JP3950095B2 - Authentication server, authentication method, authentication request terminal, and authentication request program - Google Patents

Description

  The present invention uses an authentication request terminal connected to an application server and uses the downloaded application after performing a trial using a function for a predetermined period using a distributed license key. The present invention relates to an authentication server and an authentication method for authenticating the application that can officially use the application by registering a key, an authentication requesting terminal on which the application is installed, and an application authentication program.

  With the spread of information devices such as computers, PDAs and mobile phones in recent years, various applications have been sold. Application sales methods include (1) a method of recording in a storage medium such as a CD-ROM or a flexible disk and selling at a store, and (2) a method of downloading from a server providing the application and making a payment. Are listed. In particular, since the method (2) can be easily upgraded, it is considered that application sales methods using such a method will become more popular in the future.

  As a conventional method for preventing unauthorized use of an application, there is a method for preventing reproduction of data from an information recording medium copied to an object other than an authorized user (for example, Patent Document 1). This method can be applied to content recorded on a recording medium, but cannot be applied to an application downloaded from a server.

On the other hand, the spread of communication networks such as ADSL, cable communication, and optical fiber communication is remarkable in proportion to the spread of information devices in recent years. This has increased the number of machines that are always connected at home. In addition, along with the spread of information devices, a proxy server or the like is provided in the home, and a communication network can be used from several personal computers.
JP 2002-32137 A

  However, unauthorized sales are constantly being carried out for the sale of applications, and application providers must also perform development to prevent unauthorized use.

  For example, the user can use all functions as a trial period for a certain period after downloading the application. After a certain period of time, the application cannot be used or the functions that can be used are restricted. After that, the user can continue to use all functions by purchasing and registering a license key. Can do.

  By distributing this license key to a person without permission, a user who has not purchased the license key may use it illegally. In some cases, application data and registry data are copied to another computer to illegally use the application.

  In view of the situation where one person owns several personal computers, there is a need for a method in which a license key purchased by one person can be used by several devices.

  Accordingly, an object of the present invention is to provide an authentication server, an authentication method, an authentication request terminal, and an authentication request program that prevent unauthorized use of an application and can be used by a plurality of devices.

In order to solve the above problems, an authentication server according to the first feature of the present invention is an application that is used by connecting to an application server in an authentication request terminal, and the application downloaded at the authentication request terminal is distributed. The present invention relates to an authentication server that authenticates an application that can use a trial license key to register a purchased license key and officially use the application after performing a trial using a function for a predetermined period. That is, the authentication server according to the first feature of the present invention is provided for each device of the authentication request terminal when the application is installed in the authentication request terminal and started to start trial using the trial license key. Device registration key is issued, sent to the authentication request terminal, trial start authentication means for starting the trial, and after the license key of either the trial license key or the purchased license key is registered at the authentication request terminal, Register the license key and device identification key received from the authentication request terminal in the authentication key storage device, authenticate the use of the application, and determine the status of the function used by the authentication request terminal based on the type of the license key, Use authentication means for transmitting to the authentication requesting terminal .

  According to the authentication server according to the first feature of the present invention, since the device identification key is issued for each authentication request terminal, not only the user but also the device used by the user can be managed. Can do. Therefore, one user can register a plurality of devices.

  As a result, it is possible to limit the functions that can be used according to the state of the application trial period, trial period exceeded, formal usage period, usage period exceeded, and the like.

  Further, when the license key is registered in the use authentication means, a basic software identification key dynamically generated at the authentication requesting terminal is further received from the manufacturing number of the basic software that operates the authentication requesting terminal, and the basic software identification is performed. The key is preferably registered in the authentication key storage device.

  Accordingly, by further managing the basic software identification key dynamically generated from the basic software, it is possible to eliminate unauthorized use with higher accuracy.

  In addition, it is preferable to further include a registered number check means for checking whether or not the number of device identification keys that can be registered for one license key exceeds a predetermined number with reference to the authentication key storage device.

  Thereby, when the predetermined number is exceeded, it is considered that this license key is used illegally, and access by this license key can be excluded.

Also, a first server encryption key for encrypting a predetermined first message, which is the same as the first client encryption key registered at the authentication requesting terminal, first further comprises a server encryption key storage means for registering the first server encryption key storage device, the trial starts authentication means, further, in response to a request from the authentication request terminal, the first language A check code that is transmitted and received from at least the authentication requesting terminal with the first client encryption key encrypted with the first message, and the first server encryption key is used to encrypt the first message, When it matches the check code received from the authentication requesting terminal, it is preferable that a device identification key given to each device of the authentication requesting terminal is issued and transmitted to the authentication requesting terminal to start trial use .

  Here, the “word” is a character string that combines numbers, symbols, characters, and the like. Also, the encryption key used in the present invention is an encryption key according to a secret key method in which the same key is managed by the application and the authentication server.

  Thereby, it can be determined whether the application installed in the authentication requesting terminal is a valid application.

  In addition, the apparatus further comprises first word encryption key storage means for registering the first word encryption key for checking the validity of the first word in the first word encryption key storage device, and the trial start authentication In the means, the first word check code obtained by encrypting the first word with the first word encryption key is further transmitted to the authentication request terminal, and the first client encryption key is used for the first request from the authentication request terminal. When receiving a check code obtained by encrypting the first word, the first word check code is also received, and the check code obtained by encrypting the received first word with the first word encryption key is received from the authentication requesting terminal. When the received first text check code matches, the validity of the first text may be confirmed.

  Thereby, it is possible to check whether or not the transmitted first word is falsified.

  Further, it is preferable that the trial start authentication means confirms that the time difference between the time when the request is received from the authentication requesting terminal and the time when the check code and the word are received is within a predetermined time.

  Thereby, it is possible to eliminate a case where an illegal act is performed at the authentication requesting terminal.

  The first wording is embedded with the time when the request is received from the authentication requesting terminal, and the trial start authenticating unit calculates the time when the request is received from the authentication requesting terminal, and requests from the calculated authentication requesting terminal. It is preferable to confirm that the time difference between the time when the message is received and the time when the check code and the first word are received is within a predetermined time.

  As a result, the time at which the request is received from the authentication terminal can be calculated, so that the trial start permission can be limited to a predetermined time from the time received from the authentication requesting terminal. That is, since it is possible to prevent the authentication request terminal from generating a check code illegally and to continue the trial even after the trial period has passed, higher security can be realized.

  In addition, it further comprises a usage suspension list storage means for registering a usage suspension license key not to be connected to the application server in the usage suspension list storage device, and registered in the usage authentication means with reference to the usage suspension list storage device. It is preferable not to authenticate existing license keys.

  As a result, it is possible to eliminate the connection from the license key for unauthorized use to the application server.

  Also, a second server encryption key for encrypting a predetermined second word, which matches the second client encryption key that matches the second client encryption key registered at the authentication requesting terminal A second server encryption key storage means for registering the second server encryption key in the second server encryption key storage device, and a predetermined second wording when connecting the authentication request terminal to the application server. And the encrypted message obtained by encrypting the second message with the second client encryption key from at least the authentication requesting terminal, and the second message encrypted with the second server encryption key It is preferable to further include function use authentication means for connecting the authentication request terminal to the application server when the wording matches the encrypted message received from the authentication request terminal.

  Thereby, it can be determined whether the application installed in the authentication requesting terminal is a valid application.

  Also, a first server encryption key for encrypting a predetermined first message, which is the same as the first client encryption key registered at the authentication requesting terminal, A first server encryption key storage means for registering in the first server encryption key storage device, and a second server encryption key for encrypting a predetermined second message, which are registered at the authentication requesting terminal. A second server encryption key for registering in the second server encryption key storage device a second server encryption key that matches a second client encryption key that matches the second client encryption key When the storage means and the authentication requesting terminal connect to the basic function of the application server, the first wording is transmitted in response to a request from the authentication requesting terminal, and the first client encryption key is used to encrypt the first wording. Check The code and the first text are received from at least the authentication requesting terminal, and the check code obtained by encrypting the first text with the first server encryption key matches the check code received from the authentication requesting terminal; Furthermore, a predetermined second message and an encrypted message obtained by encrypting the second message with the second client encryption key are received from at least the authentication requesting terminal, and the second message is received with the second server encryption key. It is preferable to further include basic function use authentication means for connecting the authentication request terminal to the application server when the encrypted message obtained by encrypting the above message matches the encrypted message received from the authentication request terminal.

  As a result, when the basic function of the application server is used, more accurate security can be ensured by performing double authentication.

