JP2008299457A - Authentication system, authentication method, and authentication socket device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technique for blocking unauthorized communication accesses on a network without changing an existing network configuration as long as possible. <P>SOLUTION: The technique interposes an authentication socket device between a terminal device and a network so that only an authorized user to whom an authorized terminal device is connected can access the network. The socket device authenticates the terminal device by using both identification information of the terminal device and of the user to control network access of the terminal device. It is preferable for the identification information of the user to be stored in a small-sized device with a built-in communication device, such as a USB token or an RFID tag, easily portable by the user, and the identification information is supplied from a portable device to the socket device by means of an appropriate communication means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an authentication technique for performing authentication of an information terminal in a network and authentication of an operator of the information terminal.

  Conventional user authentication methods for network access are mainly ID / password, biometric authentication, etc., and terminal authentication uses IEEE802.1x authentication, which is a LAN authentication standard, or Ethernet (registered trademark). There is a method of authenticating an information terminal with a MAC (Media Access Control) address or the like which is a physical address. Patent Document 1 (summary) describes a system for performing personal authentication using a USB or the like. Further, paragraphs 0004 to 0020 of Patent Document 2 describe an encryption / decryption technique using a trusted platform module (TPM).

  The conventional network access user authentication method allows a malicious user having a regular ID to connect a personal computer brought in for private use and other information terminals (hereinafter referred to as a PC) to the network. There was a risk of information leakage.

  Also, when building an IEEE802.1x-authenticated network, the server, network equipment, and software in the information terminal must be rebuilt using the same architecture, which increases the introduction cost (schedule / expense), and it is quite easy to introduce it. There are many cases that cannot be stepped on.

  In the one-site centralized management type authentication system, there is a problem that traffic concentrates on the network and the authentication system itself stops when the server goes down.

The MAC address can be camouflaged, and the above-mentioned terminal authentication cannot cope with the MAC address camouflage.
JP 2006-268682 A JP 2004-282391 A

  Under such a background, the present invention provides a technique capable of eliminating at least one of the above-mentioned problems and blocking unauthorized communication access in a network without changing an existing network configuration as much as possible. With the goal.

  The present invention is characterized in that an authentication socket device is interposed between a terminal device and a network so that only a legitimate user who connects the legitimate terminal device can access. This authentication socket device controls network access of a terminal device by performing authentication using the identification information of the terminal device and the identification information of the user. The user identification information is preferably stored in a communication device built-in small device that can be easily carried by the user, such as a USB token or an RFID tag. To be supplied to.

  According to the present invention, authentication for network access can be performed simply by connecting an authentication socket device between a terminal device and a network, so that a dedicated authentication server is not required, and an authentication system can be introduced. Therefore, there is little (or no!) Change in the existing network configuration. In addition, because of the double authentication of terminal authentication and user authentication, it is extremely reliable, and unauthorized terminal devices such as personal computers brought in personal property can access information assets on the network. Can be reliably prevented. Because of these advantages, according to the present invention, a strong authentication system for network access can be introduced very easily.

  In the embodiment of the present invention, the authentication socket device is preferably configured to disconnect communication between the terminal and the network at the physical layer level when the network access of the terminal is not permitted. By disconnecting communication at the physical layer level, unauthorized access to the network can be reliably blocked.

  In the embodiment of the present invention, the authentication socket device preferably includes means for generating its own identification information and transmitting it to the network. In this specification, the identification information of the authentication socket device itself may be referred to as communication identification information. In the embodiment of the present invention, the authentication socket device authenticates communication identification information transmitted from another authentication socket device on the network, and based on the authentication result, the other authentication socket device (and the other authentication). It is preferable that communication with a terminal device connected to the socket device is permitted or not permitted.

  According to such an embodiment, since communication that does not pass through a pre-approved authentication socket device can be blocked, it becomes extremely difficult for an unauthorized terminal to access information assets in the network. Moreover, such a robust access control mechanism can be implemented simply by installing an authentication socket device between each terminal and the network without changing the existing network configuration, and can be introduced very easily. It is.

  In other words, according to the authentication architecture of the present invention, an authentication mechanism for blocking an unauthorized information terminal and an unauthorized person's network connection and providing an authentication device for authenticating the information terminal and the user of the information terminal is replaced with an existing network. It can be realized without changing the configuration without a server.

  The authentication architecture according to the present invention can be expressed as an ad hoc authentication architecture or N: N authentication architecture in the sense that a dedicated device for authentication is provided for each terminal without requiring an authentication server. In such an architecture, unlike the authentication architecture that requires an authentication server, a situation in which authentication traffic is concentrated and authentication processing is delayed at one server location does not occur, so that authentication processing can be performed smoothly. In addition, since an authentication device is required for each terminal, it becomes extremely difficult for an unauthorized terminal device such as a personal computer brought in personal property to access each information asset on the network, and unauthorized access to the network is reliably eliminated. can do.

  The appended claims define the presently preferred embodiments of the invention. However, the scope of the present invention is not limited to the scope defined in the claims, but various novel features and combinations and features with significant effects described or suggested herein. Note that combinations are also included in the scope.

  In a specific embodiment of the present invention, a hardware device having tamper resistance is provided, and an authentication system for authenticating an information terminal and a user of the information terminal, comprising an RFID tag for storing terminal identification information Information terminal, security token that stores user identification information that can limit access to information assets on information terminal network, and terminal identification information received from RFID tag, and use of received terminal identification information and security token And an authentication socket device that performs an authentication process with the user identification information, and controls communication between the information terminal connected to the authentication socket device and the network based on the result of the authentication process.

  The authentication socket device includes an antenna unit that receives terminal identification information from an RFID tag, a memory unit that stores the received terminal identification information, and a hardware device that includes a key generation engine, a random number generation engine, and a hash value calculation engine. The received terminal identification information may be encrypted and stored with a key of the hardware device.

  In such an embodiment, the identification information unique to the information terminal is configured to be encrypted and stored with the key of the hardware device, so that the authentication information can be prevented from being camouflaged.

  The authentication socket device includes a port connector to which the security token can be attached and detached, and compares the user identification information stored in the security token with the user identification information stored in the hardware device. On the basis of the authentication result performed by the above, it is possible to provide a control means for controlling communication between the information terminal connected to the authentication socket device and the network. According to such a configuration, a valid user can be authenticated.

  The authentication socket device may be configured to physically block communication between the information terminal connected to the authentication socket device and the network when the security token is removed. According to such a configuration, it is possible to prevent unauthorized users from accessing the network.

  The authentication socket device adds unique authentication information (communication identification information) calculated in the hardware device of the authentication socket device to the communication data when transmitting / receiving data to / from other end information terminals on the network. May be configured to transmit. According to such a configuration, authentication information can be transmitted to other legitimate information terminals.

  The authentication socket device performs authentication processing by comparing the communication identification information received from other information terminals on the network with the communication identification information calculated in the hardware device of the authentication socket device. May be configured to control communication with other information terminals. According to such a configuration, access from unauthorized information terminals can be blocked.

  One of preferred embodiments of the present invention is an authentication system for authenticating an information terminal and a user of the information terminal, the terminal identification information storage means for storing terminal identification information that is identification information of the information terminal; An authentication socket device connected between the information terminal and the network, a memory storing user identification information which is identification information of the user of the information terminal, and a transmission capable of transmitting the user identification information to the authentication socket device There is an authentication system comprising a security token having a circuit. In this authentication system, the authentication socket device receives the terminal identification information from the terminal identification information storage means, authenticates the information terminal based on the received terminal identification information, and further receives the user identification information from the security token. In addition, the security token is authenticated based on the received user identification information. The authentication system further includes control means for controlling communication between the information terminal and the network based on the result of the authentication process for the information terminal and / or the security token.

  The authentication socket device is preferably hardware separate from the information terminal and the security token. This is because the authentication socket device can be easily added to an existing IT infrastructure such as a corporate intra-department network.

  Depending on the embodiment, the control by the control means may permit or disallow communication between the information terminal and the network based on the result of the authentication process.

  Depending on the embodiment, the control by the control means may connect or disconnect the communication between the information terminal and the network at the physical layer level based on the result of the authentication process.

  In some embodiments, the authentication socket device may be configured to authenticate the information terminal by comparing information stored in advance in the authentication socket device with the received terminal identification information.

  In some embodiments, the authentication socket device may be configured to authenticate the security token by comparing information stored in the authentication socket device with the received user identification information.

  In some embodiments, the authentication socket device includes a hardware device having a key generation engine, a random number generation engine, and a hash value calculation engine, and stores the received terminal identification information by encrypting it with a key of the hardware device. Can be configured. According to such a configuration, stronger security can be realized.

  The security token is preferably hardware separate from the information terminal and the authentication socket device, and is preferably small and light so that the user can carry it. For example, a USB memory or an RFID tag can be used.

  In some embodiments, the authentication socket device includes a port connector to which a security token can be attached and detached, and is configured to physically block communication between the information terminal and the network when the security token is removed from the port connector. Can be done. According to such a configuration, the user can easily prevent access to the network by simply removing the security token from the authentication socket device when leaving the seat.

  In some embodiments, when the security token includes an RFID and the authentication socket device includes an RFID reader, and the RFID reader cannot communicate with the RFID, the authentication socket device physically communicates between the information terminal and the network. Can be configured to block. Thereby, when the user carrying the security token moves away from the authentication socket device, the communication between the information terminal and the network can be automatically cut off, and very strong security is realized.

  Depending on the embodiment, the authentication socket device may be configured to add communication identification information, which is unique authentication information calculated in a hardware device of the authentication socket device, to communication data to be transmitted to the network. This communication identification information can be used by other network devices to confirm whether or not the authentication socket device has a legitimate access authority.

  In some embodiments, the authentication socket device receives the communication identification information calculated in the other authentication socket device from another authentication socket device on the network, and uses the received communication identification information as its own hardware. The communication identification information calculated by the device can be verified, and based on the result of this verification, communication with other authentication socket devices can be permitted or not permitted. According to such an embodiment, since each terminal on the network cannot communicate without passing through an authentication socket device having a legitimate access right, an unauthorized access person can access assets on the network. It becomes very difficult. In addition, the only change that must be made to the network in order to realize such strong security is to connect the authentication socket device between each terminal and the network, which can be introduced very easily. I want to stress.

