JP2008187539A - Directory server, verification method using password and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a verification method using passwords, which protects both the database confidentiality and the communication confidentiality for verification processing in a directory server system. <P>SOLUTION: A password is encrypted so as to be incapable of being reverse-converted, and then stored. Also, the password is encrypted so as to be able to be reverse-converted and then stored. The encrypted password that has been made reverse conversion unavailable is used for password verification; and the encrypted password with the reverse conversion is available is decrypted, and a digest is generated, based on the decrypted password for digest verification. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique capable of performing digest authentication using a digest generated from a password even when password information is held by encryption that cannot be reversely converted.

  The directory server has a role as a database server for handling account information and passwords, and in many cases, password information is encrypted and stored so as not to be reversely converted in order to maintain confidentiality.

  As an encrypted password method that cannot be reversely converted, a one-way hashed format such as SHA and MD5 is generally used, including a Crypt format represented by UNIX (registered trademark).

  On the other hand, the directory server has the role of an authentication server that takes account information and password as input and collates with the information held by itself. It is generated from the password to maintain confidentiality in communication between the client and server. In many cases, digest authentication is used, which is a method of performing authentication using only the digest to be used.

Here, when the password is input, the first authentication means of the user terminal converts the password according to the first irreversible conversion method, compares it with the password key data stored in the key data storage medium, and matches them. The second authentication means compares the user-specific key data stored in the key data storage medium with the authentication key data stored in the base server via the information communication network, and matches them. If the first and second authentications are given, the authentication unit grants an access right, and the backup process and the restore process are executed on the condition that the access right is given. It is possible to prevent unauthorized access from the user more reliably, and it is extremely unlikely that the contents of the backup data will be known to anyone other than the user who requested the backup. Technology that can provide a data backup method has been proposed (e.g., see Patent Document 1).
JP 2005-196582 A

  However, as in the configuration shown in FIG. 5, the conventional password information storage method always uses a database password regardless of the format in which the password information is encrypted or not. It was stored in the storage area.

  When the digest authentication method is used, since it is necessary to generate a digest code based on the password information, the password information must be in an unencrypted state, that is, in plain text. For this reason, the password held in the database must be plain text or can be reversely converted, and the confidentiality of the database is lowered.

  Conversely, in order to improve the confidentiality of the database, if password information is stored in an encrypted format that cannot be converted in reverse, a digest cannot be generated based on the password information, so the password information is hashed. Therefore, basic authentication to be transmitted / received in a state in which the communication is not performed is unavoidable, resulting in a problem that the confidentiality of communication cannot be ensured.

  The present invention has been made to solve the above-described problems. The purpose is to provide an authentication method using a password that maintains both the confidentiality of the database and the confidentiality of the communication generated in the authentication process in the directory server system.

  The present invention encrypts and holds the password so that it cannot be reversely converted, and encrypts and holds the password so that it can be reversely converted. A directory server for providing a digest generated by decrypting a password encrypted so as to be reversely converted into plain text.

  In addition, the present invention encrypts and holds the password so that it cannot be reversely converted, and encrypts and holds the password so that it can be reversely converted. Provided is an authentication method using a password that uses a digest generated by decrypting a password encrypted in a convertible form into plain text.

  ADVANTAGE OF THE INVENTION According to this invention, the password storage method which maintains both the confidentiality of a database and the confidentiality of the communication which generate | occur | produces by an authentication process can be provided in a directory server system.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 shows a directory server according to an embodiment of the present invention. As shown in FIG. 1, an authentication processing unit B1 that receives an authentication request from a client, an update processing unit B2 that updates password information, a reference processing unit B3 that searches for password information, and a database unit that has an area for storing password information It consists of B4.