An authentication method according to the second aspect of the present invention is an application that is used by connecting to an application server at an authentication requesting terminal, and the application downloaded at the authentication requesting terminal is predetermined by using a distributed trial license key. The present invention relates to an authentication method for authenticating an application that can officially use an application by registering a purchased license key after performing a trial using a function during the period. That is, the authentication method according to the second aspect of the present invention is provided for each device of the authentication request terminal when the application is installed in the authentication request terminal and started to start trial using the trial license key. Device registration key is issued, sent to the authentication requesting terminal, the trial start authentication step for starting the trial, and after the license key of either the trial license key or the purchased license key is registered at the authentication requesting terminal, Register the license key and device identification key received from the authentication request terminal in the authentication key storage device, authenticate the use of the application, and determine the status of the function used by the authentication request terminal based on the type of the license key, Causing the computer to execute a use authentication step to be transmitted to the authentication requesting terminal .

  In addition, when the license key is registered in the usage authentication step, a basic software identification key dynamically generated at the authentication requesting terminal is further received from the serial number of the basic software that operates the authentication requesting terminal, and the basic software identification is performed. The key is preferably registered in the authentication key storage device.

  In addition, it is preferable to further include a registered number check step for checking whether the number of device identification keys that can be registered for one license key exceeds a predetermined number with reference to the authentication key storage device.

Also, a first server encryption key for encrypting a predetermined first message, which is the same as the first client encryption key registered at the authentication requesting terminal, A first server encryption key storage step of registering in the first server encryption key storage device; and in the trial start authentication step, further, in response to a request from the authentication requesting terminal, the first wording A check code that is transmitted and received from at least the authentication requesting terminal with the first client encryption key encrypted with the first message, and the first server encryption key is used to encrypt the first message, When it matches the check code received from the authentication requesting terminal, it is preferable that a device identification key given to each device of the authentication requesting terminal is issued and transmitted to the authentication requesting terminal to start trial use .

  In addition, the method further comprises a first word encryption key storage step of registering a first word encryption key for checking the validity of the first word in the first word encryption key storage device. In the step, the first word check code obtained by encrypting the first word with the first word encryption key is further transmitted to the authentication requesting terminal, and the first client encryption key is used for the first request from the authentication requesting terminal. When receiving a check code obtained by encrypting the first word, the first word check code is also received, and the check code obtained by encrypting the received first word with the first word encryption key is received from the authentication requesting terminal. If it matches the received first text check code, the validity of the application may be confirmed.

  In the trial start authentication step, it is preferable to confirm that the time difference between the time when the request is received from the authentication requesting terminal and the time when the check code and the first word are received is within a predetermined time. .

  Also, the first wording is embedded with the time when the request is received from the authentication requesting terminal. In the trial start authentication step, the time when the request is received from the authentication requesting terminal is calculated, and the request from the calculated authentication requesting terminal is requested. It is preferable to confirm that the time difference between the time when the message is received and the time when the check code and the first word are received is within a predetermined time.

  In addition, a use stop list storage step of registering a use stop license key not to be connected to the application server in the use stop list storage device is further provided. In the use authentication step, registration is performed with reference to the use stop list storage device. It is preferable not to authenticate existing license keys.

  Also, a second server encryption key for encrypting a predetermined second word, which matches the second client encryption key that matches the second client encryption key registered at the authentication requesting terminal A second server encryption key storage step of registering the second server encryption key in the second server encryption key storage device, and a predetermined second wording when connecting the authentication request terminal to the application server. And the encrypted message obtained by encrypting the second message with the second client encryption key from at least the authentication requesting terminal, and the second message encrypted with the second server encryption key When the wording matches the encrypted wording received from the authentication requesting terminal, it is preferable to further cause the computer to execute a function use authentication step for connecting the authentication requesting terminal to the application server. Arbitrariness.

  Also, a first server encryption key for encrypting a predetermined first message, which is the same as the first client encryption key registered at the authentication requesting terminal, A first server encryption key storage step for registering in the first server encryption key storage device, and a second server encryption key for encrypting a predetermined second message, which are registered at the authentication requesting terminal. A second server encryption key for registering in the second server encryption key storage device a second server encryption key that matches a second client encryption key that matches the second client encryption key When connecting to the key function of the application server from the storage step and the authentication requesting terminal, the first wording is transmitted in response to a request from the authentication requesting terminal, and the first wording is encrypted with the first client encryption key. Turn into The check code and the first text are received from at least the authentication requesting terminal, and the check code obtained by encrypting the first text with the first server encryption key matches the check code received from the authentication requesting terminal. Further, a predetermined second message and an encrypted message obtained by encrypting the second message with the second client encryption key are received from at least the authentication requesting terminal, and the second server encryption key is used to receive the second message. When the encrypted message obtained by encrypting the message of 2 matches the encrypted message received from the authentication requesting terminal, it is preferable that the computer further execute a basic function use authentication step for connecting the authentication requesting terminal to the application server. .

An authentication requesting terminal according to the third aspect of the present invention uses a license purchased after performing a trial using a function for a predetermined period using a trial license key for an application connected to an application server. The present invention relates to an authentication request terminal in which an application that can officially use an application by registering a key is installed, and requests authentication from an authentication server connected to the application server. That is, the authentication requesting terminal relating to the third feature of the present invention is a first client encryption key for encrypting a predetermined first message transmitted from the authentication server, and is registered in the authentication server. The first client key storage means for registering the first client encryption key in the first client key storage device, which matches the server encryption key of the first server, and the serial number of the basic software operating the authentication requesting terminal The basic software encryption key storage means for registering the basic software encryption key, which is the key to be converted, into the basic software encryption key storage device, and the application is installed in the authentication requesting terminal, and the trial is started using the trial license key In order to start the application, the first word received from the authentication server is changed to the first client cipher. Generate a check code by encrypting with a key, send at least the check code to the authentication server, and if authenticated by the authentication server, receive the device identification key given to each device of the authentication requesting terminal from the authentication server, and try it After registering the trial start authentication requesting means for starting the license, and either the trial license key or the purchased license key, a basic software identification key encrypted with the basic software encryption key is generated, and the license key and And a usage authentication requesting means for transmitting a basic software identification key and a device identification key and receiving a status of a function that can be used by the authentication requesting terminal.

  Here, the serial number of the basic software is also called a product key. Further, here, the authentication request terminal is identified based on the production number of the basic software. However, the identification number is not limited to the production number of the basic software as long as the authentication request terminal can be identified. For example, a MAC (Media Access Control) address uniquely identified by the communication device, a serial number of the processing processor, and the like can be considered. In addition to this, any number may be used as long as it is a number assigned to an apparatus included in the authentication request terminal and can uniquely identify the apparatus. In this way, the basic software identification key may be a number that can be uniquely identified assigned to an apparatus included in the authentication requesting terminal.

  According to the authentication requesting terminal of the third feature of the present invention, the basic software identification key is dynamically generated from the basic software manufacturing number, so that the application file and registry data including the license key and the device identification key are separated. The case where it tries to copy and use for the apparatus of can be excluded.

  Also, a second client encryption key for encrypting a predetermined second word, the second client encryption key that matches the second server encryption key registered in the authentication server, is set in the second client encryption key. Second client key storage means for registering in the second client key storage device, and when connecting to the application server, a predetermined second wording and encryption obtained by encrypting the second wording with the second client encryption key And when the encrypted message obtained by encrypting the second message with the second server encryption key matches the encrypted message transmitted from the authentication requesting terminal, the authentication server It is preferable to further include function use authentication requesting means for obtaining permission to connect to the application server.

  Accordingly, authentication is performed even when the server function is used, so that high security can be ensured.

Authentication request program according to a fourth aspect of the present invention, for applications utilizing connected to an application server in the authentication request terminal, after a trial by using the function in a predetermined period by using a trial license key The present invention relates to an authentication request program for registering a purchased license key and requesting authentication of an application that can formally use the application, and requesting authentication from an authentication server connected to the application server. That is, the authentication request program according to the fourth feature of the present invention is a first client encryption key for encrypting a predetermined first message transmitted from the authentication server, and is registered in the authentication server. A first client key storage step for registering the first client encryption key in the first client key storage device, which coincides with the first server encryption key, and a serial number of the basic software for operating the authentication requesting terminal. The basic software encryption key storage step for registering the basic software encryption key, which is the key to be encrypted, in the basic software encryption key storage device, and the application is installed on the authentication requesting terminal, and the trial is started using the trial license key To start the application, the first word received from the authentication server is changed to the first class. Encrypted with an ant encryption key, generates a check code, sends at least the check code to the authentication server, and if authenticated by the authentication server, receives the device identification key given to each device of the authentication requesting terminal from the authentication server Then, after registering the trial start authentication request step for starting the trial and the license key of either the trial license key or the purchased license key, a basic software identification key encrypted with the basic software encryption key is generated, The license key, the basic software identification key, and the device identification key are transmitted to cause the computer to execute a use authentication request step for receiving a status of a function that can be used by the authentication request terminal.

