JP2016153951A - Authentication cooperation system and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent a fraudulent use of authentication information related to users even when the information is leaked from an authentication cooperation server.SOLUTION: The authentication cooperation system includes: a secrecy distributed decoding section 222 that decodes authentication information from at least two pieces of fragment data out of a plurality of pieces of fragment data generated from authentication information for use in authentication of a user in a service provision server 4 for providing a prescribed service, by secrecy distribution technology; and an authentication proxy section 223 that requests authentication of a user to the service provision server 4 using the authentication information decoded by the secrecy distributed decoding section 222. The fragment data is stored in an authentication cooperation server 1 and a storage area designated by a user other than the authentication cooperation server. When the user accesses from a terminal device 2 to the service provision server 4, the secrecy distributed decoding section 222 decodes the authentication information from the fragment data stored in the authentication cooperation server 1 and the fragment data stored in the storage area other than the authentication cooperation server.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an authentication cooperation system and an authentication method.

  Various services are provided on the Internet, and the opportunity for many users to use a plurality of services is increasing (Patent Document 1). For convenience, the user can use the user ID and password used when using the service for multiple services, continue to use the password once set for a long time, or use a weak password. It is. Due to such inappropriate password management, once the user ID and password are leaked from one of the service providers, unauthorized access to other services is performed using the leaked user ID and password. Password list attacks are increasing.

  Using different user IDs and passwords for each service and improving security by complicating passwords are effective against password list attacks. However, since storing a combination of a user ID and a password for each service is cumbersome for the user, an authentication cooperation service such as single sign-on is provided (Patent Documents 2, 3, and 4). Authentication linkage service requires a function to substitute the password in the HTTP form when authentication cannot be performed with the authentication protocol being used (for example, OpenID or SAML). There is. A user who is worried that his / her user ID and password are leaked from the provider of the authentication collaboration service and may be used illegally may hesitate to use the authentication collaboration service.

Special table 2012-527838 gazette JP-A-2005-209118 Japanese Unexamined Patent Publication No. 2009-223452 Japanese Patent Laid-Open No. 2000-259566

  In view of the above circumstances, the present invention provides an authentication system and an authentication method capable of preventing unauthorized use of authentication information related to a user even if information is leaked from an authentication cooperation server managed by a provider of the authentication cooperation service. With the goal.

  One aspect of the present invention is an authentication cooperation system including an authentication cooperation server and a terminal device, and a plurality of information generated by a secret sharing technique from authentication information used for authentication of a user in a service providing server that provides a predetermined service. A decryption unit that decrypts the authentication information from at least two of the fragment data, and an authentication agent that requests the service providing server to authenticate the user using the authentication information decrypted by the decryption unit; The fragment data is stored in the authentication cooperation server and a storage area other than the authentication cooperation server designated by the user, and the decryption unit is configured to allow the user to access the service providing server from the terminal device. Fragment data stored in the authentication cooperation server, fragment data stored in the storage area, An authentication coordination system characterized by decoding the al the authentication information.

  Further, according to one aspect of the present invention, in the authentication cooperation system described above, the storage area includes a storage unit provided in the terminal device used by a user, and the other than the terminal device used by the user. One of a storage unit provided in the terminal device and a storage unit provided in a device accessible from the terminal device used by the user is included.

  In addition, according to one aspect of the present invention, in the authentication collaboration system described above, a plurality of the storage areas are designated by a user, and the decryption unit includes the fragment data stored in the authentication collaboration server, and a plurality of the storages. The authentication information is decrypted from fragment data stored in any of the areas.

  One embodiment of the present invention is characterized in that, in the above-described authentication cooperation system, the decryption unit and the authentication proxy unit are provided in the terminal device.

  According to another aspect of the present invention, in the authentication collaboration system described above, the decryption unit and the authentication agent unit execute a program transmitted from the authentication collaboration server to the terminal device in the terminal device. It is characterized by comprising.

  One embodiment of the present invention is characterized in that, in the authentication collaboration system described above, the decryption unit and the authentication agent unit are provided in the authentication collaboration server.

  One embodiment of the present invention is an authentication method in an authentication collaboration system including an authentication collaboration server and a terminal device, and a secret sharing technique based on authentication information used for authentication of a user in a service providing server that provides a predetermined service A decryption step of decrypting the authentication information from at least two pieces of fragment data generated from the plurality of pieces of fragment data, and requesting the service providing server to authenticate the user using the authentication information decrypted in the decryption step And the fragment data is stored in the authentication cooperation server and a storage area other than the authentication cooperation server specified by the user, and the decoding step is performed by the user from the terminal device to the service. When accessing the providing server, the connection stored in the authentication collaboration server And data is an authentication method characterized by decoding the authentication information from the fragment data stored in the storage area.

  One embodiment of the present invention is the authentication method according to the above, wherein the storage area includes a storage unit provided in the terminal device used by a user, and the terminal other than the terminal device used by the user. One of a storage unit provided in the device and a storage unit provided in a device accessible from the terminal device used by the user is included.

  Further, according to one aspect of the present invention, in the authentication method described above, a plurality of the storage areas are designated by a user, and in the decryption step, fragment data stored in the authentication cooperation server and a plurality of the storage areas The authentication information is decrypted from the fragment data stored in any of the above.

  One embodiment of the present invention is characterized in that, in the authentication method described above, the terminal device executes the decryption step and the authentication agent step.

  In one embodiment of the present invention, in the authentication method described above, the decryption step and the authentication proxy step are performed by executing a program transmitted from the authentication cooperation server to the terminal device. It is characterized by.

  One embodiment of the present invention is characterized in that, in the authentication method described above, the authentication cooperation server executes the decryption step and the authentication agent step.

  According to the present invention, since one piece of fragment data among a plurality of pieces of fragment data generated by applying the secret sharing technique from the authentication information is stored in the authentication cooperation server, the authentication information can be obtained even if the piece of fragment data is leaked. Can prevent unauthorized use of authentication information.

