JP2008282166A - Authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent any attack to be made by abusing invalid information when the preliminarily stored communication path of a user terminal is turned to be invalid information, and to deal with authentication when address information of the user terminal dynamically changes. <P>SOLUTION: A user identifier and use path information are stored so as to be associated with each other, and whether it is information whose association is valid or invalid is decided, and when a service request is received, the use path information stored so as to be associated with the user identifier is acquired under such conditions that the use path information is valid information, and service request source path information showing the communication path through which the a service request has been actually transmitted is acquired, and whether or not the user path information is matched with the service request source path information is decided, and a service is provided to the user terminal under such conditions that those pieces of information are matched. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an authentication system.

  Conventionally, in a configuration in which a user terminal and a service providing apparatus that provides a service (for example, a telephone connection service, a message exchange service, a content download service, etc.) to the user terminal are communicably connected via a network, When the user terminal requests the service providing apparatus to receive the service, the service providing apparatus needs to authenticate the user terminal. Specifically, the service providing device is requested from which user terminal (or the user who uses the user terminal) the service request, and the authority to use the service for the user terminal (user) The user terminal is authenticated for the purpose of verifying whether there is any. In such authentication, each time the service providing apparatus authenticates the user terminal, it is common to request a process or procedure for authentication from the user terminal. However, in recent years, a technique called “implicit authentication” that does not need to be requested every time a process or procedure for authentication is authenticated has been proposed.

  For example, in Patent Document 1, a network connection device arranged between a user terminal and a service providing device first identifies the user terminal by the IP (Internet Protocol) address of the user terminal, and then There is disclosed a technique for performing authentication by confirming that the IP address is an IP address permitted by a service providing apparatus. However, the method described above is based on the premise that the IP address and the user terminal are fixedly assigned. That is, the above-described method uses an IP address for authentication of a user terminal, and determines which user terminal the service request is based on from which IP address the service request is made. If this is the case, the above-described method can be used when the same user terminal uses a different IP address due to movement of the user terminal, or when a plurality of user terminals with different timings use the same IP address. It does not correspond to authentication when the address information of the user terminal changes dynamically, such as when using it.

  For this reason, in Patent Document 1, the network connection device first identifies the user terminal (user) by the account of the user terminal, and then the account is an account permitted by the service providing device. Further disclosed is a method of performing authentication by checking. More specifically, the network connection device registers and stores the account permitted by the service providing device in the storage unit in advance. Further, when the network connection device controls the user terminal to connect to the network, the network connection device associates the account with the identifier of the line connected to the user terminal used by the user who is given the account. The line information is registered and stored in advance in the storage unit. Further, when the network connection device transfers the service request transmitted from the user terminal to the service providing device, the communication record includes the combination of the identifier of the used line on which the service request is actually transmitted and the account. And stored in the storage unit.

  Under such a configuration, when the service providing apparatus receives a service request from the user terminal, the service providing apparatus transmits an inquiry including an account that is a transmission source of the service request to the network connection apparatus. Then, based on the account included in the inquiry, the network connection device first identifies whether or not the account is a permitted account registered and stored in the storage unit in advance. Next, for the purpose of confirming whether it is a legitimate user terminal, the network connection device is registered in advance in the storage unit as line information in association with the account based on the account included in the inquiry. Check whether the account in the communication record is spoofed by comparing the stored line identifier with the identifier of the used line stored in the storage unit as a communication record in association with the account. To do.

JP 2005-227993 A

  By the way, in the above-described conventional technology, as described below, when a communication path of a user terminal stored in advance becomes invalid information, an attack performed by misusing the invalid information is prevented. In addition, there is a problem that it is not possible to cope with authentication when the address information of the user terminal changes dynamically. Specifically, as described above, in the method of Patent Document 1, when the network connection device controls the user terminal to connect to the network, the account and the line identifier are associated with each other. In addition, it is registered and stored in the storage unit in advance. For example, after this, when the connection between the user terminal and the network is disconnected and the association between the account and the line identifier becomes different from the actual association (stored in the storage unit in advance). If the registered information becomes invalid information), an account stored in association with the line identifier is used by the Service-to-Self on the same communication path as the invalid line identifier. Suppose that “spoofing” is performed. In such a case, according to the method of Patent Document 1, the network connection device, based on the account included in the query impersonated by the Service-to-Self, the line identifier stored in association with the account, Check that the account in the communication record (account impersonated by the Service-to-Self) is not misrepresented by checking the identifier of the line used and stored in the storage unit as a communication record in association with the account. End up.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and when the communication path of the user terminal stored in advance becomes invalid information, the invalid information is misused. It is a first object of the present invention to provide an authentication system capable of dealing with authentication in a case where address information of a user terminal changes dynamically while preventing an attack performed in this manner.

  By the way, as described below, the above-described conventional technology cannot cope with authentication when the address information of the user terminal changes dynamically after reducing the load on the network connection device. There was also. More specifically, in the technique disclosed in Patent Document 1, when the network connection device transfers the service request to the service providing device, the network connection device communicates the combination of the identifier of the used line and the account through which the service request is actually transmitted. It must be stored in the storage as a record. In addition, this storage is performed at a stage prior to confirming whether the account in the communication record is not spoofed. If so, for example, when an unauthorized terminal has made an attack that sends a large number of service requests, the network connection device stores a communication record for each service request. There is a possibility that the load becomes high and the quality of service cannot be maintained.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and reduces the load on the network connection device and performs authentication when the address information of the user terminal changes dynamically. A second object is to provide an authentication system capable of complying with the above.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 controls the user terminal used by the user so that the user terminal is connected to the network. On the network of the user terminal controlled to connect to the network in a configuration in which the service providing apparatus that provides a service with network connection and the user terminal are communicably connected via the network. On the condition that the use route information indicating the communication route in the service is matched with the service request source route information indicating the communication route through which the service request for receiving the service is actually transmitted. The service providing apparatus provides the service to the user terminal that has transmitted the request. An authentication system that performs identification and uniquely identifies a user who is currently using the user terminal on the network with information different from the network address assigned to the user terminal in relation to the configuration A user route information storage means for storing the user route and the use route information in association with each other, and a network connection request for requesting connection to the network together with the user identifier from the user terminal, A usage route information registration request unit that transmits a usage route registration request that requests registration of the usage route information in the usage route information storage unit together with the user identifier; and the usage route information registration request unit that is transmitted by the usage route information registration request unit. When the usage route registration request is received together with the user identifier, the usage route registration request is transmitted. Use route information registration means for acquiring a route and registering the acquired communication route as the use route information in the use route information storage means in association with the user identifier transmitted together with the use route registration request; As a transmission destination of the service request, a service request receiving unit that receives the service request from the user terminal together with the user identifier, and the user identifier and the usage route stored by the usage route information storage unit When the service request is received by the valid / invalid determination means for determining whether the association with the information is valid information or invalid information, and the service request receiving means, Based on the user identifier included in the service request, the usage route information description is associated with the user identifier. Use route information acquisition means for acquiring the use route information stored in the storage means on condition that the use route information is determined to be valid information by the validity / invalidity determination means; and the service request reception When the service request is received by the means, service request source route information acquisition means for acquiring the service request source route information indicating a communication route through which the received service request is actually transmitted, and the usage route information acquisition It is determined whether or not the usage route information acquired by the means matches the service request source route information acquired by the service request source route information acquisition means. If the determination does not match and / or the usage route information is not acquired by the usage route acquisition means And the route matching means that the matching does not match, and the route matching means, on the condition that the matching between the route information and the service request source route information is the same Service providing means for performing setting so as to provide the service to the user terminal that has transmitted the service request used to acquire the information and the service request source route information.

  Further, in the invention according to claim 2, in the above invention, the use route information storage means stores the user identifier and the use route information in association with each other, and the association is the use route information. Information relating to the period stored in the storage means is further stored in association with each other, and the validity / invalidity determining means determines whether or not the period exceeds a predetermined period. As a result of the determination, the period exceeds the period. If not, the association is determined as valid information, and if the period exceeds the period as a result of the determination, the association is determined as invalid information.

  Further, in the invention according to claim 3, in the above invention, after controlling the user terminal to connect to the network, the information regarding the connection state of the user terminal in the network is requested to be updated. An update request receiving unit that periodically receives an update request from the usage route information registration request unit, and the usage route information storage unit receives the update request by the update request receiving unit, It is further characterized in that the information regarding the update is stored so that the period is calculated from the update time at which the update request is received.

  According to a fourth aspect of the present invention, in the above invention, the network address assigned to the user terminal in association with the configuration, and the user terminal to which the network address is assigned are the communication path in the configuration. Address communication path information storage means for storing the corresponding communication path information in association with each other, and the service request source path information acquisition means is based on the network address of the user terminal included in the service request. The communication route information stored in the address communication route information storage means in association with the network address is acquired as the service request source route information.

  In the invention according to claim 5, in the above invention, when the service request is received when the service request is transferred to the transmission destination of the service request, service request communication path information indicating a communication path of the service request is A service request transfer unit that adds the service request to the transmission destination, and the service request reception unit adds the service request communication path information to the service request transfer unit. The service request source route information acquisition means receives the service request communication route information added to the service request as the service request source route information. .

  The invention according to claim 6 is the above invention, wherein the service request transfer means transfers the service request communication path information with an electronic signature added to the service request, and the service request reception means includes: The service request source route information acquisition means receives the service request with the electronic signature, and acquires the service request communication route information as the service request source route information after verifying the electronic signature of the service request. It is characterized by.

  The invention according to claim 7 is the above invention, wherein the use route information registration means includes a user identifier for uniquely identifying a user who is currently using the user terminal. When it is controlled to connect to the network by a new communication path that is different from the communication path indicated by the usage path information that is associated and already stored in the usage path information storage means, the new communication path is The usage route information is registered in association with the user identifier so as to be added to the usage route information storage unit, and the route verification unit is associated with a predetermined user identifier in the usage route information storage unit. If there is a plurality of stored usage route information, it is determined whether each of the plurality of usage route information matches the service request source route information. If the determination of whether one of the available route information and the service requesting routing information match, further characterized by said collation shows coincidence.

  Further, the invention according to claim 8 is the above invention, wherein the usage route information registration means includes a user identifier for uniquely identifying a user who is currently using the user terminal. When it is controlled to connect to the network by a new communication path that is different from the communication path indicated by the usage path information that is associated and already stored in the usage path information storage means, the new communication path is The use route information is registered in the use route information storage unit in association with the user identifier, and the use route information already stored in the use route information storage unit in association with the user identifier is invalidated. Or deleting from the use route information storage means.

  According to the first aspect of the present invention, a service providing apparatus that provides a service that involves connection of the network to the user terminal by controlling the user terminal used by the user to connect to the network. And the user terminal to be communicably connected via the network, use path information indicating a communication path on the network of the user terminal controlled to connect to the network, and the service On the condition that the service request for receiving the service request matches with the service request source route information indicating the communication route that has been transmitted, the user terminal that has transmitted the service request An authentication system in which the service providing apparatus performs setting so as to provide a service, wherein the use A user identifier that uniquely identifies a user who is currently using a terminal on the network with information different from a network address assigned to the user terminal in association with the configuration, and the usage route information. When a network connection request that stores and associates with the user identifier is received from the user terminal together with the user identifier, the use route registration request that requests registration of the use route information is used. When the usage route registration request transmitted together with the user identifier is received together with the user identifier, the communication route from which the usage route registration request has been transmitted is acquired, and the acquired communication route is used as the usage route information. The service identifier is registered in association with the user identifier transmitted together with the use route registration request. As the transmission destination, the service request is received from the user terminal together with the user identifier, and the correspondence between the stored user identifier and the usage route information is valid information, or When it is determined whether the information is invalid and the service request is received, the information is stored in association with the user identifier based on the user identifier included in the received service request. The communication route on which the use request information is acquired on the condition that the use route information is determined to be valid information and the service request is received when the service request is received. The service request source route information indicating the service request source route information is acquired, and it is determined whether the acquired use route information matches the acquired service request source route information. In the case where they match, it is determined that the collation is coincident, and in the case where the determination is not coincident and / or when the use route information is not acquired, the collation is mismatched, and the use route information and the service request source route are determined. Provide the service to the user terminal that has transmitted the service request used to acquire the usage route information and the service request source route information on the condition that the matching with the information is matched If the pre-stored communication path of the user terminal becomes invalid information, the address of the user terminal is prevented after preventing an attack performed by misusing the invalid information. It becomes possible to cope with authentication when information changes dynamically.

