JP2020201716A - Authentication system and authentication method - Google Patents

Abstract

To improve security concerns related to authentication required for access to a device.SOLUTION: The present invention is directed to an authentication system having one or more terminals, one or more devices to be accessed by the terminals, and an authentication server for authenticating the terminals. The authentication system is characterized by having first authentication means for, by using user information of a user utilizing the terminal, carrying out first authentication for authenticating the user, second authentication means for carrying out second authentication for authentication of the terminal by using terminal information of the terminal when the first authentication by the first authentication means is successful, and third authentication means for carrying out third authentication by using a one-time password when the second authentication by the second authentication means is successful.SELECTED DRAWING: Figure 1

Description

The present invention relates to an authentication system and an authentication method.

In order to operate the data held by the device installed on the edge side, user information (for example, user ID and password) is transmitted from the terminal to the device to perform user authentication.

Further, there is known a technique capable of further improving security by performing authentication using a one-time password together with user authentication (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2008-197710

However, in the past, if both the user information and the one-time password were leaked, the data held by the device could be operated on any terminal. On the other hand, in general, the terminal that operates the data held by the device is often a specific terminal (for example, a terminal for an administrator who manages the device). Therefore, it is considered that the security can be further improved by performing the authentication using the information about the terminal.

An embodiment of the present invention has been made in view of the above points, and an object of the present invention is to improve security related to authentication for accessing a device.

In order to achieve the above object, the authentication system according to the embodiment of the present invention is an authentication system including one or more terminals, one or more devices to be accessed by the terminals, and an authentication server that authenticates the terminals. The first authentication means for performing the first authentication for authenticating the user and the first authentication by the first authentication means are successful using the user information of the user who uses the terminal. If this is the case, the second authentication means for performing the second authentication for authenticating the terminal using the terminal information of the terminal and the second authentication by the second authentication means are successful, one-time. It is characterized by having a third authentication means for performing a third authentication using a password.

It is possible to improve the security regarding authentication for accessing the device.

It is a figure which shows an example of the whole structure of the authentication system in Example 1. FIG. It is a sequence diagram which shows an example of the authentication process in Example 1. FIG. It is a figure which shows an example of the whole structure of the authentication system in Example 2. It is a sequence diagram which shows an example of the authentication process in Example 2. FIG. It is a figure which shows an example of the whole structure of the authentication system in Example 3. FIG. It is a sequence diagram which shows an example of the authentication process in Example 3. FIG. It is a figure which shows an example of the whole structure of the authentication system in Example 4. It is a sequence diagram which shows an example of the authentication process in Example 4. FIG. It is a figure which shows an example of the hardware configuration of a computer.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the embodiment of the present invention, authentication is performed to access the device installed on the edge side (hereinafter, also referred to as "edge device") (more accurately, to access the data held by the edge device). At that time, the authentication system 1 capable of improving the security will be described.

[Example 1]
Hereinafter, Example 1 of the embodiment of the present invention will be described.

<Overall configuration (Example 1)>
First, the overall configuration of the authentication system 1 in the first embodiment will be described with reference to FIG. FIG. 1 is a diagram showing an example of the overall configuration of the authentication system 1 in the first embodiment.

As shown in FIG. 1, the authentication system 1 in the first embodiment includes one or more terminals 10, one or more edge devices 20, and an authentication server 30. The terminal 10, the edge device 20, and the authentication server 30 are communicably connected via, for example, a communication network N1 for authentication realized by a LAN (Local Area Network) or the like. However, the terminal 10 and the edge device 20, the edge device 20 and the authentication server 30, and the authentication server 30 and the terminal 10 may be connected so as to be able to communicate with each other via a dedicated communication network.

The terminal 10 is, for example, a terminal device used by an administrator or the like who manages the edge device 20. As the terminal 10, for example, a PC (personal computer), a tablet terminal, a smartphone, a wearable device, or the like can be used.

The edge device 20 is, for example, various control devices or control devices such as a PLC (Programmable Logic Controller).

The authentication server 30 is a server device used for authentication for the terminal 10 to access the edge device 20.

Here, the terminal 10 in the first embodiment has an information input unit 111 and a storage unit 120.

The information input unit 111 receives input of user information (for example, user ID and password) and terminal information (for example, terminal ID and password) and transmits the input to the edge device 20 and the authentication server 30. Further, the information input unit 111 transmits the one-time password transmitted from the authentication server 30 to the edge device 20.

The user ID is information that identifies a user who uses the terminal 10, and the terminal ID is information that identifies the terminal 10. As the user ID, for example, a unique character string assigned to each user of the terminal 10 can be used. Further, as the terminal ID, for example, a unique character string assigned to each terminal 10, a manufacturing unique number of the terminal 10, an IP (Internet Protocol) address assigned to the terminal 10, and the like can be used.

Various information (for example, temporary information used for authentication when accessing the edge device 20) is stored in the storage unit 120.

Further, the edge device 20 in the first embodiment has a user authentication unit 211, a one-time password verification request unit 212, and a storage unit 220.

