JP2012032993A - Authentication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system with high security, securing that an authentication result is transmitted only to a terminal requesting the authentication.SOLUTION: When a main server 3 receives an authentication request from a first terminal 2, pair information generation means 311 generates and stores pair information of a first code and a second code. The first code is transmitted to the first terminal 2 along with a sub server 4 to form a first route to the sub server 4 by the first code from the first terminal 2. The second code is transmitted from the main server 3 only to the sub server 4. When the first code received in the first route formation is collated and matched by the sub server 4, the corresponding second code is transmitted from the sub server 4 to the first terminal 2, so as to form a second route to the main server 3 by the pair information from the first terminal 2, of the first code from the main server 3 and the second code from the sub server 4. The main server 3 transmits the result acquired by collating the pair information received in the second route formation with the stored pair information, as the authentication result of the authentication request.

Description

  The present invention is provided by an authentication provider when a service provider that provides various services to a user using an IP network such as the Internet and an authentication provider that provides an authentication service for authenticating a user who receives the service cooperate with each other. It relates to an authentication system.

  Conventionally, when a user uses a WEB service on a PC, an authentication linkage mechanism is known in which a service provider that provides a service and an authentication provider that authenticates a user are known, and the PC to be used is not limited The authentication method using a fixed ID / password is mainly used to authenticate users. For example, OpenID is an ID for confirming the identity of a user configured in the URL format of the WEB site, and can be used on various WEB sites corresponding to OpenID (Non-patent Document 1).

  In addition, while it is natural to have one mobile phone per person, in order to improve the security of authentication on a PC, authentication is performed using a pre-registered mobile phone exclusively owned by the user. A method is known (Patent Document 1).

OpenID.ne.jp, http://www.openid.ne.jp/

JP 2007-193762 A

  However, in such authentication cooperation, the authentication result of the user by the authentication provider is transferred to the service provider via a terminal that the user wants to receive the service. Therefore, even if the authentication of the user by the authentication provider is successful, if the result of the successful authentication is exploited by a malicious third party using another terminal in the process of being transmitted to the terminal that made the authentication request There is a threat that this third party impersonates and misuses the service.

  Further, in the authentication of a user with a fixed ID / password, there is a threat of spoofing by a malicious third party due to theft / leakage of ID / password. In addition, when a mobile phone is used in combination, it is necessary to register a mobile phone that can be used in advance, and there is still a problem in terms of convenience to be widely used.

  Accordingly, an object of the present invention is to provide an authentication system with high security in which an authentication result is transmitted only to a terminal that has requested authentication. It is another object of the present invention to provide an authentication system with improved convenience when a terminal such as a mobile phone is used in combination.

  In order to solve such a problem, the present invention relates to a first terminal, a main server, and a secondary server connected via a network, and the first terminal, the main server, and the secondary server cooperated to authenticate the authentication result. An authentication system that can be acquired by one terminal, wherein the first terminal receives authentication request means for transmitting an authentication request signal to the main server, and receives the first code from the main server, the first code to the sub server When a second code is received from the secondary server, a second code verification request signal including the second code and the first code received from the main server is received. A second route forming means for transmitting to the main server; and a result receiving means for receiving an authentication result from the main server. The main server responds to the authentication request each time an authentication request signal is received from the first terminal. 1st code and 2nd code are produced | generated, the 1st code | cord | chord produced | generated for every authentication request signal and 2nd code are matched, the pair information production | generation means to which it memorize | stores in a main server memory | storage part, When the second code verification request signal is received from the first terminal and the first route control means for transmitting the two codes to the secondary server and the first code to the first terminal, the first code stored in the main server storage unit A second code collating unit for collating the two codes with the received second code, and a result transmitting unit for transmitting the collation result of the second code collating unit to the first terminal as an authentication result for the authentication request, When the server receives the first code and the second code received from the main server, the data acquisition means for storing the first code and the second code in the secondary server storage unit, and the second code request signal from the first terminal, A first code collating means for collating the received first code with the received first code and determining whether or not they match, and a second code corresponding to the first code collated with the first code collating means There is provided an authentication system comprising: a second path control means for transmitting the second code request signal to the transmission source of the second code request signal. As a result, the authentication result can be transmitted only to the terminal that is the transmission source of the authentication request signal.

  In such an authentication system, the first code is preferably a session key. Thereby, the session key generated every time the authentication request signal is received as the first code can be used.

  In the authentication system, the second code is preferably secret information. Thereby, the confidentiality with respect to the pair information of the first code and the second code is increased, and the reliability of the authentication result transmission to the terminal that is the transmission source of the authentication request signal can be improved.

  In the authentication system, in the main server, the pair information generation unit generates, for each authentication request signal, access source information that specifies the first terminal obtained during communication of the authentication request from the first terminal; Corresponding to the second code and stored in the main server storage unit, the first route control means transmits the access source information associated with the pair information generating means together with the first code and the second code to the sub server, and the sub server Then, the data acquisition means stores the access source information in the secondary server storage unit in association with the first code and the second code, and the second route control means specifies the transmission source of the second code request signal in the access source information. It is preferable that the second code is transmitted when the first terminal is used. As a result, the sender of the authentication request signal can be more strictly confirmed, and the reliability of the authentication result transmission to the terminal that is the sender of the authentication request signal can be improved.

