JP2010055393A - Authentication system, authentication control method, and authentication control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication system capable of preventing opportunity for authentication data tampering while avoiding increase in installation cost. <P>SOLUTION: The authentication system comprises: an information terminal 20; an external storage device 10 connected to the information terminal and capable of externally controlling the information terminal; and a management device 30, 40 capable of performing authentication for an access request from the information terminal. The external storage device stores medium-unique information, acquires medium-unique information when the information terminal is activated while the external storage device is attached thereto, and controls transmission of the acquired medium-unique information to the management device through the information terminal. The management device stores registered medium-unique information that is pre-registered, receives transmitted medium-unique information, and performs first authentication for the access request based on the medium-unique information and the registered medium-unique information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an authentication system, a management device, an external storage device, an authentication control method, a management device authentication control program, and an external storage device authentication control program.

  In a client / server system, in order to access a server (management apparatus) from a client (information terminal), it is often necessary to install dedicated software in advance on the client information terminal.

For this reason, when using an information terminal prepared in an environment where the user is away, the client dedicated software cannot be installed, and therefore the server cannot be accessed from the outside.
At this time, in order to access the server, it is necessary to prepare or carry an information terminal (for example, a notebook PC) in which the dedicated software is installed on the go.

As a technique for accessing the server without carrying the information terminal itself, there is a technique using an external storage medium.
Specifically, the server is accessed using a computer that can directly start an operating system from an external storage medium such as a USB memory, a flash disk, or a CD-ROM.
As a result, the operating system can be stored in a portable external storage medium, and the operating system can be started at any location using a computer in an environment such as a company, home, destination, or Internet cafe, and the client server Can be used as a system client.

However, when accessing the server using a method that starts from an external storage medium, in general authentication based on the user name and password, there is a risk that anyone can access the server if the user name and password are leaked, It is necessary to strengthen the authentication mechanism.
As a method for strengthening this authentication mechanism, hardware authentication is considered, and an authentication method using a USB token, an authentication using a TPM chip, and other various authentications can be cited.

  Further, as a technique related to such an authentication mechanism, for example, Patent Document 1 shown below can be cited.

In Patent Document 1, when a mobile terminal device accesses a DB card, the “hardware identification number” in the card and its own “hardware identification number” are collated, and whether or not the DB card can be accessed based on the collation result To decide.
Here, the “hardware identification number” is written in advance in the mobile terminal device or the DB card in order to associate the mobile terminal device with the DB card. That is, when the server device sets in advance the contents for writing to the mobile terminal device or the DB card, the “hardware identification number” is obtained from any one of the mobile terminal devices belonging to the same group. It is generated according to the read unique terminal identification information (manufacturing number), and the server device writes the hardware identification number in each group-compatible portable terminal device and each DB card used in those terminals. .
Therefore, the same hardware identification number is written as common access restriction information in each mobile terminal device and each DB card belonging to the same group.

In Patent Document 1, a security management system includes, for example, a server device installed on the company side in a company organization, a mobile client terminal (mobile terminal device) brought by each sales person, and a mobile terminal device. And a portable storage medium that is set and used.
Then, application software / databases and the like that are stored and managed on the server device side are externally provided to the portable terminal device side through a portable storage medium that can be carried around, and the database and the like are written into this storage medium and the terminal When distributing to the device, the server device sets the information for associating the terminal with the storage medium and takes various security measures, so that the application software / database etc. in the storage medium is illegal by a third party. The information is surely prevented from being copied or leaked.

In Patent Document 1, each sales person conducts a business activity while accessing the application software / database in the portable storage medium 3 while away from home, and the portable storage medium is taken from the terminal body at the end of the day of business. When it is extracted and set in the card reader / writer on the server device side, the server device collects and processes business records in the storage medium via the card reader / writer. The server device and the plurality of portable terminal devices can be detachably connected via a serial cable.
JP 2001-195311 A

  By the way, such an authentication method using a USB token and a hardware authentication method using a TPM chip have problems such as high introduction cost.

  In addition, when a unique information terminal is identified using a TPM (Trusted Platform Module) chip built in the PC, not all the information terminals to be used are mounted with the TPM chip. It is very difficult to apply to an environment that requires replacement, and it is necessary to carry a relatively heavy dedicated information terminal equipped with a TPM chip.

  In addition, in Patent Document 1, since the same terminal identification information (manufacturing number) is written in each portable terminal device and each DB card, the DB card and the terminal can be individually identified. By holding authentication data on the information terminal side that can be freely touched by the user, the strength of authentication weakens for security, such as increasing the chances of falsification of authentication data, and the possibility of unauthorized access to the server increases. There was a problem.

  An object of the present invention is to solve the problems of the related art described above, and it is not necessary to carry a dedicated information terminal equipped with a TPM chip or the like, and it is a relatively inexpensive authentication that can prevent unauthorized access to a server. A system, a management device, an external storage device, an authentication control method, a management device authentication control program, and an external storage device authentication control program are provided.

  In order to achieve the above object, an authentication system according to the present invention includes an information terminal, an external storage device connected to the information terminal and capable of controlling the information terminal from the outside, and an access request from the information terminal. A management device having an authentication function that permits authentication on the basis of the device for the access request, and the external storage device includes a medium unique information storage unit that stores medium unique information that is the identification information of the device. And terminal control means for controlling transmission of the stored medium-specific information as authentication data to the management apparatus via the information terminal, and the management apparatus is preliminarily used for identifying the external storage device. Registered medium unique information storage means for storing registered already registered medium unique information, medium registered information sent via the information terminal, and the already registered medium unique information. And a management-side control unit that executes a first authentication operation on the external storage device based on the authentication operation, and the management-side control unit authenticates the external storage device by the authentication operation. It is characterized by having a class-a access permitting function that permits an access request from the information terminal.

  The management device (in the authentication system) of the present invention connects an external storage device that can control the information terminal from the outside to the information terminal, and is configured to be communicable with the information terminal with the external storage device. A management apparatus having an authentication function that allows an access request on the premise of authenticating a device related to the access request, and stores registration medium specific information registered in advance to identify the external storage device Receiving the medium specific information transmitted from the registered medium specific information storage means and the information terminal with the external storage device that has acquired the medium specific information stored in the external storage device in advance; The first authentication is performed based on the registered medium unique information, and when the first authentication is successful, the management device from the information terminal with the external storage device is It is characterized a management-side control unit that allows access request, to include that.

  The external storage device (in the authentication system) of the present invention is an external storage device that is connected to an information terminal that can communicate with a management device via a communication network and can control the information terminal from the outside, and is a medium for identifying itself In order for the management device to perform first authentication related to an access request from the information terminal using the medium unique information to the management device using the medium unique information storage means storing the unique information, the information terminal itself And terminal control means for activating the information terminal in a state connected to the terminal, acquiring the medium-specific information, and controlling transmission to the management apparatus via the information terminal.

  The authentication control method (on the management device side) of the present invention is configured to connect an external storage device capable of controlling an information terminal from the outside to the information terminal, and to be able to communicate with the information terminal with the external storage device. An authentication control method using a management device having an authentication function that permits an access request from a device on the premise of authenticating the device related to the access request, and is medium-specific information stored in the external storage device in advance Is received from the information terminal as authentication data, and a first authentication operation for the external storage device is performed based on the already registered medium unique information registered in advance for identification of the external storage device and the medium unique information. When the external storage device is authenticated by the first authentication operation, a class A access request that allows an access request from the information terminal to the management device is permitted. It is characterized by allowing access.

