JP2022047506A - Information processing apparatus and control method for the same and program, and system - Google Patents

Abstract

To provide an apparatus, a control method, and a system for making it difficult to discriminate the presence or absence of registration of a user ID in a request source that has transmitted a region specification request, thereby reducing the security risk.SOLUTION: In an information processing system having a web client, an integrated server, and various servers, an integrated server 130 transmits, in response to a region specification request received from a client terminal, region information representing a corresponding region to the client terminal, and the integrated server includes: a network I/O that communicates with the Internet; a mapping information management unit that manages mapping information in which user information and the region information are associated with each other; a mapping information collation unit that, when receiving the region specification request including the user information for specifying a user from the client terminal, collates the region specification request with the mapping information in the mapping information management unit and specifies a corresponding region; and a region determination unit that determines a false region based on a user ID included in the region specification request.SELECTED DRAWING: Figure 6

Description

The present invention relates to a technique for responding to a region specifying request received from a client terminal via the Internet.

In recent years, the use of cloud services deployed on the Internet has been expanding. In cloud services, IT devices such as servers and network devices are centrally installed and operated in facilities called data centers, and Web application services are provided to users. Data centers are set up in each country or region, and companies that provide services worldwide deploy similar services to multiple data centers as needed.

Data such as a user's user ID, password, and e-mail address are managed independently for each data center accessed by the user from the viewpoint of personal information protection. The user decides the data center to access according to the physical area and the legal system, but different data centers have different URLs for accessing the service sites deployed in the data centers.

In response to this point, Patent Document 1 specifies a region in which a user is registered on an integrated server so that a user can access a service with a common URL, and a Web client is used for an authentication server in the specified region. Discloses how to send an authentication request.

Japanese Unexamined Patent Publication No. 2019-101668

As described above, the integrated server identifies the region where the user ID is registered and responds to the Web client. Further, the integrated server cannot specify the region in the case of an unregistered user ID, and therefore returns some error. When a malicious person accesses the integrated server with an appropriate user ID, it is possible to determine whether or not the used user ID is registered based on the response content from the integrated server. Therefore, if it is registered, there is a security problem such as being used for a password brute force attack using the user ID.

The present invention has been made to solve the above-mentioned problems, and an object of the present invention is to provide a technique for making it difficult to determine whether or not a user ID is registered by a region-specific response of an integrated server and reducing a security risk. ..

In order to solve this problem, for example, the information processing apparatus of the present invention has the following configuration. That is,
An information processing device that transmits region information representing a corresponding region to the client terminal in response to a region identification request received from a client terminal via the Internet.
Communication means to communicate with the Internet and
A management means for managing mapping information associated with user information and region information,
When a region identification request including user information for identifying a user is received from a client terminal via the communication means, a collation means for collating the mapping information of the management means and a collation means.
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
When the collation result of the collation means indicates that the corresponding user information does not exist in the mapping information, the collation means has a response means for transmitting false region information as a response to the client terminal.

According to the present invention, it functions as an integrated server that manages mapping information between a user ID and a region, makes it difficult to determine whether or not a user ID is registered at a request source that requests region identification, and reduces security risk. It will be possible.

The figure which shows the network configuration of the information processing system in 1st Embodiment. The block diagram which shows the hardware configuration example of the information processing apparatus in 1st Embodiment. The block diagram which shows the functional structure of the Web client in 1st Embodiment. The flowchart which shows the operation at the time of the login process of the Web client in 1st Embodiment. The figure which shows an example of the login screen in 1st Embodiment. The block diagram which shows the functional structure of the integrated server in 1st Embodiment. The flowchart which shows the operation at the time of region specification processing of the integrated server in 1st Embodiment. The figure which shows an example of the hash value of a user ID and the mapping information of a region. The flowchart which shows the operation at the time of false region determination processing of the integrated server in 1st Embodiment. The flowchart which shows the operation at the time of false region determination processing of the integrated server in 2nd Embodiment. The figure which shows an example of the mapping information of the hash value of a user ID and a false region. The figure which shows the network configuration of the information processing system in 3rd Embodiment. The block diagram which shows the functional structure of the integrated server in 3rd Embodiment. The block diagram which shows the functional structure of the pseudo authentication server in 3rd Embodiment. The flowchart which shows the operation of the region identification process of the integrated server in 3rd Embodiment. The block diagram which shows the functional structure of the integrated server in 4th Embodiment. The block diagram which shows the functional structure of the authentication server in 4th Embodiment. The flowchart which shows the operation of the authentication process of the authentication server in 4th Embodiment. The block diagram which shows the functional structure of the Web client in 5th Embodiment. The flowchart which shows the operation at the time of the login process of the Web client in 5th Embodiment. The block diagram which shows the functional structure of the authentication server in 5th Embodiment. The flowchart which shows the operation at the time of the authentication processing of the authentication server in 5th Embodiment.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the invention according to the claims. Although a plurality of features are described in the embodiment, not all of the plurality of features are essential for the invention, and the plurality of features may be arbitrarily combined. Further, in the attached drawings, the same or similar configurations are given the same reference numbers, and duplicate explanations are omitted.

[First Embodiment]
An example of a network configuration of an information processing system according to this embodiment will be described with reference to the block diagram of FIG.

The system has a Web client 101 connected to the Internet 100, an integrated server 130, and data centers 110 and 120. The Web client 101 is a client terminal equipped with a Web browser function, and can use Web technology such as cookie. The data centers 110 and 120 are independent of each other. In the embodiment, for convenience, the data center is distinguished by the identification name based on the area where the data center is installed, and hereinafter, the data center 110 is referred to as a US region and the data center 120 is referred to as an EU region.

A reverse proxy server 112, an authentication server 113, and a resource server 114 are connected to the computer network 111 in the US region 110. Further, the reverse proxy server 122, the authentication server 123, and the resource server 124 are connected to the computer network 121 in the EU region 120. A region is a term that refers to a certain range such as a country or a region, and the range of the region is not limited. Similar server configurations are constructed in the US region 110 and the EU region 120. The reverse proxy servers 112 and 122 have a role of distributing access requests from the outside to servers inside the network. For example, the reverse proxy server determines whether to distribute the URL path name to the authentication server or the resource server. The reverse proxy servers 112 and 122 are assigned different domain names unique to each region, and the domain names of the URLs are also different. Therefore, access will be separated for each region. Access from the Web client 101 to the reverse proxy server 112 is distributed to the authentication server 113 and the resource server 114. On the other hand, the access from the Web client 101 to the reverse proxy server 122 is distributed to the authentication server 123 and the resource server 124. Further, the reverse proxy servers 112 and 122 receive the access request. Therefore, the domain names and domains of the authentication server 113 and the resource server 114 are the same, and the domain names and domains of the authentication server 123 and the resource server 124 are also the same. The authentication servers 113 and 123 authenticate the request from the Web client 101. The resource server 114 provides the Web application service according to the authentication by the authentication server 113. Further, the resource server 124 provides the Web application service according to the authentication by the authentication server 123.

