JP2013145457A - Program and network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a program and a network system capable of improving convenience of users in cloud computing and performing an authentication with improved security.SOLUTION: A group of a user ID is determined. When matching of the user ID and a password is satisfied and an access is from a network in a company, the authentication of the user who belongs to a first group is permitted. When the matching of the user ID and the password is satisfied and there is an access from the network in the company, or matching of the user ID and password and matching of certification information are satisfied, the authentication of the user ID who belongs to a second group is permitted.

Description

  The present invention relates to a program and a network system.

  Conventionally, there is an authentication server that authenticates a user based on a user ID and a password. Also, in recent years, a system called cloud computing has made it possible for users to access from anywhere via the Internet, and it has become possible to improve user convenience.

  Further, as a conventional technique, there is a technique in which a terminal acquires line identification information from a server and performs settlement processing when the line identification information is stored in advance on the terminal side (see FIG. 1 and paragraph 0009 of Patent Document 1). ).

JP 2006-261991 A

  Conventionally, a terminal often transmits a user ID and a password to an authentication server via an intranet, and there has been a situation in which security is ensured on a closed network.

  On the other hand, in cloud computing, since it is a wide-area network, the user ID and password input from the terminal are transmitted to the authentication server via the Internet, which is wiretapping compared to the authentication system in the intranet. There is a high possibility that security problems such as spoofing will occur.

  The present invention has been made in view of the above-described problems, and it is an object of the present invention to provide a program and a network system capable of performing authentication with improved user convenience and enhanced security in cloud computing.

  (1) The present invention is a program for an authentication server connected to a terminal via the Internet, and the user ID and password received from the terminal are registered in advance in an authentication database. A first determination unit that determines whether or not the first condition that satisfies the first condition is satisfied, and address information of the transmission source of the terminal are registered in the authentication database in advance. A second determination unit that determines whether or not the second condition is set to match the address information as a second condition, and certification information received from the terminal is registered in the authentication database in advance. A third determination unit that determines whether or not the third condition that satisfies the third condition is that it matches the proof information, and a group determination that determines the group of the user ID And an authentication determination unit that determines permission or non-permission of authentication of the user ID, and when the authentication determination unit satisfies the first condition and the second condition, When the user ID belonging to the group is permitted to be authenticated and the first condition and the second condition are satisfied, or when the first condition and the third condition are satisfied, The present invention relates to a program that permits authentication of a user ID to which the user belongs.

  The present invention also relates to an information storage medium readable by a computer and storing the program. The present invention also relates to an authentication server including the above-described units. The “address information” is, for example, an IP (Internet Protocol) address of a gateway of an organization network.

  According to the present invention, authentication permission is determined by different methods / flows for user IDs belonging to the first group and user IDs belonging to the second group, so that convenience and security can be improved while responding to the group. Appropriate authentication can be performed.

  For example, according to the present invention, for a user ID belonging to the first group (for example, a user ID of a group in the development department), the user ID and password are registered in advance in the authentication database. If they match, and if the address information of the transmission source of the terminal matches the address information registered in the authentication database in advance (for example, the IP address of the gateway of the company network), authentication is permitted. In addition, for user IDs belonging to the second group (for example, the user ID of the sales department group), (A) the user ID and password match the user ID and password registered in the authentication database in advance. When the address information of the transmission source of the terminal matches the address information registered in the authentication database in advance, or (B) the user ID and the password are registered in the authentication database in advance. Authentication is permitted when it matches the password and when the certification information received from the terminal matches the certification information registered in the authentication database in advance.

  That is, according to the present invention, when the IP address of the gateway of the company network is registered in the authentication database in advance, the user ID belonging to the first group (for example, the user ID of the group in the development department) It is possible to restrict access from other networks and prohibit access from outside networks. For user IDs belonging to the second group (for example, user IDs of the sales department group), even if the access is from an external network, the certification information received from the terminal is registered in the authentication database in advance. Authentication is permitted when it matches the proof information. Thus, according to the present invention, for terminals belonging to the first group, by limiting the transmission source of the terminals to, for example, the IP address of the gateway of the company network (restricted to access from the in-house network), Security can be increased. In addition, for terminals belonging to the second group, even if the transmission source of the terminal is not the IP address of the gateway of the company network, for example (for example, access from an external network), the certification information Authentication is allowed on condition of match. Thus, according to the present invention, it is possible to provide an authentication system with improved security and convenience.

  (2) Further, when the terminal is a terminal having a user ID belonging to the second group, the program of the present invention is configured so that the second condition is satisfied when the first condition and the second condition are satisfied. The computer may further function as a communication control unit that performs a process of transmitting the certification information to a terminal having a user ID belonging to a group.

  According to the present invention, the user ID and password registered in advance in the authentication database for the terminal of the user ID belonging to the second group (for example, the user ID of the sales department group) are registered. And when the address information of the transmission source of the terminal matches the address information registered in the authentication database in advance (for example, the IP address of the gateway of the company network), the process of transmitting the certification information I do.

  That is, according to the present invention, when the IP address of the gateway of the company network is registered in the authentication database in advance, the transmission source of the terminal of the user ID belonging to the second group is the IP address of the gateway of the company network (in-house The authentication server transmits the certification information. Therefore, according to the present invention, security can be enhanced by restricting the provision of certification information to, for example, terminals from within the company.