  The authentication control method (on the information terminal side) of the present invention uses an external storage device that is connected to an information terminal that can communicate with a management device and can control the information terminal from the outside, and the information terminal with this external storage device An authentication control method for authenticating an access request to the management device from the management device, wherein the external storage device is connected to the information terminal and starts the information terminal from the external storage device, In order to acquire medium-specific information stored in an external storage device and perform first authentication on the management device with respect to an access request from the information terminal to the management device using the medium-specific information. The information is transmitted to the management apparatus via the information terminal, and the first authentication is executed.

  An authentication control program for a management apparatus according to the present invention connects an external storage device capable of controlling an information terminal from the outside to the information terminal, and is configured to be communicable with the information terminal with the external storage device. An authentication control program for a management apparatus capable of realizing various functions in a computer provided with a management apparatus provided with an authentication function that allows authentication on the premise of authentication of a device related to the access request, A reception control function for receiving and controlling the medium specific information stored in the external storage device from the information terminal as authentication data, the registered medium specific information registered in advance for identification of the external storage device, and the medium specific information Based on the first authentication operation execution function for executing the first authentication operation on the external storage device and the first authentication operation. Wherein when authenticating the external storage device is characterized in that to achieve and a class access acceptable ability to permit an access request from said information terminal to said management device, to the computer.

  An authentication control program for an external storage device according to the present invention uses an external storage device that is connected to an information terminal that can communicate with a management device and can control the information terminal from the outside, and from the information terminal with the external storage device. An authentication control program for an external storage device capable of realizing various functions in a computer provided in the information terminal with an external storage device in order to authenticate an access request to the management device by the management device, When the information terminal is activated from the external storage device in a state where the external storage device is connected to the information terminal, an information acquisition function for acquiring medium specific information stored in the external storage device in advance and the medium specific information are used. In order for the management apparatus to perform first authentication related to access permission from the information terminal to the management apparatus, A terminal control function to execute the management apparatus transmits the control to the first authentication towards via the information terminal, the functions including being characterized in that to realize the computer.

  According to the present invention, by using an external storage device, authentication can be realized using equipment that can be obtained at a lower cost than an information terminal with a built-in USB token or TPM chip, etc., and illegally copied to another external storage device. An excellent authentication system, management device, external storage device, authentication control method, authentication control program for management device, and authentication for external storage device that can prevent unauthorized access such as access to the server from the operating system A control program can be provided.

[First Embodiment]
(Basic configuration of authentication system)
First, the basic configuration of the authentication system will be described. As shown in FIG. 1, the authentication system 1 of the present invention includes a client computer 20 as an information terminal, and an external storage device that is connected (or detachably attached) to the information terminal and that can control the information terminal from the outside. 10 and a server computer 30 and an authentication device 40 that constitute a management device 2 that is configured to be communicable with the information terminal with the external storage device and enables authentication regarding an access request from the information terminal. It is said.
Here, the management device 2 has an authentication function that allows an access request from the information terminal on the premise of authentication of a device (information terminal and / or external storage device) related to the access request.

The external storage device 10 includes medium-specific information storage means 12 that stores medium-specific information for identifying itself (which is its own identification information), and the medium when the information terminal is activated while connected to the information terminal. The system includes an operating system 14 and a medium specific information acquisition module 16 as terminal control means for acquiring specific information and controlling transmission to the management apparatus via the information terminal.
The terminal control means includes a transmission control function (0th transmission control function) that controls transmission of the stored medium-specific information as authentication data toward the management apparatus via the information terminal.

The authentication device 40 constituting the management device 2 includes registered medium specific information storage means (registered medium) that stores registered medium specific information (registered medium specific information) registered in advance for identification for identifying the external storage device. Medium unique information data table 42 as unique information storage means) and the transmitted medium specific information are received, and a first request relating to an access request from the information terminal is received based on the medium specific information and the registered medium specific information. And an authentication control module 43 as a management-side control unit that permits an access request to the management device from the information terminal with the external storage device when the first authentication is successful. Yes.
The management-side control means has a function of executing a first authentication operation on the external storage device based on the already registered medium unique information and the medium unique information sent via the information terminal.
The management-side control means includes a class-a access permission function that permits an access request from the information terminal to the management device when the external storage device is authenticated by the authentication operation.

  In such an authentication system, an operating system and an external storage medium including software having a client function are carried, so that the operating system for connecting the external storage device to a computer such as a place to go can be started without having to carry the terminal itself. Authentication and access to the server.

  Here, some external storage devices such as a hard disk, a USB memory, a CF card, an SD card, and a CD-ROM have information unique to each medium such as a serial number and a vendor ID in an area that can be extracted from the program.

In the above authentication system, software having the client function of the server client system is installed together with the operating system on an external storage medium that is convenient to carry. When accessing the server, software such as the serial number of the external storage device is used. In addition, information based on uniquely determined information unique to the external storage medium that cannot be copied to another medium is requested.
As a result, unauthorized access such as access to the server from an operating system illegally copied to another external storage medium can be prevented.

  In the above-described authentication system, an external storage device such as a USB memory or an SD card is used, so that authentication using the external storage device can be performed even with equipment that can be obtained at a lower cost than a PC with a built-in USB token or TPM chip. Can be realized.

  In this way, when accessing a server using an operating system started from a detachable external storage medium, software including the operating system of the external storage medium by medium authentication that performs authentication using unique information of the starting medium Even if the software is copied, the copied software is not allowed to access the server, and unauthorized use can be prevented.

  Hereinafter, an example of a more detailed embodiment of the “authentication system” of the present invention will be specifically described with reference to the drawings.

(Overall configuration of authentication system)
First, the specific configuration of the authentication system according to the present embodiment will be described from the overall configuration, and then the detailed configuration of each unit will be described. FIG. 1 is a block diagram showing an example of the overall schematic configuration of the authentication system according to the first embodiment of the present invention.

As shown in FIG. 1, the authentication system 1 of the present embodiment is connected to a client computer 20 as an information terminal and a client computer 20 (or is detachably mounted), and can control the client computer 20 from the outside. The external storage device 10 and the management device 2 configured to be able to communicate with the client computer 20 with the external storage device via the communication network CN and authenticate access permission (access request) from the client computer 20 are configured. The server computer 30 and the authentication device 40 are configured to be included.
The client computer 20, the authentication device 40, and the server computer 30 are communicatively connected to each other via a network path that is a wired / wireless communication network CN.
Here, the management apparatus 2 has an authentication function that allows an access request from the information terminal on the premise of authentication of a device related to the access request.

  The external storage device 10 includes the medium unique information storage unit 12 storing medium unique information for identifying itself (which is its own identification information), and the client computer 20 in a state in which the external storage device 10 is connected to the client computer 20. When activated, it includes an operating system 14 as a terminal control means 13 and a medium specific information acquisition module 16 that acquires the medium specific information and controls transmission to the management apparatus via the client computer 20. .

  The external storage device 10 includes a client computer 20 such as a USB port, a CF card slot, a PC card interface, a removable media interface such as a CD-ROM drive, and various smart media interfaces. Connected in a way that can be started.