  The authentication system further includes a second terminal having at least relay means for acquiring the second code request signal from the first terminal without passing through the network and transferring the second code request signal to the secondary server via the network. The first route forming means of one terminal preferably transmits the second code request signal to the second terminal. This makes it possible to use a portable terminal in combination even if it is not registered in advance during the authentication process.

  In the authentication system, the secondary server further includes a second terminal confirmation unit that enables transmission of the second code on the condition that the second terminal is confirmed to be a user-registered terminal. Is preferred. As a result, the user and the terminal are registered in advance and the user can be authenticated.

  According to the present invention, it is possible to provide an authentication system with high security in which an authentication result is transmitted only to a terminal that has requested authentication. In addition, it is possible to provide an authentication system with improved convenience when using a mobile terminal.

It is a figure for demonstrating the authentication system by this invention. It is a figure for demonstrating the authentication cooperation system using an authentication system. It is a figure for demonstrating the main server memory | storage part of an authentication main server apparatus. It is a figure for demonstrating the secondary server memory | storage part of an authentication secondary server apparatus. It is a flowchart of the authentication cooperation system using an authentication system. It is a process flowchart of a service terminal. It is a process flowchart of an authentication main server apparatus. It is a process flowchart of an authentication secondary server apparatus.

  Hereinafter, an authentication system according to the present invention will be described with reference to the drawings. FIG. 1 is a configuration diagram of an authentication system according to the present invention. An authentication system 1 shown in FIG. 1 includes a first terminal 2 (service terminal 2) operated by a user to receive authentication, a second terminal 6 (portable terminal 6) possessed by the user of the first terminal 2, and A main server 3 (authentication main server device 3) and a secondary server 4 (authentication secondary server device 4) provided by an authentication provider are connected via a network 5.

  FIG. 2 is a diagram for explaining an authentication cooperation system using the authentication system of FIG. The authentication cooperation system shown in FIG. 2 is configured such that a service providing server device 7 for providing a service by a service provider that performs authentication cooperation is connected to the authentication system 1 via a network 5. At this time, the authentication provider that performs authentication cooperation provides the authentication result from the authentication main server device 3 to the service provider server device 7 of the service provider via the service terminal 2 that is authenticated in the process of requesting the provision of the service.

  The service terminal 2 receives provision of a predetermined service from the service providing server device 7 via the network 5. At this time, the service terminal 2 transmits a service provision request to the service provision server device 7 and obtains a user authentication result necessary for the service provision authorization process performed by the service provision server device 7. 7 receives an authentication transfer request sent from the authentication provider to the authentication provider, transmits an authentication request, and obtains an authentication result obtained in cooperation with the authentication main server device 3 and the authentication sub server device 4 via the network 5 Presented to the providing server device 7 by transfer. Therefore, a first terminal communication unit 23 that performs communication with the authentication main server device 3, the authentication sub server device 4, and the service providing server device 7 through the network 5, and a first terminal control unit that performs various controls of the service terminal 2. 21 and a first terminal operation unit 22 for processing various input operations to the service terminal 2 by the user.

  The first terminal control unit 21 is a service provision request transmission process, an authentication transfer request reception process, an authentication request transmission process, a session key reception process that is a form of the first code, and a form of the second code. It controls processing such as unique code request processing, session key / unique code pair information verification request processing, and authentication result reception / transfer processing. Therefore, the authentication request unit 211, the first path forming unit 212, the second path forming unit 213, and the result receiving unit 214 are provided.

  The authentication request unit 211 performs authentication based on the authentication transfer request to the authentication main server device 3 of the service providing server device 7 received in response to the service providing request transmitted from the first terminal control unit 21 to the service providing server device 7. An authentication request is transmitted to the main server device 3.

  When the first path forming unit 212 receives the session key from the authenticator server device 3, the first path forming unit 212 presents the received session key as the second code request signal in the present invention to the mobile terminal 6 without going through the network 5. 6 is relayed and transmitted to the authentication secondary server apparatus 4 to form a session key verification path (that is, the first path in the present invention). The first path forming unit 212 transmits the session key received from the authentication main server device 3 directly to the authentication sub server device 4 via the network 5 without relaying the mobile terminal 6 to verify the session key. The path may be formed.

  When the second path forming unit 213 receives the unique code from the authentication secondary server device 4, the second path forming unit 213 receives a unique code collation request including the session key received from the authentication primary server device 3 and the unique code received from the authentication secondary server device 4 (that is, , The second code verification request signal in the present invention) is transmitted to the authenticating server device 3, and a unique code verification path (that is, the second path in the present invention) is formed. At this time, the second path forming unit 213 periodically transmits a unique code request to the authentication sub server device 4 at a predetermined interval after the first path forming unit 212 starts forming a session key verification path. Then, the unique code is received from the authentication secondary server apparatus 4 as an OK response to the unique code request only when the verification of the session key is completed in the authentication secondary server apparatus 4.