The integrated server 130 is a server that can communicate with the Web client 101, which is prepared for accepting a common URL worldwide. The integrated server 130 may be deployed in a data center different from the US region 110 and the EU region 120, or may be deployed in the US region 110 or the EU region 120. Further, the integrated server may be deployed in a plurality of data centers and a common URL may be assigned by using GeoDNS (not shown). GeoDNS is a mechanism for transferring a request from a client requesting access to a server close to the network. For example, when the Web client 101 requests access to the common URL of the integrated server and the location of the Web client 101 is close to the US region 110 on the network, the request is made to the integrated server 130 deployed in the US region 110. Transferred.

The Web client 101 and various servers have a basic configuration as an information processing device. FIG. 2 shows the hardware configuration of the information processing apparatus.

The information processing device includes a CPU 200, a RAM 201, a ROM 202, a network interface 203, an external storage device 204, a display device 205, and an input device 206.

The CPU 200 is a main body that controls the operation of each part constituting the information processing apparatus and executes various processes described later as those performed by the information processing apparatus. The RAM 201 is a memory for temporarily storing data and control information, and is a work area used by the CPU 200 when executing various processes. The ROM 202 stores fixed operation parameters, operation programs, and the like of the information processing apparatus.

The network interface 203 provides a function for connecting to and communicating with the Internet 100, the computer networks 111 and 121. The information processing device can send and receive data to and from an external device by means of the network interface 203.

The external storage device 204 is a device that stores data, and has an interface that accepts I / O commands for reading and writing data. The external storage device 204 may be a hard disk drive (HDD), a solid state drive (SSD), an optical disk drive, a semiconductor storage device, or other storage device. The external storage device 204 stores computer programs and data for causing the CPU 200 to execute each process described later as performed by the information processing device.

The display device 205 is, for example, an LCD (Liquid Crystal Display) or the like, and displays information necessary for the user. The input device 206 is, for example, a keyboard, a mouse, a touch panel, or the like, and receives necessary input from the user. The display device 205 and the input device 206 form a user interface.

The Web client 101 and various servers (112 to 114, 122 to 124, 130) have the basic configuration shown in FIG. 2 as described above, but may have a unique configuration according to the usage mode of the device. For example, if the Web client 101 is a smartphone, it will have an image pickup sensor and a line connection configuration in addition to the configuration shown in FIG. However, since the description of the unique configuration deviates from the essence of the present embodiment, it is omitted here.

Next, the functional configuration of the Web client 101 according to the present embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 3 represents a functional configuration when the CPU 200 of the Web client 101 executes a program as a Web client.

The Web client 101 includes a display control unit 300, an input reception unit 301, a region specification request transmission unit 302, a region specification result reception unit 303, an authentication server determination unit 304, an authentication request transmission unit 305, and an authentication result reception unit 306. For convenience of explanation, it is assumed that the hardware of the Web client 101 has the configuration shown in FIG.

The display control unit 300 displays a login screen on the display device 205. Further, the display control unit 300 displays a login success screen and a login failure screen on the display device 205 according to the authentication result described later.

The input receiving unit 301 receives input of a user ID and a password from the input device 206 on the login screen displayed by the display control unit 300.

The region specifying request transmitting unit 302 transmits a region specifying request including the user ID received by the input receiving unit 301 as user information to the integrated server 130.

The region identification result receiving unit 303 receives the region identification result transmitted from the integrated server 130.

The authentication server determination unit 304 determines an authentication server to send an authentication request based on the region received by the region identification result receiving unit 303.

The authentication request transmission unit 305 transmits an authentication request based on the user ID and password received by the input reception unit 301 to the authentication server determined by the authentication server determination unit 304.

The authentication result receiving unit 306 receives the authentication result transmitted from the authentication server.

Next, the processing procedure at the time of login processing of the Web client 101 according to the present embodiment will be described with reference to the flowchart of FIG.

First, in S400, the display control unit 300 acquires a login screen from the integrated server 130 and displays it on the display device 205. FIG. 5 shows an example of the displayed login screen. The login screen 500 is composed of a user ID input area 501, a password input area 502, and a button 503 for confirming the input information. The login screen is not limited to the acquisition from the integrated server 130, and may be acquired from, for example, the external storage device 204.

Next, in S401, the input receiving unit 301 accepts the input of the user ID and password for the login screen from the user (S401). Here, the user inputs the user ID in the user ID input area 501 of the login screen 500 and the password in the password input area 502 using the input device 206, and confirms the input by pressing the button 503.

Upon confirming the input of the user ID and password, the region identification request transmission unit 302 transmits the region identification request to the integrated server 130 in S402. Here, the region specifying request includes at least the user ID received by the input receiving unit 301. The integrated server 130 identifies the region in which the user ID is registered based on the received region identification request, and responds to the Web client 101. The process of specifying the region by the integrated server 130 will be described later.

In S403, the region identification result receiving unit 303 receives the region identification result from the integrated server 130.

Next, in S404, the authentication server determination unit 304 determines the authentication server to be transmitted of the authentication request based on the received region identification result. For example, when the region specified that the user ID is registered is the US region 110, the authentication server determination unit 304 determines the authentication server 113 of the US region 110 as the transmission target of the authentication request. Similarly, when the region specified that the user ID is registered is the EU region 120, the authentication server determination unit 304 determines the authentication server 123 of the EU region 120 as the transmission target of the authentication request.

In S405, the authentication request transmission unit 305 transmits the authentication request to the authentication server determined as the transmission target. This authentication request includes at least the user ID and password accepted by the input receiving unit 301. The URL specified at the time of transmission is a URL having a domain name unique to the US region 110 when the authentication server 113 of the US region 110 is determined as the transmission target of the authentication request. Further, when the authentication server 123 of the EU region 120 is determined as the transmission target of the authentication request, the URL has a domain name unique to the EU region 120. The authentication server authenticates the user based on the user ID and password included in the received authentication request, and responds the authentication result to the requesting Web client 101.

In S406, the authentication result receiving unit 306 receives the authentication result transmitted from the authentication server. Then, in S407, the authentication result receiving unit 306 determines whether the received authentication result is "success" or "failure". If it is successful (YES in S407), the display control unit 300 displays the login success screen on the display device 205 in S408 (S408). In addition, the response from the authentication server includes an instruction to set the authentication token to Cookie. On the other hand, when the authentication result is "failure" (NO in S407), the display control unit 300 displays the login failure screen on the display device 205 in S409.

Next, the functional configuration of the integrated server 130 according to the present embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 6 represents a functional configuration when the CPU 200 of the integrated server 130 executes a program for functioning as the integrated server. For convenience of explanation, it is assumed that the hardware of the integrated server 130 has the configuration shown in FIG.