The block diagram which shows the structural example of the authentication cooperation system in 1st Embodiment. The flowchart which shows the registration process in the terminal device 2 at the time of registering authentication information. The flowchart which shows the login process in the terminal device 2 when the user authentication in the service provision server 4 is performed. The sequence diagram which shows the 1st process example at the time of a user logging in to the service provision server 4 using an authentication cooperation system. The figure which shows the example of mounting of the process in step S100. The figure which shows the example of mounting of the process in step S150. The figure which shows the example of mounting of the process in step S200. The figure which shows the example of mounting of the process in step S250. The figure which shows the example of mounting of the process in step S300. The figure which shows the example of mounting of the process in step S350. The sequence diagram which shows the 2nd process example at the time of a user logging in to the service provision server 4 using an authentication cooperation system. The sequence diagram which shows the 3rd process example at the time of a user logging in to the service provision server 4 using an authentication cooperation system. The sequence diagram which shows the 4th process example at the time of a user logging in to the service provision server 4 using an authentication cooperation system. The block diagram which shows the structural example of the authentication cooperation system in 2nd Embodiment. The sequence diagram which shows the process example at the time of a user logging in to the service provision server 4 using an authentication cooperation system.

  In the authentication cooperation system and the authentication method according to the embodiment of the present invention, a secret sharing technique is applied to authentication information used for user authentication in a service providing server that provides a predetermined service, and is divided into a plurality of pieces of fragment data. A plurality of pieces of fragment data are individually stored in a storage area designated by the user and an authentication collaboration server that provides an authentication collaboration service. Fragment data obtained by applying the secret sharing technique has a characteristic that cannot be used for authentication unless it is decrypted in combination with other fragment data. Due to this characteristic, even if fragment data stored in the authentication cooperation server is leaked, it is possible to prevent unauthorized use of authentication information about the user. Hereinafter, an authentication cooperation system and an authentication method according to an embodiment will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram illustrating a configuration example of an authentication collaboration system according to the first embodiment. The authentication collaboration system includes an authentication collaboration server 1 and one or a plurality of terminal devices 2. The authentication cooperation server 1 and the terminal device 2 can communicate with each other via the network 3. The terminal device 2 can receive a service by communicating with the service providing server 4 that provides a predetermined service via the network 3. The terminal device 2 can be accessed by communicating with the cloud storage 5 via the network 3, and can store data in the cloud storage 5 and read out the data. A user receives a service provided by the service providing server 4 by using the terminal device 2.

  The authentication linkage server 1 includes a management information storage unit 11, a program storage unit 12, a fragment data storage unit 13, a user authentication unit 14, a program distribution unit 15, a fragment data control unit 16, and a network I / F (network interface) unit. 17.

  The management information storage unit 11 stores management information for each user. The management information is used to determine whether or not the terminal device 2 has a right to use the authentication cooperation service when a request to use the authentication cooperation service is received from the terminal device 2. The management information is, for example, a combination of an identification number stored in a SIM (Subscriber Identity Module) and line information pre-assigned to the terminal device 2, or identification information pre-assigned to the terminal device 2 and SIM identification. A combination of a number and information for identifying a user. The identification information assigned in advance to the terminal device 2 is, for example, a MAC address or a manufacturing number. The information specifying the user is, for example, biometric information such as a fingerprint, a password, or the like.

  The program storage unit 12 stores program data to be transmitted to the terminal device 2. The program data includes a secret sharing decryption program and an authentication agent program.

  The secret sharing decryption program uses the secret sharing technique (Secret Sharing) to divide the authentication information about the user into a plurality of fragment data and to decrypt the authentication information from two or more pieces of fragment data in the terminal device 2. This is a program to be executed. The fragment data is data that can decrypt the authentication information by combining at least two fragment data. Such fragment data can be obtained by using a known technique. Note that N pieces of fragment data may be generated from the authentication information, and the authentication information may be decrypted from M (N ≧ M) pieces of piece data out of the N pieces. The authentication agent program is a program for causing the terminal device 2 to execute an authentication request in the service providing server 4 using authentication information about the user. For example, the authentication information includes a user ID and a password for identifying the user.

  The fragment data storage unit 13 stores, for each user, one piece of fragment data among a plurality of pieces of fragment data obtained by using the secret sharing technique for the authentication information regarding the user. Note that binary data may be used as the fragment data, or a character string represented by a predetermined character code may be used.

  When the user authentication unit 14 receives a request for using the authentication cooperation service from the terminal device 2 via the network I / F unit 17, the user authentication unit 14 determines that the terminal device 2 is based on the management information stored in the management information storage unit 11. It is determined whether or not the user has a right to use the authentication linkage service. The program distribution unit 15 transmits the program stored in the program storage unit 12 via the network I / F unit 17 to the terminal device 2 determined that the user authentication unit 14 has the right to receive the authentication cooperation service. To do.

  When the fragment data control unit 16 receives the fragment data from the terminal device 2 via the network I / F unit 17, the fragment data control unit 16 stores the fragment data in the fragment data storage unit 13. When the fragment data control unit 16 stores the fragment data in the fragment data storage unit 13, the fragment data control unit 16 stores the information identifying the user who uses the terminal device 2 that has transmitted the fragment data and the fragment data in association with each other. When fragment data is requested from the terminal device 2 via the network I / F unit 17, the fragment data control unit 16 reads the fragment data from the fragment data storage unit 13 and transmits the fragment data via the network I / F unit 17. To send. When the fragment data control unit 16 transmits the fragment data to the terminal device 2, the fragment data control unit 16 reads out from the fragment data storage unit 13 fragment data associated with information for identifying a user who uses the requesting terminal device 2.

  The network I / F unit 17 is connected to the network 3 and communicates with the terminal device 2 and the service providing server 4 via the network 3. The network I / F unit 17 supplies information received via the network 3 to the user authentication unit 14, the program distribution unit 15, and the fragment data control unit 16. Further, the network I / F unit 17 transmits information received from the user authentication unit 14, the program distribution unit 15, and the fragment data control unit 16 to the information destination via the network 3.

  The terminal device 2 includes a fragment data storage unit 21, a calculation device 22, an input unit 23, an output unit 24, and a network I / F unit 25. The fragment data storage unit 21 stores one piece of fragment data different from the fragment data stored in the authentication cooperation server among the plurality of pieces of fragment data.

  The arithmetic device 22 executes various processes by executing an arbitrary program. The arithmetic device 22 includes, for example, a storage unit that stores a program, a memory that temporarily stores information and data, and an arithmetic processing unit that executes the program read into the memory. The arithmetic device 22 functions as the authentication request unit 221 by executing a program stored in advance. The computing device 22 functions as the secret sharing decryption unit 222 and the authentication proxy unit 223 by executing the secret sharing decryption program and the authentication proxy program transmitted from the authentication cooperation server 1. The terminal device 2 may include the authentication requesting unit 221 separately from the computing device 22 without causing the computing device 22 to execute the program and function as the authentication requesting unit 221. Further, when causing the arithmetic device 22 to execute a program and function as the authentication request unit 221, a Web browser may operate as the authentication request unit 221.