  The authentication processing unit B1 is an authentication method determination unit B5 that determines whether the authentication method is basic authentication or digest authentication. In the case of digest authentication, the authentication processing unit B1 is an encrypted password that can reversely convert password information stored in the database. Password storage format determination means B6 for determining whether or not, in the case of digest authentication, a digest code to be issued to the client side based on password information stored in the database part B4, digest generation means B7, generated digest code And authentication processing means B8 for executing the authentication processing using.

  The update processing unit B2 includes password update processing means B9 that accepts requests for registration, change, and deletion of password information from the client to the directory server system.

  The reference processing unit B3 includes password search processing means B10 that receives a search request when confirming password information.

  The database unit B4 includes a password storage area B11 for storing password information regardless of the password format, and a digest generation password storage area B12 used only when the password storage format is an encrypted password that cannot be reversely converted during digest authentication. Consists of.

  Next, the operation of the present embodiment will be described in detail with reference to the drawings.

  First, a case where the directory server system accepts an authentication request from a client will be described.

  Normally, a request is accepted regardless of the authentication method, and the authentication method is determined by the authentication method determination means B4. In the case of basic authentication, an unencrypted plaintext password is passed from the client side, so the format of the password stored in the database is plaintext, a reversible encryption method, and a nonreversible encryption method. Any form of password can be authenticated, and this is not a problem. If the password storage format is plain text or an encrypted format that can be reversely converted even for digest authentication, the encrypted password is returned to plain text, and the digest is based on the plain text password information. Again, this is not a problem because the code can be generated. In the following, a case where a digest authentication request is received from a client and password information is stored in an encryption method that cannot be reversely converted will be described as an example.

  A flowchart of the authentication processing unit B1 is shown in FIG. First, when an authentication request is received from a client, it is checked whether the requested authentication method is basic authentication or digest authentication (C1).

  If it is not digest authentication, password information is extracted from the password storage area B11 of the database (C2), and basic authentication is performed based on the password information (C3).

  If the requested authentication method is digest authentication, whether or not the password information can be used depends on the password storage format. Therefore, it is checked whether or not the password storage format can be reversely converted (C4). In general, password information stored in a database section of a directory server system has an encryption method written in parentheses at the beginning of the password value in order to determine the encryption method of the password. Specifically, {Crypt}, {SHA}, {MD5}, and the like.

  In C4, when the password storage format can be reversely converted, after the password information is extracted from the password storage area 11 of the database, the digest generation means B7 generates a digest code based on the password information (C8 ). If the password storage format can be reversely converted, the corresponding password information is not stored in the digest generation password storage area 12.

  If the password storage format cannot be reversed, the password is extracted from the digest generation password storage area B12 (C6).

  The extracted encrypted password is converted into plain text (C7). Thereafter, the digest generating means B7 generates a digest code based on the password information (C8).

  After the digest code is returned to the client side (C9), the password information hashed with the digest is passed from the client, and digest authentication processing is performed in the authentication processing means B8 (C3). As a result, the directory server system can execute the digest authentication even when the password is stored as the password information by performing encryption that cannot be reversely converted.

  Next, a method for updating password information will be described. A flowchart of the update processing unit B2 is shown in FIG. First, when a password registration, change, or deletion request is received from a client, a check is made as to whether or not the password is stored in an encryption method that cannot be reversely converted as a setting of the directory server system (D1). ).

  Depending on how the system is operated, the administrator may search for password information to investigate if the user forgets the password, and reverse the password information for the directory server system. It may be stored in a convertible format. When performing such operations, the directory server system is set not to store the password as an encryption method that cannot be reversely converted, and always generates an encrypted password that can be reversely converted (D2). Store in the password storage area B11 (D3).

  On the other hand, if the password is set as an encryption method that cannot be reversely converted, an encrypted password that cannot be reversely converted is generated (D4) and stored in the password storage area B11 (D5). Further, a reverse convertible encryption password is generated (D6) and stored in the digest generation password storage area B12 (D7).

  Next, a method for referring to password information will be described. FIG. 4 shows a flowchart of the reference processing unit B3. Explain using the case example mentioned earlier. Depending on how the system is operated, there is a case where the administrator can search and search for password information as a countermeasure when the user forgets the password.