  The result receiving unit 214 receives the authentication result from the authentication main server device 3 as a response to the unique code verification request transmitted by the second route forming unit 213 and transfers it to the service providing server device 7.

  The first terminal operation unit 22 includes a keyboard, a numeric keypad, a mouse, an external input terminal, and the like. The first terminal operation unit 22 accepts an input operation of a user who uses the service terminal 2, for example, a service provision ID necessary for receiving a service provision from a service provider and information related to an authentication service that the user wants to use, that is, an authentication It is used to acquire information about the provider's authenticator server device 3 and an ID / password to be transmitted to the authentication provider.

  The first terminal communication unit 23 is an interface that communicates with the authentication main server device 3, the authentication sub server device 4, and the service providing server device 7 through the network 5.

  The service terminal 2 includes a first terminal output unit (not shown) configured by a liquid crystal display (LCD), a speaker, an external output terminal, and the like. The first terminal output unit displays the processing screen when the service terminal 2 transmits and receives various requests, and presents the session key received from the authenticator server device 3 to the mobile terminal 6. , Converted to character, two-dimensional barcode, etc. and output.

  The authentication main server device 3 is a server that authenticates the service terminal 2 in conjunction with the authentication sub server device 4. When the authentication main server device 3 receives the authentication request from the service terminal 2, the authentication main server device 3 generates and stores pair information of the session key and the unique code for each authentication request. Further, the authentication main server device 3 acquires access source information for the authentication request received from the service terminal 2 and stores it in association with the session key and unique code pair information. The authenticating server device 3 transmits a session key, a unique code, and access source information associated with the authenticating secondary server device 4 so that a unique code matching route can be formed via the session key matching route. At the same time, the session key is transmitted to control the session key verification path. Further, the authentication main server device 3 receives the unique code verification request from the service terminal 2, compares the unique code with the stored pair information and the received pair information, and uses the verification result as the authentication request authentication result. Output as. Therefore, the authentication main server device 3 includes a main server communication unit 33 that communicates with the authentication sub server device 4 and the service terminal 2 through the network 5, and a main server control unit 31 that performs various controls of the authentication main server device 3. The main server storage unit 32.

  The main server control unit 31 includes an authentication request reception process, an access source information acquisition process, a pair information generation process, a pair information and session key transmission process, a unique code verification request reception and a unique code verification process, an authentication result Control of processing such as transmission processing and pair information erasure processing is performed. For this reason, it has pair information generation means 311, first route control means 312, second code verification means 313, and result transmission means 314.

  When the pair information generation unit 311 receives the authentication request from the service terminal 2, the pair information generation unit 311 generates pair information of the session key and the unique code. Here, the session key is used for specifying access from the terminal and forming the first route. The unique code is used when forming the second path for confirming that the first path has been correctly passed. When generating a unique code, various generation methods can be considered, but it is preferable to generate secret information that is not easily guessed by a malicious third party and is not used for purposes other than forming the second path, Further, it is preferable that the unique code is generated so as to be unique to the session key so that the unique code having the same value is not commonly used for a plurality of different session keys. Further, the pair information generation unit 311 associates the generated pair information with the acquired access source information and stores it in the main server storage unit 32 described later.

  The first path control unit 312 transmits the session key, the unique code, and the access source information associated by the pair information generation unit 311 to the authentication sub server device 4 through the main server communication unit 33. The first route control means 312 transmits only the session key from the pair information to the service terminal 2 through the main server communication unit 33.

  When receiving the unique code verification request from the service terminal 2, the second code verification unit 313 acquires access source information from the service terminal 2 and determines whether the access source information matches the access source information stored in the main server storage unit 32. Further, it is determined whether the session key / unique code pair information included in the unique code verification request matches the session key / unique code pair information stored in the main server storage unit 32, and the verification result is output. .

  The result transmission unit 314 transmits the verification result output by the second code verification unit 313 to the service terminal 2 as an authentication result for the authentication request received from the service terminal 2. When the authentication result is transmitted by the result transmitting unit 314 and a certain time has elapsed, the associated session key, unique code, and access source information that have been transmitted by the main server control unit 31 are deleted from the main server communication unit 33. .

  The main server storage unit 32 is a storage device such as a ROM, a RAM, or a magnetic hard disk, stores various programs and various data, and associates the session key and unique code generated by the pair information generation unit 311 with the access source information. Add and remember. The access source information is information that can be used to identify the terminal at a certain timing, such as IP address and MAC address, unique information of the service terminal 2 that can obtain source information other than the destination at the time of transmission, and connection information at the time of transmitting the authentication request. It is.