  The authentication request unit 221 makes a user authentication request and a response to the authentication collaboration server 1 when using the authentication collaboration server 1 or when using the service providing server 4 using fragment data. The secret sharing decryption unit 222 generates a plurality of fragment data by applying a secret sharing technique to the authentication information, or decrypts the authentication information from the plurality of fragment data. The authentication proxy unit 223 makes a request for user authentication and a response to the service providing server 4 using the decrypted authentication information.

  The input unit 23 receives a user operation and inputs information according to the received operation. The input information is supplied to the arithmetic unit 22. The input unit 23 is, for example, a sensor that acquires biological information such as a keyboard, a mouse, and a fingerprint. The output unit 24 outputs information output from the arithmetic device 22 to the user. The output unit 24 is a display, a speaker, a printer, or the like, for example, and provides the user with information that can be perceived by the user.

  The network I / F unit 25 is connected to the network 3 and communicates with the authentication cooperation server 1 and the service providing server 4 via the network 3. The network I / F unit 25 supplies information received via the network 3 to the arithmetic device 22. In addition, the network I / F unit 25 transmits information received from the arithmetic device 22 to the information destination via the network 3.

  FIG. 2 is a flowchart showing a registration process in the terminal device 2 when registering authentication information. When the registration process is started in the terminal device 2, the input unit 23 receives server information indicating the service providing server 4 corresponding to the authentication information to be registered (step S11). The computing device 22 selects the service providing server 4 based on the input server information.

  When the service providing server 4 is selected, the authentication request unit 221 transmits information for requesting user authentication to the authentication collaboration server 1 to register the authentication information to the authentication collaboration server 1 (step S12). . When the authentication requesting unit 221 is requested by the authentication cooperation server 1 for management information for authenticating the user, the authentication requesting unit 221 supplies a message requesting the user to input management information to the output unit 24. The authentication request unit 221 acquires the management information input by the user from the input unit 23, and transmits the management information to the authentication collaboration server 1 (S13).

  The authentication request unit 221 determines whether or not the authentication in the authentication cooperation server 1 is successful (step S14), and when the authentication is not successful (step S14: NO), the registration process is terminated. When the authentication is successful (step S14: YES), the authentication request unit 221 receives the secret sharing decryption program transmitted from the authentication cooperation server 1, and causes the secret sharing decryption program to be executed (step S15).

  The secret sharing decryption unit 222 configured by the arithmetic device 22 executing the secret sharing decryption program supplies a message requesting input of authentication information to the output unit 24. The secret sharing decryption unit 222 acquires authentication information input by the user from the input unit 23 (step S16). The secret sharing decryption unit 222 generates a plurality of fragment data by applying a secret sharing technique to the acquired authentication information (step S17). The secret sharing decryption unit 222 combines any one of the plurality of pieces of fragment data and the server information, transmits the combined information to the authentication cooperation server 1, and stores it in the fragment data storage unit 13. Also, the secret sharing decryption unit 222 associates other fragment data of the plurality of fragment data with the server information, stores them in the storage area designated by the user (step S18), and ends the registration process. The secret sharing decryption unit 222 may include server information in the fragment data.

  The storage area designated by the user is any one of the fragment data storage unit 21 included in the terminal device 2, the fragment data storage unit 21 included in the other terminal device 2, or the cloud storage 5. For example, when designating a storage area, the user defines an identifier that uniquely identifies a device having the storage area, an IP address that identifies a cloud service, and information indicating a folder in which fragment data is stored.

  When the fragment data generated in step S17 is the first fragment data and the second fragment data, the first fragment data is stored in the fragment data storage unit 13 of the authentication cooperation server 1, and the second fragment is stored. Data is stored in the fragment data storage unit 21 or the cloud storage 5. The second fragment data may be stored in either the fragment data storage unit 21 or the cloud storage 5, or may be stored in both. Further, when the fragment data generated in step S17 is three or more pieces of fragment data, different pieces of fragment data may be stored in the authentication cooperation server 1, the plurality of terminal devices 2, and the cloud storage 5, respectively.

  FIG. 3 is a flowchart showing login processing in the terminal device 2 when user authentication is performed in the service providing server 4. When the login process is started in the terminal device 2, the input unit 23 receives server information indicating the service providing server 4 that requests user authentication. The computing device 22 selects the service providing server 4 based on the input server information. The authentication request unit 221 accesses the service providing server 4 indicated by the server information (step S21), and transmits information requesting user authentication to the authentication cooperation server 1 (step S22).

  When the authentication requesting unit 221 is requested by the authentication cooperation server 1 for management information for authenticating the user, the authentication requesting unit 221 supplies a message requesting the user to input management information to the output unit 24. The authentication request unit 221 acquires management information input by the user from the input unit 23, and transmits the management information to the authentication collaboration server 1 (step S23).

  The authentication request unit 221 determines whether or not the authentication in the authentication cooperation server 1 is successful (step S24), and when the authentication is not successful (step S24: NO), the login process is terminated. When the authentication is successful (step S24: YES), the authentication request unit 221 receives the secret shared decryption program and the authentication proxy program transmitted from the authentication cooperation server 1, and executes the secret distributed decryption program and the authentication proxy program. (Step S25).

  The arithmetic device 22 functions as the secret sharing decryption unit 222 by executing the secret sharing decryption program. The arithmetic device 22 functions as the authentication proxy unit 223 by executing the authentication proxy program. At this time, the arithmetic unit 22 executes the respective programs of the authentication request unit 221, the secret sharing decryption unit 222, and the authentication proxy unit 223 in parallel. The secret sharing decryption unit 222 receives the fragment data corresponding to the user who has been successfully authenticated from the authentication cooperation server 1, and acquires the fragment data from the storage area designated by the user (step S26). The storage area designated by the user is the fragment data storage unit 21 included in the terminal device 2, the fragment data storage unit 21 included in the other terminal device 2, or the cloud storage 5.