  In some embodiments, the authentication socket device further includes user input means, and is configured to be able to transmit the second user authentication information input by the user input means to the security token. If the second user authentication information is valid, the terminal identification information may be transmitted to the authentication socket device. This user input means can be, for example, a PIN pad or a biometric information reading mechanism. Thereby, stronger security can be provided.

  Depending on the embodiment, the terminal identification information storage means may be constituted by an RFID tag having an attaching means for attaching to the information terminal. The terminal identification information is stored in the memory portion of the RFID tag and is read by the RFID reader provided in the authentication socket device. By pasting the RFID tag on an existing computer or the like, the terminal identification information storage function can be easily given to the existing computer. Therefore, the authentication system according to the above embodiment can be easily applied to an existing computer network environment. Can be introduced.

  In some embodiments, the RFID tag is a peeling detection type RFID tag, configured to store the peeling detection information in a memory in the RFID tag when it is peeled off from the information terminal, and authenticate the peeling detection information. It is configured to be able to transmit to a socket device. In this case, the authentication socket device may be configured to authenticate the information terminal based on the peeling detection information received from the RFID tag. According to such a configuration, it is possible to prevent impersonation such as unauthorized removal of the RFID tag to access the network.

  In some embodiments, the terminal identification information storage means may be configured by a so-called trusted platform module (TPM). Since recent computers often have a built-in TPM in advance, an authentication socket device can be set in accordance with the TMP. Further, a more specific embodiment of the above authentication system may include an information terminal including a TPM, an RFID tag, or other terminal identification information storage means.

  In a preferred embodiment of the present invention, an authentication socket device connected between an information terminal and a network and a security token communicable with the authentication socket device are used to authenticate the information terminal and the user of the information terminal. Includes authentication methods. This method includes a first step in which the receiving means of the authentication socket device receives terminal identification information, which is identification information of the information terminal, from the information terminal, and the terminal identification information received by the processing means of the authentication socket device and the authentication socket device. A second step of authenticating the information terminal by comparing with information stored in the authentication socket, and a processing means of the authentication socket device for recognizing a security token storing user identification information which is user identification information. 3 steps, a fourth step in which the receiving means of the authentication socket device receives user identification information from the security token, and a processing means of the authentication socket device is stored in advance in the received user identification information and the authentication socket device. A fifth step of authenticating the security token by comparing the stored information with the processing means of the authentication socket device, Information based on the authentication result of the terminal and / or security token, the sixth step to allow or disallow the communication between the information terminal and a network, characterized by having a.

  A preferred embodiment of the present invention includes an authentication socket device connected between an information terminal and a network for authenticating the information terminal and a user of the information terminal. The apparatus includes means for communicating with terminal identification information storage means for storing terminal identification information which is identification information of an information terminal, means for receiving terminal identification information from the terminal identification information storage means, and identification of a user of the information terminal Means for communicating with the security token storing the user identification information, information, means for receiving the user identification information from the security token, and comparing the received terminal identification information with information stored in advance in the authentication socket device Means for authenticating the information terminal, and means for authenticating the security token by comparing the received user identification information with information stored in advance in the authentication socket device, and the information terminal and Based on the authentication result of the security token, allow or disallow communication between the information terminal and the network Characterized in that it is made.

  In a preferred embodiment of the present invention, terminal identification information storage means adapted to store terminal identification information which is identification information of an information terminal and to transmit the terminal identification information to the authentication socket device, or the terminal identification An information terminal comprising information storage means is included.

  A preferred embodiment of the present invention includes a security token adapted to store user identification information that is identification information of a user of an information terminal and to transmit the user identification information to the authentication socket device. It is.

  Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the accompanying drawings.

  FIG. 1 is a diagram showing an outline of an authentication system according to an embodiment described here. As shown in the figure, the authentication system includes an authentication socket device 100 and an information terminal having a device 210 that transmits identification information unique to the information terminal (hereinafter referred to as terminal identification information) to the authentication socket device 100. The authentication processing is performed using 200 and a device 300 that inputs identification information unique to the user (hereinafter referred to as user identification information) to the authentication socket device 100. The biometric information of the user may be used instead of the device 300 for inputting the user identification information, and the authentication socket device 100 may be configured with a biometric information reading mechanism to perform authentication processing. Authentication processing is performed using the device 300 for inputting identification information. As the information terminal 200, a PC and a server device can be cited. Here, a PC is taken as an example. The device 210 that transmits terminal identification information is mounted on the PC 200 in a manner that is not touched from the outside.

  Here, the device 210 that transmits the terminal identification information is a device having information that uniquely identifies the information terminal, and uses, for example, an RFID tag. RFID is a technique for reading data from a tag embedded with identification information by short-range wireless communication using electromagnetic waves or the like. Further, a peeling detection type RFID tag is used as the RFID tag. By doing so, when the RFID tag is peeled off from the PC 200, the peeling detection information is stored in the memory in the RFID tag, so that the tag peeling detection information can be acquired via the authentication socket device. It can be surely prevented.

  The device 300 for inputting user identification information may be any device that can store user identification information, and corresponds to a device having a memory such as a so-called USB token. Hereinafter, this device is referred to as a security token. Since the device possessed by the user is a USB token, it is assumed that the user identification information is encrypted in advance with the public key in the USB token and stored in the tamper resistant area of the USB token. The tamper resistant area is a memory area having resistance to unauthorized access and tampering. This prevents unauthorized reading of user identification information and improves security.

  Further, in the authentication socket device 100, terminal identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific PC 200. Then, authentication is performed between the paired PC and the authentication socket device to authenticate whether the PC is valid. Hereinafter, this authentication process is referred to as “terminal authentication”.

  In this embodiment, the authentication socket device encrypts the hash value of the terminal identification information and stores it in the internal memory in advance. The hash value is a value obtained by a hash function (one-way function). If the original value is different, the calculated value is different, and it is difficult to obtain the original value from the hash value. Thereby, analogy of identification information of the RFID tag can be prevented and security can be improved.

  In the authentication socket device 100, user identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific user. Then, authentication is performed between the device 300 of the paired user and the authentication socket device 100 to authenticate whether the user is valid. Hereinafter, this authentication process is referred to as “user authentication”.

  Furthermore, in this embodiment, user identification information is encrypted and stored in advance in an internal memory. Thereby, leakage of user identification information can be prevented and security can be improved.

  A first embodiment of the authentication system will be described with reference to FIGS.

  FIG. 2 is a functional block diagram illustrating a configuration of the authentication socket device 100 according to the first embodiment. The authentication socket device 100 includes a security chip 110, a control unit 120, an antenna 130, a USB connector 140, a PIN pad 150, a LAN port 160, and a physical switch (analog switch) 170. The security chip 110 includes a memory unit 111 and a calculation engine 112. The memory unit 111 includes terminal authentication information 111a and user authentication information 111b. The calculation engine 112 includes a key generation engine 112a and random number generation. An engine 112b and a hash value calculation engine 112c. The control unit 120 includes a terminal authentication processing unit 121, a user authentication processing unit 122, and a communication control unit 124. The LAN port 160 is a LAN side port 161. And an information terminal side port 162.

  The security chip 110 is a hardware chip having a memory unit 111 and a calculation engine 112, and is a security chip having a hardware tamper resistance called a TPM (Trusted Platform Module).

  The memory unit 111 is a memory provided in the security chip 110 and configured by a non-volatile memory such as a flash memory, and stores terminal authentication information 111a and user authentication information 111b in advance.

  The terminal authentication information 111 a is an ID such as a unique number or character string for authenticating and specifying the information terminal, and corresponds to the terminal identification information stored in the RFID tag 210 mounted on the PC 200.

  In order to prevent analogy of the terminal identification information stored in the RFID tag 210, the terminal identification information obtained by calculating the hash value by the hash value calculation engine 112c included in the security chip 110 is used. Hereinafter, the hashed terminal identification information is referred to as a terminal identification value.

  In order to prevent leakage of the terminal identification value, the terminal identification value is encrypted using the public key generated by the key generation engine 112a included in the security chip 110, and the encrypted ID is stored in advance as the terminal authentication information 111a. I will leave it.

  The user authentication information 111b is an ID such as a unique number or a character string for specifying the user, and corresponds to the MAC address of the PC 200 in the first embodiment.

  In order to prevent analogization of the MAC address, the value calculated by the hash value calculation engine 112c included in the security chip 110 is used to create the user authentication information 111b.

  In order to prevent the leakage of the user authentication information 111b, the hashed MAC address is encrypted using the public key generated by the key generation engine 112a included in the security chip 110 and encrypted. Is stored in advance as user authentication information 111b.

  The control unit 120 performs terminal authentication processing based on the peeling detection information and terminal identification information received from the RFID tag 210 mounted on the PC 200 via the antenna 130, and from the USB token 300 connected via the USB connector 140. A user authentication process is performed based on the entered user identification information, and the physical switch 170 is turned on / off based on the terminal authentication process and the user authentication process result, thereby connecting the PC 200 and the network at the physical layer level of the OSI reference model. Perform connection / disconnection processing.

  The terminal authentication processing unit 121 authenticates the valid RFID tag by confirming whether or not the peeling detection information received from the RFID tag 210 mounted on the PC 200 exists. Furthermore, the PC 200 paired with the authentication socket device 100 is identified based on whether or not the hash value of the terminal identification information received from the RFID tag 210 matches the value obtained by decrypting the terminal authentication information 111a in the memory unit 111. Process.

  Specifically, since the RFID tag 210 mounted on the PC 200 stores unique identification information for each tag, in this embodiment, the RFID tag identification information is acquired and used as terminal identification information. To do. In addition, a value obtained by hashing the terminal identification information held by the RFID tag 210 of the PC 200 to be authenticated by the hash value calculation engine 112c included in the security chip 110 is used as a terminal identification value, and the terminal identification value is used as the key generation engine 112a included in the security chip 110. Is encrypted in advance with the public key generated and stored in the internal memory unit 111 in advance.

