JP2009258965A - Authentication system, authentication apparatus, communication setting apparatus, and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To invalidate authentication of a user before permission of connection to a terminal device 4 as the connection is terminated. <P>SOLUTION: An SSE21 transmits a connection request signal to request permission of connection between the terminal device 4 and a communication destination to an SSC31. The SSC31, if an IP address of the terminal device 4 in the connection request signal is stored in a subscriber data storage unit 314, directs the SSE21 to permit connection between the terminal device 4 and the communication destination. Further, the SSC31, if a disconnection request signal to request disconnection of the connection is transmitted from the SSE21, directs the SSE21 to prohibit the connection. The SSE21 sets the connection between the terminal device 4 and the communication destination to be permitted or prohibited according to directions from the SSC31. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an authentication system, an authentication device, a communication setting device, and an authentication method.

  A base network for providing various information communication services to network subscribers is spreading. One example of such a base network is NGN (Next Generation Network). The NGN is a network for providing telephone services, services that combine fixed communication and mobile communication, and future information communication services.

  In such a basic network, improving safety when providing various information communication services is one of the important issues. Improving safety means, for example, preventing unauthorized entry by a third party due to impersonation, etc., so that only authorized users can access the infrastructure network and applications that provide information communication services. It is. To that end, it is important how to authenticate users.

  As a method for authenticating a user, for example, prior to connection between a terminal device used by the user and a communication destination device (for example, a service providing server such as an application server or a content server), the user is authenticated. There are general ways to do it. When such a general authentication method is used, an authentication server for authenticating a user is often provided between the terminal device and the service providing server.

  Such an authentication server authenticates the user based on the user ID and password input by the user, for example. If the user authentication is successful, the authentication server generates a certificate indicating that the authentication is successful, and transmits the generated certificate to the terminal device.

  The terminal device receives the certificate transmitted from the authentication server, and transmits the received certificate to the service providing server. The service providing server determines whether the service may be provided to the terminal device based on the certificate transmitted from the terminal device. When determining that the service may be provided, the service providing server permits the terminal device to connect to the service providing server.

  In the authentication system using the general authentication method described above, various techniques for further improving safety are considered.

  For example, an authentication server device that can perform packet filtering and access control according to the user and the location of the user and suppress unauthorized access in a corporate network using a wireless LAN or a mobile communication network is considered. (For example, refer to Patent Document 1).

  According to the technique disclosed in Patent Literature 1, when the user authentication is successful, the authentication server specifies the user based on the user ID and is included in the authentication request signal transmitted from the terminal device. The location of the terminal device is specified based on the source IP address or the like. Then, the connection permission setting information corresponding to the identified location is searched from the database, and the searched connection permission setting information is set for the service providing server for providing the service. Further, the authentication server transmits a certificate indicating a successful authentication to the terminal device. When the terminal device requests the service providing server to provide a service, the terminal device transmits a certificate from the authentication server to the service providing server. When the service providing server permits the connection to the terminal device based on the certificate, the terminal device and the service providing server use the connection according to the setting content indicated by the connection permission setting information set by the authentication server. Execute communication.

  In addition, for example, an authentication access control server device is conceivable that maintains a high level of safety and makes it difficult to cause a decrease in throughput regardless of whether the service providing server has an authentication function (for example, Patent Document 2). reference.).

According to the technique disclosed in Patent Literature 2, the authentication access control server device has previously been authenticated for permitting the connection between the terminal device and the service providing server requested to be connected by the terminal device. Is determined. If the authentication has never been performed before, the authentication access control server device receives authentication information for authenticating the user of the terminal device from the terminal device. Then, the authentication access control server device authenticates the user using the authentication information from the terminal device when the service providing server to which the connection is requested from the terminal device does not have the authentication function. The authentication access control server device authenticates the user using the authentication information from the terminal device to the service providing server when the service providing server to which the connection is requested has an authentication function. To request. Once authentication for permitting the connection between the service providing server and the terminal device is performed, the service providing server and the terminal device communicate directly without going through the authentication access control server device. .
JP 2004-062417 A JP 2003-242109 A

  However, according to the technique disclosed in Patent Document 1, all the terminal devices and the service providing server must transmit and receive a certificate. Therefore, there is a problem in that it is impossible to provide a service to a terminal device unless all terminal devices and all service providing servers are provided with a means for processing a certificate. In addition, providing each terminal device and each service providing server with a certificate processing means complicates the configuration of the authentication system, and the complexity of the configuration increases the price of the entire authentication system. There is a problem that.

  Further, in order to improve safety by authenticating the user, it is desirable to authenticate the user every time a service is provided to the terminal device.

  However, according to the technology disclosed in Patent Document 1, once a terminal device obtains a certificate from an authentication server, the same certificate can be obtained even when the terminal device is connected to each of a plurality of service providing servers. There is a problem that it is possible to connect to each service providing server using. This is because the certificate is not invalidated until the expiration date elapses, and is therefore not invalidated at the end of the communication session for connecting to the service providing server.

  Further, according to the technique disclosed in Patent Document 2, once the authentication server executes the authentication of the user for permitting the connection between the terminal device and the server providing device, thereafter, the authentication of the terminal device is performed. The connection between the terminal device and the service providing server becomes possible without user authentication. Therefore, even the technique disclosed in Patent Document 2 has a problem that the user cannot be authenticated every time the service is provided to the terminal device.

  An object of this invention is to provide the authentication system, authentication apparatus, communication setting apparatus, and authentication method which solve the subject mentioned above.

  In order to solve the above problems, an authentication system according to the present invention is connected to a terminal device used by a user, an authentication device that authenticates the user, the terminal device, and the authentication device. And a communication setting device that controls the connection between the terminal device and a communication destination of the terminal device, the authentication device comprising: a subscriber data storage unit that stores identification information for identifying the terminal device; A connection request signal for requesting permission for connection between the terminal device and the communication destination is received from the communication setting device, and the connection request signal received by the reception unit is included in the connection request signal If the authentication unit determines whether identification information is stored in the subscriber data storage unit, and the authentication unit determines that the identification information is stored in the subscriber data storage unit, the communication setting To device The communication setting device transmits a disconnection request signal for instructing the connection between the terminal device and the communication destination to request disconnection of the connection between the terminal device and the communication destination. A connection control instruction unit that instructs the communication setting device to prohibit connection between the terminal device and the communication destination, and the communication setting device is transmitted from the terminal device. When the transmission unit that transmits the connection request signal to the authentication device and the connection control instruction unit are instructed to permit the connection between the terminal device and the communication destination, the terminal device and the communication device Setting to permit connection with the destination, and prohibiting connection between the terminal device and the communication destination when the connection control instruction unit instructs to prohibit the connection between the terminal device and the communication destination And a setting unit for setting to do so.

  Further, the authentication system of the present invention performs identification information conversion on the identification information included in a predetermined location of the connection request signal transmitted from the communication setting device, and the connection request signal includes the identification information converted into the identification information. The subscriber data storage unit stores the identification information of the terminal device and the identification information converted by the identification information conversion device in advance in association with each other. The authentication unit receives the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device in the subscriber data storage unit. The connection control instruction unit determines whether the identification information included in the connection request signal and the identification information converted from the identification information are associated and stored in the subscriber data storage unit. If the authentication unit determines that the connection is established, the communication setting device is instructed to permit the connection between the terminal device and the communication destination, and the disconnection is performed to request the disconnection between the terminal device and the communication destination. When the request signal is transmitted from the communication setting device, the communication setting device may be instructed to prohibit the connection between the terminal device and the communication destination.

  In order to solve the above-described problem, an authentication device according to the present invention is an authentication device connected to a communication setting device that controls connection between a terminal device used by a user and a communication destination of the terminal device. A subscriber data storage unit that stores identification information for identifying a device, and a reception unit that receives a connection request signal for requesting permission of connection between the terminal device and the communication destination from the communication setting device; An authentication unit for determining whether the identification information included in the connection request signal received by the receiving unit is stored in the subscriber data storage unit; and the identification information is the subscriber data storage unit If the authentication unit determines that the information is stored in the communication device, the communication setting device is instructed to permit the connection between the terminal device and the communication destination, and the connection between the terminal device and the communication destination Requesting disconnection When a disconnection request signal is transmitted from the communication setting apparatus, it has on the communication setting apparatus, and a connection control instruction unit for instructing to inhibit the connection between the terminal device and the communication destination.