  (3) The present invention is a network system in which a terminal and an authentication server are connected via the Internet, and a user ID and password received from the terminal are registered in advance in an authentication database. A first determination unit that determines whether or not the first condition that satisfies the first condition is satisfied, and address information of the transmission source of the terminal are registered in the authentication database in advance. A second determination unit that determines whether or not the second condition is set to match the address information as a second condition, and certification information received from the terminal is registered in the authentication database in advance. A third determination unit for determining whether or not the third condition is satisfied, the third condition being to match the proof information, and a group for determining the group of the user ID And when the authentication determination unit satisfies the first condition and the second condition, the first determination unit determines whether the user ID authentication is permitted or not permitted. When the user ID belonging to the group is permitted to be authenticated and the first condition and the second condition are satisfied, or when the first condition and the third condition are satisfied, A communication control unit that performs processing of permitting authentication of a user ID to which the terminal belongs, and transmitting a Web browser in which file downloading is prohibited and a user ID and password input from the input unit to the authentication server And the communication control unit transmits the certification information to the authentication server when the certification information is set in advance in the Web browser.

  According to the present invention, authentication permission is determined by different methods / flows for user IDs belonging to the first group and user IDs belonging to the second group, so that convenience and security can be improved while responding to the group. Appropriate authentication can be performed.

  In addition, the terminal of the present invention transmits the certification information to the authentication server when the certification information is set in advance in a special Web browser in which file download is prohibited. Therefore, according to the present invention, it is possible to prompt the user to use a special Web browser in which file download is prohibited in order to allow authentication. Further, by promoting the use of a special Web browser in which file download is prohibited, file download can be prevented and security can be further improved.

An example of the network diagram of this embodiment. An example of the functional block diagram of this embodiment. 3A, 3B, and 3C are explanatory diagrams of data stored in a database. 4A and 4B are flowcharts of an access success / failure flow. FIG. 5 is a flowchart of an OTP confirmation flow and a certification information confirmation flow. FIGS. 6A and 6B are flowcharts of a certification information provision flow. The flowchart figure which shows the flow of the process of this embodiment. The flowchart figure which shows the flow of the process of this embodiment.

  Hereinafter, this embodiment will be described. In addition, this embodiment demonstrated below does not unduly limit the content of this invention described in the claim. In addition, all the configurations described in the present embodiment are not necessarily essential configuration requirements of the present invention.

1. Network FIG. 1 is an example of a network diagram of the present embodiment. The authentication server 10 (ID provider) of the present embodiment performs user authentication based on information (data) transmitted from the user terminal 20.

  The authentication server 10 is connected to a plurality of terminals 20 via a network. For example, the authentication server 10 of the present embodiment is connected to each terminal 20-A to 20-E constituting a small network 30 such as a company or school via the Internet. Further, the authentication server 10 is connected to the terminal 20-F of the user A's home 41, the terminal 20-B brought back from the company by the user B, the terminal 20-G of the home 43 of the user C, and the portable terminal 20 of the user D via the Internet. -H (for example, a smartphone) can be connected. Note that the terminal 20 of this embodiment is connected to the authentication server 10 by wire or wirelessly.

  The authentication server 10 is connected to an authentication database 11 that stores information such as a user ID and a password via a network (intranet or the Internet). The authentication server 10 performs processing for referring to data registered in the authentication database 11. Further, the authentication server 10 can instruct the authentication database 11 to register new data, delete data, and change data.

  The authentication server 10 is connected to various servers (service providing servers) such as a mail server 31, a file server 32, a shopping server 33, and a photo server 34 via a network. For example, the mail server 31 provides a mail service related to the user ID that the authentication server 10 permits authentication. In addition, the file server 32 provides a file service related to the user ID permitted by the authentication server 10 for authentication. In addition, the shopping server 33 provides a shopping service related to the user ID that the authentication server 10 permits authentication. In addition, the photo server 34 provides a photo service related to the user ID that the authentication server 10 has authorized. In other words, the user only needs to remember one user ID and password, and if authentication to the authentication server 10 is permitted, single sign-on that can receive service from various servers 31 to 34 becomes possible. . Note that, when data such as authentication permission or disapproval is transmitted between the authentication server 10 and the various servers 31 to 34, the data may be encrypted using an electronic signature or the like.

2. Configuration FIG. 2 is an example of a functional block diagram of the network system of the present embodiment. Note that the network system according to the present embodiment does not have to include all the units illustrated in FIG. 2 and may have a configuration in which some of the units are omitted.

  First, the function of the authentication server 10 will be described. The storage unit 170 serves as a work area for the processing unit 100 and the like, and its function can be realized by hardware such as RAM (VRAM).

  The information storage medium 180 can be read by a computer, and the information storage medium 180 stores programs, data, and the like. That is, the information storage medium 180 stores a program for causing a computer to function as each unit of the present embodiment (a program for causing a computer to execute processing of each unit). That is, the processing unit 100 can perform various processes of the present embodiment based on data read from a program (data) stored in the information storage medium 180.

  For example, the information recording medium 180 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 100 performs various processes of the present embodiment based on a program (data) stored in the storage unit 170. Note that the processing unit 100 of the present embodiment reads the program and data stored in the information storage medium 180, stores the read program and data in the storage unit 170, and performs processing based on the program and data. Also good.