  At this time, the administrator issues a search request to the directory server system (E1). At this time, password information is designated as return information. The directory server system extracts the password from the password storage area B11 and returns the value to the client side (E2).

  Since the reference processing unit cannot access the digest generation password storage area B12 at all, if an encrypted password that cannot be reversely converted is stored in the password storage area, the user cannot perform the reverse conversion. You can only retrieve the password. Thereby, confidentiality can be maintained.

  According to the above-described embodiment, it is possible to perform digest authentication while maintaining password information that cannot be reversely converted and having high confidentiality. The reason is that for password access from the outside, only password information that cannot be reversely converted can be referred to, and password information stored in the digest generation password storage area is digest-authenticated. This is because it is used only at the time of generating a digest to be used in.

  In addition, it is possible to check a password when it is necessary to check a policy of password information such as a password use character and history during authentication processing and password update processing. The reason is that the password policy such as password use characters and history can be checked using the password information that can be reversely converted stored in the digest generation password storage area.

  Also, when the directory server system needs to copy password information to another system, the cooperation destination system does not support an encrypted password format (for example, Crypt, SHA, MD5, etc.) that cannot be reversely converted. However, password information can be copied to the linked system. The reason is that when the directory server system replicates the password information, it can extract the encrypted password information that can be reversely converted internally from the digest storage password storage area of the database, convert it into plain text, and then replicate it. .

  Each of the above-described embodiments is a preferred embodiment of the present invention, and various modifications can be made without departing from the scope of the present invention. For example, the processing for realizing the function of the apparatus may be performed by causing the apparatus to read and execute a program for realizing the function of the directory server. Further, the program is transmitted to another computer system by a transmission wave via a computer-readable recording medium such as a CD-ROM or a magneto-optical disk, or via a transmission medium such as the Internet or a telephone line. Also good.

  The present invention is applicable to integrated authentication systems, integrated identity management, and the like.

It is a figure which shows password storage of embodiment of this invention. It is a flowchart of the authentication process part of embodiment of this invention. It is a flowchart of the update process part of embodiment of this invention. It is a flowchart of the search process part of embodiment of this invention. It is a figure which shows the conventional password storage system.

Explanation of symbols

B1 Authentication processing unit B2 Update processing unit B3 Reference processing unit B4 Database unit B5 Authentication method determination unit B6 Password storage format determination unit B7 Digest generation unit B8 Authentication processing unit B9 Password update processing unit B10 Password search processing unit B11 Password storage area B12 Digest Generation password storage area

Claims (6)

  Encrypts and holds the password so that it cannot be reversely converted, and encrypts and holds the password so that it can be reversely converted. In the password authentication of the own device, the password that is encrypted so that it cannot be reversely converted is used. A directory server characterized by using a digest generated from plaintext after decrypting a password encrypted in a plaintext.   The password information of the device itself stores the encrypted password that cannot be reversely converted, and the password information that is necessary for generating the digest includes the reverse-convertible encryption to the digest generation area that cannot be accessed from the outside. 2. The directory server according to claim 1, wherein the directory password is stored.   Encrypts and holds the password so that it cannot be reversely converted and encrypts and holds the password so that it can be reversely converted. In password authentication, the password encrypted so that it cannot be reversely converted is used, and in digest authentication, it is encrypted so that it can be reversely converted. An authentication method using a password, wherein a digest generated from the plain text is decrypted into a plain text and the digest generated from the plain text is used.   The password information of the directory server system stores the encrypted password that cannot be reversely converted, and the password information necessary for generating the digest can be reversely converted into a digest generation area that cannot be accessed from the outside. 4. The authentication method using a password according to claim 3, wherein an encrypted password is stored.   A program for causing a computer system to realize the function according to claim 1.   A program for causing a computer system to realize the function according to claim 2.

Images