  Further, the authentication device of the present invention is a connection including a port number for the communication setting device to connect the terminal device and the communication destination when the authentication unit determines that the identification information is stored in the subscriber data storage unit. A setting that generates permission setting information and generates connection prohibition setting information including a port number for disconnecting the connection between the terminal device and the communication destination when the disconnection request signal is transmitted from the communication setting device. When the information generation unit and the connection control instruction unit instruct the communication setting device to permit the connection between the terminal device and the communication destination, the connection permission setting information is transmitted to the communication setting device, and the connection control instruction unit May instruct the communication setting device to prohibit connection between the terminal device and the communication destination, and may include a setting information transmitting unit that transmits connection prohibition setting information to the communication setting device.

  In addition, the authentication device of the present invention performs identification information conversion on identification information included in a predetermined location of the connection request signal transmitted from the communication setting device, and includes a connection request signal including identification information converted from the identification information The subscriber data storage unit associates the identification information of the terminal device with the identification information converted by the identification information conversion device in advance. The authentication unit stores the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device in the subscriber data storage unit. The connection control instructing unit associates the identification information included in the connection request signal with the identification information converted from the identification information in the subscriber data storage unit. When the authentication unit determines that it is remembered, it instructs the communication setting device to permit the connection between the terminal device and the communication destination, and requests to disconnect the connection between the terminal device and the communication destination. When the disconnection request signal is transmitted from the communication setting device, the communication setting device may be instructed to prohibit the connection between the terminal device and the communication destination.

  In order to solve the above problems, a communication setting device of the present invention is a communication setting device connected to a terminal device used by a user and an authentication device for authenticating the user, and is transmitted from the terminal device. A transmission unit that transmits a connection request signal for requesting permission for connection between the terminal device and the communication destination of the terminal device to the authentication device; and from the authentication device to the terminal device and the communication destination Instructed to permit the connection between the terminal device and the communication destination, and to prohibit the connection between the terminal device and the communication destination from the authentication device. A setting unit configured to prohibit connection between the terminal device and the communication destination.

  In addition, the setting unit of the communication setting device of the present invention connects the terminal device and the communication destination using connection permission setting information including a port number for connecting the terminal device and the communication destination transmitted from the authentication device. The connection between the terminal device and the communication destination is prohibited using the connection prohibition setting information including the port number for disconnecting the connection between the terminal device and the communication destination transmitted from the authentication device. You may set to do.

  In order to solve the above problems, an authentication method of the present invention includes a terminal device used by a user, an authentication device that authenticates the user, the terminal device, and the authentication device connected to the terminal device. And a communication setting device for controlling connection between the terminal device and a communication destination of the terminal device, wherein the communication setting device transmits the terminal device and the communication destination transmitted from the terminal device. A transmission process for transmitting a connection request signal for requesting permission for connection to the authentication apparatus, and a subscriber data storage process for storing identification information for the authentication apparatus to identify the terminal apparatus; The authentication apparatus includes the reception process for receiving the connection request signal transmitted in the transmission process from the communication setting apparatus, and the authentication apparatus is included in the connection request signal received in the reception process. Have An authentication process for determining whether identification information for identifying the terminal device is stored in the subscriber data storage process; and the authentication apparatus stores the identification information in the subscriber data storage process. If the authentication process determines that the connection is made, the communication setting device is instructed to permit the connection between the terminal device and the communication destination, and the connection between the terminal device and the communication destination is instructed. Connection control instruction processing for instructing the communication setting apparatus to prohibit connection between the terminal apparatus and the communication destination when a disconnection request signal for requesting disconnection is transmitted from the communication setting apparatus And when the communication setting device is instructed by the authentication device to permit the connection between the terminal device and the communication destination in the connection control instruction processing, the connection between the terminal device and the communication destination is established. To allow And setting to prohibit connection between the terminal device and the communication destination when the authentication device instructs to prohibit the connection between the terminal device and the communication destination in the connection control instruction process. Setting processing.

  In the authentication method of the present invention, the authentication system performs identification information conversion on the identification information included in a predetermined location of the connection request signal transmitted from the communication setting device, and the identification information converted into the identification information is displayed. In the subscriber data storage process, the identification information of the terminal device and the identification information converted by the identification information conversion device are included in the subscriber data storage process. In the authentication process, the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device are the subscribers. In the connection control instruction process, it is determined whether the identification information included in the connection request signal and the identification information converted from the identification information are the subscriber data. When the authentication process determines that the data is stored in association with the data storage process, the communication setting apparatus is instructed to permit the connection between the terminal apparatus and the communication destination, and the terminal apparatus and the communication destination When a disconnection request signal for requesting disconnection of the connection is transmitted from the communication setting device, the communication setting device may be instructed to prohibit the connection between the terminal device and the communication destination.

  According to the present invention, a terminal device used by a user, an authentication device that authenticates the user, and communication that is connected to the terminal device and the authentication device and controls connection between the terminal device and a communication destination of the terminal device. In the authentication system including the setting device, the communication setting device transmits a connection request signal for requesting permission for connection between the terminal device and the communication destination transmitted from the terminal device to the authentication device, and performs authentication. Identification information for the device to store identification information for identifying the terminal device, receive the transmitted connection request signal from the communication setting device, and identify the terminal device included in the received connection request signal If it is determined that the identification information is stored, the communication setting device is instructed to permit connection between the terminal device and the communication destination, and the terminal device and the communication destination Disconnect from When a disconnection request signal for requesting is transmitted from the communication setting device, the communication setting device is instructed to prohibit the connection between the terminal device and the communication destination, and the communication setting device When the authentication device instructs to permit the connection between the terminal device and the communication destination, the authentication device sets so as to permit the connection between the terminal device and the communication destination and prohibits the connection between the terminal device and the communication destination. Since it is configured to prohibit connection between the terminal device and the communication destination when instructed, the user authentication performed before connecting the terminal device and the communication destination of the terminal device is It can be invalidated when communication using the connection ends.

(Embodiment 1)
Hereinafter, an authentication system (including an authentication device, a communication setting device, an authentication method, and a program) according to the first embodiment of the present invention will be described.

  First, the overall configuration of the authentication system according to the first embodiment will be described.

  As shown in FIG. 1, this authentication system includes a network 1 and a terminal device 4.

  The network 1 transmits the packet transmitted from the terminal device 4 to another device (not shown) that is a communication destination of the terminal device 4. Further, the network 1 transmits the packet transmitted from the communication destination of the terminal device 4 to the terminal device 4.

  The communication destination here may be, for example, a service providing server that provides various information communication services to the terminal device 4. For example, when there are a plurality of terminal devices 4 in the authentication system, another terminal device 4 different from the terminal device 4 that transmits the packet may be used.

  Although the form of the network 1 is not particularly limited, in this explanation example, the case where the network 1 is NGN will be described as an example.

  In the following, a case where SIP (Session Initiation Protocol) is used as a call control protocol for controlling a session (call) in which the network 1 connects the terminal device 4 and its communication destination will be described as an example.

  Further, the communication method between the network 1 and the terminal device 4 is not particularly limited. For example, when the communication method is a wireless communication method, wireless communication via a general wireless communication interface may be performed. For example, when the communication method is a wired communication method, wired communication via Ethernet (registered trademark) may be performed.

  The network 1 (NGN) is, for example, a packet-based network and includes a packet transfer layer 2 and a service control layer 3.

  The packet transfer layer 2 is a logical layer that performs a packet transfer function. The packet transfer layer 2 includes an SSE (Subscriber Service Edge) 21 and an IBE (Intermediate Border gateway Equipment) 22.

  The SSE 21 is configured by a router, for example, and relays packets transmitted and received between the terminal device 4 and the communication destination of the terminal device 4. That is, the SSE 21 functions as a router on the user side of the terminal device 4 (that is, the subscriber of the network 1).

  Further, the SSE 21 is a “communication setting device” that also has a general firewall function for setting the connection between the terminal device 4 and the communication destination of the terminal device 4 to either one of permitted or prohibited.