  The processing unit 100 (processor) performs various processes using the main storage unit in the storage unit 170 as a work area. The functions of the processing unit 100 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 100 includes a communication control unit 111, a determination unit 112, a group determination unit 113, and an authentication determination unit 114.

  The communication control unit 111 performs a process of transmitting / receiving data to / from the terminal 20 via a network (intranet or the Internet).

  For example, the communication control unit 111 performs a process of receiving a user ID and password transmitted by the terminal 20. Further, the communication control unit 111 may transmit authentication permission or disapproval to the terminal 20.

  In addition, the communication control unit 111 performs processing for transmitting and receiving data to and from the authentication database 11 and various servers such as the mail server 31, the file server 32, the shopping server 33, and the photo server 34 via a network (intranet or the Internet). For example, the communication control unit 111 may transmit authentication permission or disapproval to the various servers 31 to 34.

  In particular, when the terminal 20 is a terminal 20 having a user ID belonging to the second group, the communication control unit 111 according to the present embodiment uses the first condition of the first determination unit 112A and the second determination unit 112B. When the second condition is satisfied, a process of transmitting certification information to the terminal 20 of the user ID belonging to the second group is performed.

  The determination unit 112 makes a determination for authentication. In particular, the determination unit 112 of the present embodiment includes a first determination unit 112A, a second determination unit 112B, and a third determination unit 112C.

  The first determination unit 112A sets the first condition that the first condition is that the user ID and password received from the terminal 20 match the user ID and password registered in the authentication database 11 in advance. Judge whether to meet or not.

  Whether or not the second determination unit 112B satisfies the second condition where the second condition is that the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance. Judging.

  The third determination unit 112C determines whether or not the third condition satisfies the third condition that the certification information received from the terminal 20 matches the certification information registered in the authentication database 11 in advance. to decide.

  The group determination unit 113 determines a group of user IDs. In this embodiment, it is referred to the user information registered in the authentication database 11 to which group a user ID belongs among two or more groups (for example, first and second groups). judge.

  The authentication determination unit 114 determines permission or non-permission of user ID authentication. Then, the authentication determination unit 114 permits authentication of user IDs belonging to the first group when the first condition of the first determination unit 112A and the second condition of the second determination unit 112B are satisfied. When the first condition of the first determination unit 112A and the second condition of the second determination unit 112B are satisfied, or the first condition of the first determination unit 112A and the third condition of the third determination unit 112C When the above condition is satisfied, authentication of user IDs belonging to the second group is permitted.

  The authentication server 10 includes an authentication database 11. Information such as a user ID, password, address information, and certification information is registered (stored and stored) in the authentication database 11. In the present embodiment, information may be registered in the authentication database 11 in advance based on input information from the administrator. Information update processing and information deletion processing may be performed based on input information from the administrator. In the present embodiment, the authentication server 10 may perform registration processing. For example, the authentication server 10 may register a user ID, a password, and the like based on a registration request from the terminal 20. In the present embodiment, the authentication server 10 may perform an update process. For example, the authentication server 10 may update the user ID, password, and the like based on an update request from the terminal 20. In the present embodiment, the authentication server 10 may perform the deletion process. For example, the authentication server 10 may delete the user ID, password, and the like based on a deletion request from the terminal 20. In this embodiment, the storage unit (storage area) of the authentication database 11 is physically separated from the storage unit 170 (storage area) of the authentication server 10, but the authentication database 11 is stored in the storage unit 170 of the authentication server 10. These data may be stored.

  In addition, the processing unit 100 of the present embodiment may include a Web processing unit that functions as a Web server. For example, the Web processing unit receives data transmitted by the Web browser 210 of the terminal 20 through processing of transmitting data in response to a request from the Web browser 210 installed in the terminal 20 through HTTP (Hypertext Transfer Protocol). Process. In particular, in this embodiment, the Web processing unit provides a login screen for performing user authentication, and performs processing for receiving user information such as a user ID and a password transmitted by the Web browser 210 of the terminal 20. May be.

  The terminal 20 is a computer, a smartphone, a tablet computer, a mobile phone, a game machine, or the like.

  The storage unit 270 serves as a work area for the processing unit 200 and the like, and its function can be realized by hardware such as RAM (VRAM).

  The information storage medium 280 can be read by a computer, and the information storage medium 280 stores programs, data, and the like. That is, the information storage medium 280 stores a program for causing a computer to function as each unit of the present embodiment (a program for causing a computer to execute the processing of each unit). That is, the processing unit 200 can perform various processes of the present embodiment based on data read from a program (data) stored in the information storage medium 280.

  For example, the information recording medium 280 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 200 performs various processes of the present embodiment based on a program (data) stored in the storage unit 270. Note that the processing unit 200 according to the present embodiment reads a program or data stored in the information storage medium 280, stores the read program or data in the storage unit 270, and performs processing based on the program or data. Also good.

  The processing unit 200 (processor) performs various processes using the main storage unit in the storage unit 270 as a work area. The functions of the processing unit 200 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 200 includes a web browser 210 and a communication control unit 211. The terminal 20 can display information from a Web server specified by a URL (Uniform Resource Locator) via the Internet using the Web browser 210. For example, when the authentication is permitted in the authentication server 10, the terminal 20 displays the mail information (user received mail, transmitted mail, etc.) of the user ID of the terminal 20 from the mail server 31 having the Web server function. Can be made. Further, the web browser 210 of the present embodiment may be a web browser in which file download is prohibited.