The medium unique information storage unit 12 has medium unique information such as a hardware unique vendor ID and serial number that can uniquely recognize the medium.
Also, the vendor ID and device ID can be combined. Alternatively, subsystem vendor IDs can be combined as necessary.
For example, in the case of smart media, a code in an IDI (ID information fields) area can be used.

The operating system 14 is configured so that the client computer 20 can be directly activated from the external storage device 10.
As the operating system 14, various OSs can be adopted, and a network OS is preferable. Further, a standard OS such as a secure OS may be customized.
The medium specific information acquisition module 16 performs processing for acquiring medium specific information on the operating system 14.

Thereby, the terminal control means 13 connects itself to the information terminal in order to perform the first authentication relating to the access permission from the information terminal to the management apparatus using the medium specific information. In this state, the information terminal may be activated to acquire the medium-specific information and perform transmission control toward the management device via the information terminal.
The terminal control means 13 may include a transmission control function (0th transmission control function) for controlling transmission of the stored medium-specific information as authentication data to the management apparatus via the information terminal.

  The authentication device 40 constituting the management device includes registered medium specific information storage means (registered medium specific information) that stores registered medium specific information (registered medium specific information) registered in advance for identification for identifying the external storage device. Medium specific information data table 42 as information storage means) and the transmitted medium specific information are received, and a first request relating to an access request from the information terminal is received based on the medium specific information and the registered medium specific information. And an authentication control module 43 serving as a management-side control unit that permits an access request to the management device from the information terminal with the external storage device when the first authentication is successful. .

The medium specific information data table 42 has registered medium specific information in which medium specific information of the external storage device 10 that is permitted to be accessed is registered and listed.
The authentication control module 43 has a function of executing a first authentication operation on the external storage device based on the already-registered medium specific information and the medium specific information sent via the information terminal.
Further, the authentication control module 43 has a class-a access permission function that allows an access request from the information terminal to the management device when the external storage device is authenticated by the authentication operation.

  Here, the authentication device 40 may be implemented as software in the server computer 30. In this case, a single management device can be configured collectively.

  The client computer 20, the server computer 20, and the authentication device 40 operate under program control. If they have a network-related communication function, they have a desktop, laptop computer, and other wireless / wired communication functions. Any computer such as an information device, an information home appliance, or a similar computer may be used, regardless of whether it is mobile or fixed.

The hardware configuration of the client computer 20, the server computer 20, and the authentication device 40 includes a display unit (screen) for displaying various information and the like on the display screen of the display unit (various input fields, etc.) ) Operation input unit (for example, keyboard, mouse, various buttons, display operation unit <button on screen>, touch panel, etc.), transmission / reception unit or communication unit for transmitting / receiving various signals / data ( Modem), a storage unit (for example, a memory, a hard disk, etc.) for storing various programs and various data, and a control unit (for example, a CPU, MPU, DSP, etc.) for controlling these.
However, the client computer 20 is preferably a thin client (network computer). In this case, a hard disk or the like in the storage unit is not necessary.

(About operation)
(Overall outline operation)
Next, the overall operation of the authentication system having the above configuration will be described.

  In the authentication control procedure showing the operation in the authentication system according to the present embodiment, an external storage device that can control the information terminal from the outside is connected to (or detachably attached to) the information terminal, and information with this external storage device is attached. The access request from the information terminal formed so as to be communicable with the terminal is intended to use a management apparatus having an authentication function that is permitted on the premise of authentication of a device related to the access request.

In this authentication control procedure, as a basic procedure on the management device side, medium-specific information stored in advance in the external storage device is received as authentication data from the information terminal (for example, step A15 shown in FIG. 2: reception control step or Reception control function), a first authentication operation for the external storage device is executed based on the registered medium unique information registered in advance for identification of the external storage device and the medium unique information (for example, FIG. 2). Step A16: first authentication operation execution step or function), a class A access that permits an access request from the information terminal to the management device when the external storage device is authenticated by the first authentication operation. A procedure for performing permission (for example, step A17 shown in FIG. 2: a-class access permission step or function) is performed.
That is, the medium specific information transmitted from the information terminal with the external storage device that has previously acquired the medium specific information stored in the external storage device is received, and the medium specific information and the registered medium specific information registered in advance are received. And when the first authentication is successful, an access request to the management device from the information terminal with the external storage device is permitted.

  In addition, this authentication control procedure uses an external storage device that can be connected (or detachably attached) to an information terminal that can communicate with the management device and can control the information terminal from the outside, and the information with this external storage device. An access request from a terminal to the management apparatus is authenticated by the management apparatus.

  In this authentication control procedure, as a basic procedure on the information terminal side, the information terminal is activated from the external storage device in a state where the external storage device is connected to the information terminal (for example, step A12 shown in FIG. 2). The medium specific information stored in the external storage device is acquired (for example, step A13 shown in FIG. 2), and the first authentication related to the access request from the information terminal to the management device using the medium specific information is managed. In order to perform in the apparatus, the medium specific information is controlled to be transmitted to the management apparatus via the information terminal (for example, step A14 shown in FIG. 2), and a procedure for executing the first authentication is performed.

(Detailed operation)
Details of these various operation processing procedures will be described below with reference to FIG. FIG. 2 is a flowchart illustrating an example of a processing procedure in the authentication system of FIG.

First, by using the operation input unit possessed by the server computer 30 or the authentication device 40, the authentication device 40 allows an access permission condition (for example, an external storage device) to permit access (access request) to the server computer 30. 10 medium specific information or information based on the medium specific information) is registered in the medium specific information data table 42 (step A11: medium specific information registration step or medium specific information registration function shown in FIG. 2).
Thereby, the registered medium unique information is stored in the medium unique information database 42.

  Next, when the external storage device 10 is connected (attached) to the client computer 20 (or when the client computer 20 is turned on in the attached state), the client computer 20 operates on the operating system installed in the external storage device 10. The system 14 is controlled to be activated, and various functions as a network computer can be realized (step A12: activation control step or activation control function shown in FIG. 2).

Subsequently, when the operating system 14 is activated, the medium specific information acquisition module operates.
The medium specific information acquisition module 16 of the external storage device 10 acquires medium specific information from the medium specific information storage means 12 (step A13 shown in FIG. 2: medium specific information acquisition step or medium specific information acquisition function).

Thereafter, the client computer 20 transmits an access request to the server computer 30 and attempts to access the server computer 30 (step A14 in FIG. 2: access request (medium specific information) transmission step or access request transmission function). .
This access request includes medium-specific information of the external storage device 10.

On the other hand, the server computer 30 receives an access request (including medium-specific information) from the client computer 20.
Then, the server computer 30 can inquire whether there is matching information (registered medium specific information) in the medium specific information data table 42 of the authentication device 40 (step A15: medium shown in FIG. 2). Specific information reception control step or medium specific information reception control function).

The authentication control module 43 of the authentication device 40 determines whether or not the external storage device 10 used for activation in the client computer 20 conforms to the access permission condition defined in step A11 (shown in FIG. 2). Step A16: Access permission condition determination step or access permission condition determination function).
Here, in the present embodiment, the first authentication is performed as the determination of the access permission condition. In this first authentication, the authentication control module 43 of the authentication device 40 uses the medium unique information of the external storage device 10 transmitted from the client computer 20 and the registered medium unique information registered in the authentication device 40 in advance. And match.