  The IBE 22 is configured by, for example, a router, and transmits and receives packets between the network 1 and another network (not shown) other than the network 1.

  The service control layer 3 is a logical layer that performs various service control functions. The service control layer 3 is composed of a two-level control device including an SSC (Subscriber Session Control Server) 31 and an ISC (Intermediate Session Control Server) 32.

  The SSC 31 authenticates the user by using “identification information” of the terminal device 4 in a “connection request signal” to be described later transmitted from the terminal device 4 at the time of transmission from the terminal device 4. Is.

  In this explanation example, the case where the “identification information” of the terminal device 4 is the IP address or port number of the terminal device 4 will be described as an example.

  Further, when the user authentication is successful, the SSC 31 calls a device other than the terminal device 4 that is the communication destination of the terminal device 4.

  Further, when the communication destination called by the SSC 31 responds, the SSC 31 instructs the SSE 21 that accommodates the terminal device 4 to permit the connection between the terminal device 4 and the communication destination that has responded. For example, the SSC 31 instructs the SSE 21 to open a port number corresponding to a session that can transmit a packet from the terminal device 4 to the communication destination by changing the firewall setting.

  In addition, when the communication using the connection between the terminal device 4 and the communication destination ends (for example, at the end of the call), the SSC 31 prohibits the SSE 21 from connecting the terminal device 4 and the communication destination. In other words, it instructs to disconnect the connection. For example, the SSC 31 instructs the SSE 21 to close the port number corresponding to the session for which connection is permitted by changing the firewall setting.

  The ISC 32 is a server that controls a connection between the network 1 and another network.

  The terminal device 4 is constituted by, for example, a predetermined information processing device and corresponds to a “SIP client”.

  The terminal device 4 executes various processes according to operations performed by the user.

  For example, the terminal device 4 requests the SSC 31 for authentication by transmitting a “connection request signal”. In this example, the case where the connection request signal is an INVITE packet PI will be described as an example.

  The “INVITE packet PI” here is, for example, in accordance with the definition of RFC3311, a SIP client (terminal device 4 in this example) requests connection to its communication destination (for example, a service providing server). Packet.

  Note that the numbers of SSE21, IBE22, SSC31, ISC32, and terminal device 4 may be arbitrary. Moreover, SSE21, IBE22, SSC31, and ISC32 are not restricted to being configured by independent casings, but may have a configuration accommodated in the same casing.

  Next, the configuration of the SSE 21 that is a “communication setting device” will be described in detail.

  As illustrated in FIG. 2, the SSE 21 includes a packet transmission / reception unit 211 and a setting unit 212.

  The packet transmission / reception unit 211 includes, for example, a communication module, and transmits / receives packets to / from the terminal device 4, the SSC 31, and the IBE 22. For example, the packet transmitting / receiving unit 211 receives various SIP signals transmitted from the terminal device 4 or the SSC 31.

  When receiving the SIP signal, for example, the packet transmitting / receiving unit 211 receives from the terminal device 4 a connection request signal (INVITE packet PI) for requesting a connection between the terminal device 4 and its communication destination.

  Further, the packet transmission / reception unit 211 (“transmission unit”) executes “transmission processing”, and transmits the connection request signal transmitted from the terminal device 4 to the SSC 31 (authentication device).

  For example, the packet transmission / reception unit 211 receives from the terminal device 4 a “disconnection request signal” for requesting to disconnect the connection between the terminal device 4 and the communication destination. Hereinafter, a case where the “disconnection request signal” is the BYE packet PB will be described as an example.

  The BYE packet PB here is a packet indicating that the terminal device 4 is requesting disconnection of the connection with the communication destination in accordance with, for example, RFC2060.

  Further, the packet transmitting / receiving unit 211 receives the connection instruction signal CA or the disconnection instruction signal CC transmitted from the SSC 31.

  The “connection instruction signal CA” is a signal that instructs to permit connection between the terminal device 4 and its communication destination. The “disconnect instruction signal CC” is a signal instructing prohibition of connection between the terminal device 4 and its communication destination.

  Further, the packet transmitting / receiving unit 211 (“setting information receiving unit”) receives connection permission setting information 401 or connection prohibition setting information 402 described later transmitted from the SSC 31.

  The setting unit 212 permits the connection between the terminal device 4 and its communication destination according to the connection instruction signal CA from the SSC 31. In this case, the setting unit 212 connects the terminal device 4 and its communication destination based on the connection permission setting information 401 received by the packet transmitting / receiving unit 211.

  Further, the setting unit 212 prohibits connection between the terminal device 4 and its communication destination in accordance with the disconnection instruction signal CC from the SSC 31. In this case, the setting unit 212 disconnects the connection between the terminal device 4 and its communication destination based on the connection prohibition setting information 402 received by the packet transmitting / receiving unit 211.

  More specifically, the setting unit 212 rewrites the connection enable / disable setting information 405 stored therein according to either the connection permission setting information 401 or the connection prohibition setting information 402. Then, using the rewritten connection availability setting information 405, the opening / closing of the firewall is controlled.

  For example, the setting unit 212 changes the firewall setting so as to open a port number corresponding to a session connecting the terminal device 4 and its communication destination according to the setting content indicated by the connection permission setting information 401.

  Further, the setting unit 212 changes the firewall setting so as to close the port number corresponding to the session connecting the terminal device 4 and its communication destination according to the setting content indicated by the connection prohibition setting information 402.

  Next, the configuration of the SSC 31 that is the “authentication apparatus” will be described in detail.

  As shown in FIG. 3, the SSC 31 includes a packet transmission / reception unit 311, a packet identification unit 312, an authentication unit 313, a subscriber data storage unit 314, a setting information generation unit 315, a connection control instruction unit 316, It has a condition storage unit 317, a regulation unit 318, and a notification unit 319.

  The packet transmission / reception unit 311 includes, for example, a communication module, and transmits / receives a packet to / from the SSE 21 or the ISC 32.

  The packet transmitting / receiving unit 311 (“receiving unit”) executes “reception processing” and receives various SIP signals transmitted from the SSE 21 or the ISC 32.

  In this “reception process”, the packet transmission / reception unit 311 (reception unit) receives, for example, a connection request signal (INVITE packet PI) received by the SSE 21 from the terminal device 4 and transmitted from the SSE 21.

  For example, when a connection request signal is transmitted from the terminal device 4, the packet transmission / reception unit 311 receives a “connection permission signal” from the ISC 32.

  Hereinafter, a case where the “connection permission signal” is an OK packet PO corresponding to the connection request signal transmitted from the terminal device 4 will be described as an example.

  The “OK packet PO” here is a packet indicating that a request from a client is received and identified at the request destination, for example. When the state of the OK packet PO is represented by a status code defined by RFC (Request For Comment) 2616, it corresponds to a status code “200”.

  For example, the packet transmission / reception unit 311 receives from the SSE 21 a disconnection request signal (BYE packet PB) that the SSE 21 has received from the terminal device 4 and transmitted.

  For example, when a disconnection request signal is transmitted from the terminal device 4, the packet transmission / reception unit 311 receives a “disconnect permission signal” from the ISC 32.

  Hereinafter, a case where the “disconnection permission signal” is an OK packet PO corresponding to the disconnection request signal (BYE packet PB) transmitted from the terminal device 4 will be described as an example.

  The packet transmitting / receiving unit 311 transmits various SIP signals to the SSE 21 or the ISC 32.

  For example, when the authentication of the user by the authentication unit 313 is successful, the packet transmission / reception unit 311 transmits an INVITE packet PI requesting connection between the terminal device 4 and its communication destination to the ISC 32.

  Further, the packet transmitting / receiving unit 311 disconnects instructing the SSE 21 to prohibit the connection or the connection instruction signal CA instructing the SSE 21 to permit the connection between the terminal device 4 and the communication destination. The instruction signal CC is transmitted to the SSE 21.

  Further, the packet transmitting / receiving unit 311 (“setting information transmitting unit”) transmits the connection permission setting information 401 or the connection prohibition setting information 402 generated by the setting information generating unit 315 to the SSE 21 (communication setting device).

  The packet identification unit 312 identifies the type of packet transmitted from the SSE 21 or ISC 32, respectively.