The integrated server 130 includes a region identification request receiving unit 600, a user ID conversion unit 601, a mapping information management unit 602, a mapping information collation unit 603, a region determination unit 604, and a region identification result transmission unit 605.

The region specifying request receiving unit 600 receives the region specifying request transmitted from the Web client 101 via the network interface 203.

The user ID conversion unit 601 converts the user ID included in the region identification request into a hash value.

The mapping information management unit 602 stores, holds, and manages the mapping information between the hash value of the user ID registered in each region and the region in which the user is registered in the external storage device 204. The hash value of the user ID is stored in order to protect the user ID that can be personal information.

The mapping information collation unit 603 collates (or searches) with the mapping information management unit 602 using the hash value of the user ID calculated by the user ID conversion unit as a key, determines whether or not it exists (verification result), and If it exists, identify the relevant region.

The region determination unit 604 determines a false region based on the user ID included in the region identification request.

The region identification result transmission unit 605 transmits the region information representing either the region specified by the mapping information collation unit 603 or the false region determined by the region determination unit 604 as the region identification result via the network interface 203. , Sent to the Web client 101.

Next, the region specifying process of the integrated server 130 according to the present embodiment will be described with reference to the flowchart of FIG. 7.

First, in S700, the region specifying request receiving unit 600 receives the region specifying request transmitted from the Web client 101. Then, in S701, the user ID conversion unit 601 calculates the hash value of the user ID included in the received region identification request.

Next, in S702, the mapping information collation unit 603 collates the mapping information of the region from the mapping information management unit 602 based on the hash value of the user ID obtained in S701.

FIG. 8 shows an example of mapping information between the hash value of the user ID and the region managed by the mapping information management unit 602. “User_id_hash” in the first field is the hash value of the user ID, and “region” in the second field is the registered region of the user. As described above, the reason why the user ID is hashed and managed is that the user ID may correspond to personal information.

In S703, the mapping information collation unit 603 determines whether or not a hash value matching the hash value obtained in the calculation of S701 exists in the mapping information. In other words, the mapping information collation unit 603 determines whether or not the user ID is registered.

When a matching hash value is found (YES in S703), in S704, the region identification result transmission unit 605 transmits the region associated with the matching hash value to the Web client 101 as the region identification result.

On the other hand, when the mapping information is not found (NO in S703), the region determination unit 604 determines a false region in S705. Then, in S706, the region identification result transmission unit 605 transmits a false region as the region identification result to the Web client 101.

Here, a method of determining a false region in S705 will be described with reference to the flowchart of FIG.

First, the region determination unit 604 assigns a salt (a predetermined value or a predetermined character string) to the user ID included in the region identification request in S900. Then, the region determination unit 604 calculates in S901 the output of the hash function with the assigned character string as an input as a hash value. Then, the region determination unit 604 regards the hash value calculated in S902 as a numerical value, divides it by the total number of regions, and obtains the remainder value. Next, the region determination unit 604 determines in S903 the region corresponding to the residual value as a false region.

For example, in the present embodiment, the total number of regions is 2, and if the remainder value is 0, the US region is determined, and if the remainder value is 1, the EU region is determined as a false region. As a result, a false region is uniquely determined from the user ID, so that the same region identification result is returned each time even if a region identification request is transmitted multiple times for the same user ID. Therefore, it is possible to make it difficult to determine whether or not the user ID is registered in any region.

The method of uniquely determining a false region from the user ID is not limited to this, and for example, the addition of the salt of S900 may be omitted, and the hash value is calculated in S701 instead of being calculated in S901. The hash value of the user ID may be substituted. Also, when the user ID is registered in any region, the region identification result that the integrated server 130 responds to before and after that changes from a false region to a true region, so the user ID is registered based on this change. The region may be determined. In order to solve this, the salt, hash function, and hash value calculation algorithm may be changed periodically for some or all user IDs.

As described above, the integrated server 130 of the present embodiment responds to a region identification request for a user ID that is not registered in any region by a false region uniquely determined from the user ID. Therefore, it is possible to make it difficult for the user of the request source (Web client) to determine whether or not the user ID is registered by the region identification request.

In the present embodiment, the integrated server 130 transmits the region in which the user ID is registered as the region identification result, and the Web client 101 determines the authentication server from the region, but the present invention is not limited to this. For example, the integrated server 130 may transmit a URL and a domain for accessing the authentication server of the region in which the user ID is registered as a region identification result. This makes it possible to omit the authentication server determination process by the Web client 101 and control the destination of the authentication request on the integrated server 130.

Further, in the present embodiment, the region in which the user is registered is specified, but the region is not limited to this. For example, in order to determine the authentication / authorization server of the device or client service, the region where the device or client service is registered may be specified. Further, in order to control the authentication target of the authentication request transmitted by the Web client, the organization or realm in which the user is registered may be specified.

[Second Embodiment]
In the first embodiment, the method of determining a false region uniquely determined each time a region identification request is received in the region identification process by the integrated server 130 has been described.

In the second embodiment, an example will be described in which the same region identification result is returned each time even if the region identification request is transmitted a plurality of times for the same user ID. Then, in the second embodiment, an example will be described in which the integrated server 130 uses the false mapping information in which the user ID and the false region information are associated with each other, in addition to the mapping information shown in the first embodiment. .. The network configuration example, the hardware configuration example, the function configuration example, and the login process by the Web client 101 are the same as those in the first embodiment, and thus the description thereof will be omitted.

The details of the false region determination process (S705 in FIG. 7) in the second embodiment will be described with reference to the flowchart of FIG.

First, in S1000, the mapping information collation unit 603 collates the false mapping information in the mapping information management unit 602 using the hash value of the user ID calculated in S701 as a key. FIG. 11 shows an example of false mapping information (stored and held in the external storage device 204) managed by the mapping information management unit 602. “User_id_hash” in the first field is the hash value of the user ID, and “fake_region” in the second field is false region information corresponding to the hash value of the user ID that has responded in the past.

In S1001, the mapping information collation unit 603 determines whether or not there is a matching hash value in the false mapping information.

If it exists (YES in S1001), the region determination unit 604 determines in S1002 the region associated with the found hash value as a false region.

On the other hand, when the matching hash value does not exist (when S1001 is NO), the region determination unit 604 determines the region at S1003, for example, at random. Then, in S1004, the mapping information management unit 602 additionally registers the hash value of the false region and the user ID determined in S1003 in the false mapping information.

As a result, a false region for a predetermined user ID is uniquely determined, so that the same region identification result is returned each time even if a region identification request is transmitted multiple times for the same user ID. Therefore, it is possible to make it difficult to determine whether or not the user ID is registered in any region. Although the method of randomly determining the region in S1003 has been described, the present invention is not limited to this.

For example, the source IP address of the region identification request received by S700 may be analyzed, and the region geographically distant from the source may be stored as mapping information. In general, as the physical distance increases, the communication speed tends to decrease, so that it is possible to reduce the frequency of sending an authentication request to the authentication server by an attacker.