  The secret sharing decryption unit 222 decrypts the authentication information from the received fragment data and the acquired fragment data, and supplies the authentication information to the authentication proxy unit 223 (step S27). The authentication proxy unit 223 transmits the authentication information supplied from the secret sharing decryption unit 222 to the selected service providing server 4 (step S28) and logs into the service providing server 4 (step S29). The authentication agent unit 223 deletes the received fragment data and the decrypted authentication information from the memory of the terminal device 2 (step S30), and ends the login process.

  When the storage area specified by the user is the fragment data storage unit 21 or the cloud storage 5 included in the other terminal device 2, the authentication proxy unit 223 also stores the fragment data acquired from the other terminal device 2 or the cloud storage 5. It deletes from the memory etc. of the terminal device 2.

  Here, preparation before the operation start in the authentication cooperation server 1 will be described. An administrator who operates and manages the authentication collaboration server 1 introduces a user management infrastructure (for example, LDAP) that manages users who provide the authentication collaboration service. The administrator confirms the access method to the service providing server 4 from the password login form, and registers the access method in the authentication cooperation server 1. The access method to be registered is, for example, a method using (login query = http: // “address of service providing server 4” /login.do?user= “userID” & pass = “password”).

  The administrator develops a program that causes the computing device 22 to function as the secret sharing decryption unit 222 and a program that causes the computing device 22 to function as the authentication proxy unit 223 in the terminal device 2. For such a program, for example, RIA (Rich Internet Applications) is used. The administrator negotiates with the service provider who operates the service providing server 4 to permit the login using the authentication linkage server 1. At this time, the number of persons per day who perform the authentication agency and that the communication block is not implemented in the service providing server 4 are confirmed. The administrator causes the authentication collaboration server 1 to start accepting a user request. In conjunction with the operation of the authentication linkage server 1, the administrator discloses user management in the user management system and opens a support window.

  Next, preparations before starting operation in the terminal device 2 will be described. The user operates the terminal device 2 to access the authentication collaboration server 1 to perform user registration, download a program from the authentication collaboration server 1, and install it in the terminal device 2. The program may be, for example, an application program executed on the OS or a browser add-on executed on the Web browser. The user secures a storage area where one or a plurality of fragment data can be written and read, and registers the secured storage area in the downloaded program.

  The user registers management information that can be used for identification of the user in the authentication cooperation server 1. The management information may use a SIM identification number or a terminal number. The user registers the authentication information of the service providing server 4 used by the user among the service providing servers 4 for which the authentication proxy using the authentication linkage server 1 is performed. Registration of authentication information is performed by the registration process shown in FIG. The registration of authentication information may be performed using, for example, a user interface provided from the authentication cooperation server 1. A plurality of pieces of fragment data generated from the registered authentication information are individually managed by the storage area secured by the user and the authentication cooperation server 1.

  FIG. 4 is a sequence diagram illustrating a first processing example when a user logs in to the service providing server 4 using the authentication collaboration system according to the first embodiment. In the first processing example shown in the figure, fragment data is stored in the authentication collaboration server 1 and the terminal device 2. That is, the storage area designated by the user is the fragment data storage unit 21 provided in the terminal device 2.

  In the terminal device 2, when the authentication request unit 221 detects access to the service providing server 4 selected by the user's operation, the authentication requesting unit 221 requests user authentication from the authentication cooperation server 1 (step S100). In the authentication collaboration server 1, when the user authentication unit 14 receives a user authentication request from the terminal device 2, the user authentication unit 14 requests management information from the requesting terminal device 2. In the terminal device 2, when the authentication request unit 221 receives a request for management information, the authentication request unit 221 transmits the management information to the authentication cooperation server 1. Based on the management information received from the terminal device 2 and the management information stored in the management information storage unit 11, the user authentication unit 14 is operated by the user operating the terminal device 2 or the terminal device 2 as an authentication cooperation service. Whether or not you have the right to use The user authentication unit 14 transmits the determination result to the terminal device 2 (step S150).

  In the authentication cooperation server 1, when the authentication in step S150 is successful, the program distribution unit 15 reads the secret sharing decryption program and the authentication proxy program stored in the program storage unit 12 and transmits them to the terminal device 2 ( Step S200). In the terminal device 2, the program received from the authentication cooperation server 1 is executed. In the authentication collaboration server 1, the fragment data control unit 16 reads the fragment data corresponding to the user who has been successfully authenticated in step S150 from the fragment data storage unit 13, and transmits the read fragment data to the terminal device 2 (step S250). . In the terminal device 2, the secret sharing decryption unit 222 configured by executing the secret sharing decryption program receives the fragment data from the authentication cooperation server 1.

  In the terminal device 2, the secret sharing decryption unit 222 reads the fragment data from the storage area designated by the user, and decrypts the authentication information from the read fragment data and the received fragment data (step S300). The authentication agent unit 223 transmits the authentication information decrypted by the secret sharing decryption unit 222 to the service providing server 4 and requests user authentication (step S350).

  Hereinafter, the process in each step from step S100 to step S350 will be described in more detail. FIG. 5 is a diagram illustrating an implementation example of the processing in step S100. FIG. 5 shows steps S100A, S100B, and S100C, which are three implementation examples of step S100.

  In step S100A, in the terminal device 2, when the authentication request unit 221 detects access to the login screen (https: // "service providing server address" / login) of the service providing server 4 (step S101), this access is performed. Is replaced with a request for user authentication to the authentication cooperation server 1 (step S102). In the authentication collaboration server 1, the user authentication unit 14 generates pair information that combines the identifier of the requesting terminal device 2 and the access destination (https: // “service providing server address” / login), A request for user authentication is accepted (step S103).

  In step S100B, a dedicated browser add-on is introduced in the terminal device 2 in accordance with a user operation (step S111). When the dedicated browser add-on detects access to the login screen (https: // “service providing server address” / login) of the service providing server 4 (step S112), pair information is generated and transmitted to the authentication collaboration server 1. (Step S113). In the authentication collaboration server 1, when receiving the pair information from the terminal device 2, the user authentication unit 14 accepts it as a user authentication request (step S114).

  In step S100C, in the terminal device 2, the authentication request unit 221 accesses the Web site on the authentication cooperation server 1 that provides login to the service providing server 4 (step S121). In the authentication collaboration server 1, when detecting access to the website from the terminal device 2, the user authentication unit 14 receives a request for user authentication (step S122).