  The communication control unit 211 performs processing for transmitting / receiving data to / from the authentication server 10, various servers 31 to 34, and the like via a network. For example, the communication control unit 211 performs a process of transmitting the user ID and password input from the input unit 220 to the authentication server 10. Further, the communication control unit 211 may transmit the certification information to the authentication server 10 when the certification information is set in the Web browser 210 in advance. Further, the communication control unit 211 may receive the authentication determination result (permitted or not permitted) from the authentication server 10. Further, the communication control unit 211 may receive mail information related to the user ID of the terminal 20 from the mail server 31 when authentication is permitted by the authentication server 10.

  The input unit 220 is an input device (controller) for inputting input information from the user (operator), and outputs the user input information to the processing unit 200. The input unit 220 of this embodiment may include a detection unit that detects user input information (input signal). For example, the input unit 220 detects input information of a keyboard and detects a touch position (touch position) of a touch panel display.

  The input unit 220 may be an input device including an acceleration sensor that detects triaxial acceleration, a gyro sensor that detects angular velocity, and an imaging unit. The input unit 220 also includes a terminal 20 (smart phone, mobile phone, mobile terminal, portable game device) integrated with an input device.

  The display unit 290 outputs Web browser information and images, and the function can be realized by a CRT, LCD, touch panel display, HMD (head mounted display), or the like.

3. Method of Processing of Present Embodiment 3.1 Overview The authentication server 10 of the present embodiment employs a method of performing grouping for a plurality of users in an organization and performing authentication according to each group. That is, the authentication server 10 employs a method of determining a group of user IDs of the terminal and determining permission or non-permission of user ID authentication based on the group to which the user ID belongs.

  For example, the authentication server 10 (1) The first condition is that the first condition is that the user ID and password received from the terminal match the user ID and password registered in the authentication database 11 in advance. And (2) address information (for example, the IP address of the gateway of the company network) in which the address information of the transmission source of the terminal is registered in the authentication database 11 in advance. A second determination for determining whether or not the second condition is satisfied as a second condition, and (3) a proof in which the certification information received from the terminal is registered in the authentication database 11 in advance A third determination is made to determine whether or not the third condition is satisfied with the third condition being coincident with the information. And the authentication server 10 permits the authentication of the user ID belonging to the first group (for example, the user ID of the group of the development department) when the first condition and the second condition are satisfied, and the first condition When the second condition is satisfied or when the first condition and the third condition are satisfied, authentication of a user ID belonging to the second group (for example, a user ID of the sales department group) is permitted.

  In this way, authentication is determined by different methods / flows for user IDs belonging to the first group and user IDs belonging to the second group, so that convenience and security can be improved and appropriate according to the group. Authentication can be performed. That is, when the IP address of the gateway of the company network is registered in the authentication database 11 in advance, the user ID belonging to the first group (for example, development group) should be restricted to access from the in-house network. Can increase security. In addition, user IDs belonging to the second group (for example, sales group) can be accessed from the internal network, and even if the access is from an external network, the proof information is matched. Allow authentication for the condition. As described above, in the present embodiment, the convenience of the second group of users is increased so that the user can be accessed from the outside network while enhancing the security.

3.2 Authentication Database 3.2.1 User Information FIG. 3A is an example of user information registered in the authentication database 11. The user information includes a user ID (user identification information, user name), a password, and a group ID (group identification information) to which the user belongs. In addition, the user information may include a seed number (seed number) of OTP (OTP is an abbreviation for one-time password) and certification information. If the OTP seed number and certification information are not registered, NULL is set. The password, group ID, OTP seed number, and certification information are registered in association with the user ID. The certification information of this embodiment is one piece of identified information (character string consisting of alphabets and numbers) per user, and different certification information is given to each user. FIG. 3A shows user information of the XX company whose organization ID is 1. In this embodiment, user information is managed for each organization.

3.2.2 Organization Information FIG. 3B is an example of organization information registered in the authentication database 11. For example, the organization information includes an organization ID (organization identification information), an organization name, and an IP address of the network of the organization (IP address of a gateway of the network). That is, the organization name and the IP address of the organization network are registered in association with the organization ID.

3.2.3 Flow pattern (processing pattern)
FIG. 3C is an example of various flow patterns (processing patterns, processing types) registered in the authentication database 11. For example, as shown in FIG. 3C, the patterns (types) of the access success / failure flow, the OTP confirmation flow (one-time password confirmation flow), the certification information confirmation flow, and the certification information addition flow are associated with the group ID. ) Is registered.

3.2.3.1 Access Success / Failure Flow First, the access success / failure flow will be described. The access success / failure flow is a processing flow for determining success or failure of access from the user terminal 20 to the authentication server 10.