  Also, a second client encryption key for encrypting a predetermined second word, the second client encryption key that matches the second server encryption key registered in the authentication server, is set in the second client encryption key. A second client key storage step to be registered in the second client key storage device, and when connecting to the application server, a predetermined second word and an encryption obtained by encrypting the second word with the second client encryption key And when the encrypted message obtained by encrypting the second message with the second server encryption key matches the encrypted message transmitted from the authentication requesting terminal, the authentication server It is preferable to further cause the computer to execute a function use authentication request step for obtaining permission to connect to the application server.

  Therefore, according to the present invention, it is possible to provide an authentication server, an authentication method, an authentication request terminal, and an authentication request program that prevent unauthorized use of an application and can be used by a plurality of devices.

  Next, embodiments of the present invention will be described with reference to the drawings. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals.

As shown in FIG. 2, the application to be authenticated by the authentication system according to the embodiment of the present invention includes (1) a trial period T1 from installation of the application to purchase of the license key, and (2) purchase of the license key. (2) Full function usage period T3 until the license key usage period expires, (3) Restricted function trial period T3 after the usage period expires until the license key is purchased again, (4) License again The cycle of full function trial period T4 after purchasing the key is repeated. Although not shown in the figure, the period between the end of the trial period T1 and the purchase of the license key is a limited function trial period.

  In the trial period T1, by registering the trial license key, all functions can be used for a certain period such as one month. In the full function trial periods T2 and T4, by registering the purchased license key, all functions can be used for a certain period such as one year. Only the limited function can be used until the license key is purchased after the limited function trial period T3 or the trial period T1 ends.

  An application according to an embodiment of the present invention can receive services such as providing search results by connecting to a server via a communication network.

(First embodiment)
As shown in FIG. 3, the authentication system according to the first embodiment of the present invention includes an authentication server 1 that authenticates an application, a search server 2 that provides a search service to a user terminal, and requests authentication from the authentication server 1. In addition, user terminals 3a to 3d (authentication request terminals) that request the search server 2 to provide services are provided.

  The authentication server 1, the search server 2, and the user terminals 3a to 3d are connected to the communication network 5 and can communicate with each other. Here, the communication network is an infrastructure capable of mutual communication such as the Internet and personal computer communication. When the authentication server 1, the search server 2, and the user terminals 3 a to 3 d are connected to the communication network 5, they are connected via a router 7, a proxy server, a firewall, an Internet service provider access point server, and the like.

  The authentication server 1 and the search server 2 are realized by installing an application having a predetermined function in hardware such as a general computer. If a load is applied to one server, a predetermined function may be operated by several servers. In FIG. 3, the authentication server 1 and the search server 2 are constructed on separate hardware, but may be constructed on the same hardware.

  The user terminals 3a to 3c are realized by installing search applications 4a to 4d including an authentication request program in hardware such as a general computer. Further, the user terminals 3 a and 3 b are managed by the same user, and the user terminals 3 a and 3 b can be connected to the communication network 5 by the router 7.

  With reference to FIG. 4, the flow of the authentication process according to the embodiment of the present invention will be described.

  First, in step S11, an application is installed in the user terminal 3a. In step S12, the application is activated. At this time, the user terminal 3a requests trial start authentication from the authentication server 1 in step S13. In step S14, the authentication server 1 transmits the result of trial start authentication to the user terminal 3a after authentication. Thereby, trial use of an application can be performed in the user terminal 3a.

  Next, in step S15, a license key for the application is purchased and registered. Thereafter, when the application is activated in step S16, the server time is acquired from the authentication server 1 in step S17, and compared with the time of the internal clock of the user terminal 3a to detect the difference. Thereby, in the user terminal 3a, the user terminal 3a can grasp | ascertain the exact time of the authentication server 1 at any time by the difference with the time of the authentication server 1, without changing the time of an internal clock.

  Next, in step S18, the user terminal 3a requests the authentication server 1 to authenticate the purchased license key. After the authentication, the authentication server 1 transmits the license key authentication result to the user terminal 3a in step S19. Thereby, the user can start using the application.

  Here, when a general function is used in step S20 and a connection from the user terminal 3a to the search server 2 providing the service occurs in step S21, the user terminal 3a authenticates the application to the authentication server. 1, the authentication server 1 transmits the authentication result of the application to the user terminal 3a in step S23 after the authentication.

  When connection from the user terminal 3a to the basic function of the search server 2 occurs in step S24, the authentication server 1 is requested to perform license key authentication performed in step S18 and application authentication in step S22. The authentication server 1 confirms this authentication and returns the result in step S26.

  In FIG. 4, the processing from step S16 to step S26 is performed every time the application is activated. Further, the process from step S21 to step S23 is performed every time the connection to the search server 2 occurs, and the process from step S24 to step S26 is performed every time the connection to the basic function of the search server 2 occurs.

  As shown in FIG. 5, the license key 51 according to the embodiment of the present invention includes a license identification key part 52, a registration date part 53, and a check digit part 54.

  The license identification key unit 52 is an identification key for identifying the license key purchased by the user. During the trial period, the license identification key unit 52 is assigned a common key to all users for trial use.

  The registration date portion 53 indicates the date on which the license key purchase was registered in the YYYYMMDD format. During the trial period, the registration date portion 53 indicates the date when the application is first installed.

  The check digit part 54 is a check digit for checking whether the license identification key part 52 and the registration date part 53 are correctly transmitted and received. Even if an erroneous transmission is made by the check digit, the erroneous transmission can be corrected on the authentication server 1 side.

  The license key 51 according to the embodiment of the present invention includes a 9-byte license identification key part 52, an 8-byte registration date part 53, an 8-byte check digit part 54, and two “-” ( 51 bytes in total are included.

  An authentication server 1 according to the first embodiment of the present invention will be described.

  As shown in FIG. 1, an authentication server 1 according to the first embodiment of the present invention includes a check code encryption key storage device (first server encryption key storage device) 101, an authentication key storage device 102, and usage. Stop list storage device 103, access log storage device 104, date encryption key storage device (second server encryption key storage device) 105, random number encryption key storage device (first word encryption key storage device) 106, Access acceptance means 111, trial start authentication means 112, usage authentication means 113, registered number check means 114, function usage authentication means 115, basic function usage authentication means 116, input / output control device 121, communication control device 122, input device 123, A display device 124 is provided.

  The check code encryption key storage device 101 is a storage device in which a check code encryption key (first server encryption key) for encrypting a predetermined check code (first wording) is recorded. The check code encryption key matches the check code encryption key registered with the user terminal 3a (the first client encryption key).

  In the authentication key storage device 102, after the license key is registered, the license key and the device identification key assigned to each device by the authentication server 1 are recorded from the user terminal 3a. Furthermore, an OS identification key (basic software identification key) that is dynamically generated in the user terminal 3a from the serial number of the OS (basic software) that operates the user terminal 3a is also recorded.

  Furthermore, although the OS identification key is generated based on the basic software serial number here, the OS is not limited to the basic software serial number as long as the authentication requesting terminal can be identified. For example, a MAC (Media Access Control) address uniquely identified by the communication device, a serial number of the processing processor, and the like can be considered. In addition to this, any number may be used as long as it is a number assigned to an apparatus included in the authentication request terminal and can uniquely identify the apparatus. In this way, the basic software identification key may be a number that can be uniquely identified assigned to an apparatus included in the authentication requesting terminal.

  As shown in FIG. 6, in the authentication key storage device 102, a plurality of device identification keys and OS identification keys corresponding to one license identification key are registered. Furthermore, the registered number of devices registered for one license identification key is also recorded.

  The use suspension list storage device 103 is a storage device in which license keys for suspension of use that are not connected to the search server 2 are registered. As shown in FIG. 7, the use suspension list storage device 103 is preferably registered with a license identification key for suspension of use, and a reason such as “OS identification key fraud” or “device registration number exceeded”.