The user authentication unit 211 authenticates the user using the user information transmitted from the terminal 10. That is, the user authentication unit 211 verifies whether or not the user information transmitted from the terminal 10 is correct (that is, whether or not it is stored in the storage unit 220).

When the one-time password verification request unit 212 receives the one-time password from the terminal 10, the one-time password verification request unit 212 transmits the one-time password verification request to the authentication server 30.

Various information (for example, user information used for user authentication (that is, correct user information), etc.) is stored in the storage unit 220. In addition, the storage unit 220 also stores data and the like that the terminal 10 desires to access.

Further, the authentication server 30 in the first embodiment has a terminal authentication unit 311, a one-time password generation unit 312, a one-time password verification unit 313, and a storage unit 320.

The terminal authentication unit 311 performs terminal authentication using the terminal information transmitted from the terminal 10. That is, the terminal authentication unit 311 verifies whether or not the terminal information transmitted from the terminal 10 is correct (that is, whether or not it is stored in the storage unit 320).

The one-time password generation unit 312 generates a one-time password and stores it in the storage unit 220 when the terminal authentication by the terminal authentication unit 311 is successful (that is, when the terminal information transmitted from the terminal 10 is correct). Then, the one-time password generation unit 312 transmits this one-time password to the terminal 10.

The one-time password verification unit 313 verifies whether or not the one-time password transmitted from the edge device 20 matches the corresponding one-time password stored in the storage unit 320. Then, the one-time password collation unit 313 transmits this collation result to the edge device 20.

Various information (for example, terminal information used for terminal authentication (that is, correct terminal information), etc.) is stored in the storage unit 320. Further, the storage unit 320 stores the one-time password generated by the one-time password generation unit 312.

The configuration of the authentication system 1 shown in FIG. 1 is an example, and may be another configuration. For example, the authentication server 30 is communicably connected to the terminal 10 and the edge device 20 via the Internet, and provides functions such as terminal authentication, one-time password generation, and one-time password verification in the form of a cloud service. You may.

<Authentication processing (Example 1)>
Next, in the authentication system 1 in the first embodiment, the flow of the authentication process for the terminal 10 to access the edge device 20 will be described with reference to FIG. FIG. 2 is a sequence diagram showing an example of the authentication process in the first embodiment.

First, the information input unit 111 of the terminal 10 accepts the input of user information (user ID and password) (step S101). The user of the terminal 10 may enter user information on the user authentication screen displayed on the terminal 10, for example.

When the information input unit 111 of the terminal 10 receives the input of the user information (user ID and password), the information input unit 111 transmits the user information to the corresponding edge device 20 (step S102).

Upon receiving the user information, the user authentication unit 211 of the edge device 20 performs user authentication (step S103). That is, the user authentication unit 211 of the edge device 20 verifies whether or not this user information is stored in the storage unit 220. When the user information is stored in the storage unit 220, the user authentication unit 211 assumes that the user authentication is successful, while when the user information is not stored in the storage unit 220, the user authentication unit 211 , It is assumed that user authentication has failed. In the following, the description will be continued assuming that the user authentication is successful.

If the user authentication unit 211 of the edge device 20 succeeds in user authentication, the user authentication unit 211 transmits a one-time password transmission request to the terminal 10 (step S104). Here, the one-time password transmission request includes the edge ID of the edge device 20. The edge ID is information for identifying the edge device 20, and the edge ID includes, for example, a unique character string assigned to each edge device 20, a manufacturing unique number of the edge device 20, and an IP assigned to the edge device 20. Addresses and the like can be used. If the user authentication in step S103 fails, the user authentication unit 211 of the edge device 20 may transmit information indicating that the user authentication has failed to the terminal 10.

Upon receiving the one-time password transmission request, the information input unit 111 of the terminal 10 accepts the input of the terminal information (terminal ID and password) (step S105). The user of the terminal 10 may enter the terminal information on the terminal authentication screen displayed on the terminal 10, for example.

In step S105 above, the terminal information is input by the user, but the present invention is not limited to this. For example, when the terminal information is stored in the storage unit 120, the information input unit 111 may read the terminal information.

When the information input unit 111 of the terminal 10 receives the input of the terminal information (terminal ID and password) (or when the terminal information is read from the storage unit 120), the information input unit 111 transmits a one-time password generation request to the authentication server 30. (Step S106). Here, the one-time password generation request is transmitted from the terminal information (or terminal information read from the storage unit 120) input in step S105 above and from the edge device 20 in step S104 above. The edge ID is included.

Upon receiving the one-time password generation request, the terminal authentication unit 311 of the authentication server 30 performs terminal authentication (step S107). That is, the terminal authentication unit 311 of the authentication server 30 verifies whether or not the terminal information included in the generation request is stored in the storage unit 320. When the terminal information is stored in the storage unit 320, the terminal authentication unit 311 assumes that the terminal authentication is successful, while when the terminal information is not stored in the storage unit 320, the terminal authentication unit 311 , It is assumed that the terminal authentication has failed. In the following, the description will be continued assuming that the terminal authentication is successful.