  If the authentication control module 43 of the authentication device 40 determines in step A16 that there is matching information in the medium specific information data table 42, the authentication control module 43 performs a process of permitting access from the client computer 20 to the server computer 30. (Step A17: access permission control step or access permission control function shown in FIG. 2).

On the other hand, if the authentication control module 43 of the authentication device 40 determines in step A16 that there is no matching information, the authentication control module 43 performs processing for disabling connection to the server computer 30 (step A17 in FIG. 2). Access non-permission control step or access non-permission control function).
For example, a message indicating that the user is not permitted can be notified to shut down the power supply of the client computer 20.

Here, the step consisting of the above step A16, step A17, and step A18 can be said to be an example of an authentication control step or an authentication control function.
In this authentication control function, the first authentication is performed based on the medium unique information and the registered medium unique information registered in advance, and when the first authentication is successful, the information terminal from the information terminal with the external storage device is used. Authentication control for permitting access to the management apparatus can be performed.
The above step A15 can also be called a reception control step or a reception control function. With this reception control function, the medium specific information transmitted from the information terminal with the external storage device that has previously acquired the medium specific information stored in the external storage device can be reception-controlled.

Furthermore, the step consisting of the above steps A12 and A13 can be said to be an example of an information acquisition step or an information acquisition function.
In this information acquisition function, when the information terminal is activated from the external storage device in a state where the external storage device is connected to the information terminal, medium specific information stored in the external storage device in advance can be acquired.

Furthermore, the above step A14 can be said to be an example of a terminal control step or a terminal control function.
In this terminal control function, in order for the management device to perform first authentication relating to access permission from the information terminal using the medium specific information to the management device, the medium specific information is transmitted via the information terminal. The transmission can be controlled toward the management apparatus to execute the first authentication.

As described above, according to the present embodiment, the following effects can be obtained.
That is, the first effect is that device authentication is performed based on the medium-specific information of the operating system boot medium itself when accessing the server.

The second effect is that unauthorized access to the server by a duplicate product can be prevented.
Even if the operating system or medium specific information acquisition module is illegally copied to the external storage device, access from the external storage device to the server is not permitted at the authentication stage of the authentication device, preventing unauthorized use. This is because it can.

  The third effect is that an external storage medium including an operating system can be used and authentication can be performed using information unique to the medium itself, so that a separate authentication-dedicated device such as an IC card or a USB dongle is not required in addition to the boot medium. It is.

  The fourth effect is that any medium type can be used as long as it can acquire medium-specific information such as a vendor ID and serial number and can store an operating system without requiring a special device. It is.

  The fifth effect is that the connection management can be performed by the authentication apparatus because the connection destination is authenticated instead of the terminal side.

  The sixth effect is that even if it is used from a PC on the go, the operating system started from the external storage device registered in the authentication device is connected to the server as an access condition. Even if the server is accessed from a virus-infected PC, the operating system booted from the external storage device is used and the internal disk itself is not used, so that the server can be accessed safely.

Further, in Patent Document 1, as compared with the case where authentication information is managed on the server side, the authentication data is held on the terminal side that can be freely touched by the terminal user, thereby increasing the chance of falsification of the authentication data. However, in this embodiment, the security strength is increased in that authentication information is managed on the server side that cannot be touched by the terminal user.
In the client server system, the data itself may not be placed on the terminal side.

  Here, a part of each block in the block diagram shown in FIG. 1 may have a software module configuration that is functionalized by a program executable by a computer.

  That is, the physical configuration is, for example, one or a plurality of CPUs (or one or a plurality of CPUs and one or a plurality of memories), etc., but the software configuration by each unit (circuit / means) is exhibited by the CPU by controlling the program. A plurality of functions are expressed as components by a plurality of units (means).

  When the CPU dynamically expresses a dynamic state (a state in which each procedure constituting the program is executed) executed by the program, each unit (means) is configured in the CPU. In a static state in which the program is not executed, the entire program (or each program part included in the configuration of each unit) that realizes the configuration of each unit is stored in a storage area such as a memory.

  Each of the units and modules (means) described above may be configured so that a computer functionalized by a program can be realized together with the functions of the program, or a plurality of functions that are permanently functionalized by specific hardware. You may comprise with the apparatus which consists of an electronic circuit block. Therefore, these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof, and is not limited to any one.

[Second Embodiment]
Next, a second embodiment according to the present invention will be described with reference to FIG. In the following, description of the substantially similar configuration of the first embodiment will be omitted, and only different parts will be described. FIG. 3 is a block diagram showing an example of the second embodiment of the authentication system of the present invention.

  In the first embodiment described above, the authentication control is performed only by the first authentication as the access permission condition. However, in the present embodiment, the second authentication is performed in addition to the first authentication as the access permission condition. And it is set as the structure which performs the authentication control by 3rd authentication.

  Specifically, as shown in FIG. 3, the authentication system 100 of the present embodiment includes a terminal specific information acquisition module 118, a user information data table 144 as registered user information storage means, and a registered terminal specific information storage means. It differs from the first embodiment in that it has a terminal unique information data table 146 and a terminal unique information storage means 122.

  The terminal-specific information storage unit 122 stores terminal-specific information that identifies the client computer 120 itself that is an information terminal (that is, its own identification information).

  The terminal unique information data table 146 (registered terminal unique information storage means or registered terminal unique information storage means) is registered terminal unique information (registered terminal unique information registered in advance for identification of the client computer 120 (information terminal)). Information).

  The user information data table 144 (registered user information storage means or registered user information storage means) stores user information related to the user of the client computer 120 (information terminal) in advance and stores it as registered user information (registered user information). Yes.

  The terminal specific information acquisition module 118 operates when the external storage device 110 is connected to the client computer 120, the operating system 114 starts, and the medium specific information acquisition module 116 starts to operate. The terminal specific information possessed by the client computer 120 is Terminal-specific information in the storage unit 122 is acquired.

  Here, the terminal-specific information is information that can uniquely identify the client computer 120 such as a CPU ID, a MAC address, and a hard disk ID, or a combination thereof.

The authentication device 140 includes a user information data table 144 and a terminal specific information data table 146 in addition to the configuration of the first embodiment.
When the client computer 120 activated from the external storage device 110 accesses the server computer 130, the authentication device 140 uses the first authentication based on the medium specific information, the second authentication based on the terminal specific information, and the user information. Access permission is determined by the third authentication combination.

  For example, “a specific external storage device can be accessed only by a specific client computer” or “a specific computer can be accessed only by a specific user of a client computer started from a specific external storage device” Can be set as follows.

Here, the configuration of the operating system 114, the medium specific information acquisition module 116, and the terminal specific information acquisition module 118 can be said to be an example of the terminal control means 113.
As a configuration example of the terminal control unit 113, the functions of the modules 116 and 118 may be incorporated in the operating system 114.
In one mode of the terminal control unit 113, it can be said that the control function is exhibited when one or more programs stored in the external storage device 110 are executed by the CPU of the client computer 120.