As described above, according to the information processing system according to the present embodiment, the integrated server 130 is a false region uniquely determined from the user ID in response to the region identification request for the user ID not registered in any region. Respond. Therefore, it is possible to make it difficult to determine whether or not the user ID is registered by the region identification request.

[Third Embodiment]
In the first embodiment, the method of determining a false region uniquely determined each time a region identification request is received in the region identification process by the integrated server 130 has been described.

In the third embodiment, a method will be described in which the integrated server returns the region of the pseudo-authentication server that does not perform the authentication process as a false region. Since the hardware configuration example is the same as that of the first embodiment, the description thereof will be omitted.

An example of the network configuration of the information processing system according to the present embodiment will be described with reference to the block diagram of FIG.

In this embodiment, in addition to the network configuration of the first embodiment, a data center 1240 has been added, and the data center 1240 will be referred to as an AN region hereafter. A pseudo-authentication server 1242 is connected to the computer network 1241 in the AN region 1240.

In this embodiment, the pseudo-authentication server exists only in the AN region 1240, but is not limited thereto. The pseudo-authentication server may exist in a plurality of regions, or may be in a region in which an authentication server exists.

Next, the functional configuration of the integrated server 130 according to the present embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 13 represents a functional configuration when the CPU 200 of the integrated server 130 executes a program for functioning as the integrated server. For convenience of explanation, it is assumed that the hardware of the integrated server 130 has the configuration shown in FIG.

The integrated server 130 includes an attacker determination unit 1306 in addition to the configuration of the first embodiment. Since 1300 to 1305 are the same as 600 to 605, the description thereof will be omitted. The attacker determination unit 1306 determines whether or not the Web client is an attacker based on the region identification request transmitted from the Web client 101 and its incidental information.

Next, the functional configuration of the pseudo-authentication server 1242 according to the present embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 14 represents a functional configuration when the CPU 200 of the pseudo-authentication server 1242 executes a program for functioning as the pseudo-authentication server. For convenience of explanation, it is assumed that the hardware of the pseudo-authentication server 1242 has the configuration shown in FIG.

The pseudo authentication server 1242 includes an authentication request receiving unit 1400, a pseudo authentication unit 1401, an issuing unit 1402, and an authentication result transmitting unit 1403.

The authentication request receiving unit 1400 receives the authentication request transmitted from the Web client 101 via the network interface 203.

The pseudo-authentication unit 1401 performs pseudo-authentication for the authentication request received by the authentication request receiving unit 1400. Pseudo-authentication may be a process that always returns an authentication failure, or only the malformed authentication request may be verified in the same manner as the normal authentication process.

For example, if the authentication servers 113 and 114 have a restriction that the user ID of the authentication request includes a specific character and the user ID of the authentication request does not contain the specific character, an invalid format error is returned to the Web client. Then. In that case, the pseudo authentication unit 1401 verifies whether the user ID of the authentication request contains a specific character as in the case of the authentication server, and if not, responds to the Web client with an invalid format error. do.

The issuing unit 1402 issues a pseudo-authentication result based on the result of the pseudo-authentication unit 1401. In the case of authentication failure, the same pseudo authentication result as the authentication result at the time of authentication failure in the authentication servers 113 and 114 is issued. Alternatively, as a pseudo-authentication result, a pseudo-authentication token having the same format as the authentication token issued when the authentication servers 113 and 114 are successfully authenticated may be issued. The pseudo authentication token is a token that is set in Cookie on the Web client 101 like a normal authentication token, but cannot be used.

The authentication result transmission unit 1403 transmits the pseudo authentication result issued by the issuance unit 1402 to the Web client 101 via the network interface 203.

Next, the region specifying process of the integrated server 130 according to the present embodiment will be described with reference to the flowchart of FIG.

Since S1500 to S1502 are the same as S700 to S702 in the first embodiment, the description thereof will be omitted.

In S1503, the attacker determination unit 1306 determines whether or not the Web client 101 is an attacker. Ancillary information received together with the region identification request is used for the determination process. For example, the IP address that is the source information of the region identification request is acquired as incidental information, and if it is a specific IP address or an IP address range, it is determined to be an attacker. Further, it is also possible to cause only the legitimate Web client 101 to transmit a specific character string as incidental information together with the region identification request, and determine whether or not the attacker is based on the presence or absence of the incidental information.

Further, the attacker determination unit 1306 may associate the collation result of the mapping information collation unit 1303 with the incidental information of the region identification request and store it as a region identification request history, which may be used for the attacker determination. The IP address, which is incidental information, is saved in association with the matching result, and if the same IP address has a matching failure history more than a certain number of times within a predetermined time, it is determined that the region identification request from the IP address is an attacker. You may.

When it is determined that the person is not an attacker (when S1503 is NO), in S1504, the mapping information collating unit 1303 determines whether or not the hash value obtained by the calculation of S1501 exists in the mapping information as in S703. do.

When a matching hash value is found (YES in S1504), in S1505, the region identification result transmission unit 1305 transmits the region identification result to the Web client 101 in the same manner as in S704.

On the other hand, if it is determined to be an attacker (YES in S1503) or if the mapping information cannot be found (NO in S1504), the region determination unit 1304 determines a false region in S1506. Then, in S1507, the region identification result transmission unit 1305 transmits a false region as the region identification result to the Web client 101 as in S706.

Here, the method of determining the false region in S1506 is the same as the flowchart of FIG. However, in S902 and S903, the region of the pseudo authentication server is used instead of the region of the authentication server.

The region determination unit 1304 regards the hash value calculated in S902 as a numerical value, divides it by the total number of regions of the pseudo authentication server, and obtains the remainder value. Next, the region determination unit 1304 determines in S903 the region of the pseudo-authentication server corresponding to the remainder value as a false region.

As described above, the integrated server 130 of the present embodiment responds to a region identification request for a user ID that is not registered in any region by a false region uniquely determined from the user ID. Furthermore, a false region is also responded to the requester (Web client) determined to be an attacker. At that time, the false region is selected from the region of the pseudo authentication server. Therefore, it is difficult for the user of the request source (Web client) to determine whether or not the user ID is registered by the region identification request, and the burden on the authentication server can be reduced by using the pseudo authentication server.

[Fourth Embodiment]
In the third embodiment, the method of returning the region of the pseudo-authentication server that does not perform the authentication process as a false region in the region identification process by the integrated server 130 has been described.

In the fourth embodiment, a method will be described in which the integrated server determines whether or not the Web client is an attacker and notifies the authentication server to omit the authentication process of the authentication server. Since the network configuration example and the hardware configuration example are the same as those in the first embodiment, the description thereof will be omitted.

