JP2016218790A - Program, information processing terminal, information processing method, and information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve possibility of prevention of use by impersonation concerning a service of the connection destination of a Web browser.SOLUTION: A program causes an information processing terminal to acquire session information for identifying a session related to a service to be provided by an information processor of the connection destination of a first Web browser started by the information processing terminal from the first Web browser, to transmit the acquired session information and the authentication information of a user to the information processor, to receive identification information stored by the information processor so as to be associated with the session information from the information processor when authentication based on the authentication information is successful, to start a second Web browser having an execution unit different from the first Web browser, and to cause the second Web browser to transmit the use request of the service including the identification information and the session information.SELECTED DRAWING: Figure 4

Description

The present invention relates to a program, an information processing terminal, an information processing method, and an information processing system.

  For a service provided via a web page displayed by a web browser (hereinafter referred to as a “web service”), an authentication method with higher security than an authentication method based on an ID and a password is introduced to the user. Can give you a sense of security. However, if convenience is reduced due to the introduction of a high-security authentication method, use of the service is avoided by the user.

  In order to ensure both security and convenience, biometric sensors are being installed in personal computers (PCs), smartphones, tablet terminals, and the like. In particular, the demand for biometric authentication is increasing in smart terminals such as smartphones and tablet terminals that are difficult to manually input IDs and passwords.

JP 2005-301577 A

  The smart browser Web browser does not have an interface for acquiring biometric information from a device such as a biometric sensor. Therefore, in order to use biometric authentication for Web services, for example, the following method can be considered.

  FIG. 1 is a diagram for explaining a method of using biometric authentication for a web service in a smart terminal. In FIG. 1, the standard browser is a standard Web browser in the OS (Operating System) of the smart terminal.

  First, the standard browser accesses a Web site related to a URL (Uniform Resource Locator) input by the user, and requests a web page (hereinafter referred to as an “authentication request page”) together with session information (session ID or cookie). Is obtained (S1).

  Subsequently, the standard browser activates a biometric authentication application (authentication application) based on the definition of the authentication request page (S2). At this time, the standard browser notifies the authentication application of the acquired session information.

  When the activated authentication application acquires the biometric information of the user via the biometric authentication sensor, the authentication application transmits an authentication request including the biometric information and the session information to the website (S3). The Web site executes authentication based on the biometric information, and returns an authentication result to the authentication application (S4).

  Here, the standard browser is not provided with a mechanism for the authentication application to notify the web page of its own activation source (route of broken arrow in FIG. 1).

  Therefore, the standard browser periodically inquires of the Web site about the authentication result according to the definition of the authentication request page after the authentication application is activated (S5). Session information is specified in the inquiry. The Web site permits the use of the service when the authentication performed regarding the session information specified in the inquiry is successful.

  However, in the method shown in FIG. 1, if a malicious third party can display a fake authentication request page on the smart terminal of a legitimate user and steal session information via the authentication request page, There is a possibility that the service can be used by impersonating the user. For example, the third party can use the service by making an inquiry similar to step S5 using the stolen session information.

  Therefore, in one aspect, an object of the present invention is to increase the possibility of preventing use by impersonation regarding a connection destination service of a Web browser.

  In one plan, the program stores, in the information processing terminal, session information for identifying a session related to a service provided by an information processing apparatus connected to a first Web browser activated in the information processing terminal. When the acquired session information and user authentication information are transmitted to the information processing apparatus and authentication based on the authentication information is successful, the information is associated with the session information. The identification information stored by the processing device is received from the information processing device, a second Web browser having a different execution unit from the first Web browser is activated, and the identification information and the session information are included. A service use request is transmitted to the second Web browser.

  According to one aspect, it is possible to increase the possibility of preventing the use of spoofing for the service connected to the Web browser.