The terminal control unit 113 may have a function of acquiring the terminal specific information together with the medium specific information and performing transmission control toward the management device. That is, the terminal control means 113 has a first transmission control function for transmitting the terminal specific information for the information terminal together with the medium specific information as authentication data to the management apparatus via the information terminal.
Further, the terminal control means 113 can have a function of controlling transmission of user information input from the information terminal to the management apparatus together with the medium specific information and the terminal specific information. That is, the terminal control means 113 has a second transmission control function for controlling transmission of user information externally input to the information terminal to the management apparatus as authentication data together with the medium specific information and the terminal specific information.

The authentication control module 143 serving as a management-side control unit receives the medium specific information and the terminal specific information, and when the first authentication is successful, the authentication control module 143 performs a first operation based on the terminal specific information and the registered terminal specific information. And a function of permitting the access request when the second authentication is successful.
That is, the authentication control module 143 as the management-side control means operates when the external storage device is authenticated by the first authentication operation, and is transmitted from the registered terminal unique information and the information terminal. A second authentication operation execution function for executing a second authentication operation on the information terminal based on the terminal specific information may be provided.
Further, the authentication control module 143 has a class b access permission function that allows an access request from the information terminal to the management apparatus when the information terminal is authenticated by the second authentication operation by the second authentication operation execution function. May be provided.

Further, the authentication control module 143 receives the medium specific information, the terminal specific information, and the user information. When the second authentication is successful, the authentication control module 143 performs a third operation based on the user information and the registered user information. A function of authenticating and permitting the access request when the third authentication is successful can be provided.
That is, the authentication control module 143 as the management-side control unit operates when the information terminal is authenticated by the second authentication operation, and includes the registered user information and the user information transmitted from the information terminal. And a third authentication operation execution function for executing a third authentication operation for the user of the information terminal.
Further, the authentication control module 143 allows the access request from the information terminal to the management device when the user of the information terminal is authenticated by the third authentication operation by the third authentication operation execution function. An access permission function may be provided.
Further, the authentication control module 143 may have a function of performing the third authentication operation in combination with user authentication using a user name and password, public key authentication, and biometric authentication.

(About operation)
Next, details of the operation will be described with reference to the flowchart of FIG.
FIG. 4 is a more complicated version of the conditions for permitting access to the server in step A11 than in FIG. 2, and the flow in step A11 is replaced by steps B11 and B12. In addition, after step A13, step B13 for acquiring unique information of the client computer 120 is added.
In step S16, steps A161, A162, and A163 shown in FIG. 5 need to be executed.

In the authentication control procedure in the operation in the present embodiment, the management apparatus side first receives the medium specific information as authentication data, and acquires the terminal specific information stored in the information terminal in advance. The information is received together with the terminal-specific information transmitted from the information terminal with the device (step A15: reception control step or reception control function shown in FIG. 4). That is, the authentication data includes terminal-specific information stored in advance in the information terminal.
Next, it operates when the external storage device is authenticated by the first authentication operation, and based on the registered terminal specific information registered in advance for identification of the information terminal and the terminal specific information The second authentication operation for the information terminal is executed (step A162 shown in FIG. 5: second authentication operation execution step or function).
Furthermore, when the information terminal is authenticated by the second authentication operation, b-class access permission that allows an access request from the information terminal to the management apparatus is performed (step A17: b-class access permission shown in FIG. 4). Step or function).
That is, when the first authentication is successful, the second authentication is further performed based on the terminal specific information and the registered terminal specific information registered in advance, and when the second authentication is successful, A procedure for granting an access request can be performed.

In this authentication control procedure, when the medium-specific information and the terminal-specific information are received as authentication data, the user information input from the information terminal is transmitted from the information terminal with the external storage device acquired. (Step A15: reception control step or reception control function). That is, the authentication data includes user information input from the information terminal.
Further, the information terminal is activated when the information terminal is authenticated by the second authentication operation, and the third information is applied to the user of the information terminal based on the registered user information in which the user information is registered in advance and the user information. The authentication operation is executed (step A163 shown in FIG. 5: third authentication operation execution step or function).
Next, when the user of the information terminal is authenticated by the third authentication operation, class c access permission for permitting an access request from the information terminal to the management apparatus is performed (step A17: c shown in FIG. 4). Class access permission step or function).
That is, when the second authentication is successful, a third authentication is further performed based on the user information and registered user information registered in advance, and the access request is issued when the third authentication is successful. You can take steps to allow.

Further, in this authentication control procedure, when performing the third authentication operation, user authentication using a user name and password, public key authentication, and biometrics authentication are performed in combination. Can also be allowed.
This will be described in detail below.

First, in step B11, in addition to the medium specific information (or information based on the medium specific information) of the external storage device described in the first embodiment, the authentication apparatus 140 includes a user name, a password, etc. And the terminal specific information (or information based on the terminal specific information) of the client computer 120 in the medium specific information data table 142, the user information data table 144, and the terminal specific information data table 146, respectively. Registration is performed (step B11 shown in FIG. 4: medium unique information registration step or medium unique information registration function, terminal unique information registration step or terminal unique information registration function, user information registration step or user information registration function).
As a result, the registered medium unique information is stored in the medium unique information data table 142. The terminal unique information data table 146 stores registered terminal unique information. Furthermore, registered user information is stored in the user information data table 144.

Then, a combination of these pieces of information is associated as an access permission condition (step B12 shown in FIG. 4: access permission condition generation step or access permission condition generation function).
That is, the access permission condition is that all conditions of the registered medium unique information, the registered terminal unique information, and the registered user information are satisfied.

  Next, when the external storage device 110 is connected (attached) to the client computer 120 (or when the client computer is turned on in the connected state), the client computer 120 is connected to the operating system 114 installed in the external storage device 110. Is activated, and various functions as a network computer can be realized (step A12: activation control step or activation control function shown in FIG. 4).

Subsequently, when the operating system 114 is activated, the medium specific information acquisition module 116 operates.
The medium specific information acquisition module 116 of the external storage device 110 acquires medium specific information from the medium specific information storage unit 112 (step A13 shown in FIG. 4: medium specific information acquisition step or medium specific information acquisition function).

Furthermore, the terminal specific information acquisition module 118 operates when the operating system 114 is activated or when the medium specific information acquisition module operates.
The terminal specific information acquisition module 118 of the external storage device 110 acquires terminal specific information from the terminal specific information storage unit 122 (step B13 shown in FIG. 4: terminal specific information acquisition step or terminal specific information acquisition function).

Furthermore, during any step after the operating system 114 is started, the user authentication control function possessed by the operating system 114 itself or another user authentication control function prompts the user to input user information.
Thereby, based on the user's operation input from the client computer 120, the operating system 114 acquires user information (user information acquisition step or user information acquisition function).

Thereafter, the client computer 120 transmits an access request to the server computer 130 and attempts to access the server computer 130 (step A14: access request transmission step or access request transmission function shown in FIG. 4).
This access request includes medium specific information of the external storage device 110, terminal specific information of the client computer 120, and user information input from the client computer 120 with the external storage device 110.

On the other hand, the server computer 130 receives an access request (including medium-specific information, terminal-specific information, and user information) from the client computer 120.
The server computer 130 then sends information that matches the access permission conditions (registered medium specific information, registered terminal) to the medium specific information data table 142, terminal specific information data table 146, and user information data table 144 of the authentication device 140. Processing for inquiring whether there is specific information or registered user information) can be performed (step A15 shown in FIG. 4: medium specific information reception control step or medium specific information reception control function, terminal specific information reception control step or terminal specific information) Reception control function, user information reception control step or user information reception control function).