  To give a specific example, when the connection between the user terminal and the network is disconnected, the association between the user identifier and the usage route information becomes different from the actual association. (When the information stored in the storage unit in advance becomes invalid information), it is associated with the use route information by the Service-to-Self on the same communication route as the use route information that is invalid information. Assume that “spoofing” is performed using a stored regular user identifier. In such a case, according to the invention of claim 1, since the use route information is determined to be invalid information, the authentication system is included in the inquiry spoofed by the Service-to-Self. The usage route information stored in association with the user identifier is not acquired and collated. Therefore, it is possible to avoid a situation in which it is erroneously determined that the user identifier (user identifier impersonated by the Service-to-Self) who transmitted the service request is not misrepresented.

  According to the invention of claim 2, in addition to storing the user identifier and the usage route information in association with each other, information on a period in which the association is stored is further stored in association with each other, It is determined whether or not the period exceeds a predetermined period. If the period is not exceeded as a result of the determination, the association is determined as valid information, and the period is exceeded as a result of the determination. If the communication route of the user terminal stored in advance becomes invalid information by a simple method of managing the validity period, the association is determined to be invalid information. Thus, it is possible to cope with authentication in a case where the address information of the user terminal changes dynamically, while preventing an attack performed by misusing the invalid information.

  In addition, for example, for the connection state in which the user terminal is connected to the network, the authentication system is effective only by receiving a signal indicating a state change such as “connected” or “disconnected”. Assuming that a method for determining whether the information is invalid or invalid is used, the usage route information that should be invalidated in the authentication system is valid information when the signal transfer fails. It will remain. On the other hand, according to the invention of claim 2, since the authentication system employs a method for determining whether the association is valid information or invalid information based on the validity period, the above transfer Even if an error occurs, since the association is invalidated after a certain time, it is possible to prevent an attack performed by misusing the invalid information.

  According to a third aspect of the present invention, an update request for requesting to update information relating to a connection state of the user terminal in the network is periodically performed after controlling the user terminal to connect to the network. When the update request is received, the information on the period is updated and stored so that the period is calculated from the update time at which the update request is received. It becomes possible to appropriately update the information regarding.

  In addition, since the duration for which the user terminal is continuously connected to the network is not constant every time, for example, a period from the time when the user terminal starts network connection to the authentication system. If the method of comparing the effective period with the effective period is adopted, it may be difficult to appropriately determine the effective period, which is an operational parameter (that is, it continues even if the effective period exceeds 30 minutes, for example). Even if the user terminal wants to receive service, the network will be forcibly disconnected after 30 minutes). On the other hand, according to the invention of claim 3, since the authentication system adopts a method of periodically updating the expiration date, it is possible to cope with the needs when the predetermined expiration time as described above is exceeded. This makes it possible to effectively determine the effective period, and also has an effective effect in terms of operation.

  According to the invention of claim 4, a network address given to the user terminal in association with the configuration, and a communication in which the user terminal given the network address is supposed to be a communication path in the configuration The route information is stored in association with each other, and the communication route information stored in association with the network address is used as the service request source route information based on the network address of the user terminal included in the service request. In addition to the above effects, by registering the network address and communication path information in advance, the address information of the user terminal changes dynamically while reducing the load on the network connection device. It becomes possible to cope with the authentication of the case.

  In other words, according to the invention of claim 4, since the device on the communication path only needs to have a function of transferring a packet, a method for adding information indicating the communication path of the service request to the service request is used. In comparison, after reducing the load on the network connection device, it is possible to easily cope with authentication when the address information of the user terminal changes dynamically.

  According to a fifth aspect of the present invention, when the service request is received when the service request is transferred to the transmission destination of the service request, service request communication path information indicating a communication path of the service request is added to the service request. The service request communication path that is transferred to the destination, receives the service request transferred with the service request communication path information added, and is added to the service request. Since the information is acquired as the service request source route information, even if the network address and the communication route information are not registered in advance, the address information of the user terminal is activated after reducing the load on the network connection device. It is possible to cope with authentication in the case of a continuous change.

  In other words, according to the invention of claim 5, since the network topology design change (for example, when the network address system for each base is changed) is not affected, the network address and the communication path information are preliminarily set. Compared with the method of registering, it is possible to flexibly cope with authentication when the address information of the user terminal changes dynamically, while reducing the load on the network connection device.

  According to a sixth aspect of the present invention, the service request communication path information with an electronic signature is added to the service request and transferred, the service request with the electronic signature is received, and the electronic signature of the service request is received. After the verification, the service request communication path information is acquired as the service request source path information. In addition to the above effects, the reliability of the service request communication path information can be improved.

  According to a seventh aspect of the present invention, the user terminal is already stored in association with a user identifier that uniquely identifies a user who is currently using the user terminal. When it is controlled to connect to the network by a new communication path different from the communication path indicated by the information, the new communication path is registered in association with the user identifier so as to be added as the usage path information. When there are a plurality of the usage route information stored in association with a predetermined user identifier, it is determined whether each of the plurality of usage route information matches the service request source route information. In addition to the above-described effect, if the determination between any one of the usage route information and the service request source route information matches, the new usage Information it is possible to properly stored in the storage unit.

  Specifically, according to the invention of claim 7, it becomes possible for the user terminal to simultaneously hold a plurality of network connections, for example, the timing of moving from one access point to the next access point. In this case, the user terminal can continue the service seamlessly.

  According to an eighth aspect of the present invention, the user route is stored in association with a user identifier that uniquely identifies a user who is currently using the user terminal. When it is controlled to connect to the network by a new communication route different from the communication route indicated by the information, the use route information storage means associates the new communication route with the user identifier as the use route information. In addition to the above effect, the use route information already stored in the use route information storage unit in association with the user identifier is invalidated or deleted from the use route information storage unit. New usage route information can be stored in the storage unit more safely.

  In other words, according to the invention of claim 8, the usage route information of each user is always limited to one. For example, when a service request is transmitted from another communication route by a malicious person, etc. It is possible to detect that the service request is “spoofing” by a Service-to-Self.

  Exemplary embodiments of an authentication system according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, the main terms used in the embodiment, the outline and features of the authentication system according to the first embodiment, the configuration of the authentication system according to the first embodiment, the processing procedure by the authentication system according to the first embodiment, the first embodiment. The effects will be described in order, followed by another example.

[Explanation of terms]
First, main terms used in the following examples will be described. In the following embodiments, the “user terminal” is realized by a commercially available PC (Personal Computer), a telephone terminal, or an IP (Internet Protocol) telephone terminal, and the “service providing apparatus” This is realized by a PC or WS (workstation). In a configuration in which both devices are communicably connected via a network such as a wired LAN (Local Area Network), a wireless LAN, the Internet, a public switched telephone network, or an IP network, the “service providing apparatus” Provide accompanying services to the “user terminal”. For example, the “service providing apparatus” provides services such as a telephone connection service, a message exchange service, or a content download service to the “user terminal”. In the following embodiments, a “SIP (Session Initiation Protocol) server” is assumed as an example of a “service providing apparatus”.

  By the way, when the “user terminal” requests the “service providing apparatus” to receive the service, it is necessary to authenticate the “user terminal”. It is considered that there are various levels of such authentication, but the “authentication system” according to the present invention is an “account” that uniquely identifies a user who uses the “user terminal” on the network (claimed). Confirmation that the “account” is not misrepresented, it is not enough to simply confirm that the “user identifier” described in the scope is an “account” permitted by the “service providing device”. To do. Specifically, “use route information” indicating the communication route on the network of the “user terminal” used by the user uniquely identified by the “account” and a service request (service) from the same “account” (Account) is not spoofed by checking whether or not the message requesting the provision of the service) matches the “service request source route information” that indicates the communication route that was actually sent. Confirm.

  In other words, “use route information” indicates a communication route for “user terminal” authenticated by authentication separately performed by a network connection device such as an access point, and is guaranteed to be correct information. Information. The “authentication system” according to the present invention registers and stores this correct information in association with an “account” that uniquely identifies a user who uses the “user terminal”. On the other hand, “service request source route information” indicates a communication route through which a service request is actually transmitted, and is information that is not yet guaranteed to be correct information. Therefore, the “authentication system” according to the present invention compares “use route information” that is guaranteed to be correct information with “service request source route information” that is not yet guaranteed to be correct information. On the condition that the two match, the “account” that sent the service request is confirmed not to be spoofed, and the “user” used by the user uniquely identified by the “account” The service providing apparatus performs setting so as to provide the service to the “terminal”.

  By the way, as described above, the “use route information” indicates the communication route for “user terminal” authenticated by authentication separately performed by a network connection device such as an access point, and is correct information. There must be guaranteed information. However, for example, when the connection between the user terminal and the network is disconnected, the “use route information” may no longer be information that is guaranteed to be correct information. . For this reason, it is important how the “authentication system” according to the present invention should make “use path information” “information guaranteed to be correct information”. For this reason, the “authentication system” according to the present invention is mainly characterized in solving this point as described below.

  Since “service request source route information” indicates the communication route through which the service request is actually transmitted, it is also important how the “authentication system” obtains such information. . That is, as can be understood from the assumption that the “authentication system” according to the present invention is actually operated, the “authentication system” must authenticate a large number of “user terminals”. It does not mean that “request source route information” should be acquired. For example, when an unauthorized terminal makes an attack that sends a large number of service requests, the service quality may not be maintained if the load on the network connection device such as an “access point” increases. . Therefore, it can be said that the “authentication system” must have a mechanism for acquiring “service request source route information” while reducing the load on the network connection device. For this reason, the “authentication system” according to the present invention also solves this point as described below.

[Outline and Features of Authentication System According to Embodiment 1]
Next, the outline and features of the authentication system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the authentication system according to the first embodiment. In Example 1 below, “use route management device” appears as a device that manages “use route information”, and “service request source route management device” appears as a device that manages “service request source route information”. However, the “authentication system” according to the present invention does not necessarily have to be composed of an “access point”, a “use route management device”, a “service request source route device”, and a “service provision device”. . As will be exemplified later, with respect to what device the function to be provided in the “authentication system” according to the present invention is realized, may be appropriately changed depending on the operation mode of the “authentication system”.

  In the configuration in which the authentication system according to the first embodiment is configured to connect the service providing apparatus and the user terminal via the network by controlling the user terminal to connect to the network as described above. Check that the usage route information indicating the communication route on the network of the user terminal controlled to connect to the network matches the service request source route information indicating the communication route through which the service request is actually transmitted. As a condition, if the service providing device is set to provide a service to the user terminal that transmitted the service request, the usage route information stored in advance becomes invalid information. For the authentication when the address information of the user terminal changes dynamically after preventing the attack that exploits the invalid information. And mainly characterized in that the response.

  This main feature will be briefly described. First, in the authentication system according to the first embodiment, as shown in FIG. 1, the usage route management device uses an account (“user ID”) and usage route information (“use route”). ) Are stored in association with each other (corresponding to “use route information storage means” described in the claims). Although not shown in FIG. 1, the authentication system according to the first embodiment receives a usage route registration request together with an account from a user terminal that requests connection to a network and registration of usage route information. Then, the communication route through which the use route registration request is transmitted is acquired, and the acquired communication route is used as route information, and the account and the route information are associated and registered in the route storage unit. The “account” in the present invention is a user identifier that uniquely identifies a user who is currently using the user terminal on the network, and is associated with the user terminal in connection with the network configuration. This is information different from the network address (for example, IP address).

  For example, the usage route storage unit stores “User2” as an account and “Line20A” as usage route information in association with each other. For example, when an access point (for example, a wireless LAN access point) receives a use route registration request from a user terminal used by a user identified by “User2”, the user terminal and the RADIUS (Remote Authentication Dial In User Service) When performing mutual authentication separately with the use path management device that also functions as a server, and controlling the user terminal that has succeeded in mutual authentication to connect to the network The access point associates “User2” with the usage route information “Line20A” (this usage route information is, for example, information that can be grasped by the access point) in the usage route storage unit. It is a registered one.

  Further, in the authentication system according to the first embodiment, as shown in FIG. 1, the service request source route management apparatus stores an IP address and communication route information (“route”) in association with each other, and stores the address communication route information storage unit. (Corresponding to “address communication path information storage means” described in claims). Here, the IP address has a meaning as a network address given to the user terminal in association with the network configuration. The communication path information has a meaning as communication path information that a user terminal to which a network address is assigned should be used as a communication path in the network configuration. In other words, for example, referring to the example of FIG. 1, a user who is given IP addresses “10.1.2.10”, “10.1.2.20”, and “10.1.2.30”. The terminal is preliminarily defined as having a fixed relationship with the communication path that “Line 20A” should be the communication path in the network configuration in the first embodiment, and the address communication path information storage unit This information is stored as information defined in advance.

  By the way, the authentication system according to the present invention can be considered in two stages, a use route registration request stage and a service request stage. That is, the authentication system according to the present invention proceeds to the service request stage on the assumption that the association between the usage path information and the account is registered in the usage path storage unit in the usage path registration request stage.