When the terminal authentication is successful, the one-time password generation unit 312 of the authentication server 30 generates a one-time password and stores it in the storage unit 220 (step S108). The one-time password may be generated by any method. As an example, the one-time password generation unit 312 may generate a random character string having a predetermined number of characters, and then use a character string obtained by combining this character string and time information as a one-time password. The time information may be, for example, time information indicating the time when the terminal authentication is successful, or time information indicating the time when the random character string is generated.

If the one-time password generation unit 312 stores the one-time password in the storage unit 320 by using, for example, the time information included in the one-time password and the edge ID included in the one-time password generation request as keys. Good. As a result, the storage unit 320 stores the history of the one-time password for each edge device 20.

However, the present invention is not limited to this, and the one-time password generation unit 312 uses, for example, the time information included in the one-time password and the edge ID included in the one-time password generation request, and the latest one for each edge ID. Only the time password may be stored in the storage unit 320.

Next, the one-time password generation unit 312 of the authentication server 30 transmits the one-time password generated in step S108 to the terminal 10 (step S109).

When the information input unit 111 of the terminal 10 receives the one-time password, the information input unit 111 transmits the one-time password to the edge device 20 (step S110).

Upon receiving the one-time password, the one-time password verification request unit 212 of the edge device 20 transmits the one-time password verification request to the authentication server 30 (step S111). Here, the one-time password verification request includes the one-time password transmitted from the terminal 10 in step S110 and the edge ID of the edge device 20.

When the one-time password verification unit 313 of the authentication server 30 receives the one-time password verification request, the one-time password verification unit 313 collates the one-time password (step S112). That is, the one-time password collation unit 313 uses the edge ID included in the collation request to check whether the one-time password included in the collation request matches the corresponding one-time password stored in the storage unit 320. Check whether or not.

Specifically, for example, when a one-time password is composed of time information and a character string, the one-time password collation unit 313 has an edge ID included in the collation request and a one-time password included in the collation request. Using the time information of the password as a key, one one-time password is specified from the one-time passwords stored in the storage unit 320. Then, the one-time password collation unit 313 determines whether or not the character string of the one-time password included in the collation request matches the character string of the specified one-time password.

If the character string of the one-time password included in the verification request and the character string of the specified one-time password match, the one-time password verification unit 313 considers that the verification is successful. On the other hand, if the character string of the one-time password included in the verification request does not match the character string of the specified one-time password, the one-time password verification unit 313 assumes that the verification has failed. In the following, the explanation will be continued assuming that the one-time password has been successfully collated.

The one-time password collation unit 313 of the authentication server 30 transmits the collation result of step S112 (that is, the collation result indicating success of collation) to the edge device 20 (step S113).

When the one-time password verification requesting unit 212 of the edge device 20 receives the verification result indicating the verification success, the one-time password verification request unit 212 transmits the authentication result indicating the authentication success to the terminal 10 (step S114). As a result, the terminal 10 can access the edge device 20. When the one-time password verification request unit 212 of the edge device 20 receives the verification result indicating the verification failure, the one-time password verification request unit 212 transmits the authentication result indicating the authentication failure to the terminal 10.

As described above, in the authentication system 1 in the first embodiment, a one-time password is generated when the terminal authentication on the authentication server 30 side is successful in addition to the user authentication on the edge device 20 side. As a result, in the authentication system 1 of the first embodiment, for example, even if the user information is leaked, the one-time password is not generated unless the terminal authentication is successful, so that when the terminal 10 accesses the edge device 20. It is possible to improve the security regarding authentication of.

[Example 2]
Hereinafter, Example 2 of the embodiment of the present invention will be described. In Example 2, the differences from Example 1 will be mainly described, the same components as those in Example 1 will be given the same reference numerals, and duplicate explanations will be omitted.

<Overall configuration (Example 2)>
First, the overall configuration of the authentication system 1 in the second embodiment will be described with reference to FIG. FIG. 3 is a diagram showing an example of the overall configuration of the authentication system 1 in the second embodiment.

As shown in FIG. 3, the authentication system 1 in the second embodiment includes one or more terminals 10, one or more edge devices 20, and a monitoring control system 60. Further, the monitoring control system 60 includes an authentication server 30, a monitoring control server 40, and a shared storage unit 50.

In the second embodiment, the terminal 10 and the edge device 20 are directly connected by, for example, a communication cable or the like. Further, the terminal 10 and the authentication server 30 are communicably connected via the communication network N1. Further, the edge device 20 and the monitoring control server 40 are communicably connected to each other via a control communication network N2 realized by, for example, a LAN or the like.

The terminal 10 and the edge device 20, the authentication server 30 and the terminal 10, and the edge device 20 and the monitoring control server 40 may be connected so as to be able to communicate with each other via a dedicated communication network.