  The access log storage device 104 is a storage device that records details of access to the authentication server 1. As shown in FIG. 8, the time of access, the type of request such as “use authentication request”, “trial start authentication request”, “function use request”, “basic function use request”, and access The license key, device identification key, OS identification key, and authentication result of the user terminals 3a to 3d are registered. Also, in the case of a trial start authentication request, a usage fee can be paid to a vendor by acquiring and recording vendor information such as a site where an application is downloaded and a magazine.

  The date encryption key storage device 105 is a storage device in which a date encryption key (second server encryption key) for encrypting an access date (predetermined second wording) is recorded. The date encryption key matches the date encryption key (second client encryption key) registered in the user terminal 3a.

  The random number encryption key storage device 106 is an encryption key for checking the validity of a predetermined check code (first wording), and this encryption key is recorded only in the authentication server 1.

  The access receiving unit 111 is a unit that receives a connection from the user terminals 3a to 3d, records the connection in the access log storage device 104, and distributes the message to a process that is performed according to the message type of the connection.

  When the application is installed in the user terminals 3a to 3d and activated to start the trial, the trial start authentication unit 112 confirms the validity of the application in response to a request from the user terminals 3a to 3d, and then the user This is a means for issuing a device identification key given to each device of the terminals 3a to 3d, transmitting it to the user terminals 3a to 3c, and starting trial use.

  Specifically, in response to a request from the user terminals 3a to 3d, a random number (first wording) issued by the trial start authentication unit 112 is transmitted, and the check code encryption key recorded in the user terminals 3a to 3d The check code obtained by encrypting the random number and the random number are received from at least the user terminals 3a to 3d. On the other hand, a check code obtained by encrypting a random number with the check code encryption key recorded in the check code encryption key storage device 101 of the authentication server 1 is generated. When the check code created by the user terminals 3a to 3d matches the check code created by the authentication terminal 1, the trial start authentication unit 112 determines that the connected application is a legitimate application and determines the validity of the application. Check.

  At this time, the authentication server 1 generates a random number check code from the random number encryption key recorded in the random number encryption key storage device 106 in advance, and transmits the random number and the random number check code from the user terminals 3a to 3d. A random number, a check code, and a random number check code may be received.

  In this case, the authentication server 1 refers to the random number encryption key storage device 106 to check whether or not the random number check code is correctly generated from the received random number. 1 is determined to have been transmitted.

  Further, it is confirmed that the time difference between the time when the request is received from the user terminals 3a to 3d and the time when the check code and the random number are received is within a predetermined time. If this time difference exceeds a predetermined time, authentication is not permitted. Thereby, in the user terminals 3a to 3d, it is possible to prevent unauthorized use when transmission / reception data is analyzed or counterfeited.

  Furthermore, it is preferable that the random number transmitted by the authentication server 1 is filled with the time when the request is received from the user terminals 3a to 3d. Thus, by checking the validity of the random number, it is possible to calculate a valid time that is not tampered with, and using this valid time, it is possible to confirm whether it is within a predetermined time. That is, since it is possible to prevent the authentication request terminal from generating a check code illegally and to continue the trial even after the trial period has passed, higher security can be realized.

  After the license key is registered in the user terminals 3a to 3d, the usage authentication unit 113 receives the license key and the device identification key from the user terminals 3a to 3d, registers them in the authentication key storage device 102, and uses the application. It is a means to authenticate. Here, it is also preferable to register an OS identification key.

  If there is a request with the license key registered in the usage suspension list storage device 103, the usage authentication unit 113 does not authenticate and does not connect to the search server 2. In addition, when authenticating the use of the application, taking into account the license key, the device identification key, and the OS identification key used by the user terminals 3a to 3d, the full-function use of the functions used by the user terminals 3a to 3d, The status such as use of restricted function, suspension of use, etc. is determined and transmitted to the user terminal. In the case of “use stop”, it is registered in the use stop list storage device 103.

  The registered number check unit 114 refers to the authentication key storage device 102 and checks whether the number of device identification keys that can be registered for one license key exceeds a predetermined number. In the first embodiment of the present invention, referring to the access log storage device 104, if there is an access with an unregistered device identification key, it is registered in the authentication key storage device 102 and the registered number is checked. I do. The registered number check means 114 according to the first embodiment performs batch processing once per fixed period.

  When the function use authentication means 115 is connected to the search server 2 from the user terminals 3a to 3d, at least the user terminal includes the date and the date encrypted with the date encryption key recorded in the user terminals 3a to 3d. Receive from 3a to 3d. Further, if the date encrypted with the date encryption key recorded in the date encryption key storage device 105 of the authentication server 1 matches the encrypted date transmitted from the user terminals 3a to 3d, the connection is established. This is means for authorizing the application as a regular application and connecting the user terminals 3a to 3d to the search server 2.

  In the usage authentication unit 113, the authentication server 1 transmits a random number, and the user terminal 3a encrypts the random number and transmits it to the authentication server 1, whereas the function usage authentication unit 115 encrypts the date from the user terminal. And send it. Therefore, the usage authentication unit 113 can ensure higher security than the function usage authentication unit 115. In addition, since the function usage authentication unit 115 is performed after the usage authentication, high security is not required, and the processing can be performed more quickly by simplifying compared to the usage authentication unit 113. .

  The basic function use authentication means 116 is means for authenticating the use of the basic function of the search server 2 with higher security. Here, higher security is ensured by performing the checks performed by the use authentication unit 113 and the function use authentication unit 115.

  The trial start authentication unit 112, the use authentication unit 113, the registered number check unit 114, the function use authentication unit 115, and the basic function use authentication unit 116 are processed by a processing control device provided in the authentication server 1, although not shown. .

  The input / output control device 121 is a device that controls input / output of the authentication server 1. The communication control device 122 is a device that connects the authentication server 1 to the communication network 5. The input device 123 is a general input device such as a mouse, a keyboard, or a trackball, and the display device 124 is a general output device such as a liquid crystal display or a CRT display.

  The user terminal 3a according to the first embodiment of the present invention will be described with reference to FIG.

  A search application 4a is installed in the user terminal 3a.

Although not shown here, of course, there are processing means necessary for the search.

  The search application 4a includes a check code encryption key storage device (first client key storage device) 301, an authentication key storage device 302, an OS license key storage device 303, an OS license key encryption key storage device (basic software encryption key). Storage device) 304, use function status storage device 305, date encryption key storage device (second client key storage device) 306, trial start authentication request means 311, license key registration means 312, use authentication request means 313, function use Authentication request means 314 and basic function use authentication request means 315 are provided.

  The check code encryption key storage device 301 stores a check code encryption key (first client encryption key) for encrypting a random number (predetermined first wording) transmitted from the authentication server 1. The check code encryption key recorded here is the same as the check code encryption key recorded in the check code encryption key storage device 101 of the authentication server 1.

  The authentication key storage device 302 is a storage device in which the purchased license key and the device identification key received from the authentication server 1 are recorded. These authentication keys include a method of storing and storing them in a file, and a method of storing them in a registry.

  Moreover, you may memorize | store in both. In this case, when the authentication key stored in either the file or the registry is deleted, the search application 4a can restore the authentication key from the other authentication key.

  The OS license key storage device 303 is a storage device in which a serial number of an OS (basic software) that operates the user terminal 3a is recorded. This data is usually registered in the registry.

  The OS license key encryption key storage device 304 is a storage device in which an OS license key (basic software encryption key) that is a key for encrypting the manufacturing number of the OS (basic software) that operates the user terminal 3a is recorded. .

  The use function status storage device 305 is a storage device that records the status of the function that can be used by the user terminal 3 a received from the authentication server 1. The search application 4a refers to the used function status storage device 305 and processes only available functions.

  The date encryption key storage device 306 is a storage device that records a date encryption key (second client encryption key) that encrypts a date (predetermined second wording) acquired by the user terminal 3a. The date encryption key recorded here is the same as the date encryption key recorded in the date encryption key storage device 105 of the authentication server 1.

  The trial start authentication request means 311 is a means for requesting authentication when the search application 4a is installed in the user terminal 3a and the search application 4a is activated to start trial use. The check code is generated by encrypting the random number received from the authentication server 1 with the check code encryption key recorded in the check code encryption key storage device 301. Further, at least the received random number and the check code are transmitted to the authentication server 1. When the authentication server 1 authenticates, the device identification key given to the user terminal 3a is received from the authentication server 1 and starts trial use. Further, the received device identification key is registered in the authentication key storage device 302.

  The license key registration unit 312 is a unit that registers the purchased license key in the authentication key storage device 302.