  Therefore, the service request stage will be described next. First, the user terminal transmits a service request for requesting to receive the service provided by the service providing apparatus to the transmission destination together with the account (FIG. 1). (See (1)). In the first embodiment, since it is assumed that the transmission destination of the service request is the service providing apparatus, for example, the user terminal transmits the service request together with “User2” to the service providing apparatus.

  Then, when the service providing apparatus receives the service request from the user terminal together with the account as the transmission destination of the service request (see (2) in FIG. 1), the usage route management apparatus is included in the received service request. Based on the existing account, the usage route information stored in the usage route storage unit in association with the account is acquired (see (3) -2 in FIG. 1). For example, the usage route management device acquires usage route information “Line20A” stored in the usage route storage unit in association with “User2” based on “User2” included in the service request.

  Here, the use route management apparatus determines whether the association between the user identifier and the use route information stored in the use route storage unit is valid information or invalid before obtaining the use route information. It is determined whether it is information (see (3) -1 in FIG. 1). Further, the usage route management apparatus acquires usage route information on the condition that the usage route information is determined to be valid information. By doing so, the authentication system according to the present invention prevents an attack performed by misusing the invalid information when the use route information stored in advance becomes invalid information.

  On the other hand, when the service providing apparatus receives the service request (see (2) in FIG. 1), the service request source route management apparatus is included in the received service request as information indicating the transmission source of the service request. Based on the IP address of the user terminal, the communication path information associated with the IP address and stored in the address communication path information storage unit is acquired as service request source path information (see (3) -3 in FIG. 1). reference). For example, based on “10.1.2.20” included in the service request, the service request source management apparatus stores it in the address communication path information storage unit in association with “10.1.2.20”. The communication path information “Line20A” being acquired is acquired.

  Then, the service providing device collates whether or not the usage route information acquired by the usage route management device matches the service request source route information acquired by the service request source route management device ((( See 4)). For example, the service providing device collates whether or not the usage route information (“Line 20A”) matches the service request source route information (“Line 20A”).

  Thereafter, although not shown in FIG. 1, the service providing apparatus acquires the usage route information and the service request source route information on condition that the usage route information matches the service request source route information. The user terminal that has transmitted the used service request is set to provide the service. For example, in the example of FIG. 1, since the usage route information (“Line 20A”) matches the service request source route information (“Line 20A”), the service providing apparatus is identified by “User 2”. The user terminal used by the user is set to provide the service.

  As described above, the authentication system according to the first embodiment prevents an attack performed by misusing the invalid information when the communication path of the user terminal stored in advance becomes invalid information. Thus, it is possible to cope with authentication when the address information of the user terminal changes dynamically.

[Configuration of Authentication System According to Embodiment 1]
Next, the configuration of the authentication system according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating the configuration of the authentication system according to the first embodiment, FIG. 3 is a diagram for explaining a use route storage unit, and FIG. 4 is a diagram for explaining an address communication route information storage unit. FIG.

  First, the configuration of the authentication system according to the first embodiment will be described with reference to FIG. 2. The authentication system according to the first embodiment includes a user terminal 10, an access point 20, a use route management device 30, a service request. It is composed of an original route management device 40 and a service providing device 50 (note that the user terminal 10 is not included in the authentication system and is connected to the service providing device 50 by the authentication system so as to be communicable). The user terminal 10 and the access point 20 are connected via the network 60, and the access point 20, the use route management device 30, the service request source route management device 40, and the service providing device 50 are connected via the network 70. Is done. Hereinafter, each of the user terminal 10, the access point 20, the usage route management device 30, the service request source route management device 40, and the service providing device 50 will be described in order.

[User terminal 10]
As illustrated in FIG. 2, the user terminal 10 according to the first embodiment includes a communication unit 11, a network connection request unit 12, and a service request unit 13.

  The communication unit 11 includes a general communication interface and library, and controls communication between the user terminal 10 and other devices.

  The network connection request unit 12 transmits a network connection request for requesting connection to the network 70. Specifically, the network connection request unit 12 transmits a network connection request together with the account of the user who uses the user terminal 10. In the first embodiment, the network connection request unit 12 transmits a network connection request to the access point 20.

  The service request unit 13 transmits a service request requesting to receive service provision. Here, the service request is a message requesting to receive the service provided by the service providing apparatus 50. Specifically, the service request unit 13 transmits the service request together with the account of the user who uses the user terminal 10. In the first embodiment, the service request unit 13 transmits a service request to the service providing apparatus 50.

[Access point 20]
As illustrated in FIG. 2, the access point 20 according to the first embodiment includes a communication unit 21 and a use route registration request unit 22. The use route registration request unit 22 corresponds to “use route information registration request unit” recited in the claims.

  The communication unit 21 includes a general communication interface and library, and controls communication between the access point 20 and other devices.

  The usage route registration request unit 22 transmits a usage route registration request for requesting registration of usage route information. Here, the usage route information is information indicating a communication route on the network 70 of the user terminal 10. Specifically, when the use route registration request unit 22 receives a network connection request from the user terminal 10 together with an account, the use route registration request unit 22 transmits the use route registration request together with the account. In the first embodiment, the usage route registration request unit 22 transmits a usage route registration request to the usage route management device 30.

[Use Route Management Device 30]
As shown in FIG. 2, the usage route management apparatus 30 according to the first embodiment includes a communication unit 31, a usage route registration unit 32, a usage route storage unit 33, a validity / invalidity determination unit 34, and a usage route information acquisition unit 35. With. The usage route registration unit 32 corresponds to the “use route information registration unit” described in the claims, and the use route storage unit 33 corresponds to the “use route information storage unit” described in the claims. The valid / invalid determination unit 34 corresponds to the “valid / invalid determination unit” described in the claims, and the use route information acquisition unit 35 corresponds to the “use route information acquisition unit” described in the claims. To do.

  The communication unit 31 includes a general communication interface and library, and controls communication between the usage path management device 30 and other devices.

  The usage route registration unit 32 registers the usage route information and the account in the usage route storage unit 33 in association with each other. Specifically, when the usage route registration request is received from the access point 20 together with the account, the usage route registration unit 32 acquires the communication route from which the usage route registration request has been transmitted, and uses the acquired communication route as usage route information. Then, it is registered in the usage route storage unit 33 in association with the account transmitted together with the usage route registration request. Here, the account will be described again. The account according to the present invention is an IP address that is assigned to the user terminal 10 in relation to the configuration of the network 60 and the network 70 by using the user who is currently using the user terminal 10. It is different information and is uniquely identified on the network 70.

  For example, when the usage route registration unit 32 receives a usage route registration request from the access point 20, the usage route registration unit 32 separately performs mutual authentication between the user terminal 10 and the usage route management device 30 having a function as a RADIUS server. When the access point 20 controls to connect the user terminal 10 that has succeeded in mutual authentication to the network 70, the account is associated with the use route information that can be grasped by the use route registration unit 32, Register in the use route storage unit 33.

  The usage route storage unit 33 stores an account and usage route information in association with each other. Specifically, the usage route storage unit 33 stores the account and usage route information in association with each other by being registered by the usage route registration unit 32, and the stored information is stored in the route of the service providing device 50. It is used for processing by the collation unit 53.

  Here, in addition to storing the account and the usage route information in association with each other, the usage route storage unit 33 according to the first embodiment further associates information regarding the period in which the association is stored in the usage route storage unit 33. And remember. More specifically, the usage route management apparatus 30 according to the first embodiment controls the user terminal 10 to be connected to the network 70 and then updates the information related to the connection state of the user terminal 10 in the network 70. An update request receiving unit that periodically receives requested update requests is provided (not shown in FIG. 2). When the update request is received by the update request receiving unit, the usage route storage unit 33 updates and stores information related to the period so that the period is calculated from the update time when the update request is received.

  Specifically, for example, when the user terminal 10 is controlled to connect to the wireless LAN, the access point 20 is connected to the usage route management apparatus 30 having a function as a RADIUS server. , "Accounting-Start" is transmitted. Thereafter, when the user terminal 10 is connected to the wireless LAN, the access point 20 transmits “Accounting-Interim-Update” to the usage path management device 30 at regular intervals. Further, when the user terminal 10 explicitly disconnects, the access point 20 transmits “Accounting-Stop” to the usage route management device 30. The update request receiving unit described above receives “Accounting-Interim-Update”.

  When such a mechanism is assumed, the usage route storage unit 33 receives “Accounting-Interim-Update” as information on a period when “Accounting-Interim-Update” is received by the update request receiving unit. Update and store the period from the time.

  For example, as shown in FIG. 3, the use route storage unit 33 stores an account (“user ID”), use route information (“use route”), and information about a period (“update time”) in association with each other. To do. Specifically, as illustrated in FIG. 3, for example, the usage route storage unit 33 includes an account “User1” and “User2”, usage route information “Line20A”, and period information “2007.5. 1 09:30 ”and“ 2007.5.1 15:20 ”are stored in association. The “2007.5.1 09:30” and “2007.5.1 15:20” are times when “Accounting-Interim-Update” is received by the update request receiving unit.

  For example, when a reconnection request is made due to deterioration of radio wave conditions between the user terminal 10 and the wireless access point 20, a re-authentication process is performed between the user terminal 10 and the RADIUS server 30. Is executed. This re-authentication process is similar to normal connection authentication, but the data exchanged between the user terminal 10 and the RADIUS server 30 is somewhat different, so that it is determined that the re-authentication process is a re-authentication process. When the re-authentication process is executed and the re-authentication is successful, the usage path storage unit 33 updates and stores the information related to the period so that the period is calculated from the time when the re-authentication is successful.

  The valid / invalid determination unit 34 determines whether the association stored in the use route storage unit 33 is valid information or invalid information. Specifically, when the service request transmitted from the user terminal 10 is received by the service providing unit 52 of the service providing apparatus 50, the validity / invalidity determining unit 34 according to the first embodiment is stored in the usage route storage unit 33. It is determined whether the association between the user identifier and the usage route information is valid information or invalid information, and the determined determination result is transmitted to the usage route information acquisition unit 35.

  Specifically, for example, the validity / invalidity determination unit 34 manages the validity period of the association stored in the usage route storage unit 33, and the association is stored in the usage route storage unit 33. It is determined whether or not the valid period exceeds the valid period, and if the valid period is not exceeded as a result of the determination, the route information is determined to be valid information, and the valid period is exceeded as a result of the determination. If it is, the usage route information is determined as invalid information.

  For example, the validity / invalidity determination unit 34 manages the validity period, calculates the period in which the association is stored in the use route storage unit 33 from the update time stored in the use route storage unit 33 and the current time, By comparing the managed effective period and the calculated period, it is determined whether the association is valid information or invalid information.

  The usage route information acquisition unit 35 acquires the usage route information stored in the usage route storage unit 33. Specifically, when the service request transmitted from the user terminal 10 is received by the service providing unit 52 of the service providing apparatus 50, the usage route information acquiring unit 35 includes the account included in the received service request. On the basis of the usage route information stored in the usage route storage unit 33 in association with the account on the condition that the usage route information is determined to be valid information by the validity / invalidity determination unit 34. The acquired usage route information is transmitted to the route verification unit 53 of the service providing apparatus 50.

  For example, when the service request transmitted from the user terminal 10 used by the user of the account “User2” is received, the usage route information acquisition unit 35 sets the account “User2” based on the account “User2”. The usage route information “Line20A” stored in the usage route storage unit 33 in association with each other is acquired on condition that the usage route information “Line20A” is determined to be valid information by the validity / invalidity determination unit 34. The acquired usage route information “Line 20A” is transmitted.

[Service Request Source Route Management Device 40]
As illustrated in FIG. 2, the service request source route management apparatus 40 according to the first embodiment includes a communication unit 41, an address communication route information storage unit 42, and a service request source route information acquisition unit 43. The address communication path information storage unit 42 corresponds to the “address communication path information storage unit” described in the claims, and the service request source path information acquisition unit 43 includes the “service request information” described in the claims. This corresponds to “original route information acquisition means”.

  The communication unit 41 includes a general communication interface and library, and controls communication between the service request source path management device 40 and other devices.

  The address communication path information storage unit 42 stores an IP address and communication path information in association with each other. Specifically, the address communication path information storage unit 42 includes an IP address assigned to the user terminal 10 in association with the configuration of the network 60 and the network 70, and the user terminal 10 to which the IP address is assigned. The communication path information that should be the communication path is stored in association with each other, and the stored information is used for processing by the service request source path information acquisition unit 43. Note that the address communication path information storage unit 42 stores these pieces of information in advance, for example, by being input by an operation manager of the authentication system.

  For example, as shown in FIG. 4, the address communication route information storage unit 42 stores an IP address and communication route information (“route”) in association with each other. Specifically, as shown in FIG. 4, for example, the address communication path information storage unit 42 includes IP addresses “10.1.2.10”, “10.1.2.20”, And “10.1.2.30” and communication path information “Line20A” are stored in association with each other.