It is a figure for demonstrating the method of utilizing biometric authentication regarding a web service in a smart terminal. It is a figure which shows the structural example of the information processing system in embodiment of this invention. It is a figure which shows the hardware structural example of the user terminal in embodiment of this invention. It is a figure which shows the function structural example of the user terminal and server apparatus in embodiment of this invention. It is a figure for demonstrating an example of the process sequence which a user terminal and a server apparatus perform.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 2 is a diagram illustrating a configuration example of the information processing system according to the embodiment of the present invention. In the information processing system 1 shown in FIG. 2, the user terminal 10 and the server device 20 are communicably connected via a network such as a LAN (Local Area Network) or the Internet. Note that the user terminal 10 may be connected to the network via wireless communication.

  The user terminal 10 is an information processing apparatus that is used by a user to receive provision of a Web service or the like. For example, smart terminals such as smartphones and tablet terminals may be used as the user terminals 10. Alternatively, a PC (Personal Computer) or the like may be used as the user terminal 10.

  The server device 20 is one or more computers that provide Web services to the user terminal 10. In the present embodiment, the web service refers to a service provided via a web page displayed on a web browser.

  FIG. 3 is a diagram illustrating a hardware configuration example of the user terminal according to the embodiment of the present invention. The user terminal 10 in FIG. 3 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, a display device 106, an input device 107, and a biometric sensor 108 that are connected to each other via a bus B. Etc.

  A program for realizing processing in the user terminal 10 is provided by the recording medium 101. When the recording medium 101 on which the program is recorded is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 realizes functions related to the user terminal 10 in accordance with a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network. The display device 106 displays a GUI (Graphical User Interface) or the like by a program. The input device 107 is, for example, a touch panel, a button, a keyboard, a mouse, or the like, and is used for inputting various operation instructions. The biometric authentication sensor 108 acquires biometric information of the user such as information indicating fingerprint characteristics, information indicating facial characteristics, or information indicating characteristics of palm veins.

  An example of the recording medium 101 is a portable recording medium such as a CD-ROM, a DVD disk, a USB memory, or a memory card. An example of the auxiliary storage device 102 is an HDD (Hard Disk Drive) or a flash memory. Both the recording medium 101 and the auxiliary storage device 102 correspond to computer-readable recording media.

  The server device 20 may have a hardware configuration similar to that of a general computer.

  FIG. 4 is a diagram illustrating a functional configuration example of the user terminal and the server device according to the embodiment of the present invention. In FIG. 4, programs such as a web browser 11 and an authentication application 12 are installed in the user terminal 10.

  The Web browser 11 is a program that causes the user terminal 10 to execute processing such as acquisition of a Web page including HTML (HyperText Markup Language) data and the like based on HTTP (HyperText Transfer Protocol) communication and display of a screen based on the Web page. It is. For example, the web browser 11 may be a standard web browser in the OS (Operating System) of the user terminal 10.

  The authentication application 12 causes the CPU 104 of the user terminal 10 to function as the session information acquisition unit 121, the authentication request transmission unit 122, the authentication result reception unit 123, and the browser activation unit 124.

  The session information acquisition unit 121 acquires, from the Web browser 11, session information regarding a connection destination (access destination) service (service provided by the server device 20) of the Web browser 11. The Web browser 11 accesses a service corresponding to a URL (Uniform Resource Locator) input by the user and acquires session information related to the service. The session information is information for identifying a session related to the service. For example, a session ID or Cookie may be used as session information.

  The authentication request transmission unit 122 acquires the user's biometric information via the biometric authentication sensor 108 and transmits an authentication request including the biometric information and the session information acquired by the session information acquisition unit 121 to the server device 20. To do.

  The authentication result receiving unit 123 receives the result (authentication result) of the authentication process executed by the server device 20 in response to the authentication request. When the authentication is successful, the authentication result includes secret information. The secret information is identification information indicating (certifying) that authentication has succeeded. In order to ensure high security, it is desirable that secret information be generated for every successful authentication. However, the secret information may be generated at regular intervals or in other units depending on the level of security required. For example, a random number may be used as secret information.

  The browser activation unit 124 activates a new execution unit (process) of the Web browser 11 when the authentication is successful. That is, a process different from the process of the Web browser 11 from which the session information is acquired is started. The browser activation unit 124 notifies the newly activated Web browser 11 of the URL of the connection destination service, secret information, and session information. The newly activated Web browser 11 transmits a service use request including the secret information and the session information to the URL.