FIG. 3 is an example of a table that stores a session key, a unique code, and access source information in the main server storage unit 32. In FIG. 3, a session key 321, a unique code 322, access source information 323, and access time 324 are stored in association with each other. The access source information of the service terminal 2 obtained by receiving the authentication request, which is obtained from the timer (not shown) and stored at the access time 324 by acquiring the time at which the authentication request is received, is stored in the access source information 323.
For example, the access source information of the service terminal 2 that transmitted the authentication request received at 15:30:00 on 2010/07/10 is 192.168.1.mmm aa: bb: cc: dd, and the session key for this is aaaaa The unique code is stored in association with xxxxx. Similarly, the access source information of the service terminal 2 that sent the authentication request received at 15:35:00 on 2010/07/10 is 192.168.1.nnn
ee: ff: gg: hh is stored in association with the session key bbbbb and the unique code yyyyy.

  The main server communication unit 33 is an interface that communicates with the authentication secondary server device 4 and the service terminal 2 through the network 5.

  The authentication secondary server device 4 receives and stores the associated session key, unique code, and access source information from the authentication main server device 3. Also, the authentication secondary server device 4 receives the session key from the service terminal 2 from the portable terminal 6 that relays the session key, performs session key verification, and transmits a unique code to the service terminal 2 when the session key verification is successful. The server authenticates the service terminal 2 in conjunction with the authentication main server device 3 by controlling the unique code verification path. For this reason, the authentication secondary server device 4 includes a secondary server communication unit 43 that communicates with the authentication main server device 3 and the service terminal 2 through the network 5, and a secondary server control unit 41 that performs various controls of the authentication secondary server device 4. And a secondary server storage unit 42.

  The secondary server control unit 41 receives data from the authentication main server device 3, receives a session key verification request and session key verification processing, unique code request processing and unique code transmission processing, access source information acquisition processing, Control of processing such as pair information erasure processing and registration confirmation processing of the portable terminal 6 is performed. For this reason, it has data acquisition means 411, first code collation means 412, second route control means 413, and second terminal confirmation means 414.

  The data acquisition unit 411 receives the associated session key, unique code, and access source information from the authenticator server device 3 and stores them in the sub server storage unit 42 described later.

  When receiving the session key from the service terminal 2 from the mobile terminal 6 that relays the session key from the service terminal 2, the first code verification unit 412 verifies whether or not the session key corresponding to the received session key is stored in the secondary server storage unit 42. , Output the verification result. When a session key transmitted directly from the service terminal 2 without relaying the mobile terminal 6 is received, it is similarly verified whether the session key corresponding to the received session key is stored in the secondary server storage unit 42. May be.

  The second route control means 413 transmits the unique code to the service terminal 2 that is the transmission source of the session key when the first code matching means 412 matches the matching. At this time, the second route control means 413 periodically receives a unique code request from the service terminal 2 at a predetermined interval, and the first code matching means 412 completes the matching of the session key and succeeds in the matching. Only when the unique code is transmitted as a response to the unique code request. When the unique code request is received, the first code collating means 412 confirms whether or not the collation has been completed. If the collation is successful and the collation is OK, an OK response including the unique code is obtained. If the NG response not included is not verified, a WAITING response is generated and transmitted. When the unique code is transmitted by the second route control means 413 and the fixed time has elapsed, the associated session key, unique code and access source information transmitted by the secondary server control unit 41 are deleted from the secondary server storage unit 42. The

  When the second terminal confirmation unit 414 receives the user registration information from the portable terminal 6 that relays the session key from the service terminal 2, the second terminal confirmation unit 414 confirms whether the portable terminal 6 is a terminal registered in advance. The unique code transmission of the second route control means 413 is controlled, and the verification NG is returned. If the mobile terminal 6 has been registered as a user, the second route control means 413 causes the unique code to be transmitted based on the collation result of the first code collation means 412. However, if the portable terminal 6 has not been registered as a user, the unique code is not transmitted even if the first code matching means 412 matches the matching. As a method for confirming a terminal registered in advance, there are various methods such as authentication of the user of the portable terminal 6 and confirmation of a terminal model that can be relayed.

  The secondary server storage unit 42 is a storage device such as a ROM, a RAM, or a magnetic hard disk, stores various programs and various data, and receives a session key, a unique code, and an access source received from the authentication main server device 3 by the data acquisition unit 411. Information is stored in association with each other.

FIG. 4 is an example of a table that stores the session key, unique code, and access source information in the secondary server storage unit 42. In FIG. 4, a session key 421, a unique code 422, access source information 423, an access expiration date 424, and a session key collation status 425 are stored in association with each other. Corresponding to each field of the table of the main server storage unit 32 in FIG. The correspondence relationship is that the session key 321 is the session key 421, the unique code 322 is the unique code 422, and the access source information 323 is the access source information 423. The access time 324 and the access expiration date 424 have a relationship between the times when the session key verification request can be received based on the time when the authentication request is received. The session key verification status 425 is a field indicating whether session key verification has been performed based on a session key verification request, whether verification is OK or verification NG.
For example, in FIG. 4, the session key 421, unique code 422, and access source information 423 store the same values as the session key 321, unique code 322, and access source information 323 in FIG. The access expiration date 424 is set for 5 minutes with respect to the access time 324. The session key verification status 425 indicates that when the session key is aaaaa, the session key verification is performed and “OK” is stored in the verification OK state. When the session key is bbbbb, the session key verification is not yet performed. Stores “not yet”.