Next, the functional configuration of the integrated server 130 according to the present embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 16 represents a functional configuration when the CPU 200 of the integrated server 130 executes a program for functioning as the integrated server. For convenience of explanation, it is assumed that the hardware of the integrated server 130 has the configuration shown in FIG.

The integrated server 130 includes an attacker information notification unit 1607 in addition to the configuration of the third embodiment. Since 1600 to 1606 are the same as 1300 to 1306, the description thereof will be omitted. The attacker information notification unit 1307 notifies each authentication server of the information of the Web client determined to be an attacker by the attacker determination unit 1606. The information to be notified may be any information that can identify the attacker, and information such as the IP address of the Web client can be used.

Next, the region specifying process of the integrated server 130 according to the present embodiment is the same as the flowchart of FIG. 15, but is different in some processes, so only the process will be described.

In S1503, the attacker determination unit 1606 determines whether or not the Web client 101 is an attacker. The determination method is the same as that of the third embodiment, but when it is determined that the attacker is an attacker, the attacker information notification unit 1607 notifies each authentication server of the attacker information.

The method of determining the false region in S1506 is the same as the flowchart of FIG. 9, and the false region is determined from the authentication server as in the first embodiment.

Next, the functional configurations of the authentication servers 113 and 114 according to the present embodiment will be described with reference to the block diagram of FIG.

The authentication servers 113 and 123 include an authentication request receiving unit 1700, an authentication information management unit 1701, an authentication unit 1702, an issuing unit 1703, an attacker information utilization unit 1704, a pseudo authentication unit 1705, and an authentication result transmission unit 1706, respectively.

The authentication request receiving unit 1700 receives the authentication request transmitted from the Web client 101 via the network interface 203.

The authentication information management unit 1701 stores and manages the authentication information associated with the user ID and password of the user registered in each authentication server in the external storage device 204.

The authentication unit 1702 authenticates the user by collating the authentication request received by the authentication request receiving unit 1700 with the authentication information managed by the authentication information management unit 1701.

Issuing unit 1703 issues an authentication token indicating that the user has been authenticated.

The attacker information utilization unit 1704 stores and retains the attacker information notified from the integrated server 130. In addition, whether or not the Web client 101 that sent the authentication request is an attacker is determined based on the stored attacker information.

The pseudo-authentication unit 1705 performs pseudo-authentication for the authentication request determined by the attacker information utilization unit 1704 as an attacker, as in the pseudo-authentication unit 1401 of the integrated server in the third embodiment. In that case, the issuing unit 1703 issues the pseudo-authentication result based on the result of the pseudo-authentication unit 1705, similarly to the issuing unit 1402 of the integrated server in the third embodiment.

The authentication result transmission unit 1706 transmits the authentication token or the pseudo-authentication result issued by the issuance unit 1703 to the Web client 101 via the network interface 203.

Next, the authentication process of the authentication servers 113 and 123 according to the present embodiment will be described with reference to the flowchart of FIG.

First, in S1800, the authentication request receiving unit 1700 receives the authentication request transmitted from the Web client 101.

Next, in S1801, the attacker information utilization unit 1704 determines whether or not the Web client 101 to which the authentication request is transmitted is an attacker. If it is determined that the attacker is (YES in S1801), the process proceeds to S1807. If it is determined that the attacker is not (NO in S1801), the process proceeds to S1802.

Next, in S1802, the authentication unit 1702 collates the user ID and password included in the authentication request received in S1800 with the authentication information managed by the authentication information management unit 1701.

When the user ID is registered in the authentication information management unit 1701 and the passwords match (when S1803 is YES), the issuing unit 1703 issues an authentication token in S1804. Then, in S1805, the authentication result transmission unit 1706 transmits the authentication token as the authentication result to the Web client 101. On the other hand, when the passwords do not match (when S1803 is NO), in S1806, the authentication result transmission unit 1706 transmits the authentication result to the Web client 101 as an authentication failure.

Next, in S1807, the pseudo-authentication unit 1705 performs pseudo-authentication, and the issuing unit 1703 issues the pseudo-authentication result. Since the pseudo-authentication and the issuance of the pseudo-authentication result are the same as those in the third embodiment, the description thereof will be omitted.

Next, in S1808, the authentication result transmission unit 1706 transmits the pseudo authentication result issued by the issuing unit 1402 to the Web client 101 via the network interface 203.

As described above, in the present embodiment, the integrated server 130 determines whether or not the Web client 101 is an attacker and notifies the authentication servers 113 and 123, instead of the authentication process of the authentication server. Perform pseudo authentication. This makes it possible to reduce the load on each authentication server in response to an attacker's request without installing a pseudo authentication server.

[Fifth Embodiment]
In the first embodiment, the method of determining a false region uniquely determined each time a region identification request is received in the region identification process by the integrated server 130 has been described.

In the fifth embodiment, an example in which the authentication server identifies and responds to a region on behalf of the integrated server will be described. Since the network configuration example and the hardware configuration example are the same as those in the first embodiment, the description thereof will be omitted.

First, the functional configuration of the Web client 101 according to the fifth embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 19 represents a functional configuration when the CPU 200 of the Web client 101 executes a program as a Web client.

The Web client 101 includes a display control unit 1900, an input reception unit 1901, an authentication server determination unit 1902, an authentication request transmission unit 1903, an authentication result reception unit 1904, and an authentication request retransmission unit 1905. For convenience of explanation, it is assumed that the hardware of the Web client 101 has the configuration shown in FIG.

The display control unit 1900 displays a login screen on the display device 205. Further, the display control unit 1900 displays a login success screen and a login failure screen on the display device 205 according to the authentication result described later.

The input receiving unit 1901 receives input of a user ID and a password from the input device 206 on the login screen displayed by the display control unit 1900.

The authentication server determination unit 1902 determines a first authentication server and a second authentication server to send an authentication request.

The authentication request transmission unit 1903 transmits the first authentication request based on the user ID and password received by the input reception unit 1901 to the first authentication server determined by the authentication server determination unit 1902.

The authentication result receiving unit 1904 receives the authentication result transmitted from the authentication server.

The authentication request retransmission unit 1905 transmits the second authentication request based on the user ID and password received by the input reception unit 1901 to the second authentication server determined by the authentication server determination unit 1902.

Next, the processing procedure at the time of login processing of the Web client 101 according to the fifth embodiment will be described with reference to the flowchart of FIG.

First, in S2000, the display control unit 1900 acquires a login screen from the integrated server 130 and displays it on the display device 205. Since the login screen to be displayed is the same as that of the first embodiment, the description thereof will be omitted.

Next, in S2001, the input reception unit 1901 accepts the input of the user ID and password for the login screen from the user. Here, the user inputs the user ID in the user ID input area 501 of the login screen 500 and the password in the password input area 502 using the input device 206, and confirms the input by pressing the button 503.