  The service request source route information acquisition unit 43 acquires service request source route information. Specifically, when a service request transmitted from the user terminal 10 is received by the service providing unit 52 of the service providing apparatus 50, the service request source route information acquiring unit 43 is included in the received service request. Based on the IP address of the user terminal 10 that is present, the communication path information associated with the IP address and stored by the address communication path information storage unit 42 is acquired as service request source path information, and the acquired service request source The route information is transmitted to the route matching unit 53 of the service providing apparatus 50.

  For example, when a service request transmitted from the user terminal 10 with the IP address “10.1.2.20” is received, the service request source route information acquisition unit 43 receives the IP address “10.1.2.20”. ], The usage route information “Line20A” stored in the address communication route information storage unit 42 in association with the IP address “10.1.2.20” is acquired, and the acquired usage route information “Line20A” is acquired. Send.

[Service Providing Device 50]
As shown in FIG. 2, the service providing apparatus 50 according to the first embodiment includes a communication unit 51, a service providing unit 52, and a route matching unit 53. The service providing unit 52 according to the first exemplary embodiment corresponds to the “service request receiving unit” and the “service providing unit” described in the claims, and the path matching unit 53 includes the “service request receiving unit” described in the claims. Corresponding to “path verification means”.

  The communication unit 51 includes a general communication interface and library, and controls communication between the service providing apparatus 50 and other apparatuses.

  The service providing unit 52 receives the service request as a transmission destination of the service request. Further, the service providing unit 52 performs setting so as to provide a service to the user terminal 10 that has transmitted the service request. Specifically, the service providing unit 52 receives the service request from the user terminal 10 together with the account as a transmission destination of the service request. In addition, the service providing unit 52 uses the service used to acquire the used route information and the service request source route information on condition that the used route information matches the service request source route information by the route check unit 53. The user terminal 10 that has transmitted the request is set to provide a service.

  The route matching unit 53 checks whether or not the usage route information matches the service request source route information. Specifically, the route matching unit 53 determines whether or not the use route information acquired by the use route information acquisition unit 35 matches the service request source route information acquired by the service request source route information acquisition unit 43. Are sent to the service providing unit 52.

  For example, the route matching unit 53 matches the use route information “Line 20A” acquired by the use route information acquisition unit 35 with the service request source route information “Line 20A” acquired by the service request source route information acquisition unit 43. And the result of the collation is transmitted to the service providing unit 52. In response to this result, the service providing unit 52 provides a service to the user terminal 10 (for example, “User2”) that has transmitted the service request used to acquire the use route information and the service request source route information. Set as provided.

[Procedure for Processing by Authentication System According to Embodiment 1]
Up to now, each device and each part constituting the authentication system according to the first embodiment have been briefly described. In the following, a procedure of processing by the authentication system according to the first embodiment will be described in detail with reference to FIGS. To do. FIG. 5 is a sequence diagram illustrating a processing procedure (use route registration request stage) by the authentication system according to the first embodiment. FIG. 6 illustrates a processing procedure (service request stage) by the authentication system according to the first embodiment. FIG. 7 is a diagram for explaining a flow of information between each unit of the authentication system according to the first embodiment.

  However, in the first embodiment, it is assumed that the access point 20 is a wireless LAN access point, and the usage route management device 30 also has a function as a RADIUS server, and the user terminal 10 and the usage route management device 30 (RADIUS server). ) On the assumption that mutual authentication is performed by IEEE 802.1x (Institute of Electrical and Electronic Engineers 802.1x), and further, the service providing device 50 is assumed to be a SIP server. However, the present invention is not limited to this. When the user terminal 10 and the access point 20 are wired LANs, or when other mutual authentication is performed between the user terminal 10 and the network connection device (for example, authentication using an account and a password) The service providing apparatus 50 may be either a WWW server or the like. That is, the present invention does not depend on a specific network, a mutual authentication method, service contents of a service providing apparatus, or the like.

[Use Route Registration Request Stage]
First, the network connection request unit 12 of the user terminal 10 transmits “EAPOL (Extensible Authentication Protocol over LAN) -Start” to the access point 20 as part of a network connection request for requesting connection to the network 70. (Step S101). Then, as a response to “EAPOL-Start”, the access point 20 transmits “EAP-Req / Identity” requesting transmission of an account (hereinafter referred to as user ID) to the user terminal 10 (step S102).

  Next, the network connection request unit 12 of the user terminal 10 transmits “EAP-Resp” together with the user ID (for example, “User2”) to the access point 20 (step S103).

  Then, the usage route registration request unit 22 of the access point 20 gives usage route information (step S104), and requests usage route information to be registered in the usage route storage unit 33 of the usage route management device 30. A route registration request is transmitted to the use route management apparatus 30 together with the user ID (step S105). For example, the usage route registration request unit 22 transmits the usage route registration request after assigning the IP address of the access point 20 as usage route information to “EAP-Resp / RADIUS”.

  Subsequently, mutual authentication processing by “EAP-TLS (Transport Layer Security)” is executed between the user terminal 10 and the usage route management device 30 (RADIUS server) (step S106).

  When this mutual authentication is successful, the usage route registration unit 32 of the usage route management device 30 acquires the communication route from which the usage route registration request is transmitted, and uses the acquired communication route (for example, “Line 20A”) as usage route information. The user ID (“User2”) transmitted with the usage route registration request is associated with the usage route information (“Line20A”) and registered in the usage route storage unit 33 of the usage route management device 30 (step S107). Then, the usage route storage unit 33 stores the user ID (“User2”) and the usage route information (“Line20A”) in association with each other.

  The usage route storage unit 33 according to the first embodiment further stores information on the period in which the association is stored in the usage route storage unit 33 in addition to storing the user ID and the usage route information in association with each other. Then remember. For example, the use route storage unit 33 further stores the association update time (registration time for the first time; for example, “2007.5.1 15:20”) as information relating to the period.

  Thereafter, the usage route management device 30 notifies the access point 20 of the result of usage route registration by “EAP-Success / RADIUS” or the like (step S108), and the access point 20 sends “EAP-Success” to the user terminal. 10 (step S109).

  In the first embodiment, the usage route registration request unit 22 of the access point 20 transmits a usage route registration request after adding the IP address of the access point 20 to the RADIUS protocol as usage route information. Explained. According to this method, the usage route registration unit 32 of the usage route management device 30 acquires the communication route by referring to the IP address of the access point 20 given to the usage route information. However, the present invention is not limited to this method. For example, the usage route registration unit 32 of the usage route management device 30 may acquire the IP address of the access route 20 by acquiring the source IP address of the usage route registration request to acquire the communication route.

[Service request stage]
Next, as part of the service request that the service request unit 13 of the user terminal 10 requests to receive the service, the “REGISTER request” is sent together with the user ID (“User2”) to the service providing device 50. It transmits to the service provision part 52 (step S151).

  Then, the service providing unit 52 of the service providing apparatus 50 (SIP server) receives “REGISTER request”, which is a service request, together with the user ID (“User2”) as the transmission destination of the service request (step S151). The IP address (“10.1.2.20”) of the user terminal 10 included in the “REGISTER request” is acquired, and a message including the IP address (“10.1.2.20”) is sent to the service. The request is transmitted to the request source route management device 40 (step S152).

  Next, the service request source route information acquisition unit 43 of the service request source route management apparatus 40 receives the IP address (“10..10”) of the user terminal 10 included in the “REGISTER request” as information indicating the source of the service request. The address communication path information storage unit 42 is searched based on “1.2.20” (step S153), and the address communication path information storage unit 42 is associated with the IP address (“10.1.2.20”). Is acquired as service request source route information, and is transmitted to the route verification unit 53 of the service providing device 50 (step S154).

  Further, the service providing unit 52 of the service providing apparatus 50 (SIP server) acquires the user ID (“User2”) of the user terminal 10 included in the “REGISTER request”, and the user ID (“User2”). ) Including the message) is transmitted to the usage route management device 30 (step S155).

  Next, the usage route information acquisition unit 35 of the usage route management device 30 searches the usage route storage unit 33 based on the user ID (“User2”) (step S156). At this time, the validity / invalidity determination unit 34 of the usage route management device 30 determines whether the association between the user ID and the usage route information stored in the usage route storage unit 33 is valid information or invalid. It is determined whether it is information. Then, the use route information acquisition unit 35 uses the use route information (“Line20A”) stored in the use route storage unit 33 in association with the user ID (“User2”), and the use route information is valid / invalid. The information is acquired on the condition that the information is determined to be valid information by the determination unit 34, and is transmitted to the route verification unit 53 of the service providing apparatus 50 (step S157). If the validity / invalidity determining unit 34 determines that the association is invalid information, the access point 20 invalidates or deletes the association stored in the use route storage unit 33.

  The route matching unit 53 of the service providing device 50 checks whether or not the service request source route information received in step S154 matches the usage route information received in step S157 (step S158).

  Then, the service providing unit 52 of the service providing apparatus 50 determines that the use route information and the service request are received on the condition that the route matching unit 53 matches the use route information and the service request source route information. The user terminal 10 that has transmitted the service request used to acquire the original route information is set to provide the service.

  For example, the service providing unit 52 of the service providing apparatus 50 completes “REGISTER registration” (step S159) when the collation is matched (Yes at step S158), and then, as a registration result, “REGISTER completion communication”. The message 200 OK ”is transmitted to the user terminal 10 (step S160). If the user ID included in the “REGISTER request” is “User3” and the usage route information received in step S157 is “Line20B”, the service providing unit 52 of the service providing device 50 is provided. If the collation is determined to be inconsistent (No at step S158), the registration result is notified to the user terminal 10 without completing the “REGISTER registration”.

  The above is a detailed description of an example of the processing procedure performed by the authentication system according to the first embodiment. For example, the procedure for acquiring the service request source route performed in steps S152 to S154 and steps S155 to 157 are described. The present invention can be applied in the same manner even when the procedure for obtaining the usage route performed so far is replaced.

  In other words, in the authentication system according to the present invention, the flow of information between the units should be as shown in FIG. In FIG. 7, the arrows indicate the direction in which information flows, the balloons indicate the contents of information, and the dotted balloons are normal information, whereas the solid balloons are This emphasizes “use route information” and “service request source route information” used in authentication (collation) in the present invention.

  Briefly describing FIG. 7, in the use route registration request stage, the network connection requesting unit 12 that requests connection to the network (however, the network connection requesting unit 12 is not a part constituting the authentication system) is connected to the network. When the connection request is transmitted to the use route registration request unit 22 together with the user ID, the use route registration request unit 22 sends the use route registration request to the use route registration unit 32, and the use route registration unit 32 sends the use route registration request. Is acquired, and the acquired communication route is registered in the usage route storage unit 33 as usage route information in association with the user ID.

  On the other hand, in the service request stage, the service request unit 13 that requests to receive the service provision (however, the service request unit 13 is not a part constituting the authentication system), the service request unit together with the user ID provides the service request unit. When transmitted to 52, the service providing unit 52 transmits a service request including the user ID to the route matching unit 53.

  When the route verification unit 53 transmits the user ID to the use route information acquisition unit 35, the use route information acquisition unit 35 associates the user ID with the user ID based on the received user ID. Acquire stored usage route information. At this time, the valid / invalid determination unit 34 determines whether the association between the user ID stored in the use route storage unit 33 and the use route information is valid information or invalid information. is doing. Then, the usage route information acquisition unit 35 acquires the usage route information on the condition that the usage route information is determined to be valid information by the validity / invalidity determination unit 34, and uses the acquired usage route information as a route. It transmits to the collation part 53.

  Further, when the route matching unit 53 transmits a service request (including an IP address indicating the transmission source of the service request) to the service request source route information acquisition unit 43, the service request source route information acquisition unit 43 receives the received IP Based on the address, service request source route information stored in the address communication route information storage unit 42 in association with the IP address is acquired. The service request source route information acquisition unit 43 transmits the acquired service request source route information to the route verification unit 53.

  The route verification unit 53 determines whether or not the usage route information acquired by the usage route information acquisition unit 35 matches the service request source route information acquired by the service request source route information acquisition unit 43. The service providing unit 52 indicates a collation result indicating that the collation is unmatched when the collation is coincident and the determination is not coincident or when the utilization route information is not acquired by the utilization route information acquiring unit 35. Send to.

  In this way, the authentication system according to the present invention collates the usage route information that has been determined to be valid information as the user information and the service request source route information. The service providing apparatus confirms that the user ID that transmitted the service request is not spoofed and provides the service to the user terminal used by the user uniquely identified by the user ID. Set up.