  The secondary server communication unit 43 is an interface that communicates with the authentication main server device 3, the service terminal 2, and the mobile terminal 6 through the network 5.

  The network 5 is connected to the service providing server device 7, the authentication main server device 3, the authentication sub server device 4, the service terminal 2, and the mobile terminal 6, and is connected to a wide area communication network such as the Internet or an IP network such as a closed communication network, or a mobile phone. It is a telephone communication network.

  The mobile terminal 6 is a device that forms a session key collation route carried by a user such as a mobile phone. The mobile terminal 6 relays the session key acquired from the service terminal 2 and transmits it to the authentication sub server device 4. For this reason, the mobile terminal 6 includes a relay unit 61.

  The relay unit 61 acquires the session key presented from the service terminal 2 without going through the network 5, and transmits the session key obtained from the service terminal 2 through the network 5 to the authentication secondary server device 4. For example, when a session key converted into a two-dimensional barcode is displayed on the screen of the service terminal 2, the service terminal is read without using the network 5 by reading and decoding the two-dimensional barcode using a camera (not shown). Get the session key from 2.

  Further, the portable terminal 6 has an input unit and a storage unit (not shown), and when the session key is transmitted to the authentication secondary server device 4, the user inputs or uses the authentication secondary server device 4 held in the portable terminal 6. User registration information is sent together and used for user authentication.

  The service providing server device 7 is a server that provides a service to the service terminal 2. When the service provision request is received from the service terminal 2, the presented authentication transfer request to the authenticator server device 3 is transmitted to the service terminal 2. The authentication result sent from the authenticator server device 3 is received via the service terminal 2 and an authorization process is performed. If the authentication result is successful, the service is provided to the service terminal 2.

  Next, the overall flow of the authentication collaboration system in FIG. 2 will be described with reference to FIG. Note that the processing flow described below is controlled by a program executed by the first terminal control unit 21, the main server control unit 31, the sub server control unit 41, the mobile terminal 6, and the service providing server device 2.

  As shown in FIG. 5, the overall flow of the authentication collaboration system is as follows. The service terminal 2 presents the authentication main server device 3 to the service providing server device 7 and transmits a service providing request (step S1). Start. The service providing server device 7 that has received the service providing request transmits an authentication transfer request to the authenticating server device 3 to the service terminal 2 (step S2).

  The authentication request unit 211 of the service terminal 2 transmits an authentication request to the authentication main server device 3 in accordance with the authentication transfer request to the authentication main server device 3 received from the service providing server device 2 (step S3). The authenticator server device 3 that has received the authentication request first obtains access source information from the service terminal 2 that is the transmission source of the authentication request. Further, the pair information generating unit 311 of the authentication main server device 3 generates pair information of a session key and a unique code, and stores it in the main server storage unit 32 in association with the acquired access source information (step S4).

  Next, the first path control means 312 of the authentication main server device 3 transmits the session key, unique code, and access source information to the authentication sub server device 4 (step S5). The data acquisition unit 411 of the authentication secondary server device 4 stores the session key, the unique code, and the access source information received from the authentication main server device 3 in association with each other in the secondary server storage unit 42 (step S6).

  Further, the first route control means 312 of the authenticator server device 3 transmits a session key to the service terminal 2 (step S7). The first route forming means 212 of the service terminal 2 displays the session key received from the authenticator server device 3 on the screen (step S8). Thereafter, the first path forming means 212 of the service terminal 2 sends a session key verification result request (that is, a unique code request) for session key path formation with a session key to the authentication secondary server apparatus 4 and thereafter session key verification. Until a successful result (that is, an OK response including a unique code) is obtained (step S10).

When receiving the unique code request, the second route control means 413 of the authentication secondary server device 4 confirms whether or not the session key verification is performed on the received session key (step S11), and the session key verification is not yet performed. If there is no response, a session key unmatched response (WAITING response) is returned (step S12).

  In the mobile terminal 6, the session key displayed on the screen of the service terminal 2 is input by the user's operation (step S9). Thereafter, in response to the user's operation, the relay means 61 of the portable terminal 6 transmits a session key to the authentication secondary server device 4 (step S13).

  The first code verification unit 412 of the authentication secondary server device 4 determines whether or not the session key received from the portable terminal 6 matches the session key received and stored from the authentication main server device 3, and the result is determined as a session. Stored as a key verification result (step S14).

  When the second path control means 413 of the authentication secondary server device 4 receives the unique code request from the service terminal 2 after determining the success of the session key verification (step S16), the second route control means 413 acquires the access source and sends it from the authentication main server device 3. It is determined whether or not it matches the sent access source, and an OK response including a unique code is transmitted to the service terminal 2 only when the access source matches and the session key verification result is successful (step S17). . In other cases, a failure message due to an NG response is issued and the process is terminated.