  FIG. 6 is a diagram illustrating an implementation example of the processing in step S150. FIG. 6 shows steps S150A and S150B, which are two implementation examples of step S150. In step S150A, in the authentication collaboration server 1, the user authentication unit 14 determines whether the user operating the terminal device 2 or the terminal device 2 has the right to use the authentication collaboration service. A request is made to the device 2 (step S151).

  In the terminal device 2, the authentication request unit 221 outputs a message requesting the user to input management information to the output unit 24, and acquires the management information input by the user from the input unit 23 (step S152). . The authentication request unit 221 transmits the acquired management information to the authentication cooperation server 1 (step S153). In the authentication cooperation server 1, the user authentication unit 14 performs user authentication by comparing the management information received from the terminal device 2 with the management information stored in the management information storage unit 11 (step S154). For example, when management information that matches the received management information is stored in the management information storage unit 11, it is determined that the user has a right to use the authentication cooperation service.

  In step S150B, in the authentication collaboration server 1, the user authentication unit 14 determines whether the user operating the terminal device 2 or the terminal device 2 has the right to use the authentication collaboration service. A request is made to the device 2 (step S161). In the terminal device 2, the authentication request unit 221 outputs to the output unit 24 a message confirming whether or not the set management information can be transmitted to the authentication cooperation server 1, and inputs a confirmation result from the user. Obtained from the unit 23 (step S162). The authentication request part 221 transmits management information to the authentication cooperation server 1, when the acquired confirmation result is permission of transmission (step S163).

  In the authentication cooperation server 1, the user authentication unit 14 performs user authentication by comparing the management information received from the terminal device 2 with the management information stored in the management information storage unit 11 (step S164). The management information used in step S150 is, for example, a combination of a session ID and an identification number stored in the SIM, or a combination of a MAC address, a SIM identification number, and user biometric information. Use advanced authentication that combines multiple elements.

  FIG. 7 is a diagram illustrating an implementation example of the processing in step S200. FIG. 7 shows steps S200A, S200B, and S200C, which are three implementation examples of step S200. In step S200A, the program distribution unit 15 transmits the secret sharing decryption program and the authentication proxy program as RIA to the browser of the session that has been successfully authenticated in step S150 (step S201). The secret sharing decryption program and the authentication proxy program may be an application configured with, for example, JavaFX (registered trademark). In the terminal device 2, the arithmetic unit 22 executes the received secret sharing decryption program and authentication proxy program (step S 202), and notifies the authentication cooperation server 1 that the secret sharing decryption unit 222 and the authentication proxy unit 223 have been activated. Notification is made (step S203).

  In step S200B, the program distribution unit 15 transmits the secret sharing decryption program and the authentication proxy program as the OS application before user authentication is performed (step S210). The user authentication unit 14 transmits an authentication result indicating that the user authentication is successful to the terminal device 2 (step S211). In the terminal device 2, when receiving the authentication result, the arithmetic device 22 executes the finely distributed decryption program and the authentication proxy program received in advance (step S 212), and the secret shared decryption unit 222 and the authentication proxy unit 223. Is notified to the authentication collaboration server 1 (step S213).

  In step S200C, the program distribution unit 15 transmits the secret sharing decryption program and the authentication proxy program as browser add-ons before user authentication is performed (step S220). The user authentication unit 14 transmits an authentication result indicating that the user authentication is successful to the terminal device 2 (step S221). In the terminal device 2, when receiving the authentication result, the arithmetic device 22 executes the finely distributed decryption program and the authentication proxy program received in advance (step S 222), and the secret shared decryption unit 222 and the authentication proxy unit 223. Is notified to the authentication collaboration server 1 (step S223).

  FIG. 8 is a diagram showing an implementation example of the processing in step S250. FIG. 8 shows step S250A, which is one implementation example of step S250. In step S250A, in the authentication linkage server 1, the fragment data control unit 16 requests the terminal device 2 to confirm the secret sharing decryption program executed in the terminal device 2 and the authenticated session (step S251). . In the terminal device 2, the secret sharing decryption unit 222 transmits request confirmation response information including information regarding the program constituting itself and information regarding the session authenticated in step S150 to the authentication collaboration server 1 (step S252). Here, the information related to the program constituting the secret sharing decryption unit 222 is, for example, an identification number included in the secret sharing decryption program. The information related to the session authenticated in step S150 is a session ID or the like.

  In the authentication collaboration server 1, the fragment data control unit 16 confirms that the authentication for the terminal device 2 is successful and the program transmitted from the authentication collaboration server 1 is used (step S253). When the confirmation is completed, the fragment data control unit 16 reads the corresponding user fragment data stored in the fragment data storage unit 13. The fragment data control unit 16 transmits the read fragment data to the terminal device 2 (step S254). In the terminal device 2, when receiving the fragment data corresponding to the authenticated user, the secret sharing decryption unit 222 transmits a reception completion indicating that the fragment data has been received to the authentication cooperation server 1 (step S255). In the authentication cooperation server 1, when the fragment data control unit 16 receives the completion of reception from the terminal device 2 and confirms reception of the fragment data at the terminal device 2, the fragment data control unit 16 completes the transmission of the fragment data (step S256).

  FIG. 9 is a diagram illustrating an implementation example of the processing in step S300. FIG. 9 shows steps S300A and S300B, which are two implementation examples of step S300. In step S300A, in the terminal device 2, the secret sharing decryption unit 222 reads the fragment data specified by the user and stored in the fragment data storage unit 21 (step S301). The secret sharing decryption unit 222 decrypts the authentication information by combining the fragment data received from the authentication cooperation server 1 and the read fragment data (step S302).

  In step S300B, in the terminal device 2, the secret sharing decryption unit 222 reads fragment data stored in a predetermined storage area (step S311). The predetermined storage area is a storage area designated by the user when the fragment data is generated, or a storage area managed by the secret sharing decryption unit 222. The fragment data storage unit 21 or the arithmetic unit 22 It is a storage unit provided. The secret sharing decryption unit 222 decrypts the authentication information by combining the fragment data received from the authentication cooperation server 1 and the read fragment data (step S312).