  More specifically, the packet identification unit 312 determines that each packet from the SSE 21 or ISC 32 is an INVITE packet PI (connection request signal), an OK packet PO (connection permission signal) corresponding to the INVITE packet PI, and a BYE packet PB. (Disconnection request signal), an OK packet PO (disconnection permission signal) corresponding to the BYE packet PB, or a REGISTER packet PR (registration request signal) described later is identified.

  The authentication unit 313 executes “authentication processing”, and the “identification information” included in the connection request signal (INVITE packet PI) from the terminal device 4 is “registered identification information 403” in the subscriber data storage unit 314. Whether or not the user authentication is successful (that is, authentication success or failure) is determined based on whether or not the user is registered.

  In addition, although it does not specifically limit about the identification information contained in INVITE packet PI from the terminal device 4 which the authentication part 313 uses for authentication, In the following description example, the identification information contained in the header of INVITE packet PI The case of (the IP address or port number of the terminal device 4) will be described as an example. The IP address here may be either a global address or a private address.

  If the identification information included in the INVITE packet PI from the terminal device 4 is registered in the registration identification information 403, the authentication unit 313 has succeeded in authenticating the user. It is determined that the user is a valid user registered in.

  Further, when the identification information included in the INVITE packet PI from the terminal device 4 is not registered in the registration identification information 403, the authentication unit 313 did not succeed in authenticating the user, that is, the authentication failed. The authenticated person is determined to be an unauthorized user who is not registered in the registration identification information 403.

  The subscriber data storage unit 314 executes “subscriber data storage processing” and stores the IP address and port number of the terminal device 4 in the registration identification information 403.

  The “registration identification information 403” here is identification information of the terminal device 4 (IP address and port number of the terminal device 4) registered in advance to uniquely identify each terminal device 4 used by the user. It is information which shows.

  Furthermore, the IP address registered in the registration identification information 403 may be either a global address or a private address.

  In the authentication system, a DHCP (Dynamic Host Configuration Protocol) server that automatically assigns an IP address to the terminal device 4 that has accessed the network 1 is provided from the viewpoint of simplifying the setting of the IP address in the terminal device 4. It may be provided.

  In this case, the packet transmission / reception unit 311 receives the IP address of the terminal device 4 from the DHCP server. The subscriber data storage unit 314 stores the received IP address in the registration identification information 403.

  The subscriber data storage unit 314 stores, in the registration identification information 403, the IP address and port number of the terminal device 4 for which registration is requested by the “registration request signal”. In this explanation example, the case where the “registration request signal” is a “REGISTER packet PR” which is one of SIP signals will be described as an example.

  The setting information generation unit 315 uses connection permission setting information 401 used by the SSE 21 when setting to permit connection between the terminal device 4 and the communication destination, or a connection prohibition setting used by the SSE 21 when setting to prohibit the connection. Information 402 is generated.

  More specifically, the setting information generation unit 315 generates “connection permission setting information 401” for the SSE 21 to open a port number for connecting the terminal device 4 and its communication destination.

  For example, as shown in FIG. 4A, the connection permission setting information 401 is information that associates a transmission source, a transmission destination, and a port number for establishing a connection between the transmission source and the transmission destination. It is.

  Also, the setting information generation unit 315 generates “connection prohibition setting information 402” for closing the port number for the SSE 21 to connect the terminal device 4 and its communication destination.

  For example, as shown in FIG. 4B, the connection prohibition setting information 402 is information that associates a transmission source, a transmission destination, and a port number for disconnecting the connection between the transmission source and the transmission destination. It is.

  The connection control instruction unit 316 executes “connection control instruction processing”, and when the authentication unit 313 determines that the user authentication is successful, the terminal device 4 and its communication destination are transmitted to the SSE 21 (communication setting device). To allow connection with. In this case, the packet transmitting / receiving unit 311 transmits a connection instruction signal CA to the SSE 21.

  Further, in the “connection control instruction process”, the connection control instruction unit 316 sends a disconnect request signal for requesting disconnection of the connection between the terminal device 4 and the communication destination to the SSE 21. The terminal device 4 is instructed to be prohibited from being connected to the communication destination. In this case, the packet transmitting / receiving unit 311 transmits a disconnection instruction signal CC to the SSE 21.

  The restriction condition storage unit 317 stores restriction condition information 404.

  The restriction condition information 404 is related to the use of the network 1 by the terminal device 4 when the authentication of the user by the authentication unit 313 fails, that is, when the authentication unit 313 determines that the authenticated person is an unauthorized user. It is information which shows the regulation conditions for applying regulation. The data structure of the regulation condition information 404 is not particularly limited. Further, the regulation condition information 404 may be editable by an administrator.

  Based on the regulation conditions indicated by the regulation condition information 404, the regulation unit 318 provides various regulations (for example, lockout) regarding the use of the network 1 to the user who is determined to be an unauthorized user by the authentication unit 313. ) Is executed.

  The restriction unit 318 restricts an unauthorized user based on whether or not the user of the terminal device 4 satisfies the restriction condition indicated by the restriction condition information 404. This restriction condition is, for example, a predetermined number of times for restricting the use of the network 1 according to the number of authentication failures of the user of the terminal device 4. In this case, when the number of authentication failures is greater than the predetermined number, the restriction unit 318 places restrictions on unauthorized users.

  When the unauthorized unit identified by the authentication by the authenticating unit 313 is restricted, the notifying unit 319 notifies the administrator that the restriction has been applied. Here, the method for notifying the administrator is not particularly limited. For example, a general notification method such as outputting an alarm sound for notification, displaying a notification screen, and transmitting a notification message may be used. Good. Note that the administrator who receives the notification from the notification unit 319 may perform an operation for releasing the restriction by the restriction unit 318.

  Next, an operation in which the authentication system according to the first embodiment having the above configuration permits or prohibits connection between the terminal device 4 and the communication destination based on the authentication result of the user will be described.

  First, a case where connection between the terminal device 4 and another device (not shown) that is a transmission destination of a packet from the terminal device 4 is permitted will be described.

  As illustrated in FIG. 5, the terminal device 4 transmits to the SSE 21 an INVITE packet PI (connection request signal) for requesting permission to connect to the packet transmission destination.

  The packet transmitting / receiving unit 211 of the SSE 21 receives the INVITE packet PI from the terminal device 4 and transmits the received INVITE packet PI to the SSC 31.

  The packet transmission / reception unit 311 (reception unit) of the SSC 31 receives the INVITE packet PI transmitted from the SSE 21.

  The authentication unit 313 determines whether or not the IP address of the terminal device 4 included in the header of the INVITE packet PI from the SSE 21 is registered in the registration identification information 403 in the subscriber data storage unit 314. Is authenticated (step S1). When the IP address of the terminal device 4 is registered in the registration identification information 403, the authentication unit 313 determines that the user has been successfully authenticated.

  When it is determined that the authentication is successful, the packet transmitting / receiving unit 311 of the SSC 31 transmits the INVITE packet PI to the ISC 32.

  When the ISC 32 receives the INVITE packet PI (connection request signal) from the SSC 31, the ISC 32 transmits an OK packet PO (connection permission signal) indicating that the connection request signal has been received and identified at the communication destination to the SSC 31. .

  When the packet transmission / reception unit 311 receives the OK packet PO from the ISC 32, the setting information generation unit 315 of the SSC 31 sets the SSE 21 to permit the connection between the terminal device 4 that is the transmission source of the connection request signal and the communication destination. Connection permission setting information 401 to be generated is generated.

  Further, the connection control instruction unit 316 of the SSC 31 instructs the SSE 21 to permit the connection between the terminal device 4 and its communication destination (step S2).

  When instructing connection permission, the packet transmitting / receiving unit 311 of the SSC 31 transmits a connection instruction signal CA and connection permission setting information 401 to the SSE 21.

  The setting unit 212 of the SSE 21 permits the connection between the terminal device 4 and its communication destination according to the connection instruction signal CA from the SSC 31. For example, the setting unit 212 uses the connection permission setting information 401 from the SSC 31 to change the firewall setting so that the port number of the session connecting the terminal device 4 and its communication destination can be opened.