  When connecting to the search server 2, the use authentication requesting unit 313 first encrypts the date using the date acquired by the user terminal 3 a and the date encryption key recorded in the date encryption key storage device 306. At least to the authentication server 1. Furthermore, when the second encrypted date obtained by encrypting the date with the date encryption key recorded in the date encryption key storage device 105 of the authentication server 1 matches the first encrypted date, The authorization server 1 obtains permission to connect to the application server.

  The basic function use authentication request means 315 is a means for authenticating the use of the basic function of the search server 2 with higher security. Here, higher security is ensured by performing the checks performed by the use authentication unit 113 and the function use authentication unit 115.

  Although not shown, the trial start authentication requesting unit 311, license key registration unit 312, usage authentication requesting unit 313, function usage authentication requesting unit 314, and basic function usage authentication unit 116 are provided by a processing control device provided in the user terminal 3 a. It is processed.

  The input / output control device 321 is a device that controls input / output of the user terminal 3a. The communication control device 322 is a device that connects the user terminal 3 a to the communication network 5. The input device 323 is a general input device such as a mouse, a keyboard, or a trackball, and the display device 324 is a general output device such as a liquid crystal display or a CRT display.

  Although only the user terminal 3a is described here, the user terminals 3b to 3d have the same configuration.

  Next, an authentication method according to the first embodiment of the present invention will be described using detailed flows of the authentication server 1 and the user terminal 3a.

  With reference to FIG. 10, the process of the access reception means 111 of the authentication server 1 is demonstrated.

  First, when there is an access from the user terminal 3a, the access log storage device 104 records the access date and time, license key, device identification key, OS identification key, message type, etc. in step S101.

  Next, in step S102, processing is distributed according to the type of request.

  If the message is a usage authentication request in step S102, the usage authentication unit 113 performs usage authentication in step S103.

  If the message is a trial start authentication request in step S102, trial start authentication is performed by the trial start authentication means 112 in step S104.

  If the message is a search request to the search server 2 in step S102, first, in step S105, it is determined whether the request is an authentication request using the basic function. If it is a request for use of a basic function, in step S106, use authentication means 113 performs use authentication, and in step S107, function use authentication means 115 performs function use authentication. On the other hand, if it is determined in step S105 that the basic function is not used, only the function use authentication is performed by the function use authentication unit 115 in step S107.

  Finally, in step S108, the authentication results in steps S103, 104, 106, and 107 are recorded in the access log storage device 104.

  With reference to FIG. 11, the data exchange between the trial start authentication unit 112 of the authentication server 1 and the trial start authentication request unit 311 of the user terminal 3a will be described.

  First, in step S151, a trial start authentication request is transmitted from the user terminal 3a to the authentication server 1. The server records the time when this request is received in the temporary storage device. Next, in step S152, a random number in which the generated time is embedded is generated, and the generated random number is encrypted with the server random number encryption key recorded in the random number encryption key storage device 106 to generate a random number check code. In step S153, the generated random number and random number check code are transmitted. Thereby, the session management of the user terminal 3a in the authentication server 1 can be easily performed. Further, by transmitting a random number check code and receiving it by the authentication server, it is possible to check whether the random number has been tampered with. In addition, since the transmitted random number is returned again, it is possible to further check whether the transmitted random number matches the received random number, so that higher unauthorized use can be prevented.

  Further, in step S156, by encrypting with the random number encryption key recorded in the random number encryption key storage device 106, whether the random number transmitted in step S155 is a random number generated by the authentication server 1, or Check whether the sent random number check code is correct. If it is not a random number generated by the authentication server 1 or if the transmitted random number check code is illegal, the user terminal 3a assumes that an illegal act has been performed and does not perform authentication.

  In step S157, a check code encrypted with the check code encryption key recorded in the check code encryption key storage device 101 of the authentication server 1 is generated, and the validity of the received check code is checked in step S155. . If the received check code does not match the check code generated by the authentication server 1, the user terminal 3a is not authenticated.

  In step S158, the authentication server 1 records the time received in step S155, and calculates the generated time from a random number in which the time generated by the authentication server 1 is embedded. Further, a time T that is a time difference between the time when the calculated random number is generated and the time received in step S155 is calculated, and it is determined whether the time T is within a predetermined time. If it is longer than the predetermined time, the user terminal 3a assumes that an illegal act has been performed and does not perform authentication.

  When all the authentications in steps S156 to S158 are cleared, a trial license key is generated in step S159, and the trial license key is transmitted to the user terminal 3a in step S160. In step S161, a device identification key is generated, and in step S162, the device identification key is transmitted to the user terminal 3a. When receiving the device identification key, the user terminal 3 a registers it in the authentication key storage device 302. The device identification key generated here is a key for uniquely identifying the device.

  In FIG. 11, it is described that a random number check code is generated and transmitted to the user terminal 3a in step S152, and the check code is further transmitted from the user terminal 3a. However, only the random number is transmitted from the authentication server 1, and the user Only the check code may be transmitted from the terminal 3a. In this case, the authentication server 1 manages the random number transmitted by the authentication server 1 by managing the session with the user terminal 3a.

  In FIG. 11, the trial license key and the device identification key are issued separately, but the authentication server 1 may transmit the two keys together to the user terminal 3 a.

  With reference to FIG. 12, the exchange of data between the use authentication unit 113 of the authentication server 1 and the use authentication request unit 313 of the user terminal 3a will be described.

  First, in step S201, when a search application is activated on the user terminal 3a, in step S202, the OS license key storage device 303 and the OS license key encryption key storage device 304 are referred to, and the OS license key is changed to the OS license key. The OS identification key is generated by encrypting with the key encryption key.

  Next, in step S203, the user terminal 3a transmits the license key recorded in the authentication key storage device 302, the device identification key, and the OS identification key generated in step S202 to the authentication server 1.

  In step S204, the authentication server 1 uses the license key, the device identification key, and the OS identification key to check whether each key is valid and the status of the function that can be used by the user terminal 3a. Here, higher security can be ensured by checking the validity with the license key, the device identification key issued by the authentication server 1, and the OS identification key dynamically generated by the user terminal 3a.

  In step S205, the authentication server 1 transmits the usage function status acquired in step S204 to the user terminal 3a. In step S206, the user terminal 3a records the received usage function status in the usage function status storage device 305.

  With reference to FIG. 13, the detailed processing of the validity check in step S204 of FIG. 12 will be described.

  First, in step S251, a license key, a device identification key, and an OS identification key are acquired from the user terminal 3a. At this time, the license key check digit part 54 determines whether the license identification key part 52 and the registration date part 53 are incorrect data. When the data is incorrect, the data in the check digit part 54 is used to restore the data in the license identification key part 52 and the registration date part 53. If the restoration is impossible, the data is transmitted again to the user terminal 3a.

  Next, in step S <b> 252, the usage suspension list storage device 103 is referenced to search whether the license key acquired in step S <b> 251 is registered in the usage suspension list storage device 103. If registered in the use stop list storage device 103, the use function status is set to “use stop” in step S253, and the process ends. If it is not registered in the use suspension list storage device 103, the process proceeds to step S254.

  In step S254, it is determined whether the license key and the OS identification key are valid. Here, it is determined whether or not the license key is a purchased license key. If it is not a purchased license key, the use function status is set to “use stop” in step S255, and the process is terminated. If it is a purchased license key, the process proceeds to step S256.

  In step S256, it is determined whether the license key is a trial license key or a purchased license key. If the license key is a trial license key, it is determined in step S257 whether or not the license key expiration date has passed. If it is within the expiration date of the license key, in step S258, the usage function status is set to “full function” and the process is terminated. On the other hand, if the expiration date of the license key has been exceeded, in step S260, the usage function status is set to “restricted function” and the process ends.

  On the other hand, if the license key is a purchased license key in step S256, it is determined in step S259 whether the license key is within the expiration date. If it is out of date, the usage function status is set to “restricted function” and the process ends. If it is within the time limit, the process proceeds to step S261.

  Next, in step S261, it is determined whether the device identification key is valid. Here, when the device identification key is a device identification key issued by the authentication server 1, it is determined that the device identification key is valid. If it is determined in step S261 that the device identification key is not valid, the use function status is set to “use stop” in step S262, and the process ends. If the device identification key is valid, the process proceeds to step S263.

  On the other hand, if the device identification key is valid, it is determined that the device is a valid user, and the use function status is set to “full function” in step S263, and the process is terminated.