  The server device 20 includes a session establishment unit 21, an authentication request reception unit 22, an authentication unit 23, a secret information generation unit 24, an authentication result transmission unit 25, a service provision unit 26, and the like. Each of these units is realized by processing that one or more programs installed in the server device 20 cause the CPU of the server device 20 to execute. The server device 20 also uses the secret information storage unit 27. The secret information storage unit 27 can be realized using, for example, an auxiliary storage device of the server device 20 or a storage device that can be connected to the server device 20 via a network.

  In response to a service access request from the Web browser 11 of the user terminal 10, the session establishment unit 21 establishes a session related to the service. The session establishment unit 21 generates session information for identifying the session, and returns the session information to the Web browser 11 by including the session information in a response to the access request.

  The authentication request receiving unit 22 receives the authentication request transmitted by the authentication request transmitting unit 122 of the user terminal 10. The authentication unit 23 authenticates the biometric information included in the authentication request. The secret information generation unit 24 generates secret information when the authentication unit 23 succeeds in authentication. The secret information generation unit 24 stores the generated secret information in the secret information storage unit 27 in association with the session information included in the authentication request.

  The authentication result transmission unit 25 transmits the authentication result to the user terminal 10. If the authentication is successful, the authentication result includes secret information.

  In response to the service use request, the service providing unit 26 determines whether or not the service is permitted based on the session information and the secret information included in the use request. When the session information and secret information included in the use request are stored in the secret information storage unit 27, the service providing unit 26 permits the use of the service and executes a process for providing the service. To do.

  Hereinafter, processing procedures executed by the user terminal 10 and the server device 20 will be described. FIG. 5 is a diagram for explaining an example of a processing procedure executed by the user terminal and the server device.

  In step S101, the Web browser 11 receives an instruction to access the service from the user. Specifically, the Web browser 11 receives an input of a URL corresponding to the service (hereinafter referred to as “connection destination URL”). Subsequently, the Web browser 11 transmits an access request to the service to the connection destination URL (S102).

  When receiving the access request, the session establishment unit 21 of the server device 20 generates session information (S103). For example, a session ID or Cookie may be generated as session information. Subsequently, the session establishment unit 21 returns a response including the session information (S104). The response includes a Web page (hereinafter referred to as “authentication page”) including an activation command for the authentication application 12.

  When receiving the response, the Web browser 11 activates the authentication application 12 according to the definition of the authentication page included in the response (S105). Subsequently, the Web browser 11 notifies the authentication application 12 of the connection destination URL and the session information included in the response (S106). Subsequently, the Web browser 11 ends the process of the Web browser 11 according to the definition of the authentication page (S107).

  On the other hand, when the authentication application 12 is activated, the session information acquisition unit 121 acquires the session information notified in step S106. Subsequently, the authentication request transmission unit 122 acquires the user's biometric information via the biometric authentication sensor 108 (S108). Subsequently, the authentication request transmission unit 122 transmits an authentication request including the biometric information and the session information acquired by the session information acquisition unit 121 to the connection destination URL (S109).

  When the authentication request reception unit 22 of the server device 20 receives the authentication request, the authentication unit 23 determines whether the session information included in the authentication request is correct (S110). For example, the session information generated in step S103 is stored in the memory of the server device 20, and it is determined whether or not the session information received in step S110 matches the session information stored in the memory. May be.

  If the session information is correct (Yes in S110), the authentication unit 23 authenticates the biometric information (S111). The biometric authentication may be performed using a known method. When the biometric authentication is successful (Yes in S111), the secret information generation unit 24 generates, for example, a random number as secret information (S112). The secret information generation unit 24 stores the generated secret information in the secret information storage unit 27 in association with the session information included in the authentication request. Information other than the random number may be confidential information.

  Subsequently, the authentication result transmission unit 25 returns a response including the authentication result by the authentication unit 23 (S113). When biometric authentication is successful and secret information is generated, the authentication result indicates success of authentication and includes the secret information. On the other hand, when the session information is not correct (No in S110) or when biometric authentication fails (No in S111), the authentication result indicates a failure in authentication.