When the service terminal 2 receives the unique code by the OK response, the second path forming unit 213 transmits a unique code collation request including the unique code and the session key to the authentication main server device 3 (step S18). At this time, when the service terminal 2 receives a failure message as an NG response, the service terminal 2 displays that fact and ends the process.

When the authentication main server device 3 receives the unique code verification request, the second code verification unit 313 receives the session key and unique code stored in the main server storage unit 32, and the session key and unique code received from the service terminal 2. In comparison, unique code verification is performed (step S19), and the result is returned to the service terminal 2 as an authentication result (step S20).

  The service terminal 2 transmits the received authentication result to the service providing server device 7 (step S21). The service providing server device 7 determines the received authentication result (step S22), and when it is confirmed that the authentication is successful, the service providing server device 7 starts providing the service to the service terminal 2.

Next, a detailed processing flow of the service terminal 2 will be described with reference to FIG.
As shown in FIG. 6, the authentication cooperation processing flow of the service terminal 2 is a service provision request including information related to an authentication provider specified by the user to the service provision server device 7 by the first terminal control unit 21 and a service provision ID. Is started (step S100).

  When the first terminal control unit 21 transmits a service provision request to the service providing server device 7, it returns and receives an authentication result transfer request from the service providing server device 7 to the authentication provider designated by the user (step S101). The authentication request unit 211 transmits an authentication request based on the authentication result transfer request to the authenticator server device 3 corresponding to the authentication provider (step S102).

When the authentication request unit 211 transmits an authentication request to the authenticator server device 3, the authentication request unit 211 returns and receives a session key from the first route control unit 312 of the authenticator server device 3 (step S103).
The first path forming unit 212 converts the session key received from the authenticator server device 3 into a two-dimensional barcode so that the mobile terminal 6 can capture the session key, and displays it on the screen (step S104).

  Thereafter, the first path forming means 212 transmits a unique code request including the session key to the authentication secondary server apparatus 4 (step S105), and waits until a response is received from the authentication secondary server apparatus 4 (step S106). When the OK response including the unique code is received from the authentication secondary server device 4 (step S106—Yes), the second path forming means 213 receives the session key previously received from the authentication main server device 3 and the authentication secondary server device 4. A unique code verification request including the received unique code is transmitted to the authentication main server apparatus 3 (step S107). And it waits for a process until the response from the authentication main server apparatus 3 is received (step S108). When the response is received (step S108-Yes), the result receiving unit 214 transfers the contents to the service providing server device 7 (step S109), and the process of this routine is finished.

  In step S106, when a WAITING response that does not include the unique code is received from the authentication secondary server apparatus 4 (step S106-No), after waiting for a predetermined time, the process returns to step S105, and the first path forming unit 212 receives the unique response. Send a code request. When a NO response not including a unique code is received from the authentication secondary server device 4 (not shown), this routine is terminated assuming that the session key is inappropriate.

Next, a detailed processing flow of the authenticator server device 3 will be described with reference to FIG.
As shown in FIG. 7, the authentication cooperation processing flow of the authenticator server device 3 is started by receiving an authentication request from the service terminal 2 (step S200).

  When receiving the authentication request from the authentication request unit 211 of the service terminal 2, the pair information generation unit 311 acquires the access source information from the access source service terminal 2 (step S201), and generates a session key and a unique code (step S201). S202), the session key 321, the unique code 322, and the access source information 323 are stored in association with the main server storage unit 32, respectively.

  Then, the first route control unit 312 transmits the session key 321, the unique code 322, and the access source information 323 to the authentication sub server device 4 (step S203). Then, the first route control unit 312 transmits the session key 321 to the service terminal 2 (step 204).

  Thereafter, the process waits until a unique code verification request is received from the second route forming means 213 of the service terminal 2. When a unique code verification request including a session key and a unique code is received from the service terminal 2 (step S205—Yes), the main server storage unit 32 stores the session key 321 and the unique code 322 corresponding to the session key received from the service terminal 2. And determines whether the set of session key and unique code matches (step S206). When the combination of the session key and the unique code is matched and the collation is successful (step S207-Yes), the result transmitting unit 314 generates a collation success OK response (step S208) and transmits the result to the service terminal 2 (step S208). Step S209).

  In step S207, if the pair of the session key and the unique code does not match and collation fails (step S207-No), the result transmission unit 314 generates a collation failure NG response (step S210) and sends the result to the service terminal 2. Transmit (step S209).

Next, a detailed processing flow of the authentication secondary server apparatus 4 will be described with reference to FIG.
As shown in FIG. 8, the authentication cooperation processing flow of the authentication secondary server apparatus 4 receives the data of the session key 321, the unique code 322, and the access source information 323 from the authentication main server apparatus 3 (step S300). Start.

  Upon receiving the session key 321, unique code 322, and access source information 323 from the authentication main server device 3, the data acquisition unit 411 stores the session key 421, unique code 422, and access source information 423 in the secondary server storage unit 42. The data is stored in association with each other (step S301). Thereafter, the process waits until a session key is received from the service terminal 2 and the portable terminal 6 (step S302).