  In the first embodiment, the registered number that can be registered by one license key is checked by the registered number check means 114 that is processed in a batch or the like, so the registered number check is not performed here.

  With reference to FIG. 14, data exchange between the function usage authentication unit 115 of the authentication server 1 and the function usage authentication request unit 314 of the user terminal 3a will be described.

  First, in step S301, the search application 4a is activated in the user terminal 3a, and when connection to the search server 2 occurs, a connection authentication request is made. At this time, the date is acquired, and the date is encrypted with the date encryption key recorded in the date encryption key storage device 306. Further, in step S303, the user terminal 3a transmits the date and the date encrypted in step S302 to the authentication server 1.

  On the other hand, in step S304, the authentication server 1 generates an encrypted date by referring to the date encryption key storage device 105 from the received date. Furthermore, in step S305, it is confirmed whether the encrypted date character string received in step S303 is the same as the encrypted date character string generated in step S304. If they are not the same, in step S306, the usage function status is set to “not connectable” so that the user terminal 3a is not connected to the search server 2 and transmitted to the user terminal 3a. On the other hand, if they are the same, in order to connect the user terminal 3a to the search server 2, in step S306, the usage function status is transmitted to the user terminal 3a as “connection permitted”.

  When the user terminal 3a receives “connection permission” in step S306, the user terminal 3a starts using the function of the search server 2 in step S307.

  With reference to FIG. 15, a detailed flowchart of the registered number check means 114 will be described.

  First, in step S351, referring to the access log storage device 104, an access log obtained after the previous processing of the registered number check means 114 is acquired. Next, in step S352, the license key and the device identification key are associated with each other in the log acquired in step S351, and the authentication key storage device 102 is updated.

  Further, the association between the device identification key and the OS identification key is checked for all license keys.

First, in step S353, it is determined whether a plurality of OS identification keys are related to the device identification key. If a plurality of OS identifiers are associated with the device identification key, the license key is registered in the use suspension list storage device 103 in step S354.

  On the other hand, if only one OS identification key is associated with the device identification key, it is determined in step S355 whether the number of registered devices has been exceeded. If the number of registered devices is exceeded, the license key is registered in the use suspension list storage device 103 in step S356.

  The processing from step S353 to step S356 is checked for all license keys.

  In FIG. 15, the OS identification key is dynamically generated from the OS license key. Therefore, when an application is used by one device operating with the OS license key that is properly purchased, the device identification key and The association with the OS identification key is not broken. Therefore, if there is a relationship between the license key and the device identification key, but the OS identification key is not registered, the application and registry data are copied as they are from one device to another without going through the trial start authentication means 112. It is considered a case. In such a case, it is preferable to register the license key in the use suspension list storage device 103 and take a use suspension measure.

  It is also assumed that the association between the device identification key and the OS identification key is broken due to an OS version upgrade or the like. In this case, after that, if the same OS identification key is continuously used, it is determined that the OS has been upgraded and no use suspension measures are taken. On the other hand, when a plurality of OS identification keys are used in combination with one device identification key, it is preferable to register this license key in the usage suspension list storage device 103 and take a usage suspension measure.

  In FIG. 10 to FIG. 15, data exchange between the user terminal 3 a and the authentication server 1 is described, but it goes without saying that the same processing is performed in the user terminals 3 b to 3 d.

  An example of a screen presented by the search applications 4a to 4d is shown with reference to FIGS.

  The license key registration unit 312 presents a license key registration screen P101 as shown in FIG. On the license key registration screen P101, a guidance message “Please enter the license key purchased from the authentication site” is presented. Here, the “authentication site” is a site operated by a server that purchases a license key and issues a license key. Here, the “authentication site” is provided with an authentication site link L101, and the authentication site can be displayed by clicking the authentication site link L101. When the purchased license key is registered in the input text box T101 for inputting the license key and the OK button B101 is clicked, the purchased license key is recorded in the authentication key storage device 102. When the cancel button B102 is clicked, the word entered in the input text box T101 is cleared.

  When it is determined in the authentication server 1 that the use stop measures are taken, a use stop guidance screen P102 as shown in FIG. 17 is presented. On the use stop guidance screen P102, a guide message is displayed "Use stop measures have been taken. Please contact us below". Furthermore, the mail address of the inquiry destination is described, and the mail activation link L102 is provided in this mail address. By clicking the mail activation link L102, a mail transmission screen in which the mail address is input is displayed. Is done.

  In the authentication server 1, when the trial period and the license key usage period have elapsed, a restricted usage guidance screen P103 as shown in FIG. 18 is presented. On the restricted use guidance screen P103, a guidance message “Use period has passed. Please purchase a license key at the authentication site.” Is displayed. Also in FIG. 18, an authentication site link L103, which is a link to the authentication site, is provided as in FIG. When the license key registration button B104 is clicked, a license key registration screen P101 shown in FIG. 16 is presented, and the license key can be registered. On the other hand, when the OK button B105 is clicked, only the restricted function is used as it is.

  In the embodiment of the present invention, a license key assigned to one user and a device identification key assigned to a predetermined number of license keys are used. Therefore, in the first embodiment of the present invention, the user can install an application on a plurality of devices owned by the user by purchasing one license key.

  Further, the user terminals 3a to 3d can dynamically generate an OS identification key and receive it by the authentication server 1, thereby rejecting a connection from an application installed in an unauthorized manner.

  In the first embodiment of the present invention, the registered number check unit 114 is batch-processed with reference to the access log storage device 104, thereby reducing the load on the authentication server 1 in authentication. .

(Second Embodiment)
As shown in FIG. 19, the authentication server 1 according to the second embodiment of the present invention includes a registered number check means 114, as compared with the authentication server 1 according to the first embodiment shown in FIG. Not different. That is, in the authentication server 1 according to the second embodiment of the present invention, the usage authentication unit 113 checks the number of registered devices every time access is made.

  With reference to FIG. 20, the detailed flow of the validity check in the use authentication unit 113 of the authentication server 1 according to the second embodiment of the present invention will be described.

  First, in step S401, a license key, a device identification key, and an OS identification key are acquired from the user terminal 3a. At this time, the license key check digit part 54 determines whether the license identification key part 52 and the registration date part 53 are incorrect data. When the data is incorrect, the data in the check digit part 54 is used to restore the data in the license identification key part 52 and the registration date part 53. If the restoration is impossible, the data is transmitted again to the user terminal 3a.

  Next, in step S <b> 402, the usage suspension list storage device 103 is referenced to search whether the license key acquired in step S <b> 401 is registered in the usage suspension list storage device 103. If it is registered in the use stop list storage device 103, the use function status is set to “use stop” in step S403, and the process ends. If it is not registered in the use suspension list storage device 103, the process proceeds to step S254.

  In step S404, it is determined whether the license key and the OS identification key are valid. Here, it is determined whether or not the license key is a purchased license key. If it is not a purchased license key, the use function status is set to “use stop” in step S405, and the process ends. If it is a purchased license key, the process proceeds to step S406.

  In step S406, it is determined whether the license key is a trial license key or a purchased license key. If the license key is a trial license key, it is determined in step S407 whether the expiration date of the license key has passed. If it is within the expiration date of the license key, in step S408, the usage function status is set to “full function” and the process is terminated. On the other hand, if the expiration date of the license key has been exceeded, in step S410, the usage function status is set to “restricted function” and the process ends.

  On the other hand, if the license key is a purchased license key in step S406, it is determined in step S409 whether the license key is within the expiration date. If it is out of date, the usage function status is set to “restricted function” and the process ends. If it is within the time limit, the process proceeds to step S411.

  In step S411, the authentication key storage device 102 is referred to and it is determined whether the license key and the device identification key are associated with each other. If not associated, in step S412, the license key, the device identification key, and the OS identification key are associated.

  In step S413, it is determined whether a plurality of OS identification keys are associated with one device identification key. If a plurality of OS identification keys are associated with each other, in step S414, the use function status is set to “use stop”, and the process ends. On the other hand, if only one OS identification key is associated with the device identification key, the process proceeds to step S415.

  In step S415, it is determined whether the number of registered devices registered in one license key has been exceeded. If exceeded, in step S416, the use function status is set to “use stop” and the process is terminated.

  On the other hand, if the registered number does not exceed, the use function status is set to “full function” in step S417, and the process ends.

  In the second embodiment of the present invention, since the number of registered units is checked in real time, the number of registered units can be checked with higher accuracy.

(Other embodiments)
As described above, the present invention has been described according to the best mode for carrying out the invention. However, it should not be understood that the description and drawings constituting a part of this disclosure limit the present invention.