In the second embodiment, the edge device 20 transmits the measured value to the monitoring control server 40 at predetermined time intervals. These measured values are stored in the storage unit 220. The measured value is a value measured by a sensor or the like connected to the edge device 20 via a communication network to measure the sensing target. The measured value differs depending on the sensing target, and examples thereof include temperature, humidity, pressure, flow rate, and voltage.

The monitoring control server 40 is a server that generates control values for the edge device 20 to control the control target, and transmits the control values to the edge device 20 according to the measured values received from the edge device 20. As a result, the edge device 20 can control the control target according to this control value. Examples of the control value include measured values that are targeted in order to optimally operate the controlled object. The control value transmitted from the monitoring control server 40 to the edge device 20 is stored in the storage unit 220.

At least one of the measured value successfully transmitted from the edge device 20 to the monitoring control server 40 and the control value successfully transmitted from the monitoring control server 40 to the edge device 20 is the authentication server 30 and the monitoring control server 40. It is stored in the shared storage unit 50 that is shared and used between the two (that is, the shared storage unit 50 stores the measured value that succeeded in transmission and / and the control value that succeeded in transmission).

Here, the authentication server 30 in the second embodiment has a terminal authentication unit 311, a one-time password generation unit 312, and a storage unit 320. The authentication server 30 in the second embodiment does not have the one-time password verification unit 313.

The one-time password generation unit 312 in the second embodiment generates a one-time password and transmits it to the terminal 10 when the terminal authentication by the terminal authentication unit 311 is successful. At this time, the one-time password generation unit 312 in the second embodiment generates a one-time password using the measured value or the control value stored in the shared storage unit 50. The one-time password transmitted to the terminal 10 is then transmitted to the edge device 20 by the terminal 10.

For example, a character string obtained by combining a predetermined number of control values in the past from a predetermined time point may be generated, and then the hash value of this character string may be used as a one-time password. Specifically, for example, using the time when the edge device 20 receives the user information transmitted from the terminal 10, the control values a ₁ , a ₂ , ..., A ₁₀ for the past 10 are set from this time. After generating the combined character string "a ₁ a ₂ ... a ₁₀ ", the hash value of this character string is used as the one-time password. Any hash function may be used as the hash function for calculating the hash value.

Further, the edge device 20 in the second embodiment has a user authentication unit 211, a one-time password generation unit 213, a one-time password authentication unit 214, and a storage unit 220. The edge device 20 in the second embodiment does not have the one-time password verification requesting unit 212.

The one-time password generation unit 213 generates a one-time password when the user authentication by the user authentication unit 211 is successful. At this time, the one-time password generation unit 213 acquires the measured value or the control value from the storage unit 220, and then generates the one-time password using the measured value or the control value. At this time, as the one-time password generation method, the same generation method as the one-time password generation unit 312 of the authentication server 30 is used. As described above, in the second embodiment, one-time passwords are generated from each other by using the same generation method previously agreed between the authentication server 30 and each edge device 20.

The one-time password authentication unit 214 authenticates the one-time password. That is, the one-time password authentication unit 214 verifies whether or not the one-time password transmitted from the terminal 10 and the one-time password generated by the one-time password generation unit 213 match.

<Authentication processing (Example 2)>
Next, in the authentication system 1 in the second embodiment, the flow of the authentication process for the terminal 10 to access the edge device 20 will be described with reference to FIG. FIG. 4 is a sequence diagram showing an example of the authentication process in the second embodiment.

Since steps S201 to S203 of FIG. 4 are the same as steps S101 to S103 of FIG. 2, the description thereof will be omitted.

Following step S203, the one-time password generation unit 213 of the edge device 20 generates a one-time password when the user authentication is successful (step S204). At this time, the one-time password generation unit 213 acquires the measured value or the control value from the storage unit 220, and then generates the one-time password using the measured value or the control value.

For example, one-time password generation unit 213, by using the time at which the user information edge device 20 receives transmitted from the terminal 10, the control value a ₁ from the time of the last 10 _minutes, a _2, · · ·, The a ₁₀ is acquired from the shared storage unit 50, and a character string “a ₁ a ₂ ... a ₁₀ ” is generated by combining these control values. Then, the one-time password generation unit 213 uses the hash value of this character string as the one-time password.

However, the above-mentioned one-time password generation method is an example, and any method can be used as long as it is a generation method using the control value or the measured value stored in the shared storage unit 50. For example, instead of the time when the edge device 20 receives the user information transmitted from the terminal 10, a predetermined time or a time calculated by a predetermined method may be used. Further, instead of acquiring the control values for the past 10 units from the shared storage unit 50, a predetermined number of control values (or measured values) may be acquired from the shared storage unit 50, or may be determined in advance. The number of control values (or measured values) calculated by the method may be acquired from the shared storage unit 50. Further, even if both the control value and the measurement value are acquired from the shared storage unit 50 instead of either the control value or the measurement value, and a one-time password is generated using both the control value and the measurement value. Good.

In addition to this, the one-time password generation unit 213 may use the edge ID of the edge device 20 to generate the one-time password. Specifically, for example, the hash value may be calculated after further combining the edge ID with the above character string.