  This terminal authentication processing unit 121 has a terminal identification value “0001” obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200, and uses the terminal authentication information 111 a read from the memory unit 111 as a security chip. If the terminal identification value is decrypted with the private key that is the public key pair used when the terminal identification value is encrypted by 110 and the decrypted terminal identification value is also “0001”, the PC 200 and the authentication socket 100 are valid. It is determined that it is a pair.

  If the terminal identification value obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200 is different from the terminal identification value obtained by decoding the terminal authentication information 111a read from the memory unit 111, the authentication socket 100 is paired. It is determined that the PC 200 to become is illegal.

  The user authentication processing unit 122 is paired based on whether or not the user identification information input from the USB token 300 via the USB connector 140 matches the value obtained by decrypting the user authentication information 111b in the memory unit 111. Process to identify the user.

  Specifically, when the user authentication processing unit 122 detects that the USB token 300 is connected to the USB port 140 of the authentication socket device 100, the user authentication processing unit 122 instructs activation of the tamper resistant area of the USB token 300. At this time, the USB token 300 requests the user authentication processing unit 122 to input a personal identification number PIN (Personal Identity Number) in order to read the identification information stored in the tamper-resistant area in the own device. Here, the user authentication processing unit 122 prompts the user to input a PIN at the PIN pad 150 provided in the authentication socket device 100.

  When the user inputs the PIN using the PIN pad 150, the user authentication processing unit 122 notifies the USB token 300 of the PIN. The USB token 300 verifies the notified PIN, and when it is verified that the PIN is correct, the encrypted user identification information stored in the tamper resistant area in the USB token 300 is read out.

  The user authentication processing unit 122 instructs to decrypt the user identification information encrypted in the USB token 300. The USB token 300 has the public key used when the device itself has the user identification information encrypted. The above-described user identification information is decrypted with the paired secret key.

  The user authentication processing unit 122 also decrypts the user identification information obtained from the USB token 300 and the user authentication information 111b read from the memory unit 111 with the secret key of the security chip 110. The identification information is compared, and if they match, it is determined that the USB token 300 and the authentication socket 100 are a valid pair. If the user identification information obtained as described above is different from the user authentication information 111b read from the memory unit 111, it is determined that the USB token 300 paired with the authentication socket 100 is illegal.

  The communication control unit 124 is a processing unit that starts or disconnects communication between the PC 200 and the network or the LAN 400.

  Specifically, when communication between the PC 200 and the LAN 400 is stopped, a terminal authentication success instruction is received from the terminal authentication processing unit 121, and a user authentication success instruction is received from the user authentication processing unit 122. Connection to the LAN 400 is started. When the PC 200 and the LAN 400 are in a communication state, when the terminal authentication failure instruction is received from the terminal authentication processing unit 121 or the user authentication failure instruction is received from the user authentication processing unit 122, the communication between the PC 200 and the LAN 400 is performed. Disconnect at the physical layer level using the physical switch 170.

  The antenna unit 130 is a device for communicating with the RFID tag 210 mounted on the PC 200. The USB connector 140 is a device for communicating with the USB token 300.

  The USB connector 140 is a connector compliant with the USB standard, and is a connector for inserting the USB token 300.

  The PIN pad 150 is a device for inputting the PIN of the USB token 300, and is provided with a numeric keypad.

  The LAN port 160 is a port for connecting a communication cable that can transmit and receive the data link layer frame of the OSI reference model. The LAN side port 161 is a port for transmitting and receiving frames between the authentication socket device 100 and the LAN 400, and the information terminal side port 162 is a port for transmitting and receiving frames between the PC 200 and the authentication socket device 100.

  The physical switch 170 is a switch that disconnects the transmission line at the physical layer level of the OSI reference model, and uses an analog switch.

  Next, a terminal authentication processing procedure performed by the authentication socket device 100 according to the first embodiment will be described with reference to FIG. Here, the terminal authentication information 111a is stored in the memory unit 111 in advance.

  FIG. 3 is a sequence diagram showing a terminal authentication procedure of the authentication socket device 100. As shown in the figure, in the PC 200 to which the authentication socket device 100 is connected, when the antenna unit 130 of the authentication socket device 100 recognizes the RFID tag 210 mounted on the PC 200 (step S101), the terminal authentication processing unit 121 The fact that the RFID tag 210 has been recognized is notified (step S102).

  Upon receiving the notification, the terminal authentication processing unit 121 inquires of the peeling detection information via the antenna unit 130 (step S103), and transmits a command to the RFID tag 210 (step S104).

  The RFID tag 210 responds to the antenna unit 130 with the peeling detection information held by itself (step S105), and is notified to the terminal authentication processing unit 121 (step S106).

  The terminal authentication processing unit 121 that has acquired the peeling detection information checks whether or not the peeling detection information exists (step S107), and if the peeling detection information exists, instructs the communication control unit 124 to physically disconnect the network. The communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S109).

  When the peeling detection information does not exist, the terminal authentication processing unit 121 instructs the terminal identification information to be read via the antenna unit 130 (Step S110), and transmits a command to the RFID tag 210 (Step S111).

  The RFID tag 210 responds to the antenna unit 130 with the terminal identification information held by itself (step S112), and is notified to the terminal authentication processing unit 121 (step S113).

  The terminal authentication processing unit 121 that has received the terminal identification information instructs the calculation engine 112 of the security chip 110 to calculate the hash value of the received terminal identification information (step S114). The calculation engine 112 of the security chip 110 The hash value of the identification information is calculated (step S115), and the response is made to the terminal authentication processing unit 121 (step S116).

  The terminal authentication processing unit 121 that has acquired the terminal identification value next instructs reading of the terminal authentication information 111a stored in the memory unit 111 (step S117), and the memory unit 111 holds the terminal authentication information held by itself. 111a is returned to the terminal authentication processing unit 121 (step S118).

  The terminal authentication processing unit 121 instructs the security chip 110 to decrypt the acquired terminal authentication information 111a (step S119), and the security chip 110 is paired with the public key used when the terminal identification value is encrypted. Using the key, the terminal authentication information 111a is decrypted (step S120), and the terminal authentication processing unit 121 is responded (step S121).

  The terminal authentication processing unit 121 compares the terminal identification value received from the antenna unit 130 with the terminal identification value decrypted by the security chip 110 as described above (step S122), and if they do not match, the communication control unit 124. The communication control unit 124 that received the instruction performs physical line disconnection using the physical switch 170 (step S124).

  If the terminal identification values match in step S122, the communication control unit 124 is instructed to connect to the network (step S125), and the communication control unit 124 that has received the instruction uses the physical switch 170 to connect the physical line connection. (Step S126), and the frame is transferred via the LAN port 160 (information terminal side 162) (step S127).

  As described above, in terminal authentication according to the first embodiment, an information terminal such as a PC provided with an RFID tag can be authenticated and network connection control can be performed.

  Next, a user authentication processing procedure performed in the authentication socket device 100 according to the first embodiment will be described with reference to FIG. Here, user authentication information 111b is stored in the memory unit 111 in advance.

  FIG. 4 is a sequence diagram showing a user authentication procedure of the authentication socket device 100. As shown in the figure, when the user inserts the USB token 300 into the USB connector 140 of the authentication socket device 100 (step S201), the user authentication processing unit 122 is notified that the USB token 300 has been recognized (step S201). Step S202).

  Upon receiving the notification, the user authentication processing unit 122 notifies the PIN pad 150 of a PIN input instruction to activate the tamper resistant area of the USB token 300, and enters a PIN input waiting state (step S203).

  When the user inputs a PIN using the PIN pad 150 (step S204), the user authentication processing unit 122 notifies the USB token 300 based on the input PIN and activates the tamper resistant area (step S205). .

  When the USB token 300 verifies the PIN, it returns the user identification information held by itself to the user authentication processing unit 122 (step S206).

  The user authentication processing unit 122 instructs the USB token 300 to decrypt the acquired user identification information (step S207), and the USB token 300 is paired with the public key used when the user identification value is encrypted. The user identification information is decrypted using the secret key (step S208), and the response to the user authentication processing unit 122 is made (step S209).

  The user authentication processing unit 122 that has acquired the user identification value next instructs the reading of the user authentication information 111b stored in the memory unit 111 (step S210), and the memory unit 111 is held by itself. The user authentication information 111b is returned to the user authentication processing unit 122 (step S211).

  The user authentication processing unit 122 instructs the security chip 110 to decrypt the acquired user authentication information 111b (step S212), and the security chip 110 is paired with the public key used when the user identification value is encrypted. The user authentication information 111b is decrypted using the secret key to become (step S213), and the response to the user authentication processing unit 122 is made (step S214).

  The user authentication processing unit 122 compares the user identification value obtained by decryption from the USB token 300 with the user identification value decrypted by the security chip 110 as described above (step S215). If not, the communication control unit 124 is instructed to physically disconnect the network (step S216). Upon receiving the instruction, the communication control unit 124 performs physical line disconnection using the physical switch 170 (step S217).

  If the user identification values match in step S215, the communication control unit 124 is instructed to connect to the network (step S218), and the communication control unit 124 that has received the instruction uses the physical switch 170 to perform line physical connection. The connection is made (step S219), and the frame is transferred via the LAN port 160 (information terminal side 162) (step S220).

  As described above, in the user authentication according to the first embodiment, a user having a valid USB token can be authenticated and network connection control can be performed. Further, when detecting that the USB token has been removed from the authentication socket device, the control unit 120 is configured to control the physical switch 170 to control the line physical connection and to cut off the network. Accordingly, the user can easily prevent unauthorized access to the network by removing the USB token from the authentication socket device when leaving the seat.

  As described above, when terminal authentication and user authentication are successful, the network to which the PC is connected is connected at the physical layer level, and when terminal authentication or user authentication fails, the network to which the PC is connected is physically connected. Cut at the layer level.

  In the second embodiment, a case where another device is used as a device that transmits user identification information will be described with reference to FIGS.

  In the first embodiment, the USB token 300 is used as the security token, and the user authentication with the authentication socket device 100 is performed via the USB connector 140. However, the present invention is not limited to this. A communication device may be used. In the second embodiment, an RFID tag that stores user identification information is used instead of the USB token, and user authentication is performed between the card 310 equipped with the RFID tag and the authentication socket device 100 via the antenna unit 130. To do. Note that the RFID tag that stores the user identification information is authenticated by the user himself / herself by being possessed by the user himself / herself, and therefore may not have a peeling detection function.