  Upon receiving the authentication result, the authentication result receiving unit 123 determines whether or not the authentication result indicates successful authentication (S114). If the authentication result indicates successful authentication (Yes in S114), the browser activation unit 124 activates a new process for the Web browser 11 (S115). Subsequently, the browser activation unit 124 notifies the activated web browser 11 of the session information, secret information, and connection destination URL (S116). The session information and the connection destination URL are the session information and the connection destination URL notified in step S106. The secret information is secret information included in the authentication result. However, the URL to be accessed in the authentication result may be included. That is, the URL to be accessed when the authentication is successful may be determined in the server device 20. In this case, the URL may be notified to the Web browser 11. By doing so, the URL of the connection destination can be controlled on the server device 20 side.

  When the web browser 11 is a standard browser such as a smart terminal, the authentication application 12 cannot notify the web page displayed on the web browser 11 that is the starting source of the authentication application 12, Information can be notified to the web browser 11 started by itself.

  Subsequently, the authentication application 12 ends (S117). If the authentication result indicates that the authentication has failed (No in S114), steps S115 and S116 are not executed, and the authentication application 12 ends. Therefore, in this case, step S118 and subsequent steps are not executed.

  Subsequently, the newly activated Web browser 11 transmits a service use request to the connection destination URL (S118). The use request includes the session information and secret information notified in step S116. In step S116, a URL in which session information and secret information are added as option information may be notified to the connection destination URL. In this case, in step S118, the Web browser 11 may transmit an HTTP request addressed to the URL.

  When the service use request is received, the service providing unit 26 determines whether or not the set of session information and secret information included in the use request is stored in the secret information storage unit 27 (S119). ). When the set of the session information and the secret information is stored in the secret information storage unit 27 (Yes in S119), the service providing unit 26 executes a process for providing the service (S120). The process may be a Web page generation process for inputting input parameters for the service, or may be a process for executing the service itself.

  Subsequently, the service providing unit 26 returns a response to the service use request to the Web browser 11 (S121). The response may include a web page for inputting input parameters for the service, or may be a service execution result. Note that if the set of session information and secret information included in the service use request is not stored in the secret information storage unit 27 (No in S119), step S120 is not executed. In this case, in step S121, for example, a response indicating an error may be returned.

  As described above, according to the present embodiment, the Web browser 11 having a different execution unit (process) from the Web browser 11 that acquires the session information is newly activated, and the new Web browser 11 includes the biological information. An authentication request is made. If the authentication is successful, the secret information is transmitted only to the authentication request source including the correct biometric information. The new Web browser 11 is permitted to use the service by presenting the secret information. According to such a configuration, even if the session information acquired by the first Web browser 11 is stolen by a malicious third party via a phishing site or the like, the third party It is difficult to obtain confidential information necessary to obtain permission for use. Therefore, according to the present embodiment, it is possible to increase the possibility of preventing the use of the service by impersonation of the third party.

  In the present embodiment, an example in which the authentication information acquired from the user by the authentication application 12 is biometric information has been shown, but the present embodiment may be applied to authentication information other than biometric information. For example, the authentication application 12 may acquire information recorded on the IC card as authentication information. Further, the authentication application 12 may acquire an ID and a password as authentication information. Other authentication information may be acquired by the authentication application 12. In step S111, an authentication process suitable for each authentication information may be executed.

  In the present embodiment, the process is an example of the execution unit of the Web browser 11. However, according to an OS (Operating System) that manages the execution unit of the Web browser 11, threads and the like are included in the Web browser 11. It may be an execution unit.