  FIG. 4A shows the A pattern of the access success / failure flow. The A pattern will be described. First, it is determined whether or not the access is from an organization network (step S1). That is, the authentication server 10 determines whether the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (whether the second condition of the second determination unit 112B is satisfied). Or). For example, the authentication server 10 detects the IP address of the transmission source (access source) of the terminal 20 from the packet information received from the terminal 20, and the IP address of the transmission source of the terminal is an IP address registered in the authentication database. To determine whether or not. For example, when the IP address of the transmission source of the terminal 20-A is “122.200.243.240”, as shown in FIG. 3B, the IP address of the transmission source of the terminal 20-A is the authentication database. 11, it can be determined that the access is from the network of “XX company”. That is, it is determined that the access is from an organization (XX company) network.

  If the access is from the organization network (Y in step S1), it is determined to be successful (step S2). On the other hand, if the access is not from the organization network (N in step S1), that is, outside the organization (for example, If the access is from a network outside of “XX Company”), it is determined as failure (step S3). According to the example of FIG. 3C, the group of the development department, the sales department, and the management department determines success / failure of access by the pattern A flow.

  FIG. 4B is a conditional expression of the B pattern of the access success / failure flow. The B pattern will be described. First, it is determined whether or not the access is from an organization network (step S5). If the access is from an organization network (Y in step S5), it is determined whether or not the current time is within a predetermined time zone (for example, from 9 am to 6 pm) (step S6). If the current time is within the predetermined time zone (Y in step S6), it is determined that the process is successful (step S7). On the other hand, if the access is not from the organization network (N in step S5), or if the current time is not in the predetermined time zone (N in step S6), it is determined as a failure (step S8). According to the example of FIG. 3C, the part-time job group determines whether access is successful or unsuccessful in the pattern B flow. In the present embodiment, other patterns of access success / failure flow may be prepared. For example, when the domain name of the IP address of the terminal transmission source includes a specific character string (for example, “jp”), it is determined to be successful, and the domain name of the IP address of the terminal transmission source is the specific character string. If it is not included, a flow for determining failure may be prepared as a C pattern.

3.2.3.2 OTP Confirmation Flow Next, the OTP confirmation flow (one-time password confirmation flow) will be described. The OTP confirmation flow is a processing flow for determining whether or not OTP confirmation is required for a user terminal.

  FIG. 5 is an OTP confirmation flow of the A pattern. For example, it is determined whether the access is from an organization network (step S10). That is, as described above, the authentication server 10 determines whether or not the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (the second determination unit 112B has the second information). Whether or not the condition is satisfied). If the access is from the organization network (Y in step S10), it is determined that the access is unnecessary (step S11). If the access is not from the organization network (N in step S10), that is, outside the organization (for example, “ If the access is from a network outside the company “XX”, it is determined that it is necessary (step S12). According to the example of FIG. 3C, the development department, the management department, the sales department, and the part-time job determine whether OTP confirmation is necessary or not by the flow of pattern A. In the present embodiment, other patterns of the OTP confirmation flow may be prepared.

3.2.3.3 Certification Information Confirmation Flow Next, the certification information confirmation flow will be described. The certification information confirmation flow is a processing flow for determining whether certification information needs to be confirmed for a user terminal.

  In the present embodiment, the proof information confirmation flow of the A pattern employs the same flow as the A pattern of the OTP confirmation flow. Further, according to the example of FIG. 3C, the development department, the management department, the sales department, and the part-time job determine the necessity / unnecessity of confirmation of the certification information in the pattern A flow. In this embodiment, a unique certification information confirmation flow may be set, or a plurality of types of certification information confirmation flows may be set.

3.2.3.4 Certification Information Assignment Flow Next, the certification information provision flow will be described. The certification information provision flow is a processing flow for determining whether or not to provide certification information to a user terminal.

  FIG. 6A is a flow of providing A pattern proof information. For example, it is determined whether the access is from an organization network (step S20). That is, as described above, the authentication server 10 determines whether or not the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (the second determination unit 112B has the second information). Whether or not the condition is satisfied). If the access is from the organization network (Y in step S20), it is determined that the access is granted (step S21). If the access is not from the organization network (N in step S20), that is, outside the organization (for example, “○ If it is an access from a network outside the company, it is determined not to be granted (step S22). According to the example of FIG. 3C, the sales department determines whether or not to provide certification information in the pattern A certification information provision flow.

  FIG. 6B is a B pattern certification information provision flow. It is determined that the B pattern is not always given (step S23). That is, it is determined that the certification information is not always given regardless of the network inside or outside the organization (for example, XX company). According to the example of FIG. 3C, it is determined that the development unit, the management unit, and the part-time job do not give certification information in the pattern B flow. In this way, security can be further improved by not providing certification information to a group for which access from an external network is prohibited.

3.2.4 Explanation of one-time password In this embodiment, since access from an external network has security problems such as fraud and theft, it is possible to access a specific group that may be accessed from an external network. An OTP generation program that generates an OTP (one-time password) having the same algorithm as that of the authentication server 10 is installed in a terminal 20 of a user (for example, a sales department user), and authentication using the one-time password is performed.

  For example, in the OTP generation program installed in the terminal 20 (or the generation program of the OTP generation apparatus) and the OTP generation program installed in the authentication server 10, the algorithm and the seed number (seed number) are the same. As a result, the OTP generated on the terminal side (OTP generation device side given to the user) matches the OTP generated on the authentication server. For example, the one-time password generation program performs a process of generating a one-time password based on the time and seed number (seed number) at a predetermined cycle (every 30 seconds). In the present embodiment, authentication is performed for a specific group such as a sales department including a one-time password verification process. However, control may be performed so that the one-time password verification process is not performed.