  FIG. 5 is a diagram illustrating an outline of an authentication system according to the second embodiment. As shown in the figure, in the second embodiment, the authentication socket device 100, the PC 200 having the RFID tag 210 that transmits terminal identification information to the authentication socket device 100, and the user identification information to the authentication socket device 100 are shown. Authentication processing is performed using the RFID-added card 310 that transmits the message.

  Further, in the authentication socket device 100, terminal identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific PC 200. Then, authentication is performed between the paired PC and the authentication socket device to authenticate whether the PC is valid.

  In the second embodiment, the authentication socket device encrypts the hash value of the terminal identification information and stores it in the internal memory in advance. Thereby, analogy of identification information of the RFID tag 210 can be prevented, and security can be improved.

  In the authentication socket device 100, user identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific user. Then, authentication is performed between the device 310 and the authentication socket device 100 of the paired user to authenticate whether the user is valid.

  In the second embodiment, the authentication socket device encrypts the hash value of the user identification information and stores it in the internal memory in advance. As a result, the analogy of the identification information held by the RFID card 310 can be prevented and the security can be improved.

  FIG. 6 is a functional block diagram illustrating a configuration of the authentication socket device 100 according to the second embodiment. The authentication socket device 100 includes a security chip 110, a control unit 120, an antenna 130, a LAN port 160, and a physical switch 170. The security chip 110 includes a memory unit 111 and a calculation engine 112. The memory unit 111 includes terminal authentication information 111a and user authentication information 111b. The calculation engine 112 includes a key generation engine 112a and random number generation. An engine 112b and a hash value calculation engine 112c. The control unit 120 includes a terminal authentication processing unit 121, a user authentication processing unit 122, and a communication control unit 124. The LAN port 160 is a LAN side port 161. And an information terminal side port 162.

  The security chip 110 is a hardware chip having a memory unit 111 and a calculation engine 112, and the TPM is used in the second embodiment as in the first embodiment.

  The memory unit 111 is a memory provided in the security chip 110 and configured by a non-volatile memory such as a flash memory, and stores terminal authentication information 111a and user authentication information 111b in advance.

  The terminal authentication information 111 a is an ID such as a unique number or character string for authenticating and specifying the information terminal, and corresponds to the terminal identification information stored in the RFID tag 210 mounted on the PC 200.

  In order to prevent analogy of the terminal identification information stored in the RFID tag 210, the terminal identification information obtained by calculating the hash value by the hash value calculation engine 112c included in the security chip 110 (terminal identification value) is used.

  In order to prevent leakage of the terminal identification value, the terminal identification value is encrypted using the public key generated by the key generation engine 112a included in the security chip 110, and the encrypted ID is stored in advance as the terminal authentication information 111a. I will leave it.

  The user authentication information 111b is an ID such as a unique number or character string for authenticating and specifying the user, and corresponds to the user identification information stored in the RFID card 310 in the second embodiment. .

  In order to prevent the analogy of the user identification information stored in the RFID-added card 310, the user identification information obtained by calculating the hash value by the hash value calculation engine 112c included in the security chip 110 is used. Hereinafter, the hashed user identification information is referred to as a user identification value.

  In order to prevent the leakage of the user identification value, the user identification value is encrypted using the public key generated by the key generation engine 112a included in the security chip 110, and the encrypted ID is preliminarily used as the user authentication information 111b. Remember it.

  The control unit 120 performs terminal authentication processing based on the terminal identification information received from the RFID tag 210 mounted on the PC 200 via the antenna 130, and converts the user identification information received from the RFID card 310 via the antenna 130 into the user identification information. Based on the result of the terminal authentication process and the user authentication process, the PC 200 and the network are connected / disconnected at the physical layer level of the OSI reference model.

  The terminal authentication processing unit 121 authenticates the valid RFID tag by confirming whether or not the peeling detection information received from the RFID tag 210 mounted on the PC 200 exists. Furthermore, the PC 200 paired with the authentication socket device 100 is identified based on whether or not the hash value of the terminal identification information received from the RFID tag 210 matches the value obtained by decrypting the terminal authentication information 111a in the memory unit 111. Process.

  Specifically, since the RFID tag 210 mounted on the PC 200 stores unique identification information for each tag, in this embodiment, the RFID tag identification information is acquired and used as terminal identification information. To do. In addition, a value obtained by hashing the terminal identification information held by the RFID tag 210 of the PC 200 to be authenticated by the hash value calculation engine 112c included in the security chip 110 is used as a terminal identification value, and the terminal identification value is used as the key generation engine 112a included in the security chip 110. Is encrypted in advance with the public key generated and stored in the internal memory unit 111 in advance.

  This terminal authentication processing unit 121 has a terminal identification value “0001” obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200, and uses the terminal authentication information 111 a read from the memory unit 111 as a security chip. If the terminal identification value is decrypted with the private key that is the public key pair used when the terminal identification value is encrypted by 110 and the decrypted terminal identification value is also “0001”, the PC 200 and the authentication socket 100 are a valid pair. It is determined that

  If the terminal identification value obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200 is different from the terminal identification value obtained by decoding the terminal authentication information 111a read from the memory unit 111, the authentication socket 100 is paired. It is determined that the PC 200 to become is illegal.

  The user authentication processing unit 122 determines whether the hash value of the user identification information received from the RFID-added card 310 matches the value obtained by decrypting the user authentication information 111b in the memory unit 111. A process of identifying a user who is paired with 100 is performed.

  Specifically, since identification information unique to each tag is stored in the RFID card 310, in this embodiment, identification information of the RFID card 310 is acquired and used as user identification information. . In addition, a value obtained by hashing the user identification information held by the authentication target RFID card 310 by the hash value calculation engine 112c included in the security chip 110 is used as a user identification value, and the user identification value is generated in the security chip 110. It is encrypted with the public key generated by the engine 112a and stored in advance in the internal memory unit 111.

  This user authentication processing unit 122 has a user identification value “0002” obtained by hashing the user identification information received from the RFID-added card 310, and the user authentication information 111 b read from the memory unit 111 is converted into a security chip. When the user identification value is encrypted by the private key that is a pair of the public key used when the user identification value is encrypted by 110 and the decrypted user identification value is also “0002”, the user and the authentication socket 100 Is determined to be a valid pair.

  When the user identification value obtained by hashing the user identification information received from the RFID-added card 310 and the user identification value obtained by decrypting the user authentication information 111b read from the memory unit 111 are different from each other, it is paired with the authentication socket 100. It is determined that the user who becomes is illegal.

  The communication control unit 124 is a processing unit that starts or disconnects communication between the PC 200 and the LAN 400.

  Specifically, when communication between the PC 200 and the LAN 400 is stopped, a terminal authentication success instruction is received from the terminal authentication processing unit 121, and a user authentication success instruction is received from the user authentication processing unit 122. Connection to the LAN 400 is started. When the PC 200 and the LAN 400 are in a communication state, when the terminal authentication failure instruction is received from the terminal authentication processing unit 121 or the user authentication failure instruction is received from the user authentication processing unit 122, the communication between the PC 200 and the LAN 400 is performed. Disconnect at the physical layer level using the physical switch 170.

  The antenna unit 130 is a device for communicating with the RFID tag 210 and the RFID card 310 mounted on the PC 200.

  The LAN port 160 is a port for connecting a communication cable that can transmit and receive the data link layer frame of the OSI reference model. The LAN side port 161 is a port for transmitting and receiving frames between the authentication socket device 100 and the LAN 400, and the information terminal side port 162 is a port for transmitting and receiving frames between the PC 200 and the authentication socket device 100.

  The physical switch 170 is a switch that disconnects the transmission line at the physical layer level of the OSI reference model, and uses an analog switch.

  Next, a terminal authentication processing procedure performed by the authentication socket device according to the second embodiment will be described with reference to FIG. Here, the terminal authentication information 111a is stored in the memory unit 111 in advance.

  FIG. 7 is a sequence diagram showing a terminal authentication procedure of the authentication socket device 100. As shown in the figure, in the PC 200 to which the authentication socket device 100 is connected, when the antenna unit 130 of the authentication socket device 100 recognizes the RFID tag 210 mounted on the PC 200 (step S301), the terminal authentication processing unit 121 The fact that the RFID tag 210 has been recognized is notified (step S302).

  Upon receiving the notification, the terminal authentication processing unit 121 inquires of the peeling detection information via the antenna unit 130 (step S303), and transmits a command to the RFID tag 210 (step S304).

  The RFID tag 210 responds to the antenna unit 130 with the peeling detection information held by the RFID tag 210 (step S305), and is notified to the terminal authentication processing unit 121 (step S306).

  The terminal authentication processing unit 121 that has acquired the peeling detection information checks whether or not the peeling detection information exists (step S307), and if the peeling detection information exists, instructs the communication control unit 124 to physically disconnect the network. Then, the communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S309).

  If the peeling detection information does not exist, the terminal authentication processing unit 121 instructs reading of the terminal identification information via the antenna unit 130 (step S310), and transmits a command to the RFID tag 210 (step S311).

  The RFID tag 210 responds to the antenna unit 130 with the terminal identification information held by itself (step S312), and is notified to the terminal authentication processing unit 121 (step S313).

  Upon receiving the terminal identification information, the terminal authentication processing unit 121 instructs the calculation engine 112 of the security chip 110 to calculate the hash value of the received terminal identification information (step S314), and the calculation engine 112 of the security chip 110 The hash value of the identification information is calculated (step S315), and the response is made to the terminal authentication processing unit 121 (step S316).

  The terminal authentication processing unit 121 that has acquired the terminal identification value next instructs reading of the terminal authentication information 111a stored in the memory unit 111 (step S317), and the memory unit 111 holds the terminal authentication information held by itself. 111a is returned to the terminal authentication processing unit 121 (step S318).

  The terminal authentication processing unit 121 instructs the security chip 110 to decrypt the acquired terminal authentication information 111a (step S319), and the security chip 110 is paired with the public key used when the terminal identification value is encrypted. Using the key, the terminal authentication information 111a is decrypted (step S320), and the terminal authentication processing unit 121 is responded (step S321).