  With the above, a series of operations for allowing the authentication system of the first embodiment to permit connection between the terminal device 4 and its communication destination is completed.

  Next, a case where the authentication system according to the first embodiment disconnects the connection between the terminal device 4 and the communication destination will be described.

  As illustrated in FIG. 6, when the terminal device 4 is connected to the communication destination and the communication using the connection is terminated (for example, at the end of the call), the terminal device 4 requests to disconnect the connection. BYE packet PB (disconnect request signal) is transmitted to the SSE 21.

  The SSE 21 receives the BYE packet PB from the terminal device 4 and transmits the received BYE packet PB to the SSC 31.

  The packet transmission / reception unit 311 of the SSC 31 transmits the BYE packet PB received from the SSE 21 to the ISC 32.

  When receiving the BYE packet PB from the SSC 31, the ISC 32 transmits an OK packet PO (disconnection permission signal) corresponding to the BYE packet PB (disconnection request signal) to the SSC 31.

  When the setting information generation unit 315 of the SSC 31 receives the OK packet PO (disconnection permission signal) from the ISC 32, the connection prohibition setting information 402 for the SSE 21 to perform the setting for prohibiting the connection between the terminal device 4 and its communication destination. Is generated.

  Further, the connection control instruction unit 316 of the SSC 31 instructs the SSE 21 to prohibit the connection between the terminal device 4 and its communication destination (step S3).

  When instructing the prohibition of connection, the packet transmitting / receiving unit 311 of the SSC 31 transmits the disconnection instruction signal CC and the connection prohibition setting information 402 to the SSE 21.

  The setting unit 212 of the SSE 21 prohibits connection between the terminal device 4 and its communication destination in accordance with the disconnection instruction signal CC from the SSC 31. For example, the setting unit 212 uses the connection prohibition setting information 402 from the SSC 31 to change the firewall setting so as to close the port number of the session connecting the terminal device 4 and its communication destination.

  With the above, a series of operations for prohibiting the connection between the terminal device 4 and its communication destination is completed by the authentication system of the first embodiment.

  Next, the operation of the SSC 31 when a packet transmitted from the SSE 21 or ISC 32 is received will be described in detail.

  As shown in FIG. 7, the packet transmission / reception unit 311 receives a packet transmitted from either the SSE 21 or the ISC 32 (step S11).

  The packet identification unit 312 identifies the type of packet from the SSE 21 or ISC 32 (step S12).

  First, an operation when the packet identifying unit 312 identifies that the packet from the SSE 21 is the INVITE packet PI (connection request signal) in step S12 will be described.

  When identifying the INVITE packet PI, the authentication unit 313 determines whether the IP address registered in the header of the INVITE packet PI from the SSE 21 is registered in the registration identification information 403 in the subscriber data storage unit 314. Based on the above, it is determined whether or not the user authentication is “successful” (step S13).

  If the IP address in the header of the INVITE packet PI is registered in the registration identification information 403, the authentication unit 313 determines that the user has been successfully authenticated. In this case, the packet transmitting / receiving unit 311 transmits the INVITE packet PI (connection request signal) shown in FIG. 5 to the ISC 32 (step S14).

  On the other hand, when the authentication unit 313 determines that the user authentication has failed in step S13, the restriction unit 318 determines whether or not the restriction condition indicated by the restriction condition information 404 in the restriction condition storage part 317 is satisfied ( Step S15). When the restriction unit 318 determines that the restriction condition is satisfied (for example, when the number of authentication failures is equal to or less than a predetermined number), the packet transmission / reception unit 311 executes the process of step S11 again.

  On the other hand, when the regulation unit 318 determines that the regulation condition is not satisfied, the regulation unit 318 determines that the person who is determined to be an unauthorized user based on the regulation condition indicated by the regulation condition information 404 is a network. Various restrictions (for example, lockout) regarding use of 1 are applied (step S16).

  Further, the notification unit 319 notifies the administrator that the regulation unit 318 has regulated unauthorized users (step S17).

  Next, an operation when the packet identifying unit 312 identifies that the packet from the ISC 32 is the OK packet PO in step S12 will be described.

  When identifying the packet as an OK packet, the packet identification unit 312 determines whether the OK packet is an OK packet PO (connection permission signal) corresponding to the connection request signal (INVITE packet PI) from the terminal device 4, or It is further determined whether the packet is an OK packet (disconnection permission signal) corresponding to the disconnection request signal (BYE packet PB) from the terminal device 4.

  The setting information generation unit 315 generates either the connection permission setting information 401 or the connection prohibition setting information 402 according to the OK packet type determination result by the packet identification unit 312 (step S18).

  More specifically, in step S18, the setting information generation unit 315 connects the terminal device 4 and the communication destination when the packet identification unit 312 determines that the OK packet from the ISC 32 is a “connection permission signal”. Connection permission setting information 401 for authorizing the connection is generated.

  In step S18, the setting information generation unit 315 prohibits connection between the terminal device 4 and the communication destination when the packet identification unit 312 determines that the OK packet from the ISC 32 is a “disconnect permission signal”. Connection prohibition setting information 402 is generated.

  The packet transmitting / receiving unit 311 (setting information transmitting unit) transmits the connection permission setting information 401 or the connection prohibition setting information 402 generated by the setting information generating unit 315 to the SSE 21 (step S19).

  Next, an operation when the packet identifying unit 312 identifies that the packet from the SSE 21 or the ISC 32 is “REGISTER packet PR” (registration request signal) in step S12 will be described.

  When identifying the REGISTER packet PR, the packet identification unit 312 writes the identification information (IP address or port number) of the terminal device 4 into the registration identification information 403, thereby transferring the identification information to the registration identification information 403. And register. Note that the subscriber data storage unit 314 stores the registration identification information 403 in which the identification information of the terminal device 4 for which registration is requested is newly written (step S20). Thus, a series of processing by the SSC 31 is completed.

  Next, an operation when the authentication system of the first embodiment permits the connection between the terminal device 4 and a communication destination existing in a network other than the network 1 based on a user authentication result will be described. In this example, the IP address included in the INVITE packet PI (connection request signal) is a global address that is an IP address that can identify the terminal device 4 in another network.

  As shown in FIG. 8, first, the terminal device 4 transmits an INVITE packet PI (connection request signal) to the SSE 21 in order to request connection with a communication destination.

  The SSE 21 receives the INVITE packet PI from the terminal device 4 and transmits the received INVITE packet PI to the SSC 31.

  In the SSC 31, when the packet transmission / reception unit 311 receives the INVITE packet PI from the SSE 21, the packet identification unit 312 identifies the INVITE packet PI.

  At this time, the authentication unit 313 determines whether or not the user authentication is “successful” based on whether or not the identification information registered in the header of the INVITE packet PI from the SSE 21 is registered in the registration identification information 403. It discriminate | determines (step S31).

  When the identification information in the header HD of the INVITE packet PI is registered in the registration identification information 403, the authentication unit 313 determines that the user has been successfully authenticated. In this case, the packet transmitting / receiving unit 311 transmits the INVITE packet PI from the SSE 21 to the ISC 32.

  The ISC 32 receives the INVITE packet PI from the SSC 31. In this example, the destination of the INVITE packet PI is a network other than the network 1. Therefore, the ISC 32 transmits the received INVITE packet PI to the IBE 22.

  The IBE 22 transmits the INVITE packet PI received from the ISC 32 to a communication destination existing in another network that is the transmission destination.

  Thereafter, the IBE 22 receives an OK packet PO (connection permission signal) transmitted from a communication destination existing in another network in response to the INVITE packet PI. Subsequently, the IBE 22 transmits an OK packet PO from another network to the ISC 32.

  The ISC 32 receives the OK packet PO from the IBE 22 and transmits the received OK packet PO to the SSC 31.

  In the SSC 31, the packet transmitting / receiving unit 311 receives the OK packet PO (connection permission signal) from the ISC 32.

  In this case, the setting information generation unit 315 generates connection permission setting information 401 for permitting the connection between the terminal device 4 and its communication destination when the SSE 21 opens the firewall (step S32).

  In addition, the connection control instruction unit 316 instructs the SSE 21 to permit the connection between the terminal device 4 and its communication destination. The packet transmitting / receiving unit 311 transmits the connection permission setting information 401 and the connection instruction signal CA generated by the setting information generating unit 315 to the SSE 21.