  Heretofore, in the first embodiment, the description has been given on the assumption that the above-described units are configured as shown in FIG. However, the present invention is not limited to this. For example, in the authentication system according to the present invention, each unit may be configured as shown in FIG. As can be seen from a comparison between FIG. 2 and FIG. 8, in the authentication system shown in FIG. 8, functions corresponding to the use route management device 30 and the service request source route management device 40 are configured to be integrated with the service providing device 150. Has been. Note that the authentication system according to the present invention may be configured by a configuration other than the configurations shown in FIGS. 2 and 8.

[Effect of Example 1]
As described above, according to the first embodiment, the user terminal used by the user is controlled to be connected to the network, thereby providing the user terminal with a service associated with the network connection. Route information indicating a communication route on the network of the user terminal controlled to connect to the network in a configuration in which the service providing apparatus to be connected and the user terminal are communicably connected via the network And the user terminal that transmitted the service request on the condition that the service request for receiving provision of the service matches with the service request source path information indicating the communication path that has been transmitted. An authentication system in which the service providing apparatus performs setting so as to provide the service to A user identifier that uniquely identifies the user currently using the user terminal on the network with information different from the network address assigned to the user terminal in association with the configuration; Usage route information that stores usage route information in association with each other and receives a network connection request that requests connection to the network together with the user identifier from the user terminal. When the registration request is transmitted together with the user identifier and the transmitted usage route registration request is received together with the user identifier, the communication route through which the usage route registration request is transmitted is acquired, and the acquired communication route is The usage route information is registered in association with the user identifier transmitted together with the usage route registration request, As a transmission destination of the service request, whether the service request is received from the user terminal together with the user identifier, and the correspondence between the stored user identifier and the usage route information is valid information. Or when the service request is received, the information is stored in association with the user identifier based on the user identifier included in the received service request. Is obtained on the condition that the use route information is determined to be valid information, and when the service request is received, the received service request is actually transmitted. The service request source route information indicating the received communication route is acquired, and it is determined whether or not the acquired use route information matches the acquired service request source route information. If the judgment matches, the collation is coincident, and if the judgment does not coincide and / or the use route information is not acquired, the collation is mismatched, and the use route information On the condition that the matching with the service request source route information is the same, to the user terminal that has transmitted the service request used to acquire the use route information and the service request source route information, Since the setting is made so as to provide the service, when the communication path of the user terminal stored in advance becomes invalid information, after preventing an attack performed by misusing the invalid information, It is possible to cope with authentication when the address information of the user terminal changes dynamically.

  To give a specific example, when the connection between the user terminal and the network is disconnected, the association between the user identifier and the usage route information becomes different from the actual association. (When the information stored in the storage unit in advance becomes invalid information), it is associated with the use route information by the Service-to-Self on the same communication route as the use route information that is invalid information. Assume that “spoofing” is performed using a stored regular user identifier. In such a case, according to the invention of claim 1, since the use route information is determined to be invalid information, the authentication system is included in the inquiry spoofed by the Service-to-Self. The usage route information stored in association with the user identifier is not acquired and collated. Therefore, it is possible to avoid a situation in which it is erroneously determined that the user identifier (user identifier impersonated by the Service-to-Self) who transmitted the service request is not misrepresented.

  That is, according to the first embodiment, impersonation of another person can be eliminated in user authentication, and user authentication processing on the service providing apparatus side can be facilitated. It is possible to provide a user authentication method that can cope with various changes.

  Further, according to the first embodiment, in addition to storing the user identifier and the usage route information in association with each other, information on a period in which the association is stored is further stored in association with each other. It is determined whether or not a predetermined period has been exceeded, and if the result of the determination does not exceed the period, the association is determined to be valid information, and the result of the determination exceeds the period. If the communication path of the user terminal stored in advance becomes invalid information by a simple method of managing the validity period, the association is determined as invalid information. It is possible to cope with authentication in a case where the address information of the user terminal changes dynamically while preventing an attack performed by misusing invalid information.

  In addition, for example, for the connection state in which the user terminal is connected to the network, the authentication system is effective only by receiving a signal indicating a state change such as “connected” or “disconnected”. Assuming that a method for determining whether the information is invalid or invalid is used, the usage route information that should be invalidated in the authentication system is valid information when the signal transfer fails. It will remain. On the other hand, according to the first embodiment, the authentication system employs a method of determining whether the association is valid information or invalid information based on the valid period. Even if it occurs, since the association is invalidated after a certain period of time, it is possible to prevent an attack performed by misusing the invalid information.

  In addition, according to the first embodiment, after the user terminal is controlled to connect to the network, an update request for requesting to update information related to the connection state of the user terminal in the network is periodically issued. When the update request is received, the information about the period is updated and stored so that the period is calculated from the update time at which the update request is received. Can be updated appropriately.

  In addition, since the duration for which the user terminal is continuously connected to the network is not constant every time, for example, a period from the time when the user terminal starts network connection to the authentication system. If the method of comparing the effective period with the effective period is adopted, it may be difficult to appropriately determine the effective period, which is an operational parameter (that is, it continues even if the effective period exceeds 30 minutes, for example). Even if the user terminal wants to receive service, the network will be forcibly disconnected after 30 minutes). On the other hand, according to the invention of claim 3, since the authentication system adopts a method of periodically updating the expiration date, it is possible to cope with the needs when the predetermined expiration time as described above is exceeded. This makes it possible to effectively determine the effective period, and has an effective effect in terms of operation.

  Further, according to the first embodiment, the network address given to the user terminal in association with the configuration, and the communication route information that the user terminal to which the network address is assigned should be the communication route in the configuration And the communication route information stored in association with the network address is acquired as the service request source route information based on the network address of the user terminal included in the service request. So, in addition to the above effects, registering the network address and communication path information in advance reduces the load on the network connection device, and the address information of the user terminal changes dynamically. It becomes possible to support authentication.

  In other words, according to the first embodiment, since the device on the communication path only needs to have a function of transferring a packet, it is compared with a method of adding information indicating the communication path of the service request to the service request. Thus, it is possible to easily deal with authentication when the address information of the user terminal changes dynamically, while reducing the load on the network connection device.

  So far, as the first embodiment, a method in which the authentication system according to the present invention acquires service request source route information from an address communication route information storage unit that stores an IP address and communication route information in association with each other has been described. It was. However, the present invention is not limited to this. Therefore, as a second embodiment, a method in which the authentication system according to the present invention acquires service request source route information from information added to a service request will be described with reference to FIGS. FIG. 9 is a diagram for explaining the outline and features of the authentication system according to the second embodiment.

[Outline and Features of Authentication System According to Second Embodiment]
Similarly to the authentication system according to the first embodiment, the authentication system according to the second embodiment also prevents an attack performed by misusing the invalid information when the use route information stored in advance becomes invalid information. In addition, the main feature is to support authentication when the address information of the user terminal changes dynamically. Here, as can be seen from a comparison between FIG. 1 and FIG. 9, in the authentication system according to the second embodiment, a router and a service request source route guarantee device are newly added as components.

  The main features of the authentication system according to the second embodiment will be briefly described. First, in the authentication system according to the second embodiment, as in the first embodiment, the use route management apparatus associates the account with the use route information. A use route storage unit for storing is provided. However, unlike the first embodiment, the authentication system according to the second embodiment does not require the service request source path management device to include an address communication path information storage unit that stores the IP address and the communication path information in association with each other.

  Also, the authentication system according to the second embodiment differs from the first embodiment in that the service request source path guarantee device supports VLANID (Virtual LAN ID) and communication path information (“path”) as shown in FIG. A VLAN management unit is also provided for storing the data. Here, the VLANID has a meaning as an ID assigned between the access point and the router. The communication path information is communication path information that a user terminal that passes through an access point assigned with a predetermined VLAN ID should use as a communication path in the network configuration, and is a service request communication indicating a communication path of a service request. It has meaning as route information. That is, for example, referring to the example of FIG. 9, the user terminal that passes through the access point to which the VLAN ID “10” is assigned should use “Line 20A” as the communication path in the network configuration in the second embodiment. That is, the VLANID management unit stores it.

  Therefore, the service request stage will be described. First, the user terminal transmits a service request together with the account to the transmission destination as in the first embodiment (see (1) in FIG. 9).

  Then, in the authentication system according to the second embodiment, when the service request source path guarantee device receives the service request when transferring it to the transmission destination of the service request, the service request communication path indicating the communication path of the service request Information is added to the service request with an electronic signature, and then the service request is transferred to the destination (see (2) in FIG. 9).

  For example, when the service request source route assurance device receives a service request from a user terminal, the service request source route assurance device associates the VLAN request assigned to the access point with the VLAN management unit based on the access point through which the received service request has passed. The stored communication path information is acquired. For example, the service request source path guarantee device acquires the communication path information “Line 20A” stored in the VLAN management unit in association with the VLAN ID “10” based on the VLAN ID “10”. Then, the service request source path guarantee apparatus adds the acquired communication path information “Line 20A” to the service request, and transfers the service request to the destination service providing apparatus with an electronic signature.

  Then, when the service providing apparatus receives the service request from the user terminal together with the account as the transmission destination of the service request (see (3) in FIG. 9), the usage route management apparatus receives the same as in the first embodiment. Based on the account included in the service request, the usage route information associated with the account and stored in the usage route storage unit is acquired (see (5) -2 in FIG. 9).

  Here, the use route management apparatus determines whether the association between the user identifier and the use route information stored in the use route storage unit is valid information or invalid before obtaining the use route information. It is determined whether it is information (see (5) -1 in FIG. 1). Further, the usage route management apparatus acquires usage route information on the condition that the usage route information is determined to be valid information. By doing so, the authentication system according to the present invention prevents an attack performed by misusing the invalid information when the use route information stored in advance becomes invalid information.

  On the other hand, when the service providing apparatus receives the service request (see (3) in FIG. 9), unlike the first embodiment, the service request source path apparatus verifies the electronic signature of the service request (see FIG. 9). Service request source communication path information “Line 20A” added to the service request is acquired as service request source path information (see (5) -3 in FIG. 9).

  Thereafter, as in the first embodiment, the service providing apparatus determines whether or not the use route information acquired by the use route management apparatus matches the service request source route information acquired by the service request source route management apparatus. Collate (see (6) in FIG. 9), on the condition that the collation is matched, to the user terminal that has transmitted the service request used to obtain the use route information and the service request source route information, Set to provide services.

  Thus, the authentication system according to the second embodiment is not affected by the change in the network topology design (for example, when the network address system for each base is changed) in addition to the effects of the first embodiment. Compared to the method of registering the network address and communication path information in advance, the load on the network connection device is reduced and the authentication is flexible when the address information of the user terminal changes dynamically. It becomes possible to respond.

[Configuration of Authentication System According to Second Embodiment]
Next, the configuration of the authentication system according to the second embodiment will be described with reference to FIGS. FIG. 10 is a block diagram illustrating the configuration of the authentication system according to the second embodiment, FIG. 11 is a diagram for explaining the VLAN management unit, and FIG. 12 is a diagram for explaining the verification of the electronic signature. It is. In describing the configuration of the authentication system according to the second embodiment, differences from the configuration of the authentication system according to the first embodiment will be mainly described.

  As illustrated in FIG. 10, in the authentication system according to the second embodiment, a router 280 and a service request source route guarantee device 290 are newly added as components. In the second embodiment, the service request route guarantee device 290 includes a communication unit 291, a VLAN management unit 292, and a service request transfer unit 293 (corresponding to “service request transfer unit” described in claims). It has.

  The communication unit 291 includes a general communication interface and library, and controls communication between the service request source path assurance device 290 and other devices.

  The VLAN management unit 292 stores the VLAN ID and communication path information in association with each other. Specifically, the VLAN management unit 292 stores the VLAN ID and the communication path information in association with each other by, for example, being registered in advance by a network operation manager or the like. It is used for processing by the path matching unit 253 of the device 250. Here, the VLANID has a meaning as an ID assigned between the access point 220 and the router 280. The communication path information is communication path information that the user terminal 210 via the access point 220 assigned with a predetermined VLAN ID should use as a communication path in the network configuration, and indicates a service request communication path. It has meaning as request communication path information.

  For example, as illustrated in FIG. 11, the VLAN management unit 292 stores a VLAN ID and communication path information (“communication path”) in association with each other. Specifically, as illustrated in FIG. 11, for example, the VLAN management unit 292 stores the VLAN ID “10” and the communication path information “Line 20A” in association with each other.

  The service request transfer unit 293 adds service request communication path information indicating the communication path of the service request to the service request, and transfers the service request toward the transmission destination. Specifically, when receiving the service request when transferring the service request to the destination of the service request, the service request transfer unit adds the service request communication path information with the electronic signature to the service request, and then transmits the destination of the destination. Transfer to the service providing apparatus 250.