  The terminal authentication processing unit 121 compares the terminal identification value received from the antenna unit 130 with the terminal identification value decrypted by the security chip 110 as described above (step S322), and if they do not match, the communication control unit 124. The communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S324).

  If the terminal identification values match in step S322, the communication control unit 124 is instructed to connect to the network (step S325), and the communication control unit 124 that has received the instruction uses the physical switch 170 to perform the physical connection of the line. (Step S326), and the frame is transferred via the LAN port 160 (information terminal side 162) (step S327).

  As described above, in terminal authentication according to the second embodiment, an information terminal such as a PC having an RFID tag can be authenticated and network connection control can be performed.

  Next, a user authentication processing procedure performed by the authentication socket device according to the second embodiment will be described with reference to FIG. Here, user authentication information 111b is stored in the memory unit 111 in advance.

  FIG. 8 is a sequence diagram showing a user authentication procedure of the authentication socket device 100. The control unit 120 investigates whether or not the RFID tag is within a readable range by periodically radiating read radio waves from the antenna unit 130. When the control unit 120 detects that the user holding the card 310 with the RFID tag approaches the authentication socket device 100 and enters the readable range (step S401), the RFID tag 310 is notified to the user authentication processing unit 122. Is notified (step S402).

  Upon receiving the notification, the user authentication processing unit 122 inquires about the user identification information via the antenna unit 130 (step S403), and transmits a command to the RFID-tagged card 310 (step S404).

  The RFID-tagged card 310 responds to the antenna unit 130 with the user identification information held by itself (step S405), and is notified to the user authentication processing unit 122 (step S406).

  The user authentication processing unit 122 that has acquired the user identification information instructs the calculation engine 112 of the security chip 110 to calculate the hash value of the received user identification information (step S407), and the calculation engine of the security chip 110. 112 calculates the hash value of the user identification information (step S408), and responds to the user authentication processing unit 122 (step S409).

  The user authentication processing unit 122 that has acquired the user identification value next instructs reading of the user authentication information 111b stored in the memory unit 111 (step S410), and the memory unit 111 is held by itself. The user authentication information 111b is returned to the user authentication processing unit 122 (step S411).

  The user authentication processing unit 122 instructs the security chip 110 to decrypt the acquired user authentication information 111b (step S412), and the security chip 110 is paired with the public key used when the user identification value is encrypted. The user authentication information 111b is decrypted using the secret key to become (step S413), and the response to the user authentication processing unit 122 is made (step S414).

  The user authentication processing unit 122 compares the user identification value received from the antenna unit 130 with the user identification value decrypted by the security chip 110 as described above (step S415). If the two do not match, communication is performed. The control unit 124 is instructed to physically disconnect the network (step S416), and the communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S417).

  If the terminal identification values match in step S415, the communication control unit 124 is instructed to physically connect the network (step S418), and the communication control unit 124 that has received the instruction uses the physical switch 170 to perform the physical connection of the line. (Step S419), and the frame is transferred via the LAN port 160 (information terminal side 162) (step S420).

  As described above, in the user authentication according to the second embodiment, it is possible to authenticate a user having a card with an RFID tag and perform network connection control.

  As described above, when terminal authentication or user authentication fails, the network to which the PC is connected is disconnected at the physical layer level. Even while communication between the PC and the network is permitted, the control unit 120 periodically checks whether or not the RFID tag is within a readable range. When it is detected that the RFID tag card 310 is not within the readable range, for example, when the user leaves the seat, the communication control unit 124 uses the physical switch 170 to control the line physical connection, and between the PC and the network. Block communication at the physical layer level. Therefore, it is effective when a user who is always connected for 24 hours wants to block intrusion and attack from a network other than during PC operation.

  In the third embodiment, an embodiment for authenticating whether or not a communication partner is valid by arranging authentication socket devices in pairs between information terminals to be communicated on a LAN will be described with reference to FIGS. 9 to 13. explain.

  FIG. 9 is a diagram illustrating an outline of an authentication system according to the third embodiment. As shown in the figure, the authentication socket device 100 is arranged between the LAN and the transmission-side PC 200, and the authentication socket device 500 is arranged between the LAN and the reception-side PC 600. The authentication socket device 500 receives the received communication identification information and performs authentication between the authentication socket devices to authenticate whether or not the communication partner is valid. Hereinafter, this authentication process is referred to as “communication authentication”.

  In the authentication socket device 100, terminal identification information is stored in advance in an internal memory, and the authentication socket device 100 is associated with a specific PC 200. Then, authentication is performed between the paired PC and the authentication socket device to authenticate whether the PC is valid.

  In the third embodiment, the authentication socket device encrypts the hash value of the terminal identification information and stores it in the internal memory in advance. Thereby, analogy of identification information of the RFID tag 210 can be prevented, and security can be improved.

  In the authentication socket device 100, user identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific user. Then, authentication is performed between the device 300 of the paired user and the authentication socket device 100 to authenticate whether the user is valid.

  In the third embodiment, user identification information is encrypted and stored in advance in an internal memory. Thereby, leakage of user identification information can be prevented and security can be improved.

  FIG. 10 is a functional block diagram illustrating a configuration of the authentication socket device 100 according to the third embodiment. The authentication socket device 100 includes a security chip 110, a control unit 120, an antenna 130, a USB connector 140, a PIN pad 150, a LAN port 160, and a physical switch 170. The security chip 110 includes a memory unit 111 and a calculation engine 112. The memory unit 111 includes terminal authentication information 111a, user authentication information 111b, communication authentication information 111c, and a common key 111d. The engine 112 includes a key generation engine 112a, a random number generation engine 112b, and a hash value calculation engine 112c. The control unit 120 includes a terminal authentication processing unit 121, a user authentication processing unit 122, and a communication authentication processing unit 123. The LAN port 160 includes a LAN side port 161 and an information terminal side port 162.

  The security chip 110 is a hardware chip having a memory unit 111 and a calculation engine 112, and the third embodiment uses a TPM as in the first embodiment.

  The memory unit 111 is a memory provided in the security chip 110 and configured by a non-volatile memory such as a flash memory. The terminal 111 includes user authentication information 111a, user authentication information 111b, communication authentication information 111c, and a common key 111d. I remember it.

  The terminal authentication information 111 a is an ID such as a unique number or character string for authenticating and specifying the information terminal, and corresponds to the terminal identification information stored in the RFID tag 210 mounted on the PC 200.

  In order to prevent analogy of the terminal identification information stored in the RFID tag 210, the terminal identification information obtained by calculating the hash value by the hash value calculation engine 112c of the security chip 110 (terminal identification value) is used.

  In order to prevent leakage of the terminal identification value, the terminal identification value is encrypted using the public key generated by the key generation engine 112a included in the security chip 110, and the encrypted ID is stored in advance as the terminal authentication information 111a. I will leave it.

  The user authentication information 111b is an ID such as a unique number or character string for specifying the user, and corresponds to the MAC address of the PC 200 in the third embodiment.

  In order to prevent analogization of the MAC address, the value calculated by the hash value calculation engine 112c included in the security chip 110 is used to create the user authentication information 111b.

  In order to prevent the leakage of the user authentication information 111b, the hashed MAC address is encrypted using the public key generated by the key generation engine 112a included in the security chip 110 and encrypted. Is stored in advance as user authentication information 111b.

  The communication authentication information 111c is information for sending the validity of the transmission source device to the communication partner, and includes a random number obtained from the calculation engine 112 of the security chip 110 and a hash value calculated from the random number and the common key 111d. . The communication authentication information 111c is calculated and stored in the memory unit 111 at the start of communication, but is deleted from the memory unit 111 when communication is completed.

  The common key 111d is a value shared between communication partners, and is used when generating the communication authentication information 111c.

  The control unit 120 performs terminal authentication processing based on the terminal identification information received from the RFID tag 210 mounted on the PC 200 via the antenna 130, and the user input from the USB token 300 connected via the USB connector 140. User authentication processing is performed based on the identification information, communication authentication processing is performed with the authentication socket device 500 installed between the LAN port 160 and the terminal 600 connected via the LAN 400, and terminal authentication processing, Based on the results of the user authentication process and the communication authentication process, the PC 200 and the network are connected / disconnected at the physical layer level of the OSI reference model.

  The terminal authentication processing unit 121 authenticates the valid RFID tag by confirming whether or not the peeling detection information received from the RFID tag 210 mounted on the PC 200 exists. Furthermore, the PC 200 paired with the authentication socket device 100 is identified based on whether or not the hash value of the terminal identification information received from the RFID tag 210 matches the value obtained by decrypting the terminal authentication information 111a in the memory unit 111. Process.

  Specifically, since the RFID tag 210 mounted on the PC 200 stores unique identification information for each tag, in this embodiment, the RFID tag identification information is acquired and used as terminal identification information. To do. In addition, a value obtained by hashing the terminal identification information held by the RFID tag 210 of the PC 200 to be authenticated by the hash value calculation engine 112c included in the security chip 110 is used as a terminal identification value, and the terminal identification value is used as the key generation engine 112a included in the security chip 110. Is encrypted in advance with the public key generated and stored in the internal memory unit 111 in advance.

  This terminal authentication processing unit 121 has a terminal identification value “0001” obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200, and uses the terminal authentication information 111 a read from the memory unit 111 as a security chip. If the terminal identification value is decrypted with the private key that is the public key pair used when the terminal identification value is encrypted by 110 and the decrypted terminal identification value is also “0001”, the PC 200 and the authentication socket 100 are a valid pair. It is determined that

  If the terminal identification value obtained by hashing the terminal identification information received from the RFID tag 210 mounted on the PC 200 is different from the terminal identification value obtained by decoding the terminal authentication information 111a read from the memory unit 111, the authentication socket 100 is paired. It is determined that the PC 200 to become is illegal.

  The user authentication processing unit 122 is paired based on whether or not the user identification information input from the USB token 300 via the USB connector 140 matches the value obtained by decrypting the user authentication information 111b in the memory unit 111. Process to identify the user.