  FIG. 10 is a diagram illustrating an implementation example of the processing in step S350. FIG. 10 shows step S350A, which is one implementation example of step S350. In the terminal device 2, the authentication agent 223 accesses the service providing server 4 using the user name and password included in the authentication information decrypted in step S300 (step S351). For example, the authentication agent 223 transmits an access request including (http: // “address of the service providing server 4” /login.do?user= “userID” & pass = “password”) to the service providing server 4. Upon receiving the access request, the service providing server 4 transmits a logged-in HTTP response to the terminal device 2 that has transmitted the access request (step S352). In the terminal device 2, the authentication agent unit 223 deletes the received fragment data and the decrypted authentication information from the memory of the terminal device 2 (step S353).

  Hereinafter, a processing example when the user logs in to the service providing server 4 in the authentication cooperation system, which is different from the processing example shown in FIG. FIG. 11 is a sequence diagram illustrating a second processing example when the user logs in to the service providing server 4 using the authentication cooperation system. The second processing example shown in FIG. 11 is different from the first processing example shown in FIG. 4 in that fragment data is stored in the cloud storage 5 designated by the user and the authentication collaboration server 1. That is, the storage area designated by the user is the cloud storage 5.

  In FIG. 11, the processing from step S100 to step S250 is the same as the processing of the same step number in FIG. When the terminal device 2 receives the fragment data from the authentication cooperation server 1, the secret sharing decryption unit 222 reads the fragment data from the cloud storage 5 via the network I / F unit 25 (step S400). The secret sharing decryption unit 222 decrypts the authentication information from the read fragment data and the fragment data received from the authentication cooperation server 1 (step S300). Hereinafter, the processing in step S350 is the same processing as step S350 in the first processing example, and thus description thereof is omitted.

  FIG. 12 is a sequence diagram illustrating a third processing example when a user logs in to the service providing server 4 using the authentication cooperation system. In the third processing example shown in FIG. 12, the point that the fragment data is stored in the terminal device 2 and the cloud storage 5 designated by the user and the authentication cooperation server 1 is the first processing example shown in FIG. And different.

  In FIG. 12, the processing from step S100 to step S250 is the same as the processing of the same step number in FIG. When the terminal device 2 receives the fragment data from the authentication cooperation server 1, the secret sharing decryption unit 222 reads the fragment data from the fragment data storage unit 21 of the device, but fails to read for some reason (step S450). ). The reason for the failure in reading is, for example, a failure such as the fragment data being overwritten with other data, or the fragment data storage unit 21 has failed.

  When the secret sharing decryption unit 222 detects that the fragment data cannot be read from the fragment data storage unit 21 of the apparatus, the secret sharing decryption unit 222 reads the fragment data from the cloud storage 5 via the network I / F unit 25 (step S500). The secret sharing decryption unit 222 decrypts the authentication information from the read fragment data and the fragment data received from the authentication cooperation server 1 (step S300). Hereinafter, the processing in step S350 is the same processing as step S350 in the first processing example, and thus description thereof is omitted.

  FIG. 13 is a sequence diagram illustrating a fourth processing example when the user logs in to the service providing server 4 using the authentication cooperation system. In the fourth processing example shown in FIG. 13, the point that the fragment data is stored in the other terminal device 2 and the cloud storage 5 designated by the user and the authentication cooperation server 1 is the first processing shown in FIG. 4. It differs from the processing example.

  In FIG. 13, the processing from step S100 to step S250 is the same as the processing of the same step number in FIG. When the terminal device 2 receives the fragment data from the authentication cooperation server 1, the secret sharing decryption unit 222 reads the fragment data from the cloud storage 5 via the network I / F unit 25, but fails to read for some reason. (Step S550). The reason for the failure in reading is, for example, a failure that has occurred in the network 3 between the terminal device 2 and the cloud storage 5, or a failure that has occurred in the cloud storage 5 itself.

  When the secret sharing decryption unit 222 detects that the fragment data cannot be read from the cloud storage 5, the secret sharing decryption unit 222 receives the fragment data from the fragment data storage unit 21 provided in the other terminal device 2 via the network I / F unit 25. Read (step S600). The secret sharing decryption unit 222 decrypts the authentication information from the read fragment data and the fragment data received from the authentication cooperation server 1 (step S300). Hereinafter, the processing in step S350 is the same processing as step S350 in the first processing example, and thus description thereof is omitted.

  As described above, the user designates another terminal device 2 or cloud storage 5 as a storage area for storing fragment data other than the authentication cooperation server 1, or designates a plurality of storage areas for storing fragment data. be able to. Thereby, even when a failure occurs in the fragment data storage unit 21 of the terminal device 2 used by the user or a failure occurs in the network between the terminal device 2 and the cloud storage 5, the user can If the fragment data can be read from any of the specified storage areas, the authentication collaboration system can provide an authentication collaboration service. Further, the user only needs to store or manage the storage area in which the fragment data is stored, and it is not necessary to store the contents of the authentication information, so that convenience is improved.

  According to the authentication cooperation system in the first embodiment, the authentication information regarding the user is divided into a plurality of pieces of fragment data by the secret sharing decryption unit 222 and stored separately in the authentication cooperation server 1 and the storage area designated by the user. The Since authentication information cannot be decrypted by using only one piece of fragment data, even if fragment data leaks from the authentication cooperation server 1 managed by the authentication cooperation service provider, the authentication information related to the user is illegally used. Can be prevented. When logging in to the service providing server 4 using the authentication cooperation service, in the terminal device 2, the secret sharing decryption unit 222 decrypts the authentication information by combining a plurality of pieces of fragment data, and the authentication proxy unit 223 uses the authentication information. Login to the service providing server 4. With this configuration, it is possible to perform an authentication proxy using the authentication collaboration service without having the decrypted authentication information existing outside the authentication collaboration server 1 or the like.

  In addition, since the authentication linkage system divides and manages the user authentication information into a plurality of pieces of fragment data, the user cannot operate the terminal device 2 to decrypt the authentication information, so that the authentication information cannot be obtained. The possibility of leakage of authentication information can be reduced. In addition, the authentication linkage system provides authentication linkage without giving the user any anxiety that the user's own authentication information is stored outside, for example, anxiety that leakage of authentication information or unauthorized use may occur. Service can be provided. Moreover, the authentication cooperation system can ensure confidentiality, availability, and safety by applying the secret sharing technique to feature information such as a combination of the user name and password of the user. As a result, the authentication cooperation system can perform login authentication to the service providing server 4 that can be used with peace of mind by the user.