  The packet transmitting / receiving unit 211 of the SSE 21 receives the connection instruction signal CA and the connection permission setting information 401 from the SSC 31.

  The setting unit 212 of the SSE 21 permits the connection between the terminal device 4 and its communication destination according to the connection instruction signal CA received by the packet transmitting / receiving unit 211 (step S33). For example, the setting unit 212 uses the connection permission setting information 401 from the SSC 31 to change the firewall setting so as to open a port number for establishing a session between the terminal device 4 and its communication destination.

  With the above, a series of operations for allowing the authentication system of the first embodiment to permit connection between the terminal device 4 and a communication destination existing in a network other than the network 1 based on the user authentication result is completed. To do.

  Next, an operation when the authentication system of the first embodiment disconnects the terminal device 4 from a communication destination existing in a network other than the network 1 will be described.

  As shown in FIG. 9, first, the terminal device 4 transmits a BYE packet PB (disconnection request signal) to the SSE 21 in order to request disconnection of the connection between itself and the communication destination.

  The SSE 21 receives the BYE packet PB from the terminal device 4 and transmits the BYE packet PB to the SSC 31.

  The SSC 31 transmits the BYE packet PB received from the SSE 21 to the ISC 32.

  The ISC 32 receives the BYE packet PB from the SSC 31. In this example, the destination of the BYE packet PB is a network other than the network 1. Therefore, the ISC 32 transmits the received BYE packet PB to the IBE 22.

  The IBE 22 transmits the BYE packet PB from the ISC 32 to a transmission destination existing in another network.

  Thereafter, the IBE 22 receives an OK packet PO (disconnection permission signal) transmitted from a communication destination existing in another network in response to the BYE packet PB (connection request signal). Subsequently, the IBE 22 transmits the received OK packet PO to the ISC 32.

  The ISC 32 receives the OK packet PO from the IBE 22 and transmits the received OK packet PO to the SSC 31.

  In the SSC 31, the packet transmission / reception unit 311 receives an OK packet PO (disconnection permission signal) from the ISC 32.

  In this case, the setting information generation unit 315 generates connection prohibition setting information 402 for prohibiting connection between the terminal device 4 and its communication destination when the SSE 21 closes the firewall (step S41).

  Further, the connection control instruction unit 316 of the SSC 31 instructs the SSE 21 to prohibit connection between the terminal device 4 and its communication destination. The packet transmitting / receiving unit 311 transmits the connection prohibition setting information 402 and the disconnection instruction signal CC generated by the setting information generating unit 315 to the SSE 21.

  The packet transmitting / receiving unit 211 of the SSE 21 receives the disconnection instruction signal CC and the connection prohibition setting information 402 from the SSC 31.

  Subsequently, the setting unit 212 of the SSE 21 prohibits connection between the terminal device 4 and its communication destination in accordance with the disconnection instruction signal CC received by the packet transmitting / receiving unit 211 (step S42). For example, the setting unit 212 uses the connection prohibition setting information 402 from the SSC 31 to change the firewall setting so as to close the port number of the session connecting the terminal device 4 and its communication destination.

  With the above, a series of operations for disconnecting the connection between the terminal device 4 and a communication destination existing in a network other than the network 1 is completed by the authentication system of the first embodiment.

  As described above, according to the authentication system of the first embodiment, when the authentication of the user by the authentication unit 313 is successful, the SSC 31 is connected to the terminal device 4 with respect to the SSE 21 that accommodates the user terminal device 4. An instruction is given to allow connection with the communication destination. In addition, when the communication using the connection between the terminal device 4 and the communication destination ends (for example, at the end of a call), the SSC 31 instructs the SSE 21 to prohibit the connection between the terminal device 4 and the communication destination. To do.

  That is, the session for connecting the terminal device 4 and its communication destination is disconnected simultaneously with the end of communication using the connection. Therefore, the user authentication performed before connecting the terminal device 4 and its communication destination can be invalidated as the connection ends. As a result, user authentication can be performed strictly, and the security of the authentication system is improved.

  Further, according to the first embodiment, control for permitting or prohibiting connection between the terminal device 4 and the communication destination (for example, firewall opening / closing control) is performed only by cooperation between the SSC 31 and the SSE 21 in the network 1. It is possible.

Thereby, the component for performing the process for the authentication for permitting the connection between the terminal device 4 and the communication destination (for example, the service providing server) and the control of the connection to the terminal device 4 or the communication destination. It does not have to be provided.
(Embodiment 2)
Next, an authentication system according to the second embodiment will be described.

  As shown in FIG. 10, the configuration of the authentication system of the second embodiment is almost the same as the example shown in FIG.

  However, the authentication system of the second embodiment has an SSC 31A instead of the SSC 31 of the first embodiment.

  In the authentication system of the second embodiment, a NAT (Network Address Translation) device 23 is provided between the SSC 31A and the SSE 21. Here, the NAT device 23 is provided from the viewpoint of safety and the viewpoint of saving the number of global addresses.

  The NAT device 23 mutually transmits an IP address (private address) used only in a predetermined range (for example, subnet) in the network 1 and an IP address (global address) for identifying the terminal device 4 on the Internet or the like. It is an “identification information conversion device” that plays the role of conversion.

  That is, the NAT device 23 performs “identification information” with respect to the identification information (private address and old port number of the terminal device 4) included in a predetermined location of the connection request signal from the terminal device 4 transmitted from the SSE 21. Convert "(network address conversion). By this identification information conversion, the NAT device 23 generates new identification information (global address and new port number of the terminal device 4).

  Further, the NAT device 23 transmits a connection request signal including the identification information obtained by converting the identification information to the SSC 31A.

  When the NAT device 23 performs network address conversion on the INVITE packet PI, as shown in FIG. 11, a header HD (“predetermined location”) in which additional information such as a transmission destination is registered in the INVITE packet PI. ), The global address of the terminal device 4 after the network address conversion is registered as the identification information of the terminal device 4.

  On the other hand, network address conversion by the NAT device 23 is not performed on the identification information of the terminal device 4 in the payload RD which is the data body excluding the header HD from the INVITE packet PI.

  Therefore, in the payload RD, the private address of the terminal device 4 is registered as the identification information of the terminal device 4. In this example, the information registered in the payload RD is the SIP signal itself.

  In the second embodiment, both the global address and the private address of the terminal device 4 are registered in registration identification information 403A described later in cooperation with the SSC 31A and the NAT device 23.

  Further, the SSC 31A authenticates the user after determining that the global address and the private address in the connection request signal are properly associated with each other in the registration identification information 403A in the subscriber data storage unit 314. .

  Next, the configuration of the SSC 31A of the second embodiment will be described in detail.

  As shown in FIG. 12, the SSC 31A is basically the same as the configuration of the SSC 31 shown in FIG.

  However, the packet transmission / reception unit 311 of the second embodiment receives the private address and global address of the terminal device 4 from the NAT device 23. At this time, the packet transmitting / receiving unit 311 also receives a registration request signal (REGISTER packet PR) for requesting registration of a private address or a global address from the NAT device 23.

  Further, when the NAT device 23 also converts the port number to the network address, the packet transmitting / receiving unit 311 sends the new port number that is the port number after the network address conversion and the old port number before the network address conversion from the NAT device 23. Receive.

  Further, the subscriber data storage unit 314 according to the second embodiment executes “subscriber data storage processing” and stores the registration identification information 403A in a state in which the private address received by the packet transmission / reception unit 311 is associated with the global address. To do.

  As shown in FIG. 13, the registration identification information 403A includes the private address of the terminal device 4 before the network address conversion by the NAT device 23, and the global address of the terminal device 4 after the network address conversion by the NAT device 23. Is information that associates.

  When a DHCP server is provided in the authentication system from the viewpoint of simplifying the setting of the IP address in the terminal device 4, the subscriber data storage unit 314 has the private address received by the packet transmission / reception unit 311 from the DHCP server. Or the global address is stored in the registration identification information 403A.

  Further, when the NAT device 23 also converts the port number into the network address, the subscriber data storage unit 314 receives the new port number after the network address conversion received by the packet transmitting / receiving unit 311 and the old port number before the network address conversion. Are stored in the registered identification information 403A.