  For example, the service request transfer unit 293 determines the communication path information stored in the VLAN management unit 292 in association with the VLAN ID assigned to the access point 220 based on the access point 220 through which the received service request has passed. get. For example, the service request transfer unit 293 acquires the communication path information “Line 20A” stored in the VLAN management unit 292 in association with “10” based on the VLAN ID “10”. Then, the service request transfer unit 293 adds the acquired communication path information “Line 20A” to the service request, and transfers it to the destination service providing apparatus 250 with an electronic signature.

  The service request source route information acquisition unit 243 of the service request source route management apparatus 240 according to the second embodiment verifies the electronic signature of the service request and then uses the communication route information added to the service request as the service request source route information. Get as.

  The verification of the electronic signature will be described with a specific example. For example, as shown in (1) of FIG. 12, the service request transfer unit 293 indicates a service request communication path indicating a service request communication path in the service request. The information “Line 20A” is added, and the entire service request to which the service request communication path information is added is hashed as shown in (2) of FIG. It is assumed that an electronic signature is given with the private key SKey90A.

  When the service request transfer unit 293 transfers a service request with an electronic signature to the service providing device 250 as shown in (3) of FIG. 12, the service request source route information acquisition unit 243 of the service request source route management device 240 12, the hash value is extracted with the public key PKey90A corresponding to the secret key SKey90A, and the entire service request to which the service request communication path information is added is hashed separately, as shown in FIG. By comparing each other, the electronic signature is verified.

  Note that the verification of the electronic signature described above is merely an example, and the authentication system according to the present invention may give the electronic signature by other methods and verify the electronic signature by other methods. In the second embodiment, the method in which the service request transfer unit 293 transfers the service request with the electronic signature has been described. However, the present invention is not limited to this, and the service request transfer unit 293 simply receives the service request. The present invention can be similarly applied to a method of adding communication path information to a service request and transferring it (a method of not giving an electronic signature). In this case, the service request source route information acquisition unit 243 of the service request source route management device 240 acquires the service request source route information without verifying the electronic signature.

[Processing Procedure by Authentication System According to Second Embodiment]
Up to now, each device and each part constituting the authentication system according to the second embodiment has been briefly described. In the following, the processing procedure by the authentication system according to the second embodiment will be described in detail with reference to FIGS. To do. FIG. 13 is a sequence diagram illustrating a processing procedure (use route registration request stage) by the authentication system according to the second embodiment, and FIG. 14 illustrates a processing procedure (service request stage) by the authentication system according to the second embodiment. FIG. 15 is a diagram for explaining the flow of information between the units of the authentication system according to the second embodiment.

[Use Route Registration Request Stage]
The processing procedure at the usage registration request stage in the authentication system according to the second embodiment is the same as the processing procedure at the usage registration request stage in the authentication system according to the first embodiment (see FIG. 5). Therefore, in brief, first, as in the first embodiment, the network connection request unit 212 of the user terminal 210 transmits “EAPOL-Start” to the access point 220 as part of the network connection request (step S201). Then, the access point 220 transmits “EAP-Req / Identity” requesting transmission of the user ID to the user terminal 210 as a response to “EAPOL-Start” (step S202). The network connection request unit 12 of the user terminal 210 transmits “EAP-Resp” together with the user ID to the access point 220 (step S203), and the use route registration request unit 222 of the access point 220 After giving the route information (step S204), the use route registration request is sent to the use route management apparatus 2 together with the user ID. Is transmitted to 0 (step S205). Subsequently, a mutual authentication process is executed between the user terminal 210 and the usage route management device 230 (step S206). The usage route registration unit 232 acquires the communication route from which the usage route registration request has been transmitted, uses the acquired communication route as usage route information, and uses the user ID and usage route information transmitted together with the usage route registration request. Correspondingly, it is registered in the use route storage unit 233 of the use route management device 230 (step S207), and then the use route management device 230 notifies the access point 220 of the result of use route registration (step S208). The access point 220 transmits “EAP-Success” to the user terminal 210 (step S209).

[Service request stage]
Next, as in the first embodiment, the service request unit 213 of the user terminal 210 sends a “REGISTER request” together with a user ID (“User2”) as part of a service request that requests the provision of service. Then, the data is transmitted to the service providing unit 252 of the service providing apparatus 250 (step S251).

  Then, the router 280 receives the service request transmitted from the user terminal 210 and transfers it to the service request source route guarantee device 290 (step S252). Then, based on the VLAN ID “10”, the service request transfer unit 293 of the service request source path guarantee device 290 acquires the communication path information “Line20A” stored in the VLAN management unit 292 in association with “10”. Then, the acquired communication path information “Line 20A” is added to the service request (step S253), an electronic signature using the secret key SKey90A possessed by the service request source path guarantee device 290 is added (step S254), and the service request is sent to the router 280. (Step S255).

  Subsequently, the router 280 transfers the service request with the electronic signature received from the service request source route guarantee device 290 to the service providing device 250 that is the transmission destination of the service request (step S256).

  Then, the service providing unit 252 of the service providing apparatus 250 (SIP server) uses the “REGISTER request”, which is a service request, as the transmission destination of the service request, the user ID (“User2”), and the service request source communication path information (“ Line 20A ”) and the electronic signature (step S256), and the received information is transmitted to the service request source path management device 240 (step S257).

  Then, the service request source route information acquisition unit 243 of the service request source route management device 240 first verifies the electronic signature with the public key PKey 90A corresponding to the secret key SKey 90A of the service request source route guarantee device 290 (step S258). If no data alteration is detected, the service request source communication path information “Line20A” added to the service request is acquired as service request source path information (step S259) and transmitted to the path verification unit 253 of the service providing apparatus 250. (Step S260).

  As in the first embodiment, the service providing unit 252 of the service providing apparatus 250 (SIP server) acquires and uses the user ID (“User2”) of the user terminal 210 included in the “REGISTER request”. A message including the user ID (“User2”) is transmitted to the usage route management device 230 (step S261).

  Next, as in the first embodiment, the usage route information acquisition unit 235 of the usage route management device 230 searches the usage route storage unit 233 based on the user ID (“User2”) (step S262). At this time, the validity / invalidity determination unit 234 of the usage route management device 230 determines whether the association between the user ID and the usage route information stored in the usage route storage unit 233 is valid information or invalid. It is determined whether it is information. Then, the usage route information acquisition unit 235 uses the usage route information (“Line20A”) stored in the usage route storage unit 233 in association with the user ID (“User2”), and the usage route information is valid / invalid. The information is acquired on the condition that the information is determined to be valid information by the determination unit 234, and is transmitted to the route matching unit 253 of the service providing apparatus 250 (step S263).

  Then, as in the first embodiment, the service providing unit 252 of the service providing apparatus 250 uses the route verification unit 253 on the condition that the route verification unit 253 has verified that the route usage information matches the service request source route information. The user terminal 210 that has transmitted the service request used to acquire the service request source route information is set to provide the service (steps S264 to S267).

  The above is a detailed description of an example of a processing procedure performed by the authentication system according to the second embodiment. For example, a procedure for acquiring a service request source route performed in steps S257 to S260 and steps S261 to S263 are described. The present invention can be applied in the same manner even when the procedure for obtaining the usage route performed so far is replaced.

  In other words, in the authentication system according to the present invention, the flow of information between the units should be as shown in FIG. The difference from the first embodiment will be mainly described with reference to FIG. 15. In the service request stage, a service request unit 213 that requests to receive service is provided (however, the service request unit 213 is not a part constituting the authentication system). ) Transmits the service request to the service providing unit 252 together with the user ID, the service request transfer unit 292 received when transferring the service request toward the transmission destination of the service request indicates the communication path of the service request. The service request communication path information is added to the service request, and then the service request is transferred to the service providing unit 252 that is the transmission destination.

  Then, when the route verification unit 253 of the service providing unit 252 transmits a service request (with service request communication route information added) to the service request source route information acquisition unit 243, the service request source route information acquisition unit 243 Service request source route information is acquired from service request communication route information added to the service request. The service request source route information acquisition unit 243 transmits the acquired service request source route information to the route verification unit 253.

  The route verification unit 253 checks whether the usage route information acquired by the usage route information acquisition unit 235 matches the service request source route information acquired by the service request source route information acquisition unit 243. Or the collation result of the mismatch is transmitted to the service providing unit 252.

  In this way, the authentication system according to the present invention collates the usage route information that has been determined to be valid information as the user information and the service request source route information. The service providing apparatus confirms that the user ID that transmitted the service request is not spoofed and provides the service to the user terminal used by the user uniquely identified by the user ID. Set up.

  Heretofore, in the second embodiment, the description has been made on the assumption that each unit as described above is configured as shown in FIG. However, the present invention is not limited to this. For example, in the authentication system according to the present invention, each unit may be configured as shown in FIG. As can be seen from a comparison between FIG. 10 and FIG. 16, in the authentication system shown in FIG. 16, functions corresponding to the use route management device 230 and the service request source route management device 240 are integrated into the service providing device 350. Has been. Note that the authentication system according to the present invention may be configured by a configuration other than the configurations shown in FIGS. 10 and 16.

[Effect of Example 2]
As described above, according to the second embodiment, when the service request is received when the service request is transferred to the transmission destination of the service request, service request communication path information indicating a communication path of the service request is received. The service request is forwarded to the transmission destination, the service request transmitted with the service request communication path information added is received, and the service request added to the service request Since the communication route information is acquired as the service request source route information, it is possible to reduce the load on the network connection device without registering the network address and the communication route information in advance. It is possible to cope with authentication in the case of changing dynamically.

  In other words, according to the second embodiment, since the network topology design change (for example, when the network address system for each base is changed) is not affected, the network address and the communication path information are registered in advance. Compared to the above-described method, it is possible to flexibly cope with authentication when the address information of the user terminal changes dynamically, while reducing the load on the network connection device.

  According to the second embodiment, the service request communication path information with an electronic signature is added to the service request and transferred, the service request with the electronic signature is received, and the electronic signature of the service request is verified. Since the service request communication path information is acquired as the service request source path information, the reliability of the service request communication path information can be improved in addition to the above effects.

  So far, as the first and second embodiments, the authentication system according to the present invention stores information stored in the address communication route information storage unit of the service request source route management device and the use route storage unit of the use route management device. The method of collating the use route information with the service request source route information has been described using information that has been used or information added by the service request source route guarantee device. However, the present invention is not limited to this. For example, the present invention is similarly applied to a method of simply collating with only an access point without going through complicated procedures by a service request source route device, a use route management device, or a service request source route guarantee device. can do. Therefore, as a third embodiment, a method in which the authentication system according to the present invention performs simple verification using only an access point will be described with reference to FIGS. FIG. 17 is a diagram for explaining the outline and features of the authentication system according to the third embodiment.

[Outline and Features of Authentication System According to Embodiment 3]
Similarly to the authentication systems according to the first and second embodiments, the authentication system according to the third embodiment is an attack that is performed by misusing the invalid information when the use route information stored in advance becomes invalid information. The main feature is that it supports authentication when the address information of the user terminal changes dynamically. Here, as can be seen from FIG. 17, in the authentication system according to the third embodiment, the service request source route management device, the use route management device, and the service request source route guarantee device are not constituent elements. In addition, the function as a RADIUS server which the utilization route management apparatus has in the first and second embodiments is a component of the authentication system as an independent RADIUS server.

  The main features of the authentication system according to the third embodiment will be briefly described. First, the authentication system according to the third embodiment includes a use route storage unit in which an access point stores an account and use route information in association with each other. Yes. For example, the usage route storage unit stores “User2” and the IP address “10.1.2.20” in association with each other as an account. For example, when the access point receives a use route registration request from a user terminal used by a user identified by “User2”, mutual authentication is separately performed between the user terminal and the RADIUS server. When controlling to connect the user terminal that has succeeded in mutual authentication to the network, the access point assigns an IP address “10.1.2.20” to the user terminal, and “User2” and IP The address “10.1.2.20” is associated and registered in the use route storage unit.

  Next, the service request stage will be described. First, as in the first embodiment, the user terminal transmits a service request together with the account to the transmission destination (see (1) in FIG. 17).

  Then, in the authentication system according to the third embodiment, the access point receives the service request together with the account from the user terminal as the service request transmission destination (see (2) in FIG. 17).

  Then, based on the account included in the received service request, the access point acquires the usage route information stored in the usage route storage unit of the access point in association with the account ((4 in FIG. 17). )).

  Here, prior to the acquisition of the usage route information, the access point is a valid or invalid information in which the correspondence between the user identifier stored in the usage route storage unit and the usage route information is valid. It is determined (see (3) in FIG. 1). Further, the access point acquires the usage route information on condition that the usage route information is determined to be valid information. By doing so, the authentication system according to the present invention prevents an attack performed by misusing the invalid information when the use route information stored in advance becomes invalid information.