  The authentication device 140 determines whether or not the external storage device used for activation by the client computer 120 conforms to the access permission condition defined in step A11 (step A16: access permission condition shown in FIG. 4). Judgment step or access permission condition judgment function).

(Details of authentication control)
Here, in the present embodiment, first authentication, second authentication, and third authentication are performed as the determination of the access permission condition.
That is, as shown in FIG. 5, the authentication control module 143 of the authentication device 140 determines whether or not the medium specific information matches as the first authentication (step A161 in FIG. 5: first authentication step or First authentication function or first authentication operation execution function).
In this first authentication, the medium specific information of the external storage device 110 transmitted from the client computer 120 is checked against the registered medium specific information (registered medium specific information) registered in advance in the authentication apparatus 140. .

If the authentication control module 143 of the authentication apparatus 140 determines in step A161 that the medium specific information does not match, the process proceeds to step A18.
On the other hand, if it is determined in step A161 that the medium-specific information matches (when the external storage device is authenticated by the authentication operation), a first step of permitting an access request from the information terminal to the management device Is cleared (class a access permission function).
If it is determined in step A161 that the medium specific information matches, the authentication control module 143 of the authentication apparatus 140 determines whether the terminal specific information matches as the second authentication (step in FIG. 5). A162: second authentication step or second authentication function or second authentication operation execution function).
In the second authentication, the terminal unique information transmitted from the client computer 120 is checked against registered terminal unique information (registered terminal unique information) registered in advance in the authentication device 140.

In step A162, if the authentication control module 143 of the authentication device 140 determines that the terminal-specific information does not match, the process proceeds to step A18.
On the other hand, when it is determined in step A162 that the terminal-specific information matches (when the information terminal is authenticated by the second authentication operation by the second authentication operation execution function), the information terminal for the management apparatus The second stage of permitting the access request is cleared (class b access permission function).
If it is determined in step A162 that the terminal-specific information matches, the authentication control module 143 of the authentication device 140 determines whether the user information matches as the third authentication (FIG. 5). Step A163: Third authentication step or third authentication function or third authentication operation execution function).
In the third authentication, the user information transmitted from the client computer 120 and the registered user information (registered user information) registered in advance in the authentication device 140 are collated.

If the authentication control module 143 of the authentication apparatus 140 determines in step A163 that the user information does not match, the process proceeds to step A18.
On the other hand, when it is determined in step A163 that the user information matches (when the user of the information terminal is authenticated by the third authentication operation by the third authentication operation execution function), the information terminal for the management device This means that the third stage of permitting the access request from is cleared (class c access permission function).
If it is determined in step A163 that the user information matches, the authentication control module 143 of the authentication apparatus 140 proceeds to step A17.

  Next, when the authentication apparatus 40 determines in step A16 (steps A161, A162, and A163) that there is information that matches the medium specific information data table 142, the terminal specific information data table 146, and the user information data table 144, Performs processing for permitting access (access request) from the client computer 20 to the server computer 30 (step A17: access permission control step or access permission control function shown in FIG. 4).

  On the other hand, if the authentication apparatus 40 determines in step A16 (steps A161, A162, A163) that no matching information exists even in one condition in step A16, the authentication apparatus 40 refuses connection to the server computer 30. (Step A17 in FIG. 4: access non-permission control step or access non-permission control function).

Here, the step consisting of the above steps A16 to A18 is an example of an authentication control step or an authentication control function.
Further, the above step A15 includes the reception control step or the reception control function.
In the authentication control function, when the first authentication is successful, second authentication is performed based on the terminal unique information and preregistered registered terminal unique information, and when the second authentication is successful. A function of permitting the access request may be provided.

In the reception control function, a function of receiving and controlling the terminal specific information and the medium specific information together with the user information transmitted from the information terminal with the external storage device that has acquired the user information input from the information terminal. May be provided.
In this case, in the authentication control function, when the second authentication is successful, third authentication is performed based on the user information and registered user information registered in advance, and the third authentication is successful. May have a function of permitting the access request.

  Further, in the authentication control function, the third authentication is performed by combining user authentication using a user name and a password, public key authentication, and biometric authentication, and the access is permitted when each of these authentications is successful. May be provided.

Furthermore, the step consisting of the above steps A12 and A13 can be said to be an example of an information acquisition step or an information acquisition function. Furthermore, the above step A14 is an example of a terminal control step or a terminal control function.
In addition, the first authentication, the second authentication, and the third authentication do not necessarily need to be performed, but only the first authentication, the first authentication, and the second authentication as in the first embodiment. Only authentication may be used. In this case, in the access request transmission function (terminal control function) in step A14, a zeroth transmission control function for controlling transmission of the stored medium specific information as authentication data to the management apparatus via the information terminal A first transmission control function for transmitting terminal specific information for the information terminal together with the medium specific information as authentication data to the management device via the information terminal, and user information externally input to the information terminal Each case of the 2nd transmission control function which carries out transmission control to the management device as authentication data with medium specific information and the terminal specific information may be provided.

Here, in the present embodiment, the user authentication of the user name password is dealt with, but it is also possible to combine with an existing authentication method such as public key authentication or biometric authentication.
Biometrics authentication includes, for example, fingerprint authentication, palm shape (palm width and finger length) authentication, retina (recognition of capillaries pattern of eye retina) authentication, iris authentication, face authentication, blood vessel (vein pattern) Examples include authentication, voice (voice print) authentication, ear shape authentication, DNA authentication, handwriting authentication, keystroke (keystroke speed and timing wrinkle) authentication, lip movement authentication, and blink (amount of change in black eye area) authentication.

  Other configurations, other steps or functions, and the effects thereof are the same as those in the above-described embodiment. In the above description, the operation content of each step described above, the constituent elements of each unit, and the functions thereof may be programmed (software program) and executed by a computer.

In this case, an external storage device that can control the information terminal from the outside is connected (or detachably attached) to the information terminal, and an access request from the information terminal is formed so as to be communicable with the information terminal with the external storage device. The management apparatus authentication control program is capable of realizing various functions in a computer provided with a management apparatus provided with an authentication function that is permitted on the premise of authentication of the device relating to the access request.
In addition, the management device from the information terminal with the external storage device is connected to an information terminal that can communicate with the management device (or is detachably mounted) and can control the information terminal from the outside. Since the management device authenticates the access request to the external storage device, it can be an external storage device authentication control program capable of realizing various functions in a computer provided in the information terminal with the external storage device.

  Furthermore, the method described above can also be realized by a computer reading a program from a recording medium and executing it. That is, the structure which recorded the above-mentioned program on the information recording medium may be sufficient.

[Other variations]
Also, although the apparatus and method according to the present invention have been described according to some specific embodiments thereof, the embodiments described in the text of the present invention can be used without departing from the spirit and scope of the present invention. Various modifications are possible.

  For example, the number, position, shape, and the like of the constituent members are not limited to the above-described embodiment, and can be set to a suitable number, position, shape, and the like in practicing the present invention. That is, in the above embodiment, the case where the number of external storage devices connected to the information terminal is one is shown. However, the present invention does not limit the number of such devices, but a USB memory, a CF card, a CD-ROM. A plurality of external storage devices such as DVDs and external HDDs (each having the same type or a different type of OS) may be connected to the information terminal.