  The authentication unit 313 determines that each of the global address in the header HD (predetermined location) of the connection request signal from the NAT device 23 and the private address of the terminal device 4 in the payload RD of the connection request signal are subscribers. The user is authenticated based on whether or not it is registered in association with the registration identification information 403A in the data storage unit 314.

  That is, the authentication unit 313 determines that the global address in the header HD (predetermined location) of the connection request signal from the NAT device 23 and the private address of the terminal device 4 in the payload RD of the connection request signal are The user is authenticated based on whether or not it is stored in association with the subscriber data storage unit 314.

  If the global address in the header HD of the connection request signal and the private address in the payload RD are registered in association with each other in the registration identification information 403A, the authentication unit 313 determines that the user has been successfully authenticated.

  Next, an operation in which the authentication system of the second embodiment having the above configuration permits a connection between the terminal device 4 and its communication destination based on the authentication result of the user will be described.

  In the second embodiment, the operation for permitting the connection between the terminal device 4 and the communication destination is basically the same as the operation shown in FIG. 5 in the first embodiment.

  However, the network address conversion by the NAT device 23 is performed on the INVITE packet PI (connection request signal) received by the SSE 21 from the terminal device 4 and transmitted.

  More specifically, the source IP address (identification information) registered in the header HD (predetermined location) of the INVITE packet PI from the SSE 21 is converted from a private address to a global address.

  At this time, in step S1 shown in FIG. 5, the authentication unit 313 uses the registration identification information 403A in the subscriber data storage unit 314 to store the global address in the header HD of the connection request signal and the private address in the payload RD, respectively. The user is authenticated based on whether it is registered in association with it (step S1). When the private address and the global address of the terminal device 4 included in the connection request signal are registered in association with the registration identification information 403A, the authentication unit 313 determines that the user has been successfully authenticated. .

  If the port number in the header HD is also converted by the NAT device 23, the SSC 31 has registered the new port number and the old port number in the connection request signal in association with each other in the registration identification information 403A. Authenticate users based on how.

  When the authentication by the authentication unit 313 is successful, the packet transmission / reception unit 311 transmits an INVITE packet PI (connection request signal) to the ISC 32.

  The subsequent operations performed by the authentication system of the second embodiment are the same as the operations of the authentication system of the first embodiment shown in FIG.

  That is, when the packet transmission / reception unit 311 receives an OK packet PO (connection permission signal) corresponding to the connection request signal from the ISC 32, the connection control instruction unit 316 of the SSC 31A permits the connection between the terminal device 4 and its communication destination. (Step S2). When instructing connection permission, the packet transmitting / receiving unit 311 transmits a connection instruction signal CA and connection permission setting information 401 to the SSE 21.

  The setting unit 212 of the SSE 21 permits the connection between the terminal device 4 and its communication destination in accordance with the connection instruction signal CA from the SSC 31A.

  With the above, a series of operations for allowing the authentication system of the second embodiment to permit connection between the terminal device 4 and its communication destination is completed based on the authentication result of the user.

  Note that the operation in which the authentication system of the second embodiment prohibits the connection between the terminal device 4 and its communication destination is basically the same as the operation shown in FIG.

  Next, an operation in which the authentication system according to the second embodiment permits connection between the terminal device 4 and a communication destination existing in a network other than the network 1 based on a user authentication result will be described.

  In the second embodiment, the operation for permitting the connection between the terminal device 4 and a communication destination in a network other than the network 1 is basically the same as the operation shown in FIG. 8 in the first embodiment. .

  However, the network address conversion by the NAT device 23 is performed on the INVITE packet PI (connection request signal) received by the SSE 21 from the terminal device 4 and transmitted.

  At this time, in the process of step S31 shown in FIG. 8, the authentication unit 313 of the SSC 31A determines that the private address in the header HD (predetermined location) and the private address in the payload RD are registered identification information in the subscriber data storage unit 314. The user is authenticated based on whether it is registered in association with 403A (step S31).

  If the global address in the header HD of the INVITE packet PI and the private address in the payload RD are registered in association with the registration identification information 403A, the authentication unit 313 determines that the user has been successfully authenticated. In this case, the packet transmitting / receiving unit 311 transmits the INVITE packet PI from the SSE 21 to the ISC 32.

  The subsequent operations performed by the authentication system of the second embodiment are the same as the operations of the authentication system of the first embodiment shown in FIG.

  That is, the ISC 32 transmits the INVITE packet PI from the SSC 31 to a communication destination in a network other than the network 1 via the IBE 22.

  Further, the ISC 32 receives an OK packet (connection permission signal) corresponding to the INVITE packet PI from a network other than the network 1 via the IBE 22. Further, the ISC 32 transmits the connection permission signal to the SSC 31A.

  When the packet transmission / reception unit 311 receives a connection permission signal from the ISC 32, the setting information generation unit 315 of the SSC 31A has connection permission setting information for allowing the connection between the terminal device 4 and its communication destination when the SSE 21 opens the firewall. 401 is generated (step S32).

  In addition, the connection control instruction unit 316 instructs the SSE 21 to permit the connection between the terminal device 4 and the communication destination. When instructing connection permission, the packet transmitting / receiving unit 311 transmits a connection instruction signal CA and connection permission setting information 401 to the SSE 21.

  The setting unit 212 of the SSE 21 permits connection between the terminal device 4 and its communication destination according to the connection instruction signal CA from the SSC 31A (step S33). At this time, the setting unit 212 uses the connection permission setting information 401 from the SSC 31A to change the firewall setting so that a port number for establishing a session between the terminal device 4 and the communication destination can be opened. To do.

  As described above, in the second embodiment, a series of operations for permitting connection between the terminal device 4 and a communication destination existing in a network other than the network 1 is completed.

  Note that the operation in which the authentication system of the second embodiment prohibits connection between the terminal device 4 and a communication destination existing in a network other than the network 1 is basically the same as the operation illustrated in FIG. 9.

  As described above, according to the second embodiment, the SSC 31A determines whether the global address and the private address in the connection request signal are properly associated with each other in the registration identification information 403A in the subscriber data storage unit 314. Based on this, the user is authenticated. Thereby, for example, it becomes possible to perform stricter authentication than the authentication system of the first embodiment that authenticates a user using either a global address or a private address.

It is a figure which shows the structure of the authentication system according to Embodiment 1 of this invention. It is a figure which shows the structure of SSE shown in FIG. It is a figure which shows the structure of SSC shown in FIG. (A) It is a figure which shows an example of the data structure of the connection permission setting information shown in FIG. (B) It is a figure which shows an example of the data structure of the connection prohibition setting information shown in FIG. It is a figure which shows the sequence when the authentication system of Embodiment 1 permits the connection with a terminal device and its communication destination based on an authentication result. It is a figure which shows a sequence when the authentication system of Embodiment 1 prohibits a connection with a terminal device and its transmission destination. It is a flowchart which shows operation | movement of SSC when a packet is received from SSE or ISC. It is a figure which shows a sequence when the authentication system of Embodiment 1 permits the connection of a terminal device and the communication destination in networks other than the network shown in FIG. 1 based on an authentication result. FIG. 3 is a diagram illustrating a sequence when the authentication system according to the first embodiment prohibits connection between a terminal device and a communication destination in a network other than the network illustrated in FIG. 1. It is a figure which shows the structure of the authentication system according to Embodiment 2 of this invention. It is a figure which shows the data structure of the INVITE packet (connection request signal) in case network address conversion is performed. It is a figure which shows the structure of SSC shown in FIG. It is a figure which shows an example of the data structure of the registration identification information shown in FIG.