From this disclosure, various alternative embodiments, examples and operational techniques will be apparent to those skilled in the art.

  In the embodiment of the present invention, three statuses are provided depending on the state of the license key, the device identification key, etc., when all functions can be used, when only limited functions can be used, and when no functions can be used at all. However, only two of the three statuses may be used, or four or more statuses may be used.

  Of course, the present invention includes various embodiments not described herein. Therefore, the technical scope of the present invention is defined only by the invention specifying matters according to the scope of claims reasonable from the above description.

It is a functional block diagram of the authentication server which concerns on the 1st Embodiment of this invention. It is the figure which showed the cycle of the application which concerns on embodiment of this invention in time series. It is a system configuration figure of an authentication system concerning a 1st embodiment of the present invention. It is the sequence diagram which showed progress of the authentication which concerns on the 1st Embodiment of this invention. It is a figure explaining the structure of the license key which concerns on the 1st Embodiment of this invention. It is the figure which showed an example of the data item and data of the authentication key memory | storage device which concerns on the 1st Embodiment of this invention. It is the figure which showed an example of the data item and data of the use suspension list storage device which concerns on the 1st Embodiment of this invention. It is the figure which showed an example of the data item and data of the access log memory | storage device which concerns on the 1st Embodiment of this invention. It is a functional block diagram of the user terminal which concerns on the 1st Embodiment of this invention. It is the flowchart which showed the process of the access reception means based on the 1st Embodiment of this invention. FIG. 5 is a sequence diagram showing data exchange between a trial start authentication unit and a trial start authentication request unit according to the first embodiment of the present invention. FIG. 5 is a sequence diagram showing data exchange between a usage authentication unit and a usage authentication request unit according to the first embodiment of the present invention. It is a detailed flowchart of the validity check in the use authentication means which concerns on the 1st Embodiment of this invention. It is the sequence diagram which showed the exchange of the data of the function use authentication means and function use authentication request means which concern on the 1st Embodiment of this invention. It is the flowchart which showed the process of the registration number check means based on the 1st Embodiment of this invention. It is an example of the license key registration screen which an application concerning a 1st embodiment of the present invention presents on a user terminal. It is an example of the utilization stop guidance screen which the application which concerns on the 1st Embodiment of this invention shows on a user terminal. It is an example of the restriction | limiting use guidance screen which the application which concerns on the 1st Embodiment of this invention shows on a user terminal. It is a functional block diagram of the authentication server which concerns on the 2nd Embodiment of this invention. It is a detailed flowchart of the validity check in the use authentication means which concerns on the 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Authentication server 2 ... Search server 3a-3d ... User terminal 4a-4d ... Search application 5 ... Communication network 7 ... Router 51 ... License key 52 ... License identification key part 53 ... Registration date part 54 ... Check digit part 101, 301 ... Check code encryption key storage device 102, 302 ... Authentication key storage device 103 ... Use stop list storage device 104 ... Access log storage device 105,306 ... Date encryption key storage device 106 ... Random number encryption key storage device 106
DESCRIPTION OF SYMBOLS 111 ... Access reception means 112 ... Trial start authentication means 113 ... Usage authentication means 114 ... Registered number check means 115 ... Function use authentication means 116 ... Core function use authentication means 121, 321 ... Input / output control device 122, 322 ... Communication control device 123, 323... Input device 124 324 display device 303 OS license key storage device 304 OS license key encryption key storage device 305 use function status storage device 311 trial start authentication request unit 312 license key registration unit 313 ... Use authentication request means 314 ... Function use authentication request means 315 ... Basic function use authentication request means

Claims (24)