3.2.5 Explanation of Certification Information In the present embodiment, certification information is assigned to the terminal 20 of a user belonging to a specific group such as a sales department. For example, when the terminal 20 is a terminal 20 having a user ID belonging to the second group (for example, the group of the sales department), the authentication server 10 stores the user ID and password received from the terminal 20 in advance in the authentication database. 11 is registered in advance in the authentication database 11 when the user ID and password registered in the terminal 11 match (when the first condition of the first determination unit 112A satisfies the first condition) and the transmission source address information of the terminal 20. When it matches the address information (when the second condition of the second determination unit 112B is satisfied), the process of transmitting the certification information to the terminal of the user ID belonging to the second group is performed. Further, the terminal 20 communicates between the terminal 20 and the authentication server 10 using a Web browser. For example, when the terminal 20 receives the certification information from the authentication server 10, the terminal 20 transmits the certification information to the Web browser. Process to memorize as cookie. A “cookie” is an HTTP cookie and indicates information stored in a Web browser.

  For example, referring to FIG. 1, it is assumed that the IP address (122.200.243.240) of the gateway of the network 30 of “XX company” is registered in the authentication database 11. As shown in FIG. 1, for example, when the user B of the sales department is in the company, the authentication server 10 is accessed from the terminal 20 -B connected to the in-house network, and the authentication is permitted. Receive certification information from. That is, the certification information is stored as a cookie in the Web browser of the terminal 20-B. Then, the user B of the sales department takes home the terminal 20-B, for example, connects the terminal 20-B to a home network, and the terminal 20-B accesses the authentication server 10 via the Internet using a Web browser. The input user ID, password, and certification information set as a cookie of the Web browser are transmitted to the authentication server 10. The authentication server 10 permits authentication when the user ID, password, and certification information received from the terminal 20-B match the user ID, password, and certification information registered in the authentication database 11.

  As described above, the present embodiment provides a mechanism by which the terminal 20-B can acquire certification information when the authentication server 10 is permitted to authenticate the terminal 20-B used by the user B of the sales department. . In other words, according to the present embodiment, the certification information can be acquired simply by logging in the authentication server 10 normally as a user ID of the business group from the in-house network using the Web browser, so that convenience can be improved. Further, the authentication server 10 can strengthen the security by giving the certification information to the access from the in-house network. Note that the authentication server 10 may set an expiration date (for example, an expiration date valid for 7 days from the date when the certification information is granted) in the certification information given to the user's terminal. When the information is received, the certification information may be processed as invalid. In this way, security can be further enhanced.

3.2.6 Others In this embodiment, the authentication server 10 refers to user information, organization information, various flows, and the like registered in the authentication database 11. Further, the authentication server 10 may perform user information, organization information, various flow registration processing, update processing, and deletion processing in response to a request from the terminal 20. In this embodiment, the administrator can manage the authentication database, and can perform user information, organization information, reference of various flows, registration, change, deletion, and the like based on input information from the administrator. . Further, based on input information from the administrator, the flow can be changed, added, deleted, and the like.

3.3 Process Flow FIGS. 7A and 7B are flowcharts showing a process flow of the authentication server 10 of this embodiment. First, the authentication server 10 receives a user ID and a password from the terminal 20 (step S100).

  Next, the source IP address of the received terminal 20 is confirmed (step S101). For example, the authentication server 10 detects the source IP address from the packet information received from the terminal 20. For example, when the IP address of the transmission source of the terminal 20-A is “122.200.243.240”, as shown in FIG. 3B, the network of “XX company” with organization ID = 1 It can be determined that the access is from. On the other hand, when the source IP address of the terminal 20-A is not registered in the authentication database, access from a network outside the company (outside the organization) (from an unspecified terminal on the Internet, an unspecified network) Access).

  Then, it is determined whether or not the user ID and password received from the terminal 20 are correct (step S102). That is, it is determined whether or not the user ID and password received from the terminal 20 match the user ID registered in the authentication database 11 and the password (corresponding to the user ID).

  When the user ID and password received from the terminal 20 are correct, that is, the user ID and password received from the terminal 20 match the user ID registered in the authentication database 11 and the password (corresponding to the user ID). If yes (Y in step S102), the process proceeds to step S103. On the other hand, when the user ID and password received from the terminal 20 are not correct, that is, the user ID and password received from the terminal 20 are the user ID registered in the authentication database 11 (corresponding to the user ID). If it does not match the password (N in Step S102), it is determined that the authentication is not permitted (Step S113).

  Next, the group ID of the received user ID is determined (step S103). That is, as shown in FIG. 3A, the group ID is determined with reference to the group ID corresponding to the user ID registered in the authentication database 11. For example, when the received user ID is “userA”, the group ID of “userA” is “1”.

  Next, it is determined whether the access is successful based on the group ID (step S104). As shown in FIG. 3C, since an access success / failure flow pattern is set for each group ID, access success or failure is determined based on the pattern corresponding to the group ID.

