemented by an altimeter if necessary) that measures the position of the user (more precisely, of the client 200). Position information f (x, y, z) corresponding to the position (x, y, z) measured by the position measurement system 210 is stored and held in the storage device 202 together with the measurement time.

  Functions of the security management system having the above-described configuration will be described with reference to FIGS. 2 and 3.

  A user activates a browser on the client 200 and requests access to the server 100 on which the Web site is placed in order to browse the desired Web site (FIG. 2 / arrow (1)).

  In response to this, the first authentication processing means 110 executes “first authentication processing” (FIG. 2 / S110).

  Specifically, the first authentication processing unit 110 first requests the client 200, via the network, to transmit an ID and a password (FIG. 2 / S112, arrow (2)). As a result, an input screen for the ID and password pre-assigned to the user is displayed on the image display device of the client 200. When the user inputs the ID and password into the client 200 by operating an information input device such as a keyboard or a pointing device of the client 200, the ID and password are transmitted from the client 200 to the server 100 (FIG. 2 / arrow (3)). Then, the first authentication processing unit 110 determines whether an ID and password combination matching the ID and password combination transmitted from the client 200 is stored in the first storage unit 101 (FIG. 2 / S114).

  If the determination result by the first authentication processing unit 110 is affirmative (FIG. 2 / S114... YES), the second authentication processing unit 120 executes “second authentication processing” (FIG. 2 / S120).

  Specifically, the second authentication processing unit 120 first requests the client 200, via the network, to transmit the position information f (x (t), y (t), z (t)) at a predetermined time t (FIG. 2 / S122, arrow (4)). Transmission of a plurality of position information items at a plurality of predetermined times may be requested. As a result, the position information f corresponding to the position (x (t), y (t), z (t)) of the user at the predetermined time t, as measured by the position measurement system 210, is read from the storage device 202 and transmitted from the client 200 to the server 100 (FIG. 2 / arrow (5)). The second authentication processing unit 120 reads the allowable range information corresponding to the ID and the predetermined time t from the second storage unit 102. Then, the second authentication processing unit 120 determines whether the position (x (t), y (t), z (t)) at the predetermined time t according to the position information f transmitted from the client 200 is included in the allowable range D according to the allowable range information read from the second storage unit 102 (FIG. 2 / S124). The allowable range D may be made wide in the x and y directions (for example, covering one floor of an office building) but narrow in the z direction (for example, limited to a single floor of an office building). Further, the allowable range D may be divided into a plurality of ranges.

  On the other hand, when the determination result by the first authentication processing unit 110 is negative (FIG. 2 / S114... NO), the communication control processing unit 130 prohibits the client 200 from accessing the server 100 (FIG. 2 / S134, broken line (2)). As a result, a message indicating that access is prohibited is displayed on the image display device of the client 200.

  The communication control processing means 130 executes “communication control processing” in accordance with the determination result by the second authentication processing means 120 (S130 in FIG. 2).

  Specifically, when the determination result by the second authentication processing unit 120 is affirmative (FIG. 2 / S124... YES), the communication control processing unit 130 permits the client 200 to access the server 100 (FIG. 2 / S132, broken line (1)). Thereby, the Web site (Web page) desired by the user is displayed on the image display device of the client 200.

  On the other hand, when the determination result by the second authentication processing unit 120 is negative (FIG. 2 / S124... NO), the communication control processing unit 130 prohibits the client 200 from accessing the server 100 (FIG. 2 / S134, broken line (2)). As a result, a message indicating that access is prohibited is displayed on the image display device of the client 200.

  According to the security management system of the present invention, the "first authentication process" is executed to determine whether a combination matching the combination of the ID and password transmitted from the client 200 is stored in the first storage unit 101 (FIG. 2 / S110). When a positive determination result is obtained in the first authentication process (FIG. 2 / S114... YES), the "second authentication process" is executed to determine whether the position (x (t), y (t), z (t)) of the user at the predetermined time t is included in the allowable range D represented by the allowable range information (FIG. 2 / S120). Thereby, even if the user's ID and password become known to a third party, network communication is prohibited if the position of the third party at the predetermined time t is outside the allowable range D.

  For example, as shown in FIG. 3, if the measured position (x (t), y (t), z (t)) at the predetermined time t is included in the allowable range D (t) (shaded portion) associated with the ID and the predetermined time t, the client 200 is permitted to access the server 100 (FIG. 2 / S132, broken line (1)). On the other hand, as also shown in FIG. 3, if the measured position (x ′ (t), y ′ (t), z ′ (t)) at the predetermined time t is outside the allowable range D (t) associated with the ID and the predetermined time t, access by the client 200 to the server 100 is prohibited (FIG. 2 / S134, broken line (2)).
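The decision logic of the first authentication process (S114), the second authentication process (S124) and the communication control process (S130) described above, written out in Python as an added illustration; this is not code from the patent or its assignee. The client-side lookup of the sample closest to the predetermined time t, the axis-aligned box shape of the allowable range D (t), the salted PBKDF2 storage of the password in the first storage means, the user ID, the coordinates, the time window and the 30-second skew tolerance are all assumptions made for the example.

```python
"""Two-step authentication, credentials then position, as described for the server 100
in JP2007115127A. Added illustration, not the patent's code. Names, the axis-aligned
box shape of the allowable range D(t), salted PBKDF2 storage in the first storage
means, and all sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# ---- client 200: position samples f(x, y, z) held in storage device 202 with their time ----
@dataclass(frozen=True)
class PositionSample:
    t: datetime   # measurement time
    x: float
    y: float
    z: float      # altitude; the patent suggests a narrow tolerance in z


def position_at(samples, t, max_skew=timedelta(seconds=30)):
    """Sample closest to the predetermined time t, or None if no sample is close enough (assumed policy)."""
    best = min(samples, key=lambda s: abs(s.t - t), default=None)
    if best is None or abs(best.t - t) > max_skew:
        return None
    return best


# ---- server 100: first storage means 101 (credentials), second storage means 102 (ranges) ----
@dataclass(frozen=True)
class Box:
    """One allowable range D: an axis-aligned box, e.g. wide in x/y (a floor plate), narrow in z (one floor)."""
    x: tuple
    y: tuple
    z: tuple

    def contains(self, p):
        return all(lo <= v <= hi for (lo, hi), v in ((self.x, p.x), (self.y, p.y), (self.z, p.z)))


def make_credential(password, salt):
    """Salted PBKDF2 digest; storing this instead of the raw password is our hardening, not the patent's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def first_authentication(first_store, user_id, password):
    """S114: does the first storage means hold an ID/password pair matching what the client sent?"""
    salt, digest = first_store.get(user_id, (b"", b""))   # an unknown ID still costs one PBKDF2
    return hmac.compare_digest(make_credential(password, salt), digest)


def second_authentication(second_store, user_id, t, sample):
    """S124: is the position at time t inside the allowable range D(t) stored for this ID?
    D(t) may be split into several boxes; an ID with no range defined at time t is rejected (fail closed)."""
    if sample is None:
        return False
    for start, end, boxes in second_store.get(user_id, ()):
        if start <= t < end:
            return any(box.contains(sample) for box in boxes)
    return False


def communication_control(first_store, second_store, user_id, password, t, samples):
    """S130, in the embodiment's order: the second authentication runs only after the first succeeds."""
    if not first_authentication(first_store, user_id, password):
        return "prohibit"            # FIG. 2 / S134, broken line (2)
    if not second_authentication(second_store, user_id, t, position_at(samples, t)):
        return "prohibit"            # FIG. 2 / S134, broken line (2)
    return "permit"                  # FIG. 2 / S132, broken line (1)


# ---- constructed sample data (not from the patent) ----
T = datetime(2005, 10, 21, 9, 0, tzinfo=timezone.utc)        # the predetermined time t
SALT = b"constructed-salt"
FIRST_STORE = {"user01": (SALT, make_credential("correct horse battery", SALT))}
# one office floor plate, about 60 m x 40 m, with z limited to that floor (12 m to 16 m)
SECOND_STORE = {"user01": [(T - timedelta(hours=1), T + timedelta(hours=9),
                            [Box((0.0, 60.0), (0.0, 40.0), (12.0, 16.0))])]}
INSIDE = [PositionSample(T, 20.0, 10.0, 14.0)]     # (x(t), y(t), z(t)) of FIG. 3, inside D(t)
OUTSIDE = [PositionSample(T, 20.0, 10.0, 2.0)]     # (x'(t), y'(t), z'(t)): same x/y, wrong floor

if __name__ == "__main__":
    for label, samples in (("inside", INSIDE), ("outside", OUTSIDE)):
        print(label, communication_control(FIRST_STORE, SECOND_STORE, "user01",
                                           "correct horse battery", T, samples))
```

The example goes slightly beyond the text in two ways: the allowable range for a given ID and time window is a list of boxes, which covers the "divided into a plurality of ranges" variant, and every failure path (wrong password, unknown ID, no fresh sample, no range defined for that time, position outside D (t)) yields the same "prohibit" result, so the client sees only the access-prohibited message the description mentions. The alternative orderings in the later paragraph (position first, or both checks independently) would only change `communication_control`, since the two checks share no state.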

  As described above, the two-step authentication using the user ID and password (authentication information) and the position information at a predetermined time can more reliably prevent an illegal act due to (malicious) third party impersonation in network communication.

  In the above embodiment, the security management system is configured by the hardware resources of the server 100. As another embodiment, however, the security management system may be configured by the hardware resources of a server different from the server (first information processing terminal) 100, or by a communication device such as a router installed on the route on the network connecting the first and second information processing terminals.

  Moreover, in the above embodiment the second authentication process is executed on condition that the determination result of the first authentication process is affirmative. As another embodiment, conversely, the first authentication process may be executed on condition that the determination result of the second authentication process is affirmative, or the first and second authentication processes may be executed independently of each other.

FIG. 1: Configuration example of the security management system of the present invention
FIG. 2: Functional example of the security management system of the present invention
FIG. 3: Functional example of the security management system of the present invention

Explanation of symbols

100 ... Server (security management system, first information processing terminal)
101 ... First storage means
102 ... Second storage means
110 ... First authentication processing means
120 ... Second authentication processing means
130 ... Communication control processing means
200 ... Client (second information processing terminal)
202 ... Storage device
210 ... Position measurement system

Claims (1)

  1. A system for managing network communication security of a plurality of information processing terminals, comprising:
    first authentication processing means for receiving, via the network, authentication information allocated in advance to the user and transmitted from a second information processing terminal when it requests network communication with a first information processing terminal, and for determining whether authentication information matching that authentication information is stored in first storage means;
    second authentication processing means for requesting the second information processing terminal, via the network, to transmit position information according to the position of the user at a predetermined time as measured by a position measurement system mounted on the second information processing terminal, for receiving the position information transmitted from the second information processing terminal via the network, for reading from second storage means the allowable range information associated with the authentication information or with the authentication information and the predetermined time, and for determining whether the position of the user at the predetermined time according to the position information is included in an allowable range according to the allowable range information; and
    communication control processing means for permitting or prohibiting network communication of the second information processing terminal with the first information processing terminal according to the determination results by the first and second authentication processing means.

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2005307465A JP2007115127A (en) 2005-10-21 2005-10-21 Security management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2005307465A JP2007115127A (en) 2005-10-21 2005-10-21 Security management system

Publications (1)

Publication Number Publication Date
JP2007115127A true JP2007115127A (en) 2007-05-10

Family

ID=38097223

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2005307465A Withdrawn JP2007115127A (en) 2005-10-21 2005-10-21 Security management system

Country Status (1)

Country Link
JP (1) JP2007115127A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013223266A (en) * 2012-04-13 2013-10-28 Mitsubishi Electric Corp Electric power system monitoring control system
JP2018027700A (en) * 2017-09-25 2018-02-22 キヤノンマーケティングジャパン株式会社 Image forming apparatus, control method thereof, and program



Legal Events

Date Code Title Description
A300 Withdrawal of application because of no request for examination

Free format text: JAPANESE INTERMEDIATE CODE: A300

Effective date: 20090106