  On the other hand, when the access point receives the service request (see (2) in FIG. 17), the access point indicates the source IP address that is the information included in the service request and indicates the source of the service request. Obtained as route information.

  Thereafter, as in the first embodiment, the access point collates whether or not the acquired use route information matches the acquired service request source route information (see (5) in FIG. 17). On the condition that the service route information and the service request source route information are acquired, a setting is made so as to provide the service to the user terminal that has transmitted the service request used to acquire the use route information and the service request source route information.

  In this way, the authentication system according to the third embodiment is a method of performing verification only with an access point in addition to the effects of the first embodiment. It is also possible to cope with an operation form in which most of the authentication system is implemented and only the result of verification is transmitted to a service providing apparatus that is operated and managed by the service provider.

[Configuration of Authentication System According to Embodiment 3]
Next, the configuration of the authentication system according to the third embodiment will be described with reference to FIGS. FIG. 18 is a block diagram illustrating a configuration of the authentication system according to the third embodiment, and FIG. 19 is a diagram for explaining a use route storage unit. In the description of the configuration of the authentication system according to the third embodiment, differences from the configuration of the authentication system according to the first and second embodiments will be mainly described.

  As illustrated in FIG. 18, in the authentication system according to the third embodiment, the access point 420 includes not only the communication unit 421 and the usage route registration request / registration unit 422 but also the usage route storage unit 423 and the validity / invalidity determination unit 424. The apparatus further includes a service request receiving unit 425, a use route information acquisition unit 426, a service request source route information acquisition unit 427, a route matching unit 428, and an IP address assignment unit 429. The functions of these units are almost the same as those of the authentication system according to the first and second embodiments. However, in the authentication system according to the first embodiment, the service providing unit 52 of the service providing apparatus 50 transmits a service request. In the authentication system according to the third embodiment, these functions are provided with the access point 420 and the service provision. The difference is that it is distributed to the device 450. That is, the service request receiving unit 425 of the access point 420 has a function of receiving a service request as a transmission destination of the service request (corresponding to “service request receiving means” described in the claims), and the service providing apparatus 450. The service providing unit 452 has a function of performing setting so as to provide a service (corresponding to “service providing means” described in the claims).

  Similarly to the first embodiment, the usage route storage unit 423 stores an account and usage route information in association with each other. However, unlike the first embodiment, the usage route storage unit 423 stores an IP address as the usage route information. For example, as shown in FIG. 19, the usage route storage unit 423 stores an account (“user ID”) and usage route information (“IP address”) in association with each other.

  Specifically, the usage route storage unit 423 stores “User2” and IP address “10.1.2.20” in association with each other as an account, as shown in FIG. 19. . For example, when the access point 420 receives a use route registration request from the user terminal 410 that is used by the user identified by “User2”, the access point 420 is separately connected between the user terminal 410 and the RADIUS server 430. When the mutual authentication is performed and the user terminal 410 that has succeeded in the mutual authentication is controlled to be connected to the network 470, the access point 420 sends the IP address “10.1.2.20” to the user terminal 410. And “User2” and the IP address “10.1.2.20” are associated with each other and registered in the use route storage unit 423.

  Further, the IP address assignment unit 429 assigns an IP address to the user terminal 410. Specifically, the IP address assignment unit 429 first triggered by the fact that the RADIUS server 430 has notified that the mutual authentication process performed between the user terminal 410 and the RADIUS server 430 was successful. The account already received from the user terminal 410 and the MAC (Media Access Control) address are associated with each other and registered in the storage unit. Next, when the IP address assignment unit 429 receives an IP address issue request for requesting an IP address assignment by DHCP (Dynamic Host Configuration Protocol) from the user terminal 410 together with the MAC address of the user terminal 410, the IP address assignment unit 429 stores the IP address assignment request in the storage unit. The MAC address is searched from the correspondence between the stored account and the MAC address, and if the search is successful, an IP address is assigned to the user terminal 410. Then, the IP address assignment unit 429 transmits to the usage route registration request / registration unit 422 that the IP address has been assigned. If the search for the MAC address fails, the IP address assignment unit 429 does not assign an IP address to the user terminal 410 and permits it.

[Procedure for Processing by Authentication System According to Embodiment 3]
So far, each device and each part constituting the authentication system according to the third embodiment has been briefly described. In the following, the processing procedure by the authentication system according to the third embodiment will be described in detail with reference to FIGS. To do. FIG. 20 is a sequence diagram illustrating a processing procedure (use route registration request stage) by the authentication system according to the third embodiment. FIG. 21 illustrates a processing procedure (service request stage) by the authentication system according to the third embodiment. FIG.

[Use Route Registration Request Stage]
First, as in the first embodiment, the network connection request unit 412 of the user terminal 410 transmits “EAPOL-Start” to the access point 420 as part of the network connection request (step S301). In response to “EAPOL-Start”, “EAP-Req / Identity” requesting transmission of the user ID is transmitted to the user terminal 410 (step S302), and then the network connection of the user terminal 410 is performed. The request unit 412 transmits “EAP-Resp” together with the user ID to the access point 420 (step S303).

  Subsequently, the access point 420 puts “EAP-Resp” received from the network connection request unit 412 on the RADIUS protocol, and transmits “EAP-Resp / RADIUS” to the RADIUS server 430 (step S304). Next, a mutual authentication process is executed between the user terminal 410 and the RADIUS server 430 (step S305). If the mutual authentication is successful, the RADIUS server 430 sends “EAP-Success / RADIUS” to the access point 420. (Step S306).

  Then, the IP address assignment unit 429 of the access point 420 uses the fact that the mutual authentication process performed between the user terminal 410 and the RADIUS server 430 has been successful, when notified from the RADIUS server 430. The account already received from the user terminal 410 and the MAC address (received together with “EAP-Resp” in step S303) are associated with each other and registered in the storage unit (step S307). Subsequently, the IP address assignment unit 429 transmits “EAP-Success” to the user terminal 410 (step S308).

  Next, when the IP address assignment unit 429 receives an IP address delivery request for requesting the delivery of an IP address by DHCP from the user terminal 410 together with the MAC address of the user terminal 410 (step S309), the IP address assignment unit 429 stores the IP address delivery request in the storage unit. The MAC address is searched from the correspondence between the account and the MAC address (step S310). If the search is successful, the IP address assignment unit 429 assigns an IP address to the user terminal 410 (step S311). If the search for the MAC address fails, the IP address assignment unit 429 does not assign an IP address to the user terminal 410 and permits it.

  Here, assuming that the search is successful, subsequently, the use route registration request / registration unit 422 of the access point 420 uses the IP address assignment unit 429 to set the IP address when triggered by the successful assignment of the IP address. The user ID of the assigned user terminal 410 is associated with the IP address as the usage route information and registered in the usage route storage unit 423 (step S312). Thereafter, the access point 420 transmits the result of IP address payout by DHCP to the user terminal 410 (step S313).

[Service request stage]
Next, the service request unit 413 of the user terminal 410 sends “REGISTER request” together with the user ID “User2” as a service request for requesting to receive service provision, and the service request reception unit 425 of the access point 420. (Step S351). The transmission destination of the service request is not the service providing apparatus 450 but the access point 420 unlike the first and second embodiments.

  Then, the service request reception unit 425 of the access point 420 receives the service request transmitted from the user terminal 410, and the service request source route information acquisition unit 427 of the access point 420 indicates the transmission source of the “REGISTER request”. A source IP address (hereinafter referred to as a source IP address) is acquired from the service request (step S352). For example, the service request source route information acquisition unit 427 acquires the source IP address “10.1.2.20” as the service request source route information and transmits it to the route verification unit 428.

  The service request receiving unit 425 of the access point 420 receives the service request transmitted from the user terminal 410 and acquires the user ID “User2” of the user terminal 410 included in the “REGISTER request”. And transmitted to the use route information acquisition unit 426. Then, the usage route information acquisition unit 426 associates the user ID “User2” with the IP address “10.1.2.20” stored in the usage route storage unit 423 based on the user ID “User2”. ] Is searched (step S353).

  At this time, the validity / invalidity determination unit 424 of the access point 420 determines whether the association between the user ID and the usage route information stored in the usage route storage unit 423 is valid information or invalid information. Judging whether there is. Then, the usage route information acquisition unit 426 uses the usage route information (“10.1.2.20”) stored in the usage route storage unit 423 in association with the user ID (“User2”) The usage route information is acquired on condition that it is determined by the validity / invalidity determination unit 424 to be valid information (step S353). When the validity / invalidity determination unit 424 determines that the association is invalid information, the access point 420 invalidates or deletes the association stored in the use route storage unit 423 and stores the association. The association between the account stored in the section and the MAC address is also invalidated or deleted.

  Then, the route matching unit 428 checks whether or not the usage route information matches the service request source route information (step S354). When matching is confirmed (Yes at step S354), the path matching unit 428 forwards a “REGISTER request”, which is a service request, to the service providing apparatus 450, as well as notification of the matching result that the matching result is matched ( In step S355), upon receiving the “REGISTER request”, the service providing apparatus 450 performs “REGISTER registration” (step S356), and sends the registration result to the user terminal 410 via the access point 420 (step S357). Transmit (step S358).

  If the user ID included in the “REGISTER request” is “User3” or the like, the result of the verification by the path verification unit 428 will not match, so the access point 420 will service the “REGISTER request”. The result is transmitted to the user terminal 410 without being transferred to the providing device 450 (step S358).

  Although not shown in FIG. 20, at the use route registration request stage, as in the authentication systems according to the first and second embodiments, the access point 420 associates the user ID and the IP address with the RADIUS server 430. The RADIUS server 430 may register the association between the user ID and the IP address in the storage unit and transmit the registration result to the user terminal 410.

  In this case, at the service request stage, the access point 420 may obtain an IP address corresponding to the user ID by inquiring the RADIUS server 430, or the access point 420 itself may also be duplicated. If the association between the IP address and the IP address is registered in the storage unit, the IP address registered in the storage unit may only be searched without inquiring of the RADIUS server 430.

  Heretofore, in the third embodiment, the description has been made on the assumption that each part as described above is configured as shown in FIG. However, the present invention is not limited to this. For example, in the authentication system according to the present invention, the route matching unit 428 may be provided in the service providing apparatus 450 instead of being provided in the access point 420. In this case, the collation described in step S354 in FIG. 21 is performed not in the access point 420 but in the service providing apparatus 450.

  Up to now, the authentication system according to the first embodiment (method for performing collation using information stored in the address communication path information storage unit of the service request source path management device), the authentication system according to the second embodiment (service request source) Although the authentication method according to the third embodiment (method for performing verification using only the access point) has been described, the authentication system according to the present invention has been described. Some of these methods may be selected or combined.

  That is, for example, as shown in FIG. 22, the service providing apparatus provides services to a plurality of user terminals, and these user terminals are connected to different access points. By authenticating these user terminals by different methods (from the top, the method by the authentication system according to the first embodiment, the method by the authentication system according to the second embodiment, the method by the authentication system according to the third embodiment), It is also possible to perform setting so that the service providing apparatus provides a service.

  By the way, in the description of the first to fourth embodiments, how to store the association between the usage route information and the account in the usage route storage unit has not been described in detail. Therefore, how the authentication system according to the fifth embodiment stores the association between the usage route information and the account in the usage route storage unit will be described in detail below.

  Here, the usage route storage unit according to the fifth embodiment stores the user identifier (“user ID”) and the usage route information (“use route”) in association with each other. The period (“update time”) stored in the storage unit is further stored in association with each other.

  For example, in the example of FIG. 23, the information that the usage route information of the user ID “User1” is “Line20A” is information updated to “2007.5.1 09:30”. Further, the information that the usage route information of the user ID “User3” is “Line20B” is information updated to “2007.5.1 15:31”.

  Here, in the fifth embodiment, the usage route information acquisition unit acquires the usage route information on the condition that the usage route information is determined to be valid information. If the usage route information acquisition unit cannot acquire the usage route information, it cannot be collated, and as a result, the service request from the user terminal is rejected.

  The usage route registration unit in the fifth embodiment registers a new communication route in the usage route storage unit. Specifically, the use route registration unit causes the access point to connect the user terminal to the network through a new communication route different from the communication route indicated by the use route information already stored in the use route storage unit. When it is controlled, new usage route information indicating a new communication route is registered in association with the account so as to be added to the usage route storage unit.

  For example, as shown in FIG. 23, the user terminal with the user ID “User3” is already registered as the usage route information “Line20B”, but the access point is connected to the user terminal by “Line20C”. As shown in FIG. 23, the new usage route registration unit registers the correspondence between “User3” and “Line20C” to be added to the usage route storage unit.