Next, the one-time password generation unit 213 of the edge device 20 transmits a one-time password transmission request to the terminal 10 (step S205). Here, the one-time password transmission request includes the edge ID of the edge device 20 and the time information used for generating the one-time password in step S204 (that is, user information transmitted from the terminal 10, for example). Is included, such as time information indicating the time received by the edge device 20).

When the information input unit 111 of the terminal 10 receives the one-time password transmission request, it accepts the input of the terminal information (terminal ID and password) in the same manner as in step S105 of FIG. 2 (step S206).

When the information input unit 111 of the terminal 10 receives the input of the terminal information (terminal ID and password) (or when the terminal information is read from the storage unit 120), the information input unit 111 transmits a one-time password generation request to the authentication server 30. (Step S207). Here, the one-time password generation request is transmitted from the terminal information (or terminal information read from the storage unit 120) input in step S206 above and from the edge device 20 in step S205 above. The edge ID and time information are included.

Similar to step S107 in FIG. 2, the terminal authentication unit 311 of the authentication server 30 performs terminal authentication when receiving the one-time password generation request (step S208).

The one-time password generation unit 312 of the authentication server 30 generates a one-time password when the terminal authentication is successful (step S209). At this time, the one-time password generation unit 312 generates the one-time password by the same generation method as in step S204 described above, using the time information included in the generation request.

For example, one-time password generation unit 312, the control value _a 1 of the past 10 minutes from the time that the time information _indicates, a 2, · · _·, acquires _{a 10} from the shared memory unit 50, these control values The combined character string "a ₁ a ₂ ... a ₁₀ " is generated. Then, the one-time password generation unit 312 uses the hash value of this character string as the one-time password. When the edge ID is used to generate the one-time password in step S204, the one-time password generation unit 312 also uses the edge ID to generate the one-time password.

In this way, the one-time password generation unit 312 generates the one-time password by the same method as the one-time password generation unit 213. Therefore, as described above, a method for generating a one-time password is previously agreed between the authentication server 30 and each edge device 20. The method of generating the one-time password may be different for each edge device 20 (that is, for each edge ID), or for each group of edge devices 20 classified by a certain standard (for example, the same type). It may be different for each group in which the edge device 20 is in the same group).

Next, the one-time password generation unit 312 of the authentication server 30 transmits the one-time password generated in step S209 to the terminal 10 (step S210).

When the information input unit 111 of the terminal 10 receives the one-time password, the information input unit 111 transmits the one-time password to the edge device 20 (step S211).

Upon receiving the one-time password, the one-time password authentication unit 214 of the edge device 20 authenticates the one-time password (step S212). That is, the one-time password authentication unit 214 verifies whether or not the one-time password transmitted from the terminal 10 matches the one-time password generated in step S204.

If the one-time password transmitted from the terminal 10 and the one-time password generated in step S204 above match, the one-time password authentication unit 214 assumes that the authentication is successful. On the other hand, if the one-time password transmitted from the terminal 10 and the one-time password generated in step S204 above do not match, the one-time password authentication unit 214 assumes that the authentication has failed.

Then, the one-time password authentication unit 214 of the edge device 20 transmits the authentication result in the above step S212 to the terminal 10 (step S213). When the authentication result indicating the success of the authentication is transmitted to the terminal 10, the terminal 10 can access the edge device 20. On the other hand, when the authentication result indicating the authentication failure is transmitted to the terminal 10, the terminal 10 is denied access to the edge device 20.

As described above, in the authentication system 1 in the second embodiment, whether or not the one-time password generated after the user authentication on the edge device 20 side and the one-time password generated after the terminal authentication on the authentication server 30 side match. To verify. At this time, the edge device 20 and the authentication server 30 generate a one-time password by a method agreed in advance with each other using at least one of a control value and a measured value. As a result, even in the authentication system 1 in the second embodiment, for example, even if the user information is leaked, the one-time password is not generated unless the terminal authentication is successful, so that when the terminal 10 accesses the edge device 20. It is possible to improve the security regarding authentication of.

[Example 3]
Hereinafter, Example 3 of the embodiment of the present invention will be described. In Example 3, the differences from Example 2 will be mainly described, the same components as those in Example 2 will be given the same reference numerals, and duplicate explanations will be omitted.

<Overall configuration (Example 3)>
First, the overall configuration of the authentication system 1 in the third embodiment will be described with reference to FIG. FIG. 5 is a diagram showing an example of the overall configuration of the authentication system 1 in the third embodiment.

As shown in FIG. 5, the authentication system 1 in the third embodiment includes one or more terminals 10, one or more edge devices 20, and a monitoring control system 60. Further, the monitoring control system 60 includes an authentication server 30, a monitoring control server 40, and a shared storage unit 50.

In the third embodiment, the terminal 10 and the edge device 20 are directly connected by, for example, a communication cable or the like. Further, the terminal 10 and the authentication server 30 and the edge device 20 and the authentication server 30 are communicably connected via the communication network N1, and the edge device 20 and the monitoring control server 40 are connected via the communication network N2. It is connected so that it can communicate.