  For example, as shown in FIG. 3A, “userA” has a group ID “1” and an access success / failure flow is an A pattern. Therefore, as shown in FIG. 4A, when “userA” is an access from the network of an organization (for example, XX company), it is determined that the access is successful (Y in step S2 and step S104). On the other hand, when “userA” is an access from other than the network of the organization (for example, XX company), it is determined that the access has failed (N in Step S3 and Step S104).

  Also, for example, as shown in FIG. 3A, “userF” has a group ID “4” and an access success / failure flow is a B pattern. Therefore, as shown in FIG. 4B, when “userF” accesses from the network of the organization (for example, XX company), the current time is within a predetermined time zone (for example, 2:00 pm). If there is, it is determined that the access is successful (step S7, Y in step S104). On the other hand, even when “userF” is accessed from a network other than the organization (for example, XX company) or when “userF” is accessed from the network of the organization (for example, XX company), the current time is predetermined. If it is a time other than the time zone (for example, 11:00 pm), it is determined that the access has failed (N in Step S8 and Step S104).

  If it is determined that access is successful (Y in step S104), the process proceeds to step S105. On the other hand, if it is determined that the access has failed (N in step S104), it is determined whether or not the group ID = 2 (step S114). That is, it is determined whether the group is a specific group (for example, the second group). If the group ID = 2 (Y in step S114), the process proceeds to step S105. If the group ID = 2 is not satisfied (N in step S114), it is determined that the authentication is not permitted (step S113).

  Next, it is determined whether or not to confirm the one-time password (OTP) (step S105). As shown in FIG. 3C, since the OTP confirmation flow pattern is set for each group ID, it is determined whether or not to confirm the OTP based on the flow pattern corresponding to the group ID.

  For example, as shown in FIG. 3A, “userA” has a group ID “1” and the OTP confirmation flow is an A pattern. Therefore, as shown in FIG. 5, when “userA” is an access from the network of an organization (for example, XX company), it is judged that OTP confirmation is unnecessary (step S11), and the one-time password is not confirmed (step S11). N) in step S105. On the other hand, if “userA” is an access from other than the network of the organization (for example, XX company), it is determined that OTP confirmation is necessary (step S12), and the one-time password is confirmed (Y in step S105). .

  When confirming the one-time password (Y in step S105), the terminal requests the one-time password (step S106), and determines whether the one-time password received from the terminal is correct (step S107). . That is, it is determined whether or not the one-time password generated by the authentication server 10 matches the one-time password received from the terminal 20. If the one-time password is correct, that is, if the one-time password generated by the authentication server 10 matches the one-time password received from the terminal 20 (Y in step S107), the process proceeds to step S108. On the other hand, if the one-time password is not correct, that is, if the one-time password generated by the authentication server 10 does not match the one-time password received from the terminal 20 (N in step S107), it is determined that authentication is not permitted ( Step S113).

  Next, it is determined whether or not to confirm the certification information (step S108). As shown in FIG. 3C, since a certification information confirmation flow pattern is set for each group ID, it is determined whether or not to confirm certification information based on the flow pattern corresponding to the group ID. .

  For example, as shown in FIG. 3A, “userA” has a group ID “1” and the certification information confirmation flow is an A pattern. Therefore, as shown in FIG. 5, if “userA” is an access from the network of an organization (for example, XX company), it is judged that confirmation of certification information is unnecessary (step S11), and certification information is not confirmed (step S11). N of step S108). On the other hand, if “userA” is an access from other than the network of the organization (for example, XX company), it is determined that the certification information needs to be confirmed (step S12), and the certification information is confirmed (Y in step S108). .

  When confirming the certification information (Y in step S108), it is determined whether the certification information received from the terminal is correct (step S109). That is, it is determined whether the certification information received from the terminal 20 matches the certification information corresponding to the user ID registered in the authentication database 11 in advance. For example, when the certification information transmitted from the terminal 20-B having the user ID “userB” is “rg2b9i4g7px”, the certification information “rg2b9i4g7px” corresponding to the user ID “userB” registered in the authentication database 11 is used. ", It is determined that the certification information is correct. If the certification information is correct (Y in step S109), the process proceeds to step S110. On the other hand, when the certification information is not correct (N in step S109), it is determined that the authentication is not permitted (step S113).

  Next, it is determined whether or not to provide certification information (step S110). As shown in FIG. 3C, since a proof information grant flow pattern is set for each group ID, it is determined whether or not proof information is given based on the flow pattern corresponding to the group ID. .

  For example, as shown in FIG. 3A, “userB” has the group ID “2” and the certification information provision flow is the A pattern. Therefore, as shown in FIG. 6A, if “userB” is an access from the network of an organization (for example, XX company), it is determined that certification information is to be given (step S21, Y in step S110). On the other hand, if “userB” is an access from other than the network of the organization (for example, XX company), it is determined that the certification information is not given (N in Step S22 and Step S110).

  Also, for example, as shown in FIG. 3A, “userA” has a group ID “1” and the certification information provision flow has a B pattern. Therefore, as shown in FIG. 6B, it is determined that no certification information is given regardless of whether or not “userA” is an access from the in-house network of the XX company (step S23, N in step S110). .

  When the certification information is given (step S110: Y), the certification information is transmitted to the terminal 20 (step S111). Then, after step S111 or N in step S110, it is determined that the authentication is permitted (step S112). The process ends here.