  In the present embodiment, the user terminal 10 is an example of an information processing terminal. The server device 20 is an example of an information processing device. The session information acquisition unit 121 is an example of an acquisition unit. The authentication request transmission unit 122 is an example of a transmission unit or a first transmission unit. The authentication result receiving unit 123 is an example of a receiving unit or a first receiving unit. The browser activation unit 124 is an example of an activation unit. The authentication request receiving unit 22 is an example of a second receiving unit. The secret information generation unit 24 is an example of a generation unit. The authentication result transmission unit 25 is an example of a second transmission unit. The service providing unit 26 is an example of a permission unit. The secret information is an example of identification information. The URL is an example of destination information.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

Regarding the above description, the following items are further disclosed.
(Appendix 1)
In the information processing terminal,
Session information for identifying a session related to a service provided by an information processing apparatus connected to a first Web browser activated in the information processing terminal is acquired from the first Web browser;
Transmitting the acquired session information and user authentication information to the information processing apparatus;
When the authentication based on the authentication information is successful, the identification information associated with the session information and stored by the information processing device is received from the information processing device,
Activating a second web browser having a different execution unit from the first web browser, and causing the second web browser to transmit a use request for the service including the identification information and the session information.
A program characterized by causing processing to be executed.
(Appendix 2)
The receiving process receives the identification information and destination information related to the service from the information processing apparatus,
The process of transmitting causes the second Web browser to execute transmission to the destination indicated by the destination information for the use request of the service including the identification information and the session information.
The program according to supplementary note 1, characterized in that:
(Appendix 3)
The program according to appendix 1 or 2, wherein the identification information has a different value for each successful authentication.
(Appendix 4)
Information processing terminal
Session information for identifying a session related to a service provided by an information processing apparatus connected to a first Web browser activated in the information processing terminal is acquired from the first Web browser;
The acquired session information and the user authentication information input by the user are transmitted to the information processing apparatus,
When the authentication based on the authentication information is successful, the identification information associated with the session information and stored by the information processing device is received from the information processing device,
Activating a second web browser having a different execution unit from the first web browser, and causing the second web browser to transmit a use request for the service including the identification information and the session information.
An information processing method characterized by causing a process to be executed.
(Appendix 5)
The receiving process receives the identification information and destination information related to the service from the information processing apparatus,
The process of transmitting causes the second Web browser to execute transmission to the destination indicated by the destination information for the use request of the service including the identification information and the session information.
The information processing method according to appendix 4, characterized in that:
(Appendix 6)
6. The information processing method according to appendix 4 or 5, wherein the identification information has a different value for each successful authentication.
(Appendix 7)
An information processing terminal,
An acquisition unit that acquires, from the first Web browser, session information for identifying a session related to a service provided by the information processing apparatus connected to the first Web browser activated in the information processing terminal;
A transmission unit that transmits the acquired session information and the user authentication information input by the user to the information processing apparatus;
A receiving unit that receives identification information associated with the session information and stored by the information processing device when authentication based on the authentication information is successful;
An activation unit that activates a second web browser having a different execution unit from the first web browser and transmits the service use request including the identification information and the session information to the second web browser. When,
An information processing terminal comprising:
(Appendix 8)
The receiving unit receives the identification information and destination information related to the service from the information processing apparatus,
The activation unit causes the second Web browser to execute transmission to the destination indicated by the destination information for the use request of the service including the identification information and the session information.
The information processing terminal according to appendix 7, wherein
(Appendix 9)
The information processing terminal according to appendix 7 or 8, wherein the identification information has a different value for each successful authentication.
(Appendix 10)
An information processing system including an information processing terminal and an information processing apparatus connected to the information processing terminal via a network,
The information processing terminal
An acquisition unit that acquires, from the first Web browser, session information for identifying a session related to a service provided by the information processing apparatus connected to the first Web browser activated in the information processing terminal;
A first transmitter that transmits the acquired session information and the user authentication information input by the user to the information processing apparatus;
A first receiving unit that receives identification information associated with the session information and stored by the information processing device from the information processing device when authentication based on the authentication information is successful;
An activation unit that activates a second web browser having a different execution unit from the first web browser and transmits the service use request including the identification information and the session information to the second web browser. And
The information processing apparatus includes:
A second receiving unit for receiving the session information and the authentication information;
An authentication unit that authenticates the received authentication information;
A generator that generates the identification information corresponding to the received session information when authentication is successful, and stores the identification information in the storage unit in association with the session information;
A second transmission unit that transmits the generated identification information to the information processing terminal;
In response to receiving the use request for the service, when the identification information and the session information included in the use request are stored in the storage unit, the permission unit permits the provision of the service.
An information processing system characterized by this.
(Appendix 11)
The first receiving unit receives the identification information and destination information related to the service from the information processing apparatus,
The activation unit causes the second Web browser to execute transmission to the destination indicated by the destination information for the use request of the service including the identification information and the session information.
The information processing system according to supplementary note 10, characterized by that.
(Appendix 12)
12. The information processing system according to appendix 10 or 11, wherein the identification information has a different value for each successful authentication.