The terminal 10 and the edge device 20, the edge device 20 and the authentication server 30, the authentication server 30 and the terminal 10, and the edge device 20 and the monitoring control server 40 are connected so as to be able to communicate with each other via a dedicated communication network. You may be.

Here, the edge device 20 in the third embodiment has a user authentication unit 211, a one-time password generation unit 213, a one-time password authentication unit 214, an edge authentication request unit 215, and a storage unit 220.

The edge authentication request unit 215 transmits an edge authentication request to the authentication server 30 when the user authentication by the user authentication unit 211 is successful. Further, the storage unit 220 in the third embodiment also stores edge information (for example, an edge ID and a password) used for edge authentication.

Further, the authentication server 30 in the third embodiment has a terminal authentication unit 311, a one-time password generation unit 312, an edge authentication unit 314, and a storage unit 320.

When the edge authentication unit 314 receives the edge authentication request from the edge device 20, the edge authentication unit 314 performs edge authentication. That is, the edge authentication unit 314 verifies whether or not the edge information included in the edge authentication request transmitted from the edge device 20 is correct (that is, whether or not it is stored in the storage unit 320). Further, the storage unit 320 in the third embodiment also stores edge information (that is, correct edge information) used for edge authentication.

<Authentication processing (Example 3)>
Next, in the authentication system 1 in the third embodiment, the flow of the authentication process for the terminal 10 to access the edge device 20 will be described with reference to FIG. FIG. 6 is a sequence diagram showing an example of the authentication process in the third embodiment.

First, the information input unit 111 of the terminal 10 accepts input of user information (user ID and password) and terminal information (terminal ID and password) (step S301). The user of the terminal 10 may enter the user information and the terminal information on the authentication screen displayed on the terminal 10, for example.

In step S301 described above, the terminal information is input by the user, but the present invention is not limited to this. For example, when the terminal information is stored in the storage unit 120, the information input unit 111 may read the terminal information.

When the information input unit 111 of the terminal 10 receives the input of the user information (user ID and password) and the terminal information (terminal ID and password), the information input unit 111 transmits the user information and the terminal information to the corresponding edge device 20 (step). S302).
Upon receiving the user information and the terminal information, the user authentication unit 211 of the edge device 20 performs user authentication (step S303). That is, the user authentication unit 211 of the edge device 20 verifies whether or not this user information is stored in the storage unit 220. When the user information is stored in the storage unit 220, the user authentication unit 211 assumes that the user authentication is successful, while when the user information is not stored in the storage unit 220, the user authentication unit 211 , It is assumed that user authentication has failed. In the following, the description will be continued assuming that the user authentication is successful.

Next, the one-time password generation unit 213 of the edge device 20 generates a one-time password when the user authentication is successful, as in step S204 of FIG. 4 (step S304). That is, the one-time password generation unit 213 acquires the measured value or the control value from the storage unit 220, and then generates the one-time password by using the measured value or the control value.

Next, the edge authentication request unit 215 of the edge device 20 transmits the edge authentication request to the authentication server 30 (step S305). Here, the edge authentication request includes the edge information (edge ID and password) of the edge device 20, the terminal information transmitted from the terminal 10 in the above step S302, and the one-time password generation in the above step S304. Includes time information used.

When the edge authentication unit 314 of the authentication server 30 receives the edge authentication request from the edge device 20, it performs edge authentication (step S306). That is, the edge authentication unit 314 of the authentication server 30 verifies whether or not the edge information included in the edge authentication request is stored in the storage unit 320. When the edge information included in the edge authentication request is stored in the storage unit 320, the edge authentication unit 314 assumes that the edge authentication is successful, while the edge information included in the edge authentication request is stored in the storage unit 320. If it is not stored in, the edge authentication unit 314 assumes that the edge authentication has failed. In the following, the description will be continued assuming that the edge authentication is successful. If the edge authentication fails, information indicating that the edge authentication has failed is transmitted to the edge device 20.

The one-time password generation unit 312 of the authentication server 30 generates a one-time password when the edge authentication is successful (step S307). At this time, the one-time password generation unit 312 generates a one-time password by the same generation method as in step S304 described above, using the time information included in the edge authentication request.

When the one-time password is generated, the terminal authentication unit 311 of the authentication server 30 performs terminal authentication (step S308). That is, the terminal authentication unit 311 of the authentication server 30 verifies whether or not the terminal information included in the edge authentication request is stored in the storage unit 320. When the terminal information is stored in the storage unit 320, the terminal authentication unit 311 assumes that the terminal authentication is successful, while when the terminal information is not stored in the storage unit 320, the terminal authentication unit 311 , It is assumed that the terminal authentication has failed. In the following, the description will be continued assuming that the terminal authentication is successful. If the terminal authentication fails, information indicating that the terminal authentication has failed is transmitted to the edge device 20.

Next, the one-time password generation unit 312 of the authentication server 30 transmits the one-time password generated in step S307 to the terminal 10 (step S309). That is, the one-time password generation unit 312 transmits the one-time password generated in step S307 to the terminal 10 indicated by the terminal ID included in the edge authentication request.