  As the external storage device, for example, a semiconductor memory such as ROM, RAM, flash memory or SRAM and an integrated circuit, or a removable medium such as a USB memory or a memory card including them, an optical disk, a magneto-optical disk, a magnetic recording medium, or the like is used. Furthermore, a flexible disk, CD-ROM, CD-R, CD-RW, FD, DVDROM, HDDVD (HDDVD-R-SL <1 layer>, HDDVD-R-DL <2 layers>, HDDVD-RW- SL, HDDVD-RW-DL, HDDVD-RAM-SL), DVD ± R-SL, DVD ± R-DL, DVD ± RW-SL, DVD ± RW-DL, DVD-RAM, Blu-Ray Disk <registered trademark > (BD-R-SL, BD-R-DL, BD-RE-SL, BD-RE-DL), M , ZIP, magnetic card, magnetic tape, SD card, memory stick, non-volatile memory card, IC card, and other portable media, external hard disk storage, etc. Good.

  The management apparatus according to an embodiment of the present invention is configured to connect an external storage device capable of controlling an information terminal from the outside to the information terminal and to be able to communicate with the information terminal with the external storage device. Is a management apparatus having an authentication function that allows an access request from a device on the premise of authenticating the device related to the access request, and stores registration medium specific information registered in advance to identify the external storage device The medium unique information transmitted from the stored registered medium unique information storage means and the information terminal with the external storage device that has previously acquired the medium unique information stored in the external storage device is received, and the medium unique information And first information based on the registered medium specific information, and when the first authentication is successful, the management device from the information terminal with the external storage device And a management-side control unit for permitting that access request.

  Furthermore, an external storage device according to an embodiment of the present invention is an external storage device that is connected to an information terminal capable of communicating with a management device via a communication network and can control the information terminal from the outside, and identifies itself. Medium-specific information storage means storing medium-specific information to be performed, and the management device to perform first authentication related to an access request from the information terminal using the medium-specific information to the management device. Terminal control means for starting up the information terminal in a state connected to the information terminal, acquiring the medium-specific information, and controlling transmission to the management device via the information terminal.

  Further, in the authentication system in the above embodiment, the communication structure between the information terminal and the management apparatus is not limited to the client server system, and the peer-to-peer in which the terminals form a network without passing through the server and transmit / receive data to / from each other. (Peer To Peer) Communication system may be used. In that case, the management apparatus may be a master terminal in a peer-to-peer system.

  In addition, the “system” in the above embodiments refers to a logical collection of a plurality of devices, and it does not matter whether the devices of each configuration are in the same housing.

Further, in the present specification, the steps shown in the flowchart include processes that are executed in parallel or individually even if they are not necessarily processed in time series, as well as processes that are executed in time series according to the described procedure. It is a waste. Also, the order in which the program procedures (steps) are executed can be changed.
For example, the first authentication, the second authentication, the third authentication, and other authentications are not necessarily in this order.

  Further, in “communication”, wireless communication and wired communication as well as communication in which wireless communication and wired communication are mixed, that is, wireless communication is performed in a certain section and wired communication is performed in another section. There may be. Further, communication from one device to another device may be performed by wired communication, and communication from another device to one device may be performed by wireless communication.

  The types of interfaces formed in the communication structure between the external storage device and the information terminal are, for example, a parallel interface, a USB interface, IEEE 1394, a network such as a LAN or WAN, or the like, or will be developed in the future. Any interface can be used.

Further, each external storage device and authentication device may exist alone or may be used in a state of being incorporated in a certain device (for example, an electronic device). Is not limited to this, but includes various aspects.
Furthermore, it may be a case where a part is software and a part is realized by hardware, and a part is stored on a storage medium, and is read as needed. It may be as a thing.

  The scope of the invention is not limited to the illustrated example. Further, the above embodiments include various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. That is, examples include combinations of the above-described embodiments, or any of them and any of the modifications.

INDUSTRIAL APPLICABILITY The present invention can be used in general computer systems, and more specifically, in a client / server system such as a thin client system in which it is necessary to limit users and terminals to be connected in security, an external device that can carry a client. It can be used when booting from an operating system stored in a storage device.
It can also be used in areas where it is necessary to prevent unauthorized access and use of server assets by unauthorized duplication software.

It is a block diagram which shows an example of the whole structure of the authentication system by the 1st Embodiment of this invention. It is a flowchart which shows an example of the process sequence in the authentication system by the 1st Embodiment of this invention. It is a block diagram which shows an example of the whole structure of the authentication system by the 2nd Embodiment of this invention. It is a flowchart which shows an example of the process sequence in the authentication system by the 2nd Embodiment of this invention. It is a flowchart which shows an example of the detailed process sequence of the process sequence of FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1,100 Authentication system 2,102 Management apparatus 10,110 External storage device 12,112 Medium specific information storage means 13,113 Control means for terminals 14,114 Operating system 16,116 Medium specific information acquisition module 20,120 Computer for client (Information terminal)
30, 130 Server computer (management device)
40, 140 Authentication device (management device)
42, 142 Medium unique information data table (registered medium unique information storage means)
43, 143 Authentication control module (management side control means)
118 Terminal-specific information acquisition module
122 Terminal-specific information storage means 144 User information data table (user information storage means)
146 Terminal unique information data table (registered terminal unique information storage means)

Claims (18)