  In the authentication cooperation system, the authentication information can be updated in the same manner as the registration process shown in FIG. For example, when the fragment data is stored in the fragment data storage unit 13 and the storage area designated by the user in step S18, the existing fragment data may be overwritten and updated. Alternatively, the authentication linkage server 1 receives the authentication information to be updated from the terminal device 2 operated by the user, generates a program for overwriting and updating the existing fragment data with the fragment data generated from the received authentication information. The program may be transmitted to the terminal device 2. Further, the authentication collaboration server 1 may receive a request for deleting authentication information in the authentication collaboration system, that is, a request for deletion of all fragment data from the terminal device 2 operated by the user. When receiving the request for deletion, the authentication collaboration server 1 may delete the fragment data corresponding to the user from the fragment data storage unit 13 and request the terminal device 2 to delete the fragment data.

(Second Embodiment)
FIG. 14 is a block diagram illustrating a configuration example of the authentication collaboration system according to the second embodiment. The authentication collaboration system includes an authentication collaboration server 1A and one or a plurality of terminal devices 2A. The authentication collaboration server 1 </ b> A and the terminal device 2 </ b> A can communicate with each other via the network 3. The terminal device 2A can receive a predetermined service by communicating with the service providing server 4 via the network 3. Further, the terminal device 2A is accessible by communicating with the cloud storage 5 via the network 3, and can store data in the cloud storage 5 and read the data. The user receives a service provided by the service providing server 4 by using the terminal device 2A.

  The authentication cooperation server 1A includes a management information storage unit 11, a fragment data storage unit 13, a user authentication unit 14, a fragment data control unit 16, a secret sharing decryption unit 18, and an authentication proxy unit 19. The authentication collaboration server 1A is different from the authentication collaboration server 1 in the first embodiment in that it includes a secret sharing decryption unit 18 and an authentication proxy unit 19 in place of the program storage unit 12 and the program distribution unit 15. In the authentication collaboration server 1A, the same components as those included in the authentication collaboration server 1 are denoted by the same reference numerals, and description thereof is omitted.

  The secret sharing decryption unit 18 generates a plurality of fragment data by applying a secret sharing technique to the authentication information, or decrypts the authentication information from the plurality of fragment data. The authentication agent unit 19 makes a request for user authentication and a response to the service providing server 4 using the decrypted authentication information.

  The terminal device 2A includes a fragment data storage unit 21, an arithmetic device 22, an input unit 23, an output unit 24, a network I / F unit 25, and a fragment data control unit 26. The terminal device 2A is different from the terminal device 2 in the first embodiment in that it includes a fragment data control unit 26. In the terminal device 2A, the same components as those included in the terminal device 2 are denoted by the same reference numerals, and description thereof is omitted.

  The fragment data control unit 26 stores the fragment data received from the authentication cooperation server 1 </ b> A via the network I / F unit 25 in the fragment data storage unit 21. The fragment data control unit 26 reads the fragment data from the fragment data storage unit 21 when the fragment data is requested from the authentication cooperation server 1A. The fragment data control unit 26 transmits the read fragment data to the authentication cooperation server 1A via the network I / F unit 25.

  FIG. 15 is a sequence diagram illustrating a processing example when a user logs in to the service providing server 4 using the authentication cooperation system according to the second embodiment. In the processing example shown in the figure, fragment data is stored in the authentication cooperation server 1A and the terminal device 2A. That is, the storage area designated by the user is the fragment data storage unit 21 provided in the terminal device 2.

  In the terminal device 2A, when the authentication request unit 221 detects access to the service providing server 4 selected by the user's operation, the authentication requesting unit 221 requests user authentication from the authentication cooperation server 1A (step S100).

  In the authentication collaboration server 1A, when receiving a user authentication request from the terminal device 2A, the user authentication unit 14 requests management information from the requesting terminal device 2A. In the terminal device 2, when the authentication request unit 221 receives a request for management information, the authentication request unit 221 transmits the management information to the authentication cooperation server 1A. Based on the management information received from the terminal device 2A and the management information stored in the management information storage unit 11, the user authentication unit 14 is operated by the user operating the terminal device 2A or the terminal device 2A as an authentication cooperation service. It is determined whether or not the user has the right to receive the use (step S150). When it is determined that the secret sharing decryption unit 18 has the right to use the authentication cooperation service and the authentication is successful, the secret sharing decryption unit 18 requests the terminal device 2A for fragment data (step S700).

  In the terminal device 2A, the fragment data control unit 26 reads the fragment data from the fragment data storage unit 21 when receiving the fragment data request from the authentication cooperation server 1A. The fragment data control unit 26 transmits the read fragment data to the authentication collaboration server 1A (step S750).

  In the authentication linkage server 1A, when the secret sharing decryption unit 18 receives the fragment data from the terminal device 2A, the secret sharing decryption unit 18 acquires the fragment data from the fragment data storage unit 13 via the fragment data control unit 16. The fragment data acquired via the fragment data control unit 16 is fragment data corresponding to the user who has been successfully authenticated in step S150. The secret sharing decryption unit 18 decrypts the authentication data from the fragment data received from the terminal device 2A and the fragment data acquired from the fragment data storage unit 13 (step S800). The authentication agent unit 19 transmits the authentication information decrypted by the secret sharing decryption unit 18 to the service providing server 4 and requests user authentication (step S350).

  As described above, in the authentication collaboration system in the second embodiment, fragment data generation and authentication information decryption performed in the terminal device 2 in the authentication collaboration system in the first embodiment, and the service providing server 4 are provided. The authentication cooperation server 1 </ b> A makes a request for user authentication with respect to. The authentication collaboration system according to the second embodiment is the same as the authentication collaboration system according to the first embodiment, except that fragment data generation, authentication information decryption, and user authentication requests are performed by the authentication collaboration server 1A. Operate. For example, in the authentication cooperation system in the second embodiment, the authentication information registration process shown in FIG. 2 is performed in the same manner. However, input / output to / from the user is performed with communication via the network 3.