In S2002, the authentication server determination unit 1902 determines the first authentication server to which the authentication request is transmitted, in response to the confirmation of the input of the user ID and the password. For example, when the IP address of the Web client 101 is close to the US region 110, the authentication server determination unit 1902 determines the authentication server 113 of the US region 110 as the first authentication server. Similarly, when the IP address of the Web client 101 is close to the EU region 120, the authentication server determination unit 1902 determines the authentication server 123 of the EU region 120 as the first authentication server. In this way, by determining the authentication server close to the Web client used by the user as the first authentication server, there is a high possibility that the user can be authenticated by the first authentication request described later.

Next, in S2003, the authentication request transmission unit 1903 transmits the first authentication request to the first authentication server determined as the transmission target. This authentication request includes at least the user ID and password accepted by the input reception unit 1901. The URL specified at the time of transmission is a URL having a domain name unique to the US region 110 when the authentication server 113 of the US region 110 is determined as the transmission target of the authentication request. Further, when the authentication server 123 of the EU region 120 is determined as the transmission target of the authentication request, the URL has a domain name unique to the EU region 120. The authentication server authenticates the user or determines the region based on the user ID and password included in the received authentication request, and responds to the requesting Web client 101 as the authentication result. The user authentication by the authentication server and the region determination process will be described later.

In S2004, the authentication result receiving unit 1904 receives the authentication result transmitted from the first authentication server. Then, in S2005, the authentication result receiving unit 1904 determines whether the received authentication result is an authentication token or a region. If it is an authentication token (YES in S2005), in S2006, the display control unit 1900 displays a login success screen on the display device 205. On the other hand, when the authentication result is a region (when S2005 is NO), in S2007, the authentication server determination unit 1902 determines a second authentication server to be retransmitted of the authentication request based on the received region. .. For example, when the received region is the US region 110, the authentication server determination unit 1902 determines the authentication server 113 of the US region 110 as the second authentication server. Similarly, if the received region is the EU region 120, the authentication server determination unit 1902 determines the authentication server 123 of the EU region 120 as the second authentication server.

Next, in S2008, the authentication request retransmission unit 1905 transmits the second authentication request to the second authentication server determined as the transmission target. This authentication request includes at least the user ID and password accepted by the input reception unit 1901. The URL specified at the time of transmission is a URL having a domain name unique to the US region 110 when the authentication server 113 of the US region 110 is determined as the transmission target of the authentication request. Further, when the authentication server 123 of the EU region 120 is determined as the transmission target of the authentication request, the URL has a domain name unique to the EU region 120. The authentication server authenticates the user or determines the region based on the user ID and password included in the received authentication request, and responds to the requesting Web client 101 as the authentication result.

In S2009, the authentication result receiving unit 1904 receives the authentication result transmitted from the second authentication server. Then, in S2010, the authentication result receiving unit 1904 determines whether the received authentication result is an authentication token or a region. If it is an authentication token (YES in S2010), in S2006, the display control unit 1900 displays a login success screen on the display device 205. On the other hand, when the authentication result is a region (when S2010 is NO), the display control unit 1900 displays a login failure screen on the display device 205 in S2011.

Next, the functional configurations of the authentication servers 113 and 123 according to the fifth embodiment will be described with reference to the block diagram of FIG. The configuration shown in FIG. 21 represents a functional configuration when the CPU 200 of the authentication servers 113 and 123 executes a program for functioning as an authentication server. For convenience of explanation, it is assumed that the hardware of the authentication servers 113 and 123 has the configuration shown in FIG.

The authentication servers 113 and 123 are the authentication request receiving unit 2100, the authentication information management unit 2101, the authentication unit 2102, the issuing unit 2103, the user ID conversion unit 2104, the mapping information management unit 2105, the mapping information collation unit 2106, and the region determination unit 2107, respectively. , The authentication result transmission unit 2108 is provided.

The authentication request receiving unit 2100 receives the authentication request transmitted from the Web client 101 via the network interface 203.

The authentication information management unit 2101 stores and manages the authentication information associated with the user ID and password of the user registered in each authentication server in the external storage device 204.

The authentication unit 2102 authenticates the user by collating the authentication request received by the authentication request receiving unit 2100 with the authentication information managed by the authentication information management unit 2101.

The issuing unit 2103 issues an authentication token indicating that the user has been authenticated.

The user ID conversion unit 2104 converts the user ID included in the authentication request into a hash value.

The mapping information management unit 2105 stores, holds, and manages the mapping information between the hash value of the user ID registered in each region and the region in which the user is registered in the external storage device 204. The hash value of the user ID is stored in order to protect the user ID that can be personal information.

The mapping information collation unit 2106 collates (or searches) with the mapping information management unit 2105 using the hash value of the user ID calculated by the user ID conversion unit as a key, determines whether or not it exists (verification result), and If it exists, identify the relevant region.

The region determination unit 2107 determines a false region based on the user ID included in the authentication request.

The authentication result transmission unit 2108 displays an authentication result representing either an authentication token issued by the issuer 2103, a region specified by the mapping information collation unit 2106, or a false region determined by the region determination unit 2107. It is transmitted to the Web client 101 via the network interface 203.

Next, the authentication process of the authentication servers 113 and 123 according to the fifth embodiment will be described with reference to the flowchart of FIG.

First, in S2200, the authentication request receiving unit 2100 receives the authentication request transmitted from the Web client 101.

Next, in S2201, the authentication unit 2102 collates the user ID and password included in the authentication request received in S2200 with the authentication information managed by the authentication information management unit 2101.

If the user ID is registered in the authentication information management unit 2101 (when S2202 is YES) and the passwords match (when S2203 is YES), the issuing unit 2103 issues an authentication token in S2204. Then, in S2205, the authentication result transmission unit 2108 transmits the authentication token as the authentication result to the Web client 101. On the other hand, if the passwords do not match (S2203 is NO), the region determination unit 2107 determines a false region in S2206. Then, in S2207, the authentication result transmission unit 2108 transmits the false region as the authentication result to the Web client 101. Since the method of determining the false region is the same as that of S705 of the first embodiment, the description thereof will be omitted.

When the user ID is not registered in the authentication information management unit 2101 (when S2202 is NO), the user ID conversion unit 2104 calculates the hash value of the user ID included in the authentication request received in S2200 in S2208. do.

Next, in S2209, the mapping information collation unit 2106 collates the mapping information of the region from the mapping information management unit 2105 based on the hash value of the user ID obtained in S2208. Since the region mapping information is the same as the example of the first embodiment, the description thereof will be omitted.

When the mapping information matching the hash value is found (when S2210 is YES), in S2211, the authentication result transmission unit 2108 transmits the region associated with the matched hash value to the Web client 101 as the authentication result. ..

On the other hand, when the mapping information is not found (when S2210 is NO), the region determination unit 2107 determines a false region in S2212. Then, in S2213, the authentication result transmission unit 2108 transmits a false region as an authentication result to the Web client 101. Since the method of determining the false region is the same as that of S705 of the first embodiment, the description thereof will be omitted.