  Specifically, when the user authentication processing unit 122 detects that the USB token 300 is connected to the USB port 140 of the authentication socket device 100, the user authentication processing unit 122 instructs activation of the tamper resistant area of the USB token 300. At this time, the USB token 300 requests the user authentication processing unit 122 to input the personal identification number PIN in order to read the identification information stored in the tamper-resistant area in the own device. Here, the user authentication processing unit 122 prompts the user to input a PIN at the PIN pad 150 provided in the authentication socket device 100.

  When the user inputs the PIN using the PIN pad 150, the user authentication processing unit 122 notifies the USB token 300 of the PIN. The USB token 300 verifies the notified PIN, and when it is verified that the PIN is correct, the encrypted user identification information stored in the tamper resistant area in the USB token 300 is read out.

  The user authentication processing unit 122 instructs to decrypt the user identification information encrypted in the USB token 300. The USB token 300 has the public key used when the device itself has the user identification information encrypted. The above-described user identification information is decrypted with the paired secret key.

  The user authentication processing unit 122 also decrypts the user identification information obtained from the USB token 300 and the user authentication information 111b read from the memory unit 111 with the secret key of the security chip 110. The identification information is compared, and if they match, it is determined that the USB token 300 and the authentication socket 100 are a valid pair. If the user identification information obtained as described above is different from the user authentication information 111b read from the memory unit 111, it is determined that the USB token 300 paired with the authentication socket 100 is illegal.

  The communication authentication processing unit 123 is a processing unit that authenticates whether the communication received from the LAN port 160 via the LAN 400 is from a valid partner. That is, a process of identifying the authentication socket of the communication source is performed based on whether or not the communication identification information transmitted from the authentication socket device on the transmission side matches the communication identification information calculated by the authentication socket device on the reception side.

  The communication control unit 124 is a processing unit that starts or disconnects communication between the PC 200 and the network or the LAN 400.

  Specifically, when communication between the PC 200 and the LAN 400 is stopped, a terminal authentication success instruction is received from the terminal authentication processing unit 121, and a user authentication success instruction is received from the user authentication processing unit 122. Connection to the LAN 400 is started. When the PC 200 and the LAN 400 are in a communication state, when the terminal authentication failure instruction is received from the terminal authentication processing unit 121 or the user authentication failure instruction is received from the user authentication processing unit 122, the communication between the PC 200 and the LAN 400 is performed. The transmission line using the physical switch 170 is disconnected at the physical layer level. Further, when a communication authentication failure instruction is received from the communication authentication processing unit 123 while the PC 200 and the LAN 400 are in communication, the communication between the PC 200 and the LAN 400 is disconnected at the physical layer level using the physical switch 170.

  The antenna unit 130 is a device for communicating with the RFID tag 210 mounted on the PC 200. The USB connector 140 is a device for communicating with the USB token 300.

  The USB connector 140 is a connector compliant with the USB standard, and is a connector for inserting the USB token 300.

  The PIN pad 150 is a device for inputting the PIN of the USB token 300, and is provided with a numeric keypad.

  The LAN port 160 is a port for connecting a communication cable that can transmit and receive the data link layer frame of the OSI reference model. The LAN side port 161 is a port for transmitting and receiving frames between the authentication socket device 100 and the LAN 400, and the information terminal side port 162 is a port for transmitting and receiving frames between the PC 200 and the authentication socket device 100.

  The physical switch 170 is a switch that disconnects the transmission line at the physical layer level of the OSI reference model, and uses an analog switch.

  Here, the above-mentioned “communication authentication” will be described in more detail with reference to FIGS. FIG. 11 is a diagram illustrating an outline of data transmitted at the time of communication authentication, FIG. 12 is a sequence diagram illustrating a communication authentication procedure of the transmission-side authentication socket device according to the third embodiment, and FIG. FIG. 10 is a sequence diagram showing a communication authentication procedure of the receiving side authentication socket device according to the third embodiment. Further, it is assumed that the authentication socket device 100 is a transmission side and the authentication socket device 500 is a reception side, and terminal authentication and user authentication have been completed in each device.

  When terminal authentication and user authentication are completed in FIG. 12, when a connection request to the LAN from the PC 200 is received via the LAN port 160 (information terminal side 162) (step S501), the communication authentication processing unit 123 is received. Is notified of the LAN connection request (step S502).

  The communication authentication processing unit 123 issues a random number calculation instruction to the calculation engine 112 of the security chip 110 (step S503), and the calculation engine 112 of the security chip 110 calculates a random number M (step S504). It responds to 123 (step S505).

  Next, the communication authentication processing unit 123 instructs to read the common key 111d stored in the memory unit 111 (step S506), and the memory unit 111 sends the common key 111d held by itself to the communication authentication processing unit 123. A response is made (step S507). Hereinafter, it is assumed that the read common key 111d is K.

  The communication authentication processing unit 123 instructs the calculation engine 112 of the security chip 110 to calculate a hash value using the combination of the received common key K and the generated random number M as an argument (step S508). 112 performs a hash value calculation using the pair of the common key K and the random number M as an argument (step S509), and responds to the communication authentication processing unit 123 (step S510). Hereinafter, it is assumed that the hash value calculated in step S510 is h (M, K).

  The communication authentication processing unit 123 stores the random number M and the hash value h (M, K) calculated as described above in the memory unit 111 as communication authentication information (step S511).

  The communication authentication processing unit 123 creates a frame by adding an authentication header with communication identification information as authentication data to the data link layer frame transmitted to the LAN (step S512), and creates the frame for the communication control unit 124. A frame transfer instruction is issued (step S513).

  Upon receiving the instruction, the communication control unit 124 performs line physical connection using the physical switch 170 (step S514), transfers the frame to the LAN side port 161 (step S515), and transmits the frame to the LAN 400 (step S516). .

  In FIG. 13, when the authentication socket device 500 receives a frame transferred from the authentication socket device 100 via the LAN port 160 (LAN side 161) from the LAN 400 (step S601), the authentication socket device 500 sends a frame to the communication authentication processing unit 123. Is transmitted (step S602).

  The communication authentication processing unit 123 extracts the communication identification information from the received frame, and extracts the random number M and the hash value h (M, K) (step S603).

  Next, the authentication socket device 500 instructs to read the common key 111d held in the memory unit 111 of the own device (authentication socket device 500) (step S604), and the memory unit 111 holds the common key held by itself. 111d is returned to the communication authentication processing unit 123 (step S605). Since the read common key has the same value as the authentication socket device (authentication socket device 100) of the communication partner, it can be expressed as a common key K.

  The communication authentication processing unit 123 instructs the calculation engine 112 of the security chip 110 to calculate a hash value using the combination of the read common key K and the received random number M as an argument (step S606). 112 performs a hash value calculation using the pair of the common key K and the random number M as an argument (step S607), and responds to the communication authentication processing unit 123 (step S608). Hereinafter, it is assumed that the hash value calculated in step S608 is h ′ (M, K).

  The communication authentication processing unit 123 compares the received hash value h (M, K) with the hash value h ′ (M, K) calculated by the own device (authentication socket device 500) (step S609). If not, the communication control unit 124 is instructed to physically disconnect the network (step S610), and the communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S611).

  If the hash values match in step S609, the communication control unit 124 is instructed to physically connect the network (step S612), and the communication control unit 124 that has received the instruction uses the physical switch 170 to establish the physical line connection. (Step S613), the frame is transferred to the information terminal side port 162 (step S614), and transmitted to the PC 600 (step S615).

  By taking the configuration example as described above, only authenticated communication can be permitted only by arranging a pair of authentication socket devices between information terminals to be protected on LAN.

  In the fourth embodiment, a case where another device is used as a device that transmits terminal identification information will be described with reference to FIGS.

  In the previous embodiments, the peeling detection type RFID tag 210 is used as a device for transmitting terminal identification information, and terminal authentication with the authentication socket apparatus 100 is performed via the antenna 130. Not limited to this, other devices may be used. In the fourth embodiment, instead of this peeling detection type RFID tag, a PC in which a TPM is previously mounted on a motherboard is used, and terminal authentication is performed between the PC 200 on which the TPM 220 is mounted and the authentication socket device 100 via the LAN port 160. To do. Since the TPM 220 can detect hardware and software tampering of the PC 200 using the measurement value of the configuration information of the PC 200, security can be improved.

  FIG. 14 is a diagram showing an outline of an authentication system according to the fourth embodiment. As shown in the figure, in the fourth embodiment, there is an authentication socket device 100, a PC 200 having a TPM 220 for storing terminal identification information, transmitting terminal identification information to the authentication socket device 100, and the authentication socket device 100. Authentication processing is performed using the USB token 300 for inputting user identification information.

  Further, in the authentication socket device 100, terminal identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific PC 200. Then, authentication is performed between the paired PC and the authentication socket device to authenticate whether the PC is valid.

  In the fourth embodiment, the authentication socket device encrypts terminal identification information and stores it in an internal memory in advance. Thereby, leakage of terminal identification information can be prevented and security can be improved.

  In the authentication socket device 100, user identification information is stored in advance in an internal memory, and the authentication socket device 100 is made to correspond to a specific user. Then, authentication is performed between the USB token 300 held by the paired user and the authentication socket device 100 to authenticate whether the user is valid.

  In the fourth embodiment, the authentication socket device encrypts the user identification information and stores it in the internal memory in advance. Thereby, leakage of user identification information can be prevented and security can be improved.

  FIG. 15 is a functional block diagram illustrating a configuration of the authentication socket device 100 according to the fourth embodiment. The authentication socket device 100 includes a security chip 110, a control unit 120, a USB connector 140, a PIN pad 150, a LAN port 160, and a physical switch 170. The security chip 110 includes a memory unit 111 and a calculation engine 112. The memory unit 111 includes terminal authentication information 111a and user authentication information 111b. The calculation engine 112 includes a key generation engine 112a and random number generation. An engine 112b and a hash value calculation engine 112c. The control unit 120 includes a terminal authentication processing unit 121, a user authentication processing unit 122, and a communication control unit 124. The LAN port 160 is a LAN side port 161. And an information terminal side port 162.

  The security chip 110 is a hardware chip having a memory unit 111 and a calculation engine 112, and in the fourth embodiment, a TPM is used as in the first embodiment.