DESCRIPTION OF SYMBOLS 1 Information processing system 10 User terminal 11 Web browser 12 Authentication application 20 Server apparatus 21 Session establishment part 22 Authentication request reception part 23 Authentication part 24 Secret information generation part 25 Authentication result transmission part 26 Service provision part 27 Secret information storage part 100 Drive apparatus 101 Recording medium 102 Auxiliary storage device 103 Memory device 104 CPU
105 Interface device 106 Display device 107 Input device 108 Biometric sensor 121 Session information acquisition unit 122 Authentication request transmission unit 123 Authentication result reception unit 124 Browser activation unit B bus

Claims (6)

In the information processing terminal,
Session information for identifying a session related to a service provided by an information processing apparatus connected to a first Web browser activated in the information processing terminal is acquired from the first Web browser;
Transmitting the acquired session information and user authentication information to the information processing apparatus;
When the authentication based on the authentication information is successful, the identification information associated with the session information and stored by the information processing device is received from the information processing device,
Activating a second web browser having a different execution unit from the first web browser, and causing the second web browser to transmit a use request for the service including the identification information and the session information.
A program characterized by causing processing to be executed. The receiving process receives the identification information and destination information related to the service from the information processing apparatus,
The process of transmitting causes the second Web browser to execute transmission to the destination indicated by the destination information for the use request of the service including the identification information and the session information.
The program according to claim 1.   The program according to claim 1 or 2, wherein the identification information has a different value for each successful authentication. Information processing terminal
Session information for identifying a session related to a service provided by an information processing apparatus connected to a first Web browser activated in the information processing terminal is acquired from the first Web browser;
The acquired session information and the user authentication information input by the user are transmitted to the information processing apparatus,
When the authentication based on the authentication information is successful, the identification information associated with the session information and stored by the information processing device is received from the information processing device,
Activating a second web browser having a different execution unit from the first web browser, and causing the second web browser to transmit a use request for the service including the identification information and the session information.
An information processing method characterized by causing a process to be executed. An information processing terminal,
An acquisition unit that acquires, from the first Web browser, session information for identifying a session related to a service provided by the information processing apparatus connected to the first Web browser activated in the information processing terminal;
A transmission unit that transmits the acquired session information and the user authentication information input by the user to the information processing apparatus;
A receiving unit that receives identification information associated with the session information and stored by the information processing device when authentication based on the authentication information is successful;
An activation unit that activates a second web browser having a different execution unit from the first web browser and transmits the service use request including the identification information and the session information to the second web browser. When,
An information processing terminal comprising: An information processing system including an information processing terminal and an information processing apparatus connected to the information processing terminal via a network,
The information processing terminal
An acquisition unit that acquires, from the first Web browser, session information for identifying a session related to a service provided by the information processing apparatus connected to the first Web browser activated in the information processing terminal;
A first transmitter that transmits the acquired session information and the user authentication information input by the user to the information processing apparatus;
A first receiving unit that receives identification information associated with the session information and stored by the information processing device from the information processing device when authentication based on the authentication information is successful;
An activation unit that activates a second web browser having a different execution unit from the first web browser and transmits the service use request including the identification information and the session information to the second web browser. And
The information processing apparatus includes:
A second receiving unit for receiving the session information and the authentication information;
An authentication unit that authenticates the received authentication information;
A generator that generates the identification information corresponding to the received session information when authentication is successful, and stores the identification information in the storage unit in association with the session information;
A second transmission unit that transmits the generated identification information to the information processing terminal;
In response to receiving the use request for the service, when the identification information and the session information included in the use request are stored in the storage unit, the permission unit permits the provision of the service.
An information processing system characterized by this.

Images