As described above, the authentication servers 113 and 123 of the fifth embodiment respond to the authentication request including the correct user ID and password with the authentication token. When the Web client 101 determines the authentication server in which the user ID is registered as the first authentication server and sends the first authentication request, the login is completed by one communication between the Web client and the authentication server. , Usability is improved. Furthermore, in order to respond to an authentication request for a user ID that is not registered in any region and a false region uniquely determined from the user ID in response to an authentication request for a password error, it is determined whether or not the user ID is registered. It is also possible to make it difficult.

In the fifth embodiment, the authentication servers 113 and 123 determine and respond to a false region uniquely determined from the user ID, but this determination method may be common among the authentication servers. As a result, since the region returned for each user ID is unique to each authentication server, it becomes possible to further make it difficult to determine whether or not the user ID is registered.

(Other examples)
The present invention supplies a program that realizes one or more functions of the above-described embodiment to a system or device via a network or storage medium, and one or more processors in the computer of the system or device reads and executes the program. It can also be realized by the processing to be performed. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

The invention is not limited to the above embodiment, and various modifications and modifications can be made without departing from the spirit and scope of the invention. Therefore, a claim is attached to publicize the scope of the invention.

100 ... Internet, 101 ... Web client, 110 ... US region, 120 ... EP region, 112, 122 ... Reverse proxy server, 113, 123 ... Authentication server, 114, 124 ... Resource server, 130 ... Integrated server, 600 ... Region identification Request receiving unit, 601 ... User ID conversion unit, 602 ... Mapping information management unit, 603 ... Mapping information collating unit, 604 ... Region determination unit, 605 ... Region specific result transmission unit

Claims (29)