  According to the authentication cooperation system in the second embodiment, the authentication information about the user is divided into a plurality of pieces of fragment data by the secret sharing decryption unit 18, and is stored separately in the authentication cooperation server 1 and the storage area designated by the user. The Since authentication information cannot be decrypted by using only one piece of fragment data, even if fragment data leaks from the authentication cooperation server 1A managed by the authentication cooperation service provider, the authentication information related to the user is illegally used. Can be prevented. When logging in to the service providing server 4 using the authentication cooperation service, in the authentication cooperation server 1A, the secret sharing decryption unit 18 decrypts the authentication information by combining a plurality of pieces of fragment data, and the authentication agent 19 provides the authentication information. The login to the service providing server 4 is executed. With this configuration, it is possible to perform an authentication proxy using the authentication cooperation service without storing authentication information in the authentication cooperation server 1.

  Further, the authentication cooperation server 1A performs a process of generating fragment data from the authentication information and a process of decoding authentication information from the fragment data, so that the user can use the authentication cooperation service without causing a computation load on the terminal device 2A. You can receive the offer.

  The provider who provides the authentication cooperation service, in the authentication cooperation system in the first embodiment and the second embodiment, according to the number of users to whom the service is provided, the computation load in the authentication cooperation server, the operation system, and the like. Either of the authentication linkage systems can be selected.

  In the authentication cooperation system in each embodiment described above, a configuration has been described in which the secret sharing decryption unit performs a process of generating a plurality of fragment data from the authentication information and a process of decrypting the authentication information from the plurality of fragment data. However, different components or functional units may perform the process of generating a plurality of fragment data from the authentication information and the process of decrypting the authentication information from the plurality of fragment data. For example, instead of the secret sharing decryption unit, a secret sharing unit that generates a plurality of fragment data from the authentication information and a decryption unit that decrypts the authentication information from the plurality of fragment data may be provided.

  You may make it implement | achieve all or one part of the authentication cooperation server in embodiment mentioned above, and all or one part of a terminal device with a computer. For example, it is realized by recording a program for realizing each component included in the authentication cooperation server in a computer-readable recording medium, causing the computer system to read and execute the program recorded in the recording medium. Also good. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” is a program that dynamically holds a program for a short time, like a communication line when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory inside a computer system serving as a server or a client in that case may be included and a program held for a certain period of time. Further, the program may be for realizing a part of the above-described constituent elements, and may be realized by combining the above-described constituent elements with a program already recorded in a computer system. It may be realized by using hardware such as PLD (Programmable Logic Device) or FPGA (Field Programmable Gate Array).

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes designs and the like that do not depart from the gist of the present invention.

  It can also be applied to uses where it is indispensable to reduce the possibility of leakage of authentication information related to users in the authentication cooperation system.

  DESCRIPTION OF SYMBOLS 1,1A ... Authentication cooperation server, 2, 2A ... Terminal device, 3 ... Network, 4 ... Service provision server, 5 ... Cloud storage, 11 ... Management information storage part, 12 ... Program storage part, 13 ... Fragment data storage part, DESCRIPTION OF SYMBOLS 14 ... User authentication part, 15 ... Program delivery part, 16 ... Fragment data control part, 17 ... Network I / F part, 18 ... Secret sharing decoding part, 19 ... Authentication acting part, 21 ... Fragment data storage part, 22 ... Calculation Device: 23 ... Input unit, 24 ... Output unit, 25 ... Network I / F unit, 26 ... Fragment data control unit, 221 ... Authentication request unit, 222 ... Secret shared decryption unit, 223 ... Authentication agent unit

Claims (12)

An authentication collaboration system comprising an authentication collaboration server and a terminal device,
A decryption unit that decrypts the authentication information from at least two pieces of fragment data among a plurality of pieces of fragment data generated from secret information used for authentication of a user in a service providing server that provides a predetermined service;
An authentication agent that requests the service providing server to authenticate the user using the authentication information decrypted by the decryption unit, and
The fragment data is stored in the authentication cooperation server and a storage area other than the authentication cooperation server specified by the user,
The decryption unit decrypts the authentication information from fragment data stored in the authentication cooperation server and fragment data stored in the storage area when a user accesses the service providing server from the terminal device. An authentication linkage system characterized by this. Access to the storage area from a storage unit provided in the terminal device used by the user, a storage unit provided in the terminal device other than the terminal device used by the user, and the terminal device used by the user One of the memory | storage parts provided in the apparatus which can be included. The authentication cooperation system of Claim 1 characterized by the above-mentioned. A plurality of the storage areas are designated by the user,
The decryption unit decrypts the authentication information from fragment data stored in the authentication cooperation server and fragment data stored in any of the plurality of storage areas. 3. The authentication linkage system according to any one of 2 above. The authentication decoding system according to any one of claims 1 to 3, wherein the decryption unit and the authentication agent unit are provided in the terminal device. The authentication cooperation according to claim 4, wherein the decryption unit and the authentication agent unit are configured by a program transmitted from the authentication cooperation server to the terminal device being executed in the terminal device. system. The authentication cooperation system according to any one of claims 1 to 3, wherein the decryption unit and the authentication agent unit are provided in the authentication cooperation server. An authentication method in an authentication collaboration system comprising an authentication collaboration server and a terminal device,
A decryption step of decrypting the authentication information from at least two pieces of fragment data among a plurality of pieces of fragment data generated by a secret sharing technique from authentication information used for authentication of a user in a service providing server that provides a predetermined service;
An authentication agent step of requesting the service providing server to authenticate the user using the authentication information decrypted in the decrypting step, and
The fragment data is stored in the authentication cooperation server and a storage area other than the authentication cooperation server specified by the user,
The decrypting step decrypts the authentication information from the fragment data stored in the authentication cooperation server and the fragment data stored in the storage area when a user accesses the service providing server from the terminal device. An authentication method characterized by that. Access to the storage area from a storage unit provided in the terminal device used by the user, a storage unit provided in the terminal device other than the terminal device used by the user, and the terminal device used by the user Any of the memory | storage parts provided in the apparatus which can be included is included. The authentication method of Claim 7 characterized by the above-mentioned. A plurality of the storage areas are designated by the user,
The decryption step includes decrypting the authentication information from fragment data stored in the authentication collaboration server and fragment data stored in any of the plurality of storage areas. 9. The authentication method according to any one of items 8. The authentication method according to any one of claims 7 to 9, wherein the terminal device executes the decryption step and the authentication agent step. The authentication method according to claim 10, wherein the decryption step and the authentication agent step are performed by executing a program transmitted from the authentication cooperation server to the terminal device. The authentication method according to any one of claims 7 to 9, wherein the authentication cooperation server executes the decryption step and the authentication agent step.

Images