An information terminal, an external storage device connected to the information terminal and capable of controlling the information terminal from the outside, and an authentication function that accepts an access request from the information terminal on the premise of authentication of the device related to the access request A management device comprising:
The external storage device is
Medium specific information storage means for storing medium specific information which is the identification information of the self,
Terminal control means for controlling transmission of the stored medium-specific information as authentication data to the management apparatus via the information terminal;
Including
The management device
Registered medium specific information storage means for storing already registered medium specific information registered in advance for identification of the external storage device;
Management-side control means for executing a first authentication operation on the external storage device based on the already-registered medium-specific information and the medium-specific information sent via the information terminal;
Including
The management-side control means comprises an a-class access permission function that allows an access request from the information terminal to the management device when the external storage device is authenticated by the authentication operation. . The authentication system according to claim 1,
The information terminal includes a terminal specific information storage unit that stores terminal specific information that is identification information of the terminal,
The management device further includes registered terminal unique information storage means for storing already registered terminal unique information registered in advance for identification of the information terminal,
The terminal control means of the external storage device is:
Having a first transmission control function for transmitting terminal-specific information for the information terminal together with the medium-specific information as authentication data to the management device via the information terminal;
The management side control means of the management device comprises:
The second storage device operates when the external storage device is authenticated by the first authentication operation, and is applied to the information terminal based on the registered terminal unique information and the terminal unique information transmitted from the information terminal. A second authentication operation execution function for executing the authentication operation;
A b-class access permission function that allows an access request from the information terminal to the management device when the information terminal is authenticated by the second authentication operation by the second authentication operation execution function;
An authentication system characterized by comprising: The authentication system according to claim 2,
The management device
Further includes registered user information storage means for previously registering user information related to the user of the information terminal and storing it as already registered user information;
The terminal control means of the external storage device is:
A second transmission control function for controlling transmission of user information externally input to the information terminal to the management apparatus as authentication data together with the medium specific information and the terminal specific information;
The management side control means includes
The third authentication operation that is activated when the information terminal is authenticated by the second authentication operation and is applied to the user of the information terminal based on the registered user information and the user information transmitted from the information terminal. A third authentication operation execution function for executing
A c-class access permission function for permitting an access request from the information terminal to the management apparatus when a user of the information terminal is authenticated by the third authentication operation by the third authentication operation execution function; An authentication system characterized by The authentication system according to claim 3,
The management side control means includes
An authentication system, wherein the third authentication operation is performed by combining user authentication using a user name and a password, public key authentication, and biometric authentication. An external storage device that can control the information terminal from the outside is connected to the information terminal, and is configured to be communicable with the information terminal with the external storage device. A management device with an authentication function that allows authentication on the premise of
Registered medium specific information storage means for storing registered medium specific information registered in advance to identify the external storage device;
The medium specific information transmitted from the information terminal with the external storage device that has previously acquired the medium specific information stored in the external storage device is received, and based on the medium specific information and the registered medium specific information Management-side control means for performing a first authentication and permitting an access request to the management device from the information terminal with the external storage device when the first authentication is successful;
A management device comprising: An external storage device connected to an information terminal capable of communicating with a management device via a communication network and capable of controlling the information terminal from the outside,
Medium unique information storage means for storing medium unique information for identifying itself;
In order for the management device to perform first authentication related to an access request from the information terminal to the management device using the medium-specific information, the information terminal is activated while connected to the information terminal. Terminal control means for acquiring the medium-specific information and controlling transmission to the management apparatus via the information terminal;
An external storage device. An external storage device that can control the information terminal from the outside is connected to the information terminal, and is configured to be communicable with the information terminal with the external storage device. An authentication control method using a management device having an authentication function that allows authentication on the premise of
Medium-specific information stored in advance in the external storage device is received as authentication data from the information terminal;
Performing a first authentication operation on the external storage device based on the registered medium unique information registered in advance for identification of the external storage device and the medium unique information;
When the external storage device is authenticated by the first authentication operation, class A access permission that allows an access request from the information terminal to the management device is performed.
An authentication control method characterized by the above. The authentication control method according to claim 7,
The authentication data includes terminal specific information stored in the information terminal in advance,
It operates when the external storage device is authenticated by the first authentication operation, and is registered in the information terminal based on the registered terminal specific information registered in advance for identification of the information terminal and the terminal specific information. Performing the second authentication operation,
When the information terminal is authenticated by the second authentication operation, b-class access permission for allowing an access request from the information terminal to the management device is performed.
An authentication control method characterized by the above. The authentication control method according to claim 8,
The authentication data includes user information input from the information terminal,
Third authentication that is activated when the information terminal is authenticated by the second authentication operation and that is applied to the user of the information terminal based on the registered user information in which the user information is registered in advance and the user information. Perform the action,
When the user of the information terminal is authenticated by the third authentication operation, class c access permission for permitting an access request from the information terminal to the management device is performed.
An authentication control method characterized by the above. The authentication control method according to claim 9, wherein
In performing the third authentication operation, authentication is performed by combining user authentication with a user name and password, public key authentication, and biometric authentication.
An authentication control method characterized by the above. Using an external storage device connected to an information terminal capable of communicating with the management device and capable of controlling the information terminal from the outside, an access request for the management device from the information terminal with the external storage device is sent to the management device An authentication control method for authenticating,
Starting the information terminal from the external storage device in a state where the external storage device is connected to the information terminal,
Acquiring medium specific information stored in advance in the external storage device,
In order for the management device to perform first authentication related to an access request from the information terminal to the management device using the medium-specific information, the medium-specific information is directed to the management device via the information terminal. Performing transmission control and executing the first authentication;
An authentication control method characterized by the above. The authentication control method according to claim 11,
When acquiring the medium specific information, it is acquired together with terminal specific information stored in a specific storage area of the information terminal in advance,
When performing transmission control of the medium specific information, transmission control is performed together with the terminal specific information in order to perform second authentication using the terminal specific information in the management apparatus, and the second authentication is performed together with the first authentication. To perform authentication,
An authentication control method characterized by the above. The authentication control method according to claim 12,
When acquiring the medium specific information and the terminal specific information, it is acquired together with user information input from the information terminal,
When transmission control of the medium specific information and the terminal specific information is performed, transmission control is performed together with the user information in order to perform third authentication using the user information in the management device, and the first authentication and second authentication are performed. The third authentication is executed together with the authentication of 2.
An authentication control method characterized by the above. An external storage device that can control the information terminal from the outside is connected to the information terminal, and is configured to be communicable with the information terminal with the external storage device. An authentication control program for a management apparatus capable of realizing various functions in a computer provided with a management apparatus having an authentication function that is allowed on the premise of authentication with respect to
A reception control function for receiving and controlling medium specific information stored in the external storage device in advance as authentication data from the information terminal;
A first authentication operation execution function for executing a first authentication operation on the external storage device based on previously registered medium unique information registered in advance for identification of the external storage device and the medium unique information;
A-class access permission function that allows an access request from the information terminal to the management device when the external storage device is authenticated by the first authentication operation;
An authentication control program for a management apparatus that causes the computer to realize the above. The management device authentication control program according to claim 14,
In the reception control function,
The computer realizes a function of receiving and controlling the medium specific information together with the terminal specific information transmitted from the information terminal with the external storage device that has acquired the terminal specific information stored in the information terminal in advance,
It operates when the external storage device is authenticated by the first authentication operation, and is registered in the information terminal based on the registered terminal specific information registered in advance for identification of the information terminal and the terminal specific information. A second authentication operation execution function for executing the second authentication operation;
A b-class access permission function that permits an access request from the information terminal to the management device when the information terminal is authenticated by the second authentication operation by the second authentication operation execution function;
Is further realized by the computer. The management device authentication control program according to claim 15,
In the reception control function,
The computer realizes a function of receiving and controlling the terminal specific information and the medium specific information together with the user information transmitted from the information terminal with the external storage device that has acquired the user information input from the information terminal,
Third authentication that is activated when the information terminal is authenticated by the second authentication operation and that is applied to the user of the information terminal based on the registered user information in which the user information is registered in advance and the user information. A third authentication operation execution function for executing the operation;
A c-class access permission function that allows an access request from the information terminal to the management device when the user of the information terminal is authenticated by the third authentication operation by the third authentication operation execution function;
Is further realized by the computer. The management device authentication control program according to claim 16,
In the third authentication operation execution function,
An authentication control program for a management apparatus characterized in that a function for performing authentication that combines user authentication using a user name and password, public key authentication, and biometrics authentication is included in the content, and the computer realizes the function. Using an external storage device connected to an information terminal capable of communicating with the management device and capable of controlling the information terminal from the outside, an access request for the management device from the information terminal with the external storage device is sent to the management device An authentication control program for an external storage device capable of realizing various functions in a computer provided in the information terminal with an external storage device for authentication,
When the information terminal is activated from the external storage device in a state where the external storage device is connected to the information terminal, an information acquisition function for acquiring medium-specific information stored in the external storage device in advance,
In order for the management device to perform first authentication related to access permission from the information terminal using the medium specific information to the management device, the medium specific information is directed to the management device via the information terminal. A terminal control function for performing transmission control and executing the first authentication;
An authentication control program for an external storage device that causes the computer to implement a function including:

Images