When the information input unit 111 of the terminal 10 receives the one-time password, the information input unit 111 transmits the one-time password to the edge device 20 (step S310).

Subsequent steps S311 to S312 are the same as steps S212 to S213 of FIG. 4, and thus the description thereof will be omitted.

As described above, in the authentication system 1 in the third embodiment, the one-time password is generated after the edge device 20 is authenticated by the authentication server 30. As a result, for example, the terminal 10 can access only the predetermined edge device 20 (that is, the edge device 20 for which edge authentication is successful), so that when the terminal 10 accesses the edge device 20. It is possible to further improve the security related to authentication.

[Example 4]
Hereinafter, Example 4 of the embodiment of the present invention will be described. In the fourth embodiment, the differences from the third embodiment will be mainly described, the same components as those in the third embodiment will be given the same reference numerals, and duplicate description will be omitted.

<Overall configuration (Example 4)>
First, the overall configuration of the authentication system 1 in the fourth embodiment will be described with reference to FIG. 7. FIG. 7 is a diagram showing an example of the overall configuration of the authentication system 1 in the fourth embodiment.

As shown in FIG. 7, the authentication system 1 in the fourth embodiment includes one or more terminals 10, one or more edge devices 20, and a monitoring control system 60. Further, the monitoring control system 60 includes an authentication server 30, a monitoring control server 40, and a shared storage unit 50.

Here, the terminal 10 in the fourth embodiment has an information input unit 111, a one-time password acquisition request unit 112, and a storage unit 120.

The one-time password acquisition request unit 112 transmits a one-time password acquisition request to the authentication server 30 at predetermined time intervals. That is, the one-time password acquisition requesting unit 112 inquires the authentication server 30 whether or not the one-time password is generated by polling or the like, and acquires the one-time password as a result of the inquiry.

<Authentication processing (Example 4)>
Next, in the authentication system 1 in the fourth embodiment, the flow of the authentication process for the terminal 10 to access the edge device 20 will be described with reference to FIG. FIG. 8 is a sequence diagram showing an example of the authentication process in the fourth embodiment.

Since steps S401 to S407 of FIG. 8 are the same as steps S301 to S307 of FIG. 6, the description thereof will be omitted.

When the one-time password is generated, the terminal authentication unit 311 of the authentication server 30 performs terminal authentication (step S308). That is, the terminal authentication unit 311 of the authentication server 30 verifies whether or not the terminal information included in the edge authentication request is stored in the storage unit 320. When the terminal information is stored in the storage unit 320, the terminal authentication unit 311 assumes that the terminal authentication is successful, while when the terminal information is not stored in the storage unit 320, the terminal authentication unit 311 , It is assumed that the terminal authentication has failed.

Then, when the terminal authentication is successful, the terminal authentication unit 311 of the authentication server 30 stores the one-time password generated in step S407 in the storage unit 320 in association with the terminal information. In the following, the description will be continued assuming that the terminal authentication is successful.

The one-time password acquisition request unit 112 of the terminal 10 transmits a one-time password acquisition request to the authentication server 30 at predetermined time intervals (step S409). Here, the one-time password acquisition request includes terminal information (terminal ID and password).

When the terminal authentication unit 311 of the authentication server 30 receives the one-time password acquisition request, the terminal authentication unit 311 acquires the one-time password associated with the terminal information included in the acquisition request from the storage unit 320, and acquires the one-time password. Is transmitted to the terminal 10 (step S410). When the one-time password associated with the terminal information included in the acquisition request is not stored in the storage unit 320, for example, information indicating that the one-time password has not been generated is transmitted to the terminal 10. To.

Subsequent steps S411 to S413 are the same as steps S310 to S312 in FIG. 6, and their description thereof will be omitted.

As described above, in the authentication system 1 in the fourth embodiment, the terminal 10 polls the authentication server 30, and the terminal 10 acquires the one-time password generated by the authentication server 30. Thereby, as in the third embodiment, the security related to the authentication when the terminal 10 accesses the edge device 20 can be further improved.

<Hardware configuration>
Finally, the hardware configuration of each terminal 10, each edge device 20, and the authentication server 30 included in the authentication system 1 according to the embodiment of the present invention will be described. These terminals 10, the edge device 20, and the authentication server 30 can be realized by using, for example, the hardware configuration of the computer 900 shown in FIG. Further, the monitoring control server 40 and the shared storage unit 50 can also be realized by using, for example, the hardware configuration of the computer 900 shown in FIG.

The computer 900 shown in FIG. 9 includes an input device 901, a display device 902, an external I / F 903, a RAM (Random Access Memory) 904, a ROM (Read Only Memory) 905, a processor 906, and a communication I / F 907. And an auxiliary storage device 908. Each of these hardware is connected so as to be able to communicate with each other via the bus B.