An information processing device that transmits region information representing a corresponding region to the client terminal in response to a region identification request received from a client terminal via the Internet.
Communication means to communicate with the Internet and
A management means for managing mapping information associated with user information and region information,
When a region identification request including user information for identifying a user is received from a client terminal via the communication means, a collation means for collating the mapping information of the management means and a collation means.
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
Information processing characterized by having a response means for transmitting false region information as a response to the client terminal when the collation result of the collation means indicates that the corresponding user information does not exist in the mapping information. Device. The user information includes a user ID that identifies the user, and includes a user ID.
The management means manages the information obtained by pairing the hash value of the user ID and the region information as the mapping information.
The information according to claim 1, wherein the collation means obtains a hash value from a user ID included in a received region identification request, and performs collation by searching for the mapping information using the hash value as a key. Processing equipment. When the matching result of the matching means indicates that the mapping information does not have a value matching the hash value of the corresponding user ID, the response means is a falsehood uniquely determined by the numerical value represented by the hash value of the user ID. The information processing apparatus according to claim 1, wherein the region information of the above is transmitted as a response. The response means responds with information representing a region specified by a residual value when the numerical value represented by the hash value of the user ID is divided by the number of regions managed by the management means as the false region information. The information processing apparatus according to claim 3, wherein the information processing apparatus is to be used. The management means further manages false mapping information in which a hash value of a user ID that does not exist in the mapping information and the false region information are paired.
The response means
When the collation result of the collation means does not have a value matching the hash value of the user ID corresponding to the mapping information and there is a value matching the false mapping information, the relevant value is applicable. In response to the relevant false region information in the false mapping information,
When the collation result of the collation means does not have a value matching the hash value of the user ID corresponding to the mapping information and there is no matching value in the false mapping information, the above is described. The information processing apparatus according to claim 1, wherein a pair of a hash value of a user ID and a new false region information is registered in the false mapping information, and the new false region information is returned. Further having an attacker determination means for determining whether the client terminal is an attacker,
The response means provides false region information even when the attacker determination means determines that the client terminal is an attacker, in addition to indicating that the corresponding user information does not exist in the mapping information. The information processing apparatus according to any one of claims 1 to 5, wherein the information processing apparatus is transmitted as a response. The information processing device according to claim 6, wherein the attacker determination means determines whether or not the attacker is an attacker based on a region identification request sent from a client terminal and incidental information thereof. The attacker determination means stores the region identification request sent from the client terminal and its incidental information as a region identification request history associated with the result of the collation means, and determines whether or not the region identification request history is an attacker. The information processing apparatus according to claim 6, wherein the information processing apparatus is used for determination. It has a communication means for communicating with the Internet and a management means for managing mapping information in which user information and region information are associated with each other, and is a region corresponding to a region identification request received from a client terminal via the communication means. It is a control method of an information processing device that transmits region information representing the above to the client terminal.
When a region identification request including user information for identifying a user is received from a client terminal via the communication means, a collation step for collating the mapping information of the management means and a collation step.
When the collation result of the collation step indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
Information processing characterized by having a response step of transmitting false region information as a response to the client terminal when the collation result of the collation step indicates that the corresponding user information does not exist in the mapping information. How to control the device. A program for causing the computer to execute each step of the method according to claim 9, which is read and executed by the computer. A system that includes an integrated server deployed in one or more regions, an authentication server deployed in one or more regions, and a pseudo-authentication server deployed in one or more regions.
The integrated server is
Communication means to communicate with the Internet and
A management means for managing mapping information associated with user information and region information,
When a region identification request including user information for identifying a user is received from a client terminal via the communication means, a collation means for collating the mapping information of the management means and a collation means.
An attacker determination means for determining whether the client terminal is an attacker,
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
In addition to the case where the collation result of the collation means indicates that the corresponding user information does not exist in the mapping information, the pseudo authentication is also performed when the client terminal is determined to be an attacker by the attacker determination means. It has a response means to send the region information of the server,
The authentication server is
Communication means to communicate with the Internet and
An authentication means that authenticates a user when an authentication request is received from the client terminal via the communication means, and an authentication means.
When the authentication result of the authentication means indicates that the authentication is successful, the authentication token is used as a response, and when the authentication fails, the authentication failure is used as a response and the response means is transmitted to the client terminal.
The pseudo authentication server is
Communication means to communicate with the Internet and
A pseudo-authentication means that pseudo-authenticates a user when an authentication request is received from the client terminal via the communication means, and a pseudo-authentication means.
A system including a response means for transmitting a pseudo-authentication result of the pseudo-authentication means to the client terminal as a response. The system according to claim 11, wherein the attacker determination means in the integrated server determines whether or not the attacker is an attacker based on a region identification request sent from a client terminal and incidental information thereof. .. The attacker determination means in the integrated server stores the region identification request sent from the client terminal and its incidental information as a region identification request history associated with the result of the matching means, and determines whether or not the attacker is an attacker. The system according to claim 11, characterized in that it is used. The pseudo-authentication means in the pseudo-authentication server fails authentication regardless of the content of the authentication request sent from the client terminal.
The system according to claim 11, wherein the response means in the pseudo-authentication server responds as a pseudo-authentication result with a result imitating an authentication failure transmitted by the authentication server at the time of authentication failure. The pseudo-authentication means in the pseudo-authentication server determines that the authentication is successful regardless of the content of the authentication request sent from the client terminal.
The system according to claim 11, wherein the response means in the pseudo-authentication server responds as a pseudo-authentication result with a pseudo-authentication token imitating an authentication token transmitted by the authentication server when authentication is successful. A system that includes an integrated server deployed in one or more regions and an authentication server deployed in one or more regions.
The integrated server is
Communication means to communicate with the Internet and
A management means for managing mapping information associated with user information and region information,
When a region identification request including user information for identifying a user is received from a client terminal via the communication means, a collation means for collating the mapping information of the management means and a collation means.
An attacker determination means for determining whether the client terminal is an attacker,
When the attacker determination means determines that the attacker is an attacker, the attacker information notification means for notifying the authentication server of the attacker information indicating that the client terminal is an attacker via the communication means. ,
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
In addition to the case where the collation result of the collation means indicates that the corresponding user information does not exist in the mapping information, the pseudo authentication is also performed when the client terminal is determined to be an attacker by the attacker determination means. It has a response means to send the region information of the server,
The authentication server is
Communication means to communicate with the Internet and
Whether the client terminal is an attacker based on the attacker information when the attacker information notified from the integrated server is stored via the communication means and an authentication request is received from the client terminal. Attacker information usage means to determine
An authentication means that authenticates a user by using an authentication request received from the client terminal when the attacker information utilization means determines that the client terminal is not an attacker.
When the attacker information utilization means determines that the client terminal is an attacker, the pseudo-authentication means for pseudo-authentication of the user
When the authentication means indicates that the authentication is successful, the authentication token is used as a response, when the authentication fails, the authentication failure is used as the response, and when the pseudo authentication means is used, the pseudo authentication result of the pseudo authentication means is used. As a response, it has a response means for transmitting to the client terminal.
A system characterized by that. The system according to claim 16, wherein the attacker determination means in the integrated server determines whether or not the attacker is an attacker based on a region identification request sent from a client terminal and incidental information thereof. .. The attacker determination means in the integrated server stores the region identification request sent from the client terminal and its incidental information as a region identification request history associated with the result of the matching means, and the attacker uses this region identification request history. The system according to claim 16, characterized in that it is used for determining whether or not it exists. The pseudo-authentication means in the authentication server fails the authentication regardless of the content of the authentication request sent from the client terminal.
The system according to claim 16, wherein the response means in the authentication server responds as a pseudo-authentication result, which is transmitted as a result of imitating an authentication failure. The pseudo-authentication means in the authentication server determines that the authentication is successful regardless of the content of the authentication request sent from the client terminal.
The system according to claim 16, wherein the response means in the authentication server responds with a pseudo authentication token imitating an authentication token transmitted at the time of successful authentication as a pseudo authentication result. An information processing device that transmits an authentication result to the client terminal in response to an authentication request received from the client terminal via the Internet.
Communication means to communicate with the Internet and
An authentication means that authenticates a user when an authentication request including user information that identifies the user is received from a client terminal via the communication means.
A management means for managing mapping information associated with user information and region information,
When the authentication result of the authentication means indicates that the authentication has failed due to an error in the user information, the collation means for collating the mapping information of the management means and the collation means.
If the authentication result of the authentication means indicates that the authentication was successful, the authentication token is sent as a response to the client terminal.
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
False if the authentication result of the authentication means indicates that the authentication has failed due to an error in the user information, or if the verification result of the matching means indicates that the corresponding user information does not exist in the mapping information. An information processing apparatus having a response means for transmitting the region information of the above to the client terminal as a response. The user information includes a user ID that identifies the user, and includes a user ID.
The management means manages the information obtained by pairing the hash value of the user ID and the region information as the mapping information.
The information processing according to claim 21, wherein the collation means obtains a hash value from a user ID included in a received authentication request, and performs collation by searching for the mapping information using the hash value as a key. Device. When the matching result of the matching means indicates that the mapping information does not have a value matching the hash value of the corresponding user ID, the response means is a falsehood uniquely determined by the numerical value represented by the hash value of the user ID. 21. The information processing apparatus according to claim 21, wherein the region information of the above is transmitted as a response. The response means responds with information representing a region specified by a residual value when the numerical value represented by the hash value of the user ID is divided by the number of regions managed by the management means as the false region information. 23. The information processing apparatus according to claim 23. It has a communication means for communicating with the Internet and a management means for managing mapping information associated with user information and region information, and in response to an authentication request received from a client terminal via the Internet, the authentication result is sent to the client terminal. It is a control method of the information processing device to send to
An authentication process for authenticating a user when an authentication request including user information for identifying a user is received from a client terminal via the communication means.
When the authentication result of the authentication step indicates that the authentication has failed due to an error in the user information, the collation step for collating the mapping information of the management means and the collation step.
When the authentication result of the authentication process indicates that the authentication was successful, the authentication token is sent as a response to the client terminal.
When the collation result of the collation step indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
False if the authentication result of the authentication process indicates that the authentication failed due to an error in the user information, or if the verification result of the collation process indicates that the corresponding user information does not exist in the mapping information. A control method for an information processing apparatus, which comprises a response process of transmitting the region information of the above to the client terminal as a response. A program for causing the computer to execute each step of the method according to claim 25 by reading and executing the computer. A system that includes an authentication server deployed in one or more regions and a client terminal that has a Web browser.
The authentication server is
Communication means to communicate with the Internet and
An authentication means that authenticates a user when an authentication request including user information that identifies the user is received from the client terminal via the communication means.
A management means for managing mapping information associated with user information and region information,
When the authentication result of the authentication means indicates that the authentication has failed due to an error in the user information, the collation means for collating the mapping information of the management means and the collation means.
If the authentication result of the authentication means indicates that the authentication was successful, the authentication token is sent as a response to the client terminal.
When the collation result of the collation means indicates that the corresponding user information exists in the mapping information, the corresponding region information is transmitted to the client terminal as a response.
False if the authentication result of the authentication means indicates that the authentication has failed due to an error in the user information, or if the verification result of the matching means indicates that the corresponding user information does not exist in the mapping information. It has a response means for transmitting the region information of the above to the client terminal as a response.
The client terminal is
An authentication request transmission means for transmitting the first authentication request to one of the authentication servers deployed in one or more regions, and
A system comprising: an authentication request retransmission means for transmitting a second authentication request to an authentication server in the region when region information is responded to the authentication request. 27. The response means according to claim 27, wherein the response means determines false region information by a method common to all authentication servers deployed in one or more regions, and transmits the false region information as a response to the client terminal. system. The authentication request transmission means is
The system according to claim 27, wherein the authentication server is determined based on the proximity to the client terminal among the authentication servers deployed in one or more regions, and the first authentication request is transmitted.

Images