  The memory unit 111 is a memory provided in the security chip 110 and configured by a non-volatile memory such as a flash memory, and stores terminal authentication information 111a and user authentication information 111b in advance.

  The terminal authentication information 111a is an ID such as a unique number or character string for authenticating and specifying the information terminal, and corresponds to the terminal identification information transmitted from the PC 200. As the terminal identification information, a PCR (Platform Configuration Registers) value stored in the TPM 220 mounted on the PC 200 is used. The PCR value is a value obtained by the TPM 220 calculating the hash value of the configuration information of the PC 200 measured by the OS when the PC 200 is activated, and guarantees the integrity of the PC 200. In addition, the PCR value is stored in a tamper-resistant area of the TPM 220 and cannot be read illegally.

  In order to prevent leakage of the terminal identification information, the terminal identification information (PCR value) is encrypted using the public key generated by the key generation engine 112a included in the security chip 110, and the encrypted terminal identification information is converted into the terminal authentication information. It is assumed that it is stored in advance as 111a.

  The user authentication information 111b is an ID such as a unique number or a character string for specifying the user, and corresponds to the MAC address of the PC 200 in the fourth embodiment.

  In order to prevent analogization of the MAC address, the value calculated by the hash value calculation engine 112c included in the security chip 110 is used to create the user authentication information 111b.

  In order to prevent the leakage of the user authentication information 111b, the hashed MAC address is encrypted using the public key generated by the key generation engine 112a included in the security chip 110 and encrypted. Is stored in advance as user authentication information 111b.

  The control unit 120 performs terminal authentication processing based on the terminal identification information received from the PC 200 via the LAN port 160, and user authentication based on the user identification information input from the USB token 300 connected via the USB connector 140. The processing is performed, and the PC 200 and the network are connected / disconnected at the physical layer level of the OSI reference model based on the result of the terminal authentication processing and the user authentication processing.

  The terminal authentication processing unit 121 identifies the PC 200 that is paired with the authentication socket device 100 based on whether or not the terminal identification information received from the PC 200 matches the value obtained by decrypting the terminal authentication information 111a in the memory unit 111. Process.

  Specifically, since the TPM 220 mounted on the PC 200 stores unique identification information (PCR value) for each PC, in the present embodiment, the PCR value of the TPM 220 is acquired and used as terminal identification information. Use. The PCR value of the TPM 220 of the authentication target PC 200 is encrypted with the public key generated by the key generation engine 112 a included in the security chip 110 and stored in the internal memory unit 111 in advance.

  The terminal authentication processing unit 121 uses the terminal identification information (PCR value) received from the PC 200 and the terminal authentication information 111a read from the memory unit 111 to obtain the public key used when the security chip 110 encrypts the PCR value. The terminal identification information obtained by decrypting with the paired secret key is compared, and if they match, it is determined that the PC 200 and the authentication socket 100 are a valid pair.

  If the terminal identification information obtained as described above is different from the terminal identification information obtained by decrypting the terminal authentication information 111a read from the memory unit 111, it is determined that the PC 200 paired with the authentication socket 100 is illegal. .

  The user authentication processing unit 122 is paired based on whether or not the user identification information input from the USB token 300 via the USB connector 140 matches the value obtained by decrypting the user authentication information 111b in the memory unit 111. Process to identify the user.

  Specifically, when the user authentication processing unit 122 detects that the USB token 300 is connected to the USB port 140 of the authentication socket device 100, the user authentication processing unit 122 instructs activation of the tamper resistant area of the USB token 300. At this time, the USB token 300 requests the user authentication processing unit 122 to input a personal identification number PIN code in order to read the identification information stored in the tamper-resistant area in the own device. Here, the user authentication processing unit 122 prompts the user to input a PIN at the PIN pad 150 provided in the authentication socket device 100.

  When the user inputs the PIN using the PIN pad 150, the user authentication processing unit 122 notifies the USB token 300 of the PIN. The USB token 300 verifies the notified PIN, and when it is verified that the PIN is correct, the encrypted user identification information stored in the tamper resistant area in the USB token 300 is read out.

  The user authentication processing unit 122 instructs to decrypt the user identification information encrypted in the USB token 300. The USB token 300 has the public key used when the device itself has the user identification information encrypted. The above-described user identification information is decrypted with the paired secret key.

  The user authentication processing unit 122 also decrypts the user identification information obtained from the USB token 300 and the user authentication information 111b read from the memory unit 111 with the secret key of the security chip 110. The identification information is compared, and if they match, it is determined that the USB token 300 and the authentication socket 100 are a valid pair. If the user identification information obtained as described above is different from the user authentication information 111b read from the memory unit 111, it is determined that the USB token 300 paired with the authentication socket 100 is illegal.

  The communication control unit 124 is a processing unit that starts or disconnects communication between the PC 200 and the network or the LAN 400.

  Specifically, when communication between the PC 200 and the LAN 400 is stopped, a terminal authentication success instruction is received from the terminal authentication processing unit 121, and a user authentication success instruction is received from the user authentication processing unit 122. Connection to the LAN 400 is started. When the PC 200 and the LAN 400 are in a communication state, when the terminal authentication failure instruction is received from the terminal authentication processing unit 121 or the user authentication failure instruction is received from the user authentication processing unit 122, the communication between the PC 200 and the LAN 400 is performed. Disconnect at the physical layer level using the physical switch 170.

  The USB connector 140 is a connector compliant with the USB standard, and is a connector for inserting the USB token 300.

  The PIN pad 150 is a device for inputting the PIN of the USB token 300, and is provided with a numeric keypad.

  The LAN port 160 is a port for connecting a communication cable that can transmit and receive the data link layer frame of the OSI reference model. The LAN side port 161 is a port for transmitting and receiving frames between the authentication socket device 100 and the LAN 400, and the information terminal side port 162 is a port for transmitting and receiving frames between the PC 200 and the authentication socket device 100.

  The physical switch 170 is a switch that disconnects communication at the physical layer level of the OSI reference model, and uses an analog switch.

  Next, a terminal authentication processing procedure performed by the authentication socket device 100 according to the fourth embodiment will be described with reference to FIG. Here, the terminal authentication information 111a is stored in the memory unit 111 in advance.

  FIG. 16 is a sequence diagram illustrating a terminal authentication procedure of the authentication socket device 100. As shown in the figure, in the PC 200 to which the authentication socket device 100 is connected, when the PC 200 is activated (step S701), the TPM 220 acquires hardware and software configuration information of the PC 200 (step S702).

  The TPM 220 calculates a hash value of the acquired configuration information and stores it in the PCR in the TPM 220 (step S703).

  The PC 200 acquires the PCR value from the TPM 220 (step S704), transmits the PCR value as terminal identification information via the LAN port 160 (information terminal side 162) (step S705), and sends the terminal authentication processing unit 121 to the terminal. The identification information is transmitted (step S706).

  The terminal authentication processing unit 121 that has acquired the terminal identification information next instructs reading of the terminal authentication information 111a stored in the memory unit 111 (step S707), and the memory unit 111 holds the terminal authentication information held by itself. 111a is returned to the terminal authentication processing unit 121 (step S708).

  The terminal authentication processing unit 121 instructs the security chip 110 to decrypt the acquired terminal authentication information 111a (step S709), and the security chip 110 is paired with the public key used when the terminal identification information is encrypted. Using the key, the terminal authentication information 111a is decrypted (step S710), and the terminal authentication processing unit 121 is responded (step S711).

  The terminal authentication processing unit 121 compares the terminal identification information received from the PC 200 with the terminal identification information decrypted by the security chip 110 as described above (step S712). The communication control unit 124 that has received the instruction performs physical line disconnection using the physical switch 170 (step S714).

  If the terminal identification values match in step S712, the communication control unit 124 is instructed to make a physical connection to the network (step S715), and the communication control unit 124 that has received the instruction uses the physical switch 170 to perform the physical line connection. (Step S716), and frame transfer via the LAN port 160 (information terminal side 162) is started (step S717).

  As described above, in terminal authentication according to the fourth embodiment, a PC having a TPM can be authenticated and network connection control can be performed.

  Next, a user authentication processing procedure performed by the authentication socket device 100 according to the fourth embodiment will be described with reference to FIG. Here, user authentication information 111b is stored in the memory unit 111 in advance.

  FIG. 17 is a sequence diagram illustrating a user authentication procedure of the authentication socket device 100. As shown in the figure, when the user inserts the USB token 300 into the USB connector 140 of the authentication socket device 100 (step S801), the user authentication processing unit 122 is notified that the USB token 300 has been recognized ( Step S802).

  Upon receiving the notification, the user authentication processing unit 122 notifies the PIN pad 150 of a PIN input instruction to activate the tamper resistant area of the USB token 300, and enters a PIN input waiting state (step S803).

  When the user inputs a PIN using the PIN pad 150 (step S804), the user authentication processing unit 122 notifies the USB token 300 based on the input PIN and activates the tamper resistant area (step S805). .

  When the USB token 300 verifies the PIN, it returns the user identification information held by itself to the user authentication processing unit 122 (step S806).

  The user authentication processing unit 122 instructs the USB token 300 to decrypt the acquired user identification information (step S807), and the USB token 300 is paired with the public key used when the user identification value is encrypted. The user identification information is decrypted using the secret key (step S808), and the response to the user authentication processing unit 122 is made (step S809).

  The user authentication processing unit 122 that has acquired the user identification value next instructs the reading of the user authentication information 111b stored in the memory unit 111 (step S810), and the memory unit 111 holds it. The user authentication information 111b is returned to the user authentication processing unit 122 (step S811).

  The user authentication processing unit 122 instructs the security chip 110 to decrypt the acquired user authentication information 111b (step S812), and the security chip 110 is paired with the public key used when the user identification value is encrypted. The user authentication information 111b is decrypted using the secret key to become (step S813), and the response to the user authentication processing unit 122 is made (step S814).

  The user authentication processing unit 122 compares the user identification value obtained by decryption from the USB token 300 with the user identification value decrypted by the security chip 110 as described above (step S815). If not, the communication control unit 124 is instructed to physically disconnect the network (step S816). Upon receiving the instruction, the communication control unit 124 performs physical line disconnection using the physical switch 170 (step S817).