The input device 901 is, for example, a keyboard, a mouse, a touch panel, or the like. The display device 902 is, for example, a display or the like. The edge device 20, the authentication server 30, and the like do not have to have at least one of the input device 901 and the display device 902.

The external I / F 903 is an interface with an external device. The external device includes a recording medium 903a and the like. The computer 900 can read or write the recording medium 903a or the like via the external I / F 903. For example, one or more programs that realize the authentication process described in each embodiment of the embodiment of the present invention may be recorded on the recording medium 903a. The recording medium 903a includes, for example, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card, a USB memory card, and the like.

The RAM 904 is a volatile semiconductor memory that temporarily holds programs and data. The ROM 905 is a non-volatile semiconductor memory capable of holding programs and data even when the power is turned off.

The processor 906 is, for example, a CPU (Central Processing Unit) or the like. The authentication process described in each embodiment of the embodiment of the present invention is realized by causing one or more programs to be executed by the processor 906.

The communication I / F 907 is an interface for connecting the computer 900 to the communication. The auxiliary storage device 908 is, for example, an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like, and is a non-volatile storage device that stores programs and data. The auxiliary storage device 908 stores, for example, one or more programs that realize the authentication process described in each embodiment of the embodiment of the present invention.

The terminal 10, the edge device 20, the authentication server 30, the monitoring control server 40, the shared storage unit 50, and the like in the embodiment of the present invention are realized by using the computer 900 shown in FIG. The terminal 10, the edge device 20, the authentication server 30, the monitoring control server 40, the shared storage unit 50, and the like in the embodiment of the present invention may be realized by using two or more computers 900. Further, the computer 900 may include a plurality of memories (RAM 904, ROM 905, auxiliary storage device 908, etc.) and a plurality of processors 906.

<Summary>
As described above, the authentication system 1 according to the embodiment of the present invention performs one-time password authentication using not only user information but also terminal information. Therefore, even if the user authentication is leaked, it is possible to prevent the edge device 20 from being illegally accessed, and it is possible to realize higher security. Further, for example, in the second embodiment, since the edge device 20 does not need to communicate with the authentication server 30, the edge device 20 is in the offline state (that is, the edge device 20 is not connected to the communication network N2). Also, the terminal 10 can access the edge device 20.

The present invention is not limited to the above-described embodiments specifically disclosed, and various modifications and modifications can be made without departing from the description of the scope of claims.

1 Authentication system 10 Terminal 20 Edge device 30 Authentication server 40 Monitoring control server 50 Shared storage unit 60 Monitoring control system 111 Information input unit 112 One-time password acquisition request unit 120 Storage unit 211 User authentication unit 212 One-time password verification request unit 213 One Time password generator 214 One-time password authentication unit 215 Edge authentication request unit 220 Storage unit 311 Terminal authentication unit 312 One-time password generation unit 313 One-time password verification unit 314 Edge authentication unit 320 Storage unit

Claims (7)

An authentication system including one or more terminals, one or more devices to be accessed by the terminals, and an authentication server that authenticates the terminals.
A first authentication means for performing a first authentication for authenticating the user using the user information of the user who uses the terminal, and
When the first authentication by the first authentication means is successful, the second authentication means for performing the second authentication for authenticating the terminal by using the terminal information of the terminal, and the second authentication means.
If the second authentication by the second authentication means is successful, the third authentication means that performs the third authentication using the one-time password and the third authentication means.
An authentication system characterized by having. Each device has a storage means for storing the history of the one-time password.
The third authentication means is
The authentication according to claim 1, wherein the third authentication is performed by verifying whether or not the one-time password transmitted to the device to be accessed by the terminal is stored in the storage means. system. A character string obtained by combining a time information indicating the time when the device to be accessed by the terminal receives the user information and a random character string having a predetermined number of characters is generated as the one-time password and stored in the storage means. The authentication system according to claim 2, further comprising a first generation means for storing. The device is a control device that controls a predetermined control target.
The claim is characterized in that it has a second generation means for generating the one-time password by using at least one of the measured value measured by the controlled object and the control value for controlling the controlled object. The authentication system according to 1. The second generation means is
The authentication system according to claim 4, wherein the one-time password is generated by using at least one of the measured value and the control value in a predetermined number before a predetermined time point. The third authentication means is
4. The third authentication is performed by verifying whether or not the one-time password generated by the authentication server and the one-time password generated by the device match. The authentication system according to 5. An authentication method used in an authentication system that includes one or more terminals, one or more devices that are access targets of the terminals and controls a predetermined control target, and an authentication server that authenticates the terminals.
The first authentication procedure for performing the first authentication for authenticating the user by using the user information of the user who uses the terminal, and
When the first authentication is successful in the first authentication procedure, the second authentication procedure for performing the second authentication for authenticating the terminal by using the terminal information of the terminal, and the second authentication procedure.
If the second authentication is successful in the second authentication procedure, a one-time password is generated using at least one of the measured value measured by the controlled object and the control value for controlling the controlled object. Generation procedure and
A third authentication procedure for performing a third authentication using the one-time password generated in the generation procedure, and
Authentication method with.

Images