  When the session key is received and the first code verification unit 412 confirms that the session key registered in the session key 421 has been received (step S302-Yes), then the transmission source is the service terminal 2 (that is, the unique code). It is determined whether or not a request has been received (step S303). When the transmission source is the same service terminal 2 as the access source information 423 (step S303—Yes), the second route control unit 413 has received the same session key as the received session key from the portable terminal 6 (that is, the session It is determined whether or not the key has been verified (step S304). If the session key verification has been completed (step S304-Yes), it is further determined whether or not the session key verification is OK (step S305). If the session key verification is OK (step S305-Yes), the second path control unit 413 reads the unique code corresponding to the session key from the unique code 422 (step S306), and generates an OK response including the unique code. Then, the result is transmitted to the service terminal 2 (step S308).

  In step S304, if it is neither session key verification OK nor session key verification NG, that is, if it is not verified (step S304-No), a WAITING response is generated and transmitted to the service terminal 2 (step S309), and step S302. Return to.

  In step S305, if the session key verification is not OK, that is, if the session key verification is NG (step S305-No), an NG response is generated (step S310), and the result is sent to the service terminal 2. Transmit (step S308).

  In step S303, when the transmission source is not the same service terminal 2 as the access source information 423 (step S303-No), the second terminal confirmation unit 414 receives the session key from the portable terminal 6 permitted to connect to the authentication secondary server device 4. (That is, whether a session key verification request has been received) is determined (step S311). When the session key is received from the portable terminal 6 permitted to connect to the authentication secondary server device 4 (step S311-Yes), the first code verification unit 412 receives the session key registered in the session key 421. The session key verification OK result is stored in the secondary server storage unit 42 in association with the session key 421 (step S312), and the session key verification OK result is output to the mobile terminal 6 (step S314). Return to S302.

  If the session key is not received from the portable terminal 6 permitted to connect to the authentication secondary server device 4 in step S311 (step S311-No), the result of the session key verification NG is that the session key is not properly received. Is stored in the secondary server storage unit 42 in association with the session key 421 (step S313), the result of the session key verification NG is output to the session key transmission source (step S314), and the process returns to step S302.

  The present invention is not limited to the above-described embodiment, and many changes and modifications can be made. For example, in step S7 in FIG. 5, the authentication main server device 3 transmits the session key to the service terminal 2. However, the authentication sub server device 4 information (URL) and the like are transmitted together with the session key. May be.

  In step S4 in FIG. 5, the authenticator server device 3 generates a session key and a unique code. At this time, the generation time of the session key and the unique code is stored, and the elapsed time up to step S20 May be restricted.

  As a method for transferring the session key from the service terminal 2 to the portable terminal 6, a two-dimensional barcode converted from the session key is displayed on the service terminal 2 and read by the camera of the portable terminal 6, and a character string is displayed. A service using terminal in which the user inputs it using the keyboard of the mobile terminal 6, and the service terminal 2 transmits a DTMF (Dial Tone Multi Frequency) signal in which the session key is converted and received by the microphone of the mobile terminal 6; Various methods are conceivable, such as connecting the mobile terminal 6 by non-contact communication such as wireless LAN or bluetooth (registered trademark) and transferring a session key.

  Further, when confirming the association of IDs for authenticating the users of the authentication provider, the second route forming means 213 is sent from the first terminal operation unit 22 of the service terminal 2 in the unique code verification request transmission process. A unique code verification request including the input ID may be transmitted, and the main server control unit 31 may perform ID verification. In addition, in the transmission process of the session key verification request, if the relay means 61 transmits the session key from the portable terminal 6 to the authentication sub server apparatus 4 with the ID added, the service terminal 2 can authenticate the authentication sub server apparatus. The ID can be received together with the unique code from 4, and the ID can be added to the unique code verification request. If an ID is sent from the portable terminal 6 to the authentication sub server apparatus 4, the ID can be transmitted from the authentication sub server apparatus 4 to the authentication main server apparatus 3 in association with the session key and used for ID verification. Furthermore, the unique code verification request may be transmitted including not only the ID but also a password for authenticating the user of the authentication provider. At this time, the second code verification unit 313 receives the unique code verification request including the ID / password for authenticating the user of the authentication provider in the reception process of the unique code verification request, and verifies the ID / password. Is included in the verification result of the access source information and the pair information, and both the user and the terminal can be authenticated as the verification result of the second code verification unit 313.

  Further, when the session key is transmitted from the portable terminal 6 to the authentication sub server device 4, the user of the person who operates the portable terminal 6 may be authenticated. Thereby, it becomes possible to limit the portable terminal 6 which can be used. As an example of the authentication method, a portable terminal that uses an ID and a password, uses a certificate stored in the portable terminal 6, uses a certificate stored in an IC card using the IC card communication function of the portable terminal 6, Various methods are conceivable, such as reading biometric information in step 6 and transmitting and comparing feature amounts to a server, and transmitting a touch or acceleration change pattern to the portable terminal and comparing it with a pre-stored one. In addition, to strengthen authentication, the mobile terminal ID of the mobile terminal 6, the browser type of the service terminal 2 used for access, the current location information acquired by the GPS installed in the service terminal 2 and the mobile terminal 6, etc. are transmitted. However, each may be compared with a registered one. Further, network access sources may be restricted.