  If the user identification values match in step S815, the communication control unit 124 is instructed to connect to the network (step S818), and the communication control unit 124 that has received the instruction uses the physical switch 170 to perform line physical connection. The connection is made (step S819), and the frame is transferred via the LAN port 160 (information terminal side 162) (step S820).

  As described above, in the user authentication according to the fourth embodiment, a user having a valid USB token can be authenticated, and network connection control can be performed.

  As described above, when terminal authentication or user authentication fails, the network to which the PC is connected is disconnected at the physical layer level. This means that when there is a change in the configuration information of the PC 200 such as the hardware configuration or the software configuration, the network is disconnected at the physical layer level due to the failure of terminal authentication. As a result, it is possible to block access to a network of a PC on which unauthorized hardware or software is installed.

As described above, the authentication system and the authentication socket device according to the present invention are useful for preventing information leakage from a PC or the like, and particularly when it is desired to easily introduce authentication processing in an environment where a large-scale authentication system is not desired to be introduced. Is suitable.

1 is an explanatory diagram illustrating a configuration method of an authentication system according to Embodiment 1. FIG. 1 is a functional block diagram illustrating a configuration of an authentication socket device according to a first embodiment. FIG. 3 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the first embodiment. It is divided into an upper half (FIG. 3A) and a lower half (FIG. 3B). FIG. 3 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the first embodiment. It is divided into an upper half (FIG. 3A) and a lower half (FIG. 3B). FIG. 4 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the first embodiment. It is divided into an upper half (FIG. 4A) and a lower half (FIG. 4B). FIG. 4 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the first embodiment. It is divided into an upper half (FIG. 4A) and a lower half (FIG. 4B). It is explanatory drawing which showed the structure method of the authentication system which concerns on Example 2. FIG. It is a functional block diagram which shows the structure of the authentication socket apparatus which concerns on Example 2. FIG. FIG. 7 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the second embodiment. It is divided into an upper half (FIG. 7A) and a lower half (FIG. 7B). FIG. 7 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the second embodiment. It is divided into an upper half (FIG. 7A) and a lower half (FIG. 7B). FIG. 8 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the second embodiment. It is divided into an upper half (FIG. 8A) and a lower half (FIG. 8B). FIG. 8 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the second embodiment. It is divided into an upper half (FIG. 8A) and a lower half (FIG. 8B). It is explanatory drawing which showed the structure method of the authentication system which concerns on Example 3. FIG. FIG. 9 is a functional block diagram illustrating a configuration of an authentication socket device according to a third embodiment. It is the figure which showed the outline of the communication authentication process of the authentication system which concerns on Example 3. FIG. FIG. 12 is a sequence diagram illustrating a processing procedure of communication authentication processing (transmission side) of the authentication system according to the third embodiment. It is divided into an upper half (FIG. 12A) and a lower half (FIG. 12B). FIG. 12 is a sequence diagram illustrating a processing procedure of communication authentication processing (transmission side) of the authentication system according to the third embodiment. It is divided into an upper half (FIG. 12A) and a lower half (FIG. 12B). FIG. 13 is a sequence diagram illustrating the processing procedure of the communication authentication process (reception side) of the authentication system according to the third embodiment. It is divided into an upper half (FIG. 13A) and a lower half (FIG. 13B). FIG. 13 is a sequence diagram illustrating the processing procedure of the communication authentication process (reception side) of the authentication system according to the third embodiment. It is divided into an upper half (FIG. 13A) and a lower half (FIG. 13B). It is explanatory drawing which showed the structure method of the authentication system which concerns on Example 4. FIG. FIG. 10 is a functional block diagram illustrating a configuration of an authentication socket device according to a fourth embodiment. FIG. 16 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the fourth embodiment. It is divided into an upper half (FIG. 16A) and a lower half (FIG. 16B). FIG. 16 is a sequence diagram illustrating a processing procedure of terminal authentication processing of the authentication system according to the fourth embodiment. It is divided into an upper half (FIG. 16A) and a lower half (FIG. 16B). FIG. 17 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the fourth embodiment. It is divided into an upper half (FIG. 17A) and a lower half (FIG. 17B). FIG. 17 is a sequence diagram illustrating a processing procedure of user authentication processing of the authentication system according to the fourth embodiment. It is divided into an upper half (FIG. 17A) and a lower half (FIG. 17B).

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Authentication socket apparatus 110 Security chip 111 Memory part 111a Terminal authentication information 111b User authentication information 111c Communication authentication information 111d Common key 112 Calculation engine 112a Key generation engine 112b Random number generation engine 112c Hash value calculation engine 120 Control part 121 Terminal authentication processing part 122 User Authentication Processing Unit 123 Communication Authentication Processing Unit 124 Communication Control Unit 130 Antenna 140 USB Connector 150 PIN Pad 160 LAN Port 161 LAN Side Port 162 Information Terminal Side Port 200 PC
210 RFID tag 220 TPM
300 USB token 310 RFID card 400 LAN
500 Authentication socket device 550 PIN pad 600 PC
610 RFID tag 700 USB token

Claims (19)

An authentication system for authenticating an information terminal and a user of the information terminal,
Terminal identification information storage means for storing terminal identification information which is identification information of the information terminal;
An authentication socket device connected between the information terminal and the network;
A memory storing user identification information which is identification information of a user of the information terminal, a security token having a transmission circuit capable of transmitting the user identification information to the authentication socket device,
In addition,
The authentication socket device receives the terminal identification information from the terminal identification information storage means, authenticates the information terminal based on the received terminal identification information, and further acquires the user identification information from the security token. Configured to receive and authenticate the security token based on the received user identification information;
The authentication system includes a control unit that controls communication between the information terminal and the network based on a result of the authentication process for the information terminal and / or the security token.   2. The authentication system according to claim 1, wherein the control by the control unit is to permit or disallow communication between the information terminal and the network based on a result of the authentication process.   The control according to claim 1 or 2, wherein the control by the control means is to connect or disconnect communication between the information terminal and the network at a physical layer level based on a result of the authentication process. system.   The authentication socket device is configured to authenticate the information terminal by comparing information stored in the authentication socket device with the received terminal identification information. An authentication system according to any one of the above.   The authentication socket device is configured to authenticate the security token by comparing information stored in the authentication socket device with the received user identification information. The authentication system in any one of.   The authentication socket device includes a hardware device having a key generation engine, a random number generation engine, and a hash value calculation engine, and is configured to encrypt and store the received terminal identification information with a key of the hardware device. The authentication system according to any one of claims 1 to 5.   The authentication socket device includes a port connector to which the security token can be attached and detached, and is configured to physically block communication between the information terminal and the network when the security token is removed from the port connector. The authentication system according to any one of claims 1 to 6, wherein:   When the security token includes RFID and the authentication socket device includes an RFID reader, and the RFID reader cannot communicate with the RFID, the authentication socket device physically communicates between the information terminal and the network. The authentication system according to claim 1, wherein the authentication system is configured to be blocked.   The authentication socket device is configured to add communication identification information, which is unique authentication information calculated in a hardware device of the authentication socket device, to communication data to be transmitted to the network. The authentication system in any one of.   The authentication socket device receives the communication identification information calculated in the other authentication socket device from the other authentication socket device on the network, and uses the received communication identification information as its own hardware. The authentication system according to claim 9, wherein the authentication system is configured to collate with the communication identification information calculated by a device and permit or deny communication with the other authentication socket device based on a result of the collation. The authentication socket device further includes user input means, and is configured to transmit second user authentication information input by the user input means to the security token,
The security token is configured to transmit the terminal identification information to the authentication socket device when the transmitted second user authentication information is valid.
The authentication system according to claim 1.   The authentication system according to any one of claims 1 to 10, wherein the terminal identification information storage unit includes an RFID tag having a pasting unit for pasting to the information terminal. The RFID tag is a peeling detection type RFID tag, and is configured to store peeling detection information in a memory in the RFID tag when peeled from the information terminal, and the peeling detection information is stored in the authentication socket device. Configured to be able to send to
The authentication system according to claim 11, wherein the authentication socket device is configured to authenticate the information terminal based on the peeling detection information received from the RFID tag.   The authentication system according to claim 1, further comprising an information terminal in which the terminal identification information storage unit is incorporated. An authentication method for authenticating the information terminal and a user of the information terminal using an authentication socket device connected between the information terminal and a network, and a security token communicable with the authentication socket device,
A first step in which receiving means of the authentication socket device receives terminal identification information, which is identification information of the information terminal, from the information terminal;
A second step in which the processing means of the authentication socket device authenticates the information terminal by comparing the received terminal identification information with information stored in the authentication socket device;
A third step in which the processing means of the authentication socket device recognizes a security token storing user identification information which is identification information of the user;
A fourth step in which the receiving means of the authentication socket device receives the user identification information from the security token;
A fifth step in which the processing means of the authentication socket device authenticates the security token by comparing the received user identification information with information stored in advance in the authentication socket device;
A sixth step in which processing means of the authentication socket device permits or disallows communication between the information terminal and the network based on an authentication result of the information terminal and / or the security token;
An authentication method. An authentication socket device connected between an information terminal and a network, for authenticating the information terminal and a user of the information terminal,
Means for communicating with terminal identification information storage means for storing terminal identification information which is identification information of the information terminal;
Means for receiving the terminal identification information from the terminal identification information storage means;
Means for communicating with a security token storing user identification information which is identification information of a user of the information terminal;
Means for receiving the user identification information from the security token;
Means for authenticating the information terminal by comparing the received terminal identification information with information prestored in the authentication socket device;
Means for authenticating the security token by comparing the received user identification information with information pre-stored in the authentication socket device;
And an authentication socket device configured to allow or disallow communication between the information terminal and the network based on an authentication result of the information terminal and / or the security token.   17. Terminal identification information storage means adapted to store terminal identification information, which is identification information of an information terminal, and to transmit the terminal identification information to the authentication socket device according to claim 16.   An information terminal comprising the terminal identification information storage means according to claim 17.   17. A security token that stores user identification information that is identification information of a user of an information terminal and is adapted to transmit the user identification information to an authentication socket device according to claim 16.

Images