3.4 Example Using SSL Client Certificate The authentication server 10 according to the present embodiment adds a terminal requesting certification information to verification of certification information (or instead of verification of certification information) Authentication using an SSL (Secure Socket Layer) client certificate transmitted from the server may be performed. When performing such authentication, an SSL client certificate is set in advance in the Web browser of the terminal 20.

  For example, the terminal 20 makes an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) connection to the authentication server 10, and the authentication server 10 requests the terminal 20 for an SSL client certificate. Then, the terminal 20 transmits an SSL client certificate to the authentication server 10. Then, the authentication server 10 decrypts the signed SSL client certificate and acquires the public key of the client (terminal 20). The terminal 20 adds a digest to the sent message and encrypts it with the private key that the terminal 20 has. Then, the authentication server 10 decrypts the message using the public key of the terminal 20, creates a message digest from the decrypted message, and compares it with the message digest added by the terminal 20. When the match is confirmed, a message that has not been tampered with is received from the reliable terminal 20, and it is determined that authentication is permitted.

3.5 Example of Using a Special Web Browser In this embodiment, when a Web browser 50 in which file download is prohibited is set in the terminal 20 and certification information is set in the Web browser 50 in advance as a cookie. The certification information may be transmitted to the authentication server 10. In this way, it is possible to prompt the user to use a special Web browser 50 that is prohibited from downloading files. Further, by promoting the use of a special Web browser 50 in which file download is prohibited, file download can be prevented and security can be further improved.

  For example, as shown in FIG. 1, it is assumed that a special Web browser 50 in which file download is prohibited is installed in a personal terminal 20-H of userD (for example, a smartphone or a personal computer). Then, certification information is set in advance in the web browser 50 (certification information is set as a cookie of the web browser). Note that the certification information may be set in the Web browser of the terminal 20-H based on the input from the administrator.

  Then, userD is permitted to authenticate to the authentication server 10 from the private terminal 20-H even in an external network, and can log in to a service providing server such as the mail server 31, which is more convenient. A network system can be realized. In addition, security information can be managed for the private terminal 20-H by enabling the certification information to be set only in the special Web browser 50 without being set in the normal Web browser.

3.6 Others In this embodiment, as an example of multi-factor authentication other than the user ID / password, authentication using certification information, OTP verification, SSL client certificate, etc. has been described, but other multi-factor authentication is performed. You may do it.

  In this embodiment, as an example of the user ID / password determination process, the authentication server has described the determination process using a password stored in advance in the authentication database. However, without storing the password in the authentication database, The user ID / password determination process may be delegated to another system.

10 authentication server, 11 authentication database, 100 processing unit, 111 communication control unit,
112 determination unit, 112A first determination unit, 112B second determination unit,
112C third determination unit, 113 group determination unit, 114 authentication determination unit,
170 storage unit, 180 information storage medium,
20 terminals, 200 processing unit, 210 Web browser, 211 communication control unit,
220 input unit, 270 storage unit, 280 information storage medium, 290 display unit,
50 Web browsers forbidden to download

Claims (3)

A program for an authentication server connected to a terminal via the Internet,
A first determination is made as to whether or not the first condition that the user ID and password received from the terminal match the user ID and password registered in the authentication database in advance is a first condition. The determination part of
A second determination unit configured to determine whether or not the second source condition is that the address information of the transmission source of the terminal matches the address information registered in advance in the authentication database; When,
A third determination unit that determines whether or not the third condition is that the third condition is that the certification information received from the terminal matches the certification information registered in advance in the authentication database; ,
A group determination unit for determining a group of the user ID;
As an authentication determination unit for determining permission or non-permission of authentication of the user ID, the computer functions,
The authentication determination unit
When the first condition and the second condition are satisfied, the authentication of the user ID belonging to the first group is permitted,
When the first condition and the second condition are satisfied, or when the first condition and the third condition are satisfied, authentication of a user ID belonging to the second group is permitted. Program to do. In claim 1,
When the terminal is a terminal having a user ID belonging to the second group, the proof is given to the terminal having the user ID belonging to the second group when the first condition and the second condition are satisfied. A program that causes a computer to further function as a communication control unit that performs processing for transmitting information. A network system in which a terminal and an authentication server are connected via the Internet,
The authentication server is
A first determination is made as to whether or not the first condition that the user ID and password received from the terminal match the user ID and password registered in the authentication database in advance is a first condition. The determination part of
A second determination unit configured to determine whether or not the second source condition is that the address information of the transmission source of the terminal matches the address information registered in advance in the authentication database; When,
A third determination unit that determines whether or not the third condition is that the third condition is that the certification information received from the terminal matches the certification information registered in advance in the authentication database; ,
A group determination unit for determining a group of the user ID;
An authentication determination unit that determines permission or non-permission of authentication of the user ID,
The authentication determination unit
When the first condition and the second condition are satisfied, the authentication of the user ID belonging to the first group is permitted,
When the first condition and the second condition are satisfied, or when the first condition and the third condition are satisfied, authentication of user IDs belonging to the second group is permitted,
The terminal is
Web browsers that are prohibited from downloading files;
A communication control unit that performs processing for transmitting the user ID and password input from the input unit to the authentication server,
The communication control unit
A network system, wherein the certification information is transmitted to the authentication server when the certification information is set in advance in the Web browser.

Images