  Further, in the processing for the unique code request, the authentication secondary server device 4 returns a message in which the unique code has already been transmitted for the second and subsequent accesses even if the access is from the correct session key and access source. In the case where an unauthorized user steals a unique code before a legitimate user, it may be possible to know that the legitimate user has been stolen.

  The authenticator server device 3 may further check whether the access source at the time of the unique code verification request is the same as the access source acquired in step S4 when the service provision request is received.

As a method for receiving the unique code from the authentication secondary server device 4, a unique code request is transmitted from the service terminal 2 to the authentication secondary server device 4 after the first route forming means 212 starts forming the session key verification route. The case where the unique code is provided by the OK response has been described, but there is a method in which the unique code request is not transmitted. In this case, when the authentication secondary server apparatus 4 receives the session key verification request of the portable terminal 6 and determines that the session key received by the first code verification unit 412 is registered in the session key 421 of the secondary server storage unit 42. The second route control means 413 generates an OK response, specifies the access source information 423 corresponding to the session key from the secondary server storage unit 42, determines the destination service terminal 2 based on the access source information, and is unique. Send OK response with code.

1 ... Authentication system 2 ... First terminal (service terminal)
DESCRIPTION OF SYMBOLS 21 ... 1st terminal control part 211 ... Authentication request means 212 ... 1st path | route formation means 213 ... 2nd path | route formation means 214 ... Result receiving means 22 ... 1st terminal operation part 23 ... 1st terminal communication part 3 ... Main server (authentication main server apparatus)
31 ... Main server control unit 311 ... Pair information generating unit 312 ... First route control unit 313 ... Second code collating unit 314 ... Result transmitting unit 32 ... Main server storage unit 33 ... Main server communication unit 4 ... Sub server (authentication sub server device)
41 ... sub server control unit 411 ... data acquisition unit 412 ... first code collation unit 413 ... second path control unit 414 ... second terminal confirmation unit 42 ... sub server storage unit 43 ... secondary server communication unit 5 ... network 6 ... second terminal (mobile terminal)
61: Relay means 7: Service providing server device

Claims (6)

An authentication system in which a first terminal, a main server, and a secondary server are connected via a network, and the first terminal that requested authentication of the result of the first terminal, the main server, and the secondary server cooperating and authenticating can be obtained,
The first terminal is
Authentication request means for transmitting an authentication request signal to the main server;
First path forming means for receiving a first code from the main server and transmitting a second code request signal including the first code to the sub server;
Receiving a second code from the secondary server, a second path forming means for transmitting a second code verification request signal including the second code and the first code received from the main server to the main server;
A result receiving means for receiving an authentication result from the main server;
The main server is
Each time an authentication request signal is received from the first terminal, a first code and a second code corresponding to the authentication request are generated, and the first code and the second code generated for each authentication request signal are associated with each other. Pair information generating means to be stored in the server storage unit;
First path control means for transmitting the associated first code and second code to the sub-server and transmitting the first code to the first terminal;
A second code collating means for collating the second code stored in the main server storage unit with the received second code when a second code collation request signal is received from the first terminal;
A result transmitting means for transmitting the verification result in the second code verification means to the first terminal as an authentication result for the authentication request;
The secondary server is
Data acquisition means for storing the first code and the second code received from the main server in association with each other in the secondary server storage unit;
Receiving a second code request signal from the first terminal, collating the first code of the secondary server storage unit with the received first code, and determining whether or not they match,
An authentication system comprising: a second path control unit that transmits a second code corresponding to the first code that has been verified by the first code verification unit to the transmission source of the second code request signal.   The authentication system according to claim 1, wherein the first code is a session key.   The authentication system according to claim 1, wherein the second code is secret information. In the main server:
The pair information generating means associates the access source information for identifying the first terminal obtained during communication of the authentication request from the first terminal with the first code and the second code generated for each authentication request signal. Store in the main server storage unit,
The first route control means transmits the access source information associated by the pair information generation means together with the first code and the second code to the sub server,
In the secondary server,
The data acquisition means stores the access source information in the secondary server storage unit in association with the first code and the second code,
The second path control means transmits the second code when the transmission source of the second code request signal is the first terminal specified by the access source information. The authentication system described in. Further, the second terminal having at least relay means for acquiring the second code request signal from the first terminal without passing through the network and transferring the second code request signal to the sub server via the network,
The authentication system according to any one of claims 1 to 4, wherein the first route forming unit of the first terminal transmits the second code request signal to the second terminal. The said secondary server further has a 2nd terminal confirmation means which enables transmission of a 2nd code on the condition that the said 2nd terminal was able to confirm that it was a user registered terminal. Authentication system.

Images