An application that is used by connecting to an application server in an authentication request terminal, and the application downloaded at the authentication request terminal is used for a predetermined period of time using a distributed trial license key. After that, an authentication server for authenticating the application that can register the purchased license key and can officially use the application,
When the application is installed on the authentication requesting terminal and activated to start the trial using the trial license key, a device identification key assigned to each device of the authentication requesting terminal is issued, Trial start authentication means to send to the authentication request terminal and start trial,
After the license key of either the trial license key or the purchased license key is registered at the authentication requesting terminal, the license key and the device identification key received from the authentication requesting terminal are registered in the authentication key storage device. Use authentication means for authenticating use of the application , determining a status of a function to be used by the authentication requesting terminal based on a type of the license key, and transmitting the status to the authentication requesting terminal. Authentication server. In the use authentication means, when the license key is registered, a basic software identification key dynamically generated in the authentication request terminal is further received from a production number of the basic software that operates the authentication request terminal, The authentication server according to claim 1 , wherein a basic software identification key is registered in the authentication key storage device. The registered number check means for checking whether or not the number of the device identification keys that can be registered for one license key with reference to the authentication key storage device exceeds a predetermined number. The authentication server according to 1 or 2 . A first server encryption key for encrypting a predetermined first word, wherein the first server encryption key matches the first client encryption key registered in the authentication requesting terminal; Further comprising first server encryption key storage means for registering with the first server encryption key storage device;
In the trial start authentication means, in response to a request from the authentication requesting terminal, the first message is transmitted, and a check code obtained by encrypting the first message with the first client encryption key is transmitted. If the check code received from at least the authentication request terminal and encrypted with the first server encryption key is the same as the check code received from the authentication terminal, the authentication request terminal The authentication server according to any one of claims 1 to 3 , wherein a device identification key assigned to each device is issued, transmitted to the authentication requesting terminal, and trial use is started. And further comprising first word encryption key storage means for registering in the first word encryption key storage device a first word encryption key for checking the validity of the first word.
In the trial start authenticating means, the first wording code obtained by encrypting the first wording with the first wording encryption key is further transmitted to the authentication requesting terminal, and the first requesting authentication unit transmits the first wording check code from the authentication requesting terminal. When the check code obtained by encrypting the first word with the client encryption key is received, the first word check code is also received, and the received first word is converted into the first word encryption. check code that is encrypted with key, when matching the first language check code received from the authentication request device, according to claim 4, characterized in that to check the validity of the first language Authentication server. The trial start authentication means confirms that a time difference between the time when the request is received from the authentication requesting terminal and the time when the check code and the first word are received is within a predetermined time. The authentication server according to claim 4 or 5 , wherein In the first wording, the time when the request is received from the authentication requesting terminal is embedded,
The trial start authenticating unit calculates a time when the request is received from the authentication requesting terminal, and receives the calculated time when the request is received from the authentication requesting terminal, the check code, and the first wording. The authentication server according to claim 5 , wherein it is confirmed that a time difference from the determined time is within a predetermined time. A usage suspension list storage means for registering in the usage suspension list storage device the license key for suspension of usage that is not connected to the application server;
In the use authentication means, by referring to the usage stop list store, the said license key registered, the authentication server according to any one of claims 1 to 6, characterized in that no authentication. A second server encryption key for encrypting a predetermined second text, which matches a second client encryption key that matches a second client encryption key registered at the authentication requesting terminal Second server encryption key storage means for registering the second server encryption key in a second server encryption key storage device;
When connecting from the authentication request terminal to the application server, at least the predetermined second word and an encrypted word obtained by encrypting the second word with the second client encryption key If the encrypted text received from the terminal and the second text encrypted with the second server encryption key matches the encrypted text received from the authentication request terminal, the authentication request terminal is Function usage authentication means for connecting to the application server,
The authentication server according to any one of claims 1 to 8, further comprising a. A first server encryption key for encrypting a predetermined first word, wherein the first server encryption key matches the first client encryption key registered in the authentication requesting terminal; First server encryption key storage means for registering in the first server encryption key storage device;
A second server encryption key for encrypting a predetermined second message, wherein the second server encryption key matches the second client encryption key registered in the authentication requesting terminal. Second server encryption key storage means for registering in the second server encryption key storage device;
When the authentication request terminal connects to the basic function of the application server, the first word is transmitted in response to a request from the authentication request terminal, and the first client encryption key is used to transmit the first word. Is received from at least the authentication requesting terminal, and the check code obtained by encrypting the first message with the first server encryption key is the authentication request. At least the authentication request that matches the check code received from the terminal, and further includes the predetermined second message and an encrypted message obtained by encrypting the second message with the second client encryption key. If the encrypted message received from the terminal and the second message encrypted with the second server encryption key matches the encrypted message received from the authentication requesting terminal, The authentication server according to any one of claims 1 to 3, further comprising a core function use authentication means for connecting the authentication request terminal to the application server. An application that is used by connecting to an application server in an authentication request terminal, and the application downloaded at the authentication request terminal is used for a predetermined period of time using a distributed trial license key. After that, an authentication method for authenticating the application that can register the purchased license key and can officially use the application,
When the application is installed on the authentication requesting terminal and activated to start the trial using the trial license key, a device identification key assigned to each device of the authentication requesting terminal is issued, Trial start authentication step to send to the authentication request terminal and start trial,
After the license key of either the trial license key or the purchased license key is registered at the authentication requesting terminal, the license key and the device identification key received from the authentication requesting terminal are registered in the authentication key storage device. Authenticating the use of the application, determining a status of a function to be used by the authentication requesting terminal based on the type of the license key, and causing the computer to execute a use authentication step to be transmitted to the authentication requesting terminal. A characteristic authentication method. In the use authentication step, when the license key is registered, a basic software identification key dynamically generated in the authentication request terminal is further received from a production number of the basic software that operates the authentication request terminal, The authentication method according to claim 11 , wherein a basic software identification key is registered in the authentication key storage device. The registered number check step for checking whether the number of the device identification keys that can be registered for one license key with reference to the authentication key storage device does not exceed a predetermined number. The authentication method according to 11 or 12 . A first server encryption key for encrypting a predetermined first word, wherein the first server encryption key matches the first client encryption key registered in the authentication requesting terminal; A first server encryption key storage step of registering with the first server encryption key storage device;
In the trial start authentication step, further, in response to a request from the authentication requesting terminal, the first text is transmitted, and a check code obtained by encrypting the first text with the first client encryption key If the check code received from at least the authentication request terminal and encrypted with the first server encryption key is the same as the check code received from the authentication request terminal, the authentication request terminal issuing device identification key assigned to each device, and sends the authentication request terminal, the authentication method according to any one of claims 11 to 13, characterized in that to start the trial. A first word encryption key storage step of registering in the first word encryption key storage device a first word encryption key for checking the validity of the first word;
In the trial start authentication step, a first word check code obtained by encrypting the first word with the first word encryption key is further transmitted to the authentication request terminal, and the first request word is transmitted from the authentication request terminal. When the check code obtained by encrypting the first word with the client encryption key is received, the first word check code is also received, and the received first word is converted into the first word encryption. check code that is encrypted with key, when matching the first language check code received from the authentication request device, according to claim 14, characterized in that to check the validity of the first language Authentication method. In the trial start authentication step, it is confirmed that a time difference between the time when the request is received from the authentication requesting terminal and the time when the check code and the first word are received is within a predetermined time. The authentication method according to claim 14 or 15 , characterized in that: In the first wording, the time when the request is received from the authentication requesting terminal is embedded,
In the trial start authentication step, the time when the request is received from the authentication requesting terminal is calculated, and the calculated time when the request is received from the authentication requesting terminal, the check code, and the first wording are received. The authentication method according to claim 15 , wherein it is confirmed that a time difference from the determined time is within a predetermined time. A use suspension list storage step of registering in the use suspension list storage device the license key for suspension of use that is not connected to the application server;
The authentication method according to any one of claims 11 to 16 , wherein, in the usage authentication step, the registered license key is not authenticated with reference to the usage suspension list storage device. A second server encryption key for encrypting a predetermined second text, which matches a second client encryption key that matches a second client encryption key registered at the authentication requesting terminal A second server encryption key storage step of registering the second server encryption key in a second server encryption key storage device;
When connecting from the authentication request terminal to the application server, at least the predetermined second word and an encrypted word obtained by encrypting the second word with the second client encryption key If the encrypted text received from the terminal and the second text encrypted with the second server encryption key matches the encrypted text received from the authentication request terminal, the authentication request terminal is Function usage authentication step to connect to the application server,
Furthermore authentication method according to any one of claims 11 to 18, characterized by causing the computer to execute. A first server encryption key for encrypting a predetermined first word, wherein the first server encryption key matches the first client encryption key registered in the authentication requesting terminal; A first server encryption key storage step of registering with the first server encryption key storage device;
A second server encryption key for encrypting a predetermined second text, which matches a second client encryption key that matches a second client encryption key registered at the authentication requesting terminal A second server encryption key storage step of registering the second server encryption key in a second server encryption key storage device;
When the authentication request terminal connects to the basic function of the application server, the first word is transmitted in response to a request from the authentication request terminal, and the first client encryption key is used to transmit the first word. Is received from at least the authentication requesting terminal, and the check code obtained by encrypting the first message with the first server encryption key is the authentication request. At least the authentication request that matches the check code received from the terminal, and further includes the predetermined second message and an encrypted message obtained by encrypting the second message with the second client encryption key. If the encrypted message received from the terminal and the second message encrypted with the second server encryption key matches the encrypted message received from the authentication requesting terminal, Authentication method according to any one of claims 11 to 13, characterized in that to execute the critical functionality available authentication step and the further computer to connect the authentication request terminal to the application server. For applications that are used by connecting to the application server, after using a trial license key and performing a trial using a function for a predetermined period, register the purchased license key and officially use the application An authentication request terminal for requesting authentication to an authentication server connected to the application server;
A first client encryption key for encrypting a predetermined first message transmitted from the authentication server, wherein the first client encryption key matches a first server encryption key registered in the authentication server; First client key storage means for registering the client encryption key in the first client key storage device;
Basic software encryption key storage means for registering in the basic software encryption key storage device a basic software encryption key that is a key for encrypting the production number of the basic software that operates the authentication requesting terminal;
The application is installed on the authentication requesting terminal, the application is started to start the trial using the trial license key, and the first word received from the authentication server is changed to the first client. A device that is encrypted with an encryption key, generates a check code, transmits at least the check code to the authentication server, and is authenticated by the authentication server, and is given to each device of the authentication request terminal from the authentication server A trial start authentication requesting means for receiving the identification key and starting the trial;
After registering one of the trial license key and the purchased license key, the basic software identification key encrypted with the basic software encryption key is generated, and the license key and the basic software identification are generated. An authentication request terminal comprising: a key and a device authentication key for transmitting a status of a function that can be used by the authentication request terminal. A second client encryption key for encrypting a predetermined second word, a second client encryption key that matches a second server encryption key registered in the authentication server; Second client key storage means for registering in the client key storage device;
When connecting to the application server, the predetermined second word and the encrypted word obtained by encrypting the second word with the second client encryption key are transmitted to at least the authentication server, and the second When the encrypted message obtained by encrypting the second message with the second server encryption key matches the encrypted message transmitted from the authentication requesting terminal, permission to connect to the application server is obtained from the authentication server. The authentication request terminal according to claim 21, further comprising: function use authentication request means. For applications that are used by connecting to the application server at the authentication request terminal, use the trial license key to perform a trial using the function for a predetermined period, then register the purchased license key and formally use the application It is a program that requests authentication of the application that can be used, and is an authentication request program that requests authentication to an authentication server connected to the application server,
A first client encryption key for encrypting a predetermined first message transmitted from the authentication server, wherein the first client encryption key matches a first server encryption key registered in the authentication server; A first client key storage step of registering a client encryption key in a first client key storage device;
A basic software encryption key storage step of registering a basic software encryption key, which is a key for encrypting a production number of the basic software operating the authentication requesting terminal, in a basic software encryption key storage device;
The application is installed on the authentication requesting terminal, the application is started to start the trial using the trial license key, and the first word received from the authentication server is changed to the first client. A device that is encrypted with an encryption key, generates a check code, transmits at least the check code to the authentication server, and is authenticated by the authentication server, and is given to each device of the authentication request terminal from the authentication server A trial start authentication request step for receiving an identification key and starting a trial;
After registering one of the trial license key and the purchased license key, the basic software identification key encrypted with the basic software encryption key is generated, and the license key and the basic software identification are generated. An authentication request program that causes a computer to execute a use authentication requesting step of transmitting a key and the device identification key and receiving a status of a function that can be used by the authentication request terminal. A second client encryption key for encrypting a predetermined second word, a second client encryption key that matches a second server encryption key registered in the authentication server; A second client key storage step of registering with the client key storage device of
When connecting to the application server, the predetermined second word and the encrypted word obtained by encrypting the second word with the second client encryption key are transmitted to at least the authentication server, and the second When the encrypted message obtained by encrypting the second message with the second server encryption key matches the encrypted message transmitted from the authentication requesting terminal, permission to connect to the application server is obtained from the authentication server. The authentication request program according to claim 23, further causing the computer to execute a function use authentication request step.

Images