Explanation of symbols

1 Network 2 Packet Transfer Layer 3 Service Control Layer 21 SSE
211 Packet transmission / reception unit 212 Setting unit 22 IBE
23 NAT device 31, 31A SSC
311 Packet transmission / reception unit 312 Packet identification unit 313 Authentication unit 314 Subscriber data storage unit 315 Setting information generation unit 316 Connection control instruction unit 317 Restriction condition storage unit 318 Restriction unit 319 Notification unit 32 ISC
4 Terminal device 401 Connection permission setting information 402 Connection prohibition setting information 403, 403A Registration identification information 404 Restriction condition information 405 Connection permission setting information

Claims (9)

A terminal device used by a user, an authentication device that authenticates the user, and a communication setting that is connected to the terminal device and the authentication device and controls connection between the terminal device and a communication destination of the terminal device An authentication system comprising a device,
The authentication device
A subscriber data storage unit for storing identification information for identifying the terminal device;
A receiving unit for receiving a connection request signal for requesting permission of connection between the terminal device and the communication destination from the communication setting device;
An authentication unit for determining whether or not the identification information included in the connection request signal received by the reception unit is stored in the subscriber data storage unit;
When the authentication unit determines that the identification information is stored in the subscriber data storage unit, the communication setting device is instructed to permit connection between the terminal device and the communication destination, When a disconnection request signal for requesting disconnection of the connection between the terminal device and the communication destination is transmitted from the communication setting device, the connection between the terminal device and the communication destination is made to the communication setting device. A connection control instruction unit that instructs to prohibit
The communication setting device includes:
A transmission unit that transmits the connection request signal transmitted from the terminal device to the authentication device;
When the connection control instruction unit is instructed to permit the connection between the terminal device and the communication destination, the connection control instruction unit is configured to permit the connection between the terminal device and the communication destination. An authentication system comprising: a setting unit configured to prohibit connection between the terminal device and the communication destination when instructed to prohibit connection between the terminal device and the communication destination. The identification information included in a predetermined location of the connection request signal transmitted from the communication setting device is subjected to identification information conversion, and the connection request signal including the identification information converted into the identification information is authenticated. An identification information conversion device that transmits to the device,
The subscriber data storage unit stores beforehand the identification information of the terminal device and the identification information converted by the identification information conversion device in association with each other,
The authentication unit stores the subscriber information in which the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device are stored in the subscriber data. Determine whether it is stored in association with each other,
The connection control instruction unit determines that the authentication unit determines that the identification information included in the connection request signal and the identification information converted from the identification information are stored in association with each other in the subscriber data storage unit. In this case, the communication setting device is instructed to permit connection between the terminal device and the communication destination, and a disconnection request signal for requesting disconnection of the connection between the terminal device and the communication destination is received. 2. The authentication system according to claim 1, wherein, when transmitted from the communication setting device, the communication setting device is instructed to prohibit connection between the terminal device and the communication destination. An authentication device connected to a communication setting device that controls connection between a terminal device used by a user and a communication destination of the terminal device,
A subscriber data storage unit for storing identification information for identifying the terminal device;
A receiving unit for receiving a connection request signal for requesting permission of connection between the terminal device and the communication destination from the communication setting device;
An authentication unit for determining whether or not the identification information included in the connection request signal received by the reception unit is stored in the subscriber data storage unit;
When the authentication unit determines that the identification information is stored in the subscriber data storage unit, the communication setting device is instructed to permit connection between the terminal device and the communication destination, When a disconnection request signal for requesting disconnection of the connection between the terminal device and the communication destination is transmitted from the communication setting device, the connection between the terminal device and the communication destination is made to the communication setting device. An authentication device having a connection control instruction unit for instructing to prohibit the connection. When the authentication unit determines that the identification information is stored in the subscriber data storage unit, connection permission setting information including a port number for the communication setting device to connect the terminal device and the communication destination When the disconnection request signal is transmitted from the communication setting device, the communication setting device generates connection prohibition setting information including a port number for disconnecting the connection between the terminal device and the communication destination. A setting information generation unit to
When the connection control instruction unit instructs the communication setting device to permit connection between the terminal device and the communication destination, the connection control setting unit transmits the connection permission setting information to the communication setting device, and the connection control A setting information transmitting unit for transmitting the connection prohibition setting information to the communication setting device when the instruction unit instructs the communication setting device to prohibit the connection between the terminal device and the communication destination; The authentication apparatus according to claim 3, further comprising: The authentication device performs identification information conversion on the identification information included in a predetermined location of the connection request signal transmitted from the communication setting device, and includes the connection including the identification information converted into the identification information. Connected to an identification information conversion device for transmitting a request signal to the authentication device;
The subscriber data storage unit stores beforehand the identification information of the terminal device and the identification information converted by the identification information conversion device in association with each other,
The authentication unit stores the subscriber information in which the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device are stored in the subscriber data. Determine whether it is stored in association with each other,
The connection control instruction unit determines that the authentication unit determines that the identification information included in the connection request signal and the identification information converted from the identification information are stored in association with each other in the subscriber data storage unit. In this case, the communication setting device is instructed to permit connection between the terminal device and the communication destination, and a disconnection request signal for requesting disconnection of the connection between the terminal device and the communication destination is received. 5. The authentication according to claim 3 or 4, wherein, when transmitted from the communication setting device, the communication setting device is instructed to prohibit connection between the terminal device and the communication destination. apparatus. A communication setting device connected to a terminal device used by a user and an authentication device for authenticating the user,
A transmission unit that transmits a connection request signal for requesting permission of connection between the terminal device and the communication destination of the terminal device transmitted from the terminal device to the authentication device;
When the authentication device is instructed to permit the connection between the terminal device and the communication destination, the authentication device is set to permit the connection between the terminal device and the communication destination. A communication setting device having a setting unit configured to prohibit connection between the terminal device and the communication destination when instructed to prohibit connection with the communication destination.   The setting unit permits connection between the terminal device and the communication destination using connection permission setting information including a port number for connecting the terminal device and the communication destination transmitted from the authentication device. The connection between the terminal device and the communication destination using the connection prohibition setting information including the port number for disconnecting the connection between the terminal device and the communication destination transmitted from the authentication device. The communication setting device according to claim 6, wherein the communication setting device is set so as to be prohibited. A terminal device used by a user, an authentication device that authenticates the user, and a communication setting that is connected to the terminal device and the authentication device and controls connection between the terminal device and a communication destination of the terminal device An authentication method in an authentication system comprising an apparatus,
A transmission process in which the communication setting device transmits a connection request signal for requesting permission of connection between the terminal device and the communication destination transmitted from the terminal device to the authentication device;
A subscriber data storage process in which the authentication device stores identification information for identifying the terminal device;
A receiving process in which the authentication apparatus receives the connection request signal transmitted in the transmission process from the communication setting apparatus;
Authentication for determining whether or not identification information for identifying the terminal device included in the connection request signal received in the reception process is stored in the subscriber data storage process. Processing,
When the authentication apparatus determines in the authentication process that the identification information is stored in the subscriber data storage process, the authentication apparatus establishes a connection between the terminal apparatus and the communication destination. When a disconnection request signal is transmitted from the communication setting device for instructing permission and requesting disconnection of the connection between the terminal device and the communication destination, the terminal device is sent to the communication setting device. A connection control instruction process for instructing to prohibit connection with the communication destination;
When the communication setting apparatus is instructed by the authentication apparatus to permit connection between the terminal apparatus and the communication destination in the connection control instruction process, the connection between the terminal apparatus and the communication destination is permitted. If the authentication device instructs to prohibit the connection between the terminal device and the communication destination in the connection control instruction process, the connection between the terminal device and the communication destination is prohibited. An authentication method having a setting process to be set. The authentication system performs identification information conversion on the identification information included in a predetermined location of the connection request signal transmitted from the communication setting device, and the connection includes the identification information converted into the identification information. When comprising an identification information conversion device that transmits a request signal to the authentication device,
In the subscriber data storage process, the identification information of the terminal device and the identification information converted by the identification information conversion device are stored in advance in association with each other,
In the authentication process, the identification information included in the connection request signal transmitted from the identification information conversion device and the identification information converted by the identification information conversion device are stored in the subscriber data storage. Determine whether it is stored in association with the process,
In the connection control instruction process, if the identification information included in the connection request signal and the identification information converted from the identification information are stored in association with each other in the subscriber data storage process, If determined, a disconnection request signal for instructing the communication setting device to permit connection between the terminal device and the communication destination and requesting disconnection of the connection between the terminal device and the communication destination 9. The authentication method according to claim 8, wherein when the communication setting device is transmitted from the communication setting device, the communication setting device is instructed to prohibit connection between the terminal device and the communication destination. .

Images