  At this time, when there are a plurality of pieces of use route information associated with a predetermined user identifier and stored in the use route storage unit, each of the plurality of use route information and service request source route information Are matched, and if any one of the usage route information matches the determination of the service request source route information, the matching is assumed to be the same.

  In this case, the new usage route information can be appropriately stored in the storage unit. More specifically, the user terminal can simultaneously hold a plurality of network connections. For example, even when the user terminal moves from one access point to the next access point, the user terminal Can be continued seamlessly.

  The usage route registration unit may register a new communication route in the usage route storage unit as shown in FIG. Specifically, the use route registration unit causes the access point to connect the user terminal to the network through a new communication route different from the communication route indicated by the use route information already stored in the use route storage unit. Control the new usage route information indicating the new communication route in the usage route storage unit in association with the account, and the usage route information already stored in the usage route storage unit in association with the account. , Disable or delete.

  For example, as shown in FIG. 24, the association between the user ID “User3” and the usage route information “Line20B” is overwritten by the correspondence between the user ID “User3” and the usage route information “Line20C”.

  In this case, the new usage route information can be stored in the storage unit more safely. In other words, since the usage route information of each user is always limited to one, for example, when a service request is transmitted from another communication route by a malicious party, the service request is transmitted by the malicious party. It becomes possible to detect “spoofing”.

[Other embodiments]
Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above.

[Get service request source route information]
So far, in the first embodiment, the authentication system according to the present invention has described a method in which the service request source route information is acquired from an address communication route information storage unit that stores an IP address and communication route information in association with each other. In the second embodiment, the authentication system according to the present invention has been described with respect to the method of acquiring the service request source route information from the information added to the service request. However, the present invention is not limited to this. For example, the authentication system according to the present invention acquires service request source route information from the server on the assumption that a server that manages the correspondence between IP addresses and communication route information is connected to the network. The present invention can be similarly applied to a technique for performing the above. Since this server manages both a static association and a dynamic association, the authentication system according to the present invention is dynamic even if the association is static. Even in this case, the service request source route information can be acquired.

Valid / invalid judgment
In the first embodiment, the usage route management apparatus includes an update request receiving unit, and when the usage route storage unit receives “Accounting-Interim-Update” by the update request receiving unit, information on the period is displayed as “Accounting- The update is stored so that the period is counted from the time of receiving “Interim-Update”, and the validity / invalidity determination unit determines whether or not the period stored in the use route storage unit exceeds a predetermined period. As a result of the determination, if the predetermined period has not been exceeded, the use route information is determined as valid information. If the result of the determination indicates that the predetermined period has been exceeded, the use route information is determined. Although the method for determining invalid information has been described, the present invention is not limited to this.

  For example, unlike the first embodiment, it is assumed that the usage route storage unit is not involved in whether or not “Accounting-Interim-Update” is received by the update request reception unit, and the validity / invalidity determination unit is used as the usage route storage unit. It is determined whether or not the period stored in the period exceeds a predetermined period. If the predetermined period is not exceeded as a result of the determination, the usage route information is determined to be valid information. As a result, when the predetermined period is exceeded, a method of determining the use route information as invalid information may be used.

  Further, for example, as described in the first embodiment, when the user terminal is controlled to connect to the wireless LAN, the access point transmits to the usage route management apparatus having a function as a RADIUS server “ When the “Accounting-Start” is transmitted, and when the user terminal explicitly disconnects, the access point transmits “Accounting-Stop” to the use path management device. Then, the valid / invalid determination unit may determine whether the association is valid information or invalid information.

  That is, for example, when “Accounting-Start” is received by the update request receiving unit, the validity / invalidity determining unit determines that the association is valid information. When “Accounting-Stop” is received by the update request receiving unit, the validity / invalidity determining unit determines that the association is invalid information, and the use path management device invalidates or deletes the association. To do.

  Also, for example, when the access point has a function of notifying the use path management device (RADIUS server) that the access point has been turned off when the access point is turned off and restarted, The validity / invalidity determination unit may not determine the usage route information based on a predetermined period.

  Further, for example, if the use route management device (RADIUS server) has a function of confirming connection with the access point at regular intervals, the access point is turned off, or the connection between the access point and the RADIUS server is performed. The state can be confirmed accurately, and the validity / invalidity determination unit does not have to determine the usage route information for a predetermined period.

[System configuration, etc.]
In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-mentioned document and drawings can be arbitrarily changed unless otherwise specified.

  Each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated (for example, FIG. 2). In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The authentication method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the authentication system according to the present invention controls the user terminal to connect to the network, thereby providing the service providing apparatus that provides the user terminal with a service associated with the connection of the network. In a configuration in which a user terminal is connected to be communicable via the network, use path information indicating a communication path on the network of the user terminal controlled to connect to the network and receiving a service are provided. A service providing apparatus that provides a service to a user terminal that has transmitted a service request on the condition that the requested service request is matched with service request source route information indicating a communication path that has been transmitted. Is useful for setting, especially when the communication path of the user terminal stored in advance is invalid. When a broadcast, after preventing attacks that exploit the invalid information, suitable to respond to the authentication when the address information of the user terminal changes dynamically.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and features of an authentication system according to a first embodiment. 1 is a block diagram illustrating a configuration of an authentication system according to Embodiment 1. FIG. It is a figure for demonstrating a utilization path | route memory | storage part. It is a figure for demonstrating an address communication path | route information storage part. It is a sequence diagram which shows the procedure (use route registration request | requirement step) of the process by the authentication system which concerns on Example 1. FIG. It is a sequence diagram which shows the procedure (service request | requirement step) of the process by the authentication system which concerns on Example 1. FIG. It is a figure for demonstrating the flow of the information between each part of the authentication system which concerns on Example 1. FIG. It is a block diagram which shows the other structure of the authentication system which concerns on Example 1. FIG. It is a figure for demonstrating the outline | summary and characteristic of the authentication system which concern on Example 2. FIG. It is a block diagram which shows the structure of the authentication system which concerns on Example 2. FIG. It is a figure for demonstrating a VLAN management part. It is a figure for demonstrating verification of an electronic signature. It is a sequence diagram which shows the procedure (use route registration request | requirement step) by the authentication system which concerns on Example 2. FIG. It is a sequence diagram which shows the procedure (service request | requirement step) of the process by the authentication system which concerns on Example 2. FIG. FIG. 10 is a diagram for explaining a flow of information between each unit of the authentication system according to the second embodiment. It is a block diagram which shows the other structure of the authentication system which concerns on Example 2. FIG. It is a figure for demonstrating the outline | summary and characteristic of the authentication system which concern on Example 3. FIG. It is a block diagram which shows the structure of the authentication system which concerns on Example 3. FIG. It is a figure for demonstrating a utilization path | route memory | storage part. It is a sequence diagram which shows the procedure (use route registration request | requirement step) by the authentication system which concerns on Example 3. FIG. It is a sequence diagram which shows the procedure (service request | requirement step) of the process by the authentication system which concerns on Example 3. FIG. FIG. 10 is a diagram for explaining a configuration of an authentication system according to a fourth embodiment. FIG. 10 is a diagram for explaining a use route storage unit in the fifth embodiment. FIG. 10 is a diagram for explaining a use route storage unit in the fifth embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 User terminal 11 Communication part 12 Network connection request part 13 Service request part 20 Access point 21 Communication part 22 Use route registration request part 30 Use path management apparatus 31 Communication part 32 Use path registration part 33 Use path storage part 34 Valid / invalid determination Unit 35 use route information acquisition unit 40 service request source route management device 41 communication unit 42 address communication route information storage unit 43 service request source route information acquisition unit 50 service providing device 51 communication unit 52 service provision unit 53 route verification unit 60 network 70 network

Claims (8)

By controlling the user terminal used by the user to connect to the network, the service providing apparatus that provides the user terminal with a service associated with the connection of the network and the user terminal are connected to the network. In a configuration in which communication is possible via a network, service route information indicating a communication route on the network of the user terminal controlled to connect to the network and a service requesting to receive provision of the service The service provision so as to provide the service to the user terminal that has transmitted the service request on the condition that the request is matched with the service request source path information indicating the communication path that is actually transmitted. An authentication system in which the device performs settings,
A user identifier that uniquely identifies a user who is currently using the user terminal on the network with information different from a network address assigned to the user terminal in association with the configuration; and the usage route Use route information storage means for storing information in association with each other;
When a network connection request for requesting connection to the network is received from the user terminal together with the user identifier, a use route registration request for requesting registration of the use route information in the use route information storage means A usage route information registration requesting means to be transmitted together with the user identifier;
When the usage route registration request transmitted by the usage route information registration request unit is received together with the user identifier, the communication route from which the usage route registration request is transmitted is acquired, and the acquired communication route is used as the usage route. As usage information, usage route information registration means for registering in the usage route information storage means in association with the user identifier transmitted together with the usage route registration request;
Service request receiving means for receiving the service request from the user terminal together with the user identifier as a destination of the service request;
Valid / invalid determination means for determining whether the association between the user identifier and the use route information stored by the use route information storage means is valid information or invalid information;
When the service request is received by the service request receiving means, based on the user identifier included in the received service request, the service request is stored in the use route information storage means in association with the user identifier. Use route information acquisition means for acquiring the use route information being used on condition that the use route information is determined to be valid information by the valid / invalid determination means;
When the service request is received by the service request receiving means, service request source path information acquiring means for acquiring the service request source path information indicating a communication path through which the received service request is actually transmitted;
When the usage route information acquired by the usage route information acquisition unit matches the service request source route information acquired by the service request source route information acquisition unit, and the determinations match Path matching means that the matching is determined to be unmatched when the determination does not match and / or the usage path information is not acquired by the usage path acquisition means;
The service request used to acquire the usage route information and the service request source route information on the condition that the verification of the usage route information and the service request source route information is the same by the route verification means. Service providing means for performing settings to provide the service to the user terminal that has transmitted
An authentication system characterized by comprising: In addition to storing the user identifier and the usage route information in association with each other, the usage route information storage means further associates information on the period in which the association is stored in the usage route information storage means. Remember,
The valid / invalid determination means determines whether or not the period exceeds a predetermined period. If the period does not exceed the period as a result of the determination, the valid / invalid determination unit determines the association as valid information, The authentication system according to claim 1, wherein if the period exceeds the period as a result of the determination, the association is determined as invalid information. After controlling to connect the user terminal to the network, an update request for requesting to update information related to the connection state of the user terminal in the network is periodically sent from the use route information registration request unit. It further comprises an update request receiving means for receiving,
When the update request is received by the update request receiving unit, the usage route information storage unit updates and stores the information related to the period so that the period is calculated from the update time when the update request is received. The authentication system according to claim 2, further characterized by: Address communication in which a network address given to the user terminal in association with the configuration and a communication route information that the user terminal given the network address is supposed to use as a communication route in the configuration are stored in association with each other Further comprising route information storage means,
The service request source route information acquisition means is based on the network address of the user terminal included in the service request, and is associated with the network address and is stored in the address communication route information storage means. Is acquired as the service request source route information. The authentication system according to any one of claims 1 to 3. When the service request is received when transferred to the destination of the service request, service request communication path information indicating a communication path of the service request is added to the service request, and the service request is directed to the destination. Service request transfer means for transferring
The service request receiving means receives the service request transferred with the service request communication path information added by the service request transfer means,
4. The service request source route information acquisition unit acquires the service request communication route information added to the service request as the service request source route information. The described authentication system. The service request transfer means adds the service request communication path information with an electronic signature to the service request and transfers it,
The service request receiving means receives the service request with the electronic signature;
6. The authentication according to claim 5, wherein the service request source route information acquisition unit acquires the service request communication route information as the service request source route information after verifying an electronic signature of the service request. system. The usage route information registration means is configured to store the user terminal in the usage route information storage means in association with a user identifier that uniquely identifies a user who is currently using the user terminal. The new communication route is added to the use route information storage means as the use route information when the network is controlled to connect to the network by a new communication route different from the communication route indicated by the use route information. Registered in association with the user identifier,
When there are a plurality of pieces of use route information associated with a predetermined user identifier and stored in the use route information storage unit, the route collating unit includes each of the plurality of use route information and the service request. It is determined whether or not the original route information matches, and when the determination of any one of the used route information and the service request source route information matches, the collation is further matched The authentication system according to any one of claims 1 to 6, characterized in that:   The usage route information registration means is configured to store the user terminal in the usage route information storage means in association with a user identifier that uniquely identifies a user who is currently using the user terminal. When the connection to the network is controlled by a new communication route different from the communication route indicated by the use route information, the use is performed by associating the new communication route with the user identifier as the use route information. It is further characterized in that it is registered in the route information storage means, and the use route information already stored in the use route information storage means in association with the user identifier is invalidated or deleted from the use route information storage means. The authentication system according to any one of claims 1 to 6.

Images