JP4256361B2 - Authentication management method and system - Google Patents

Description

  The present invention relates to an authentication management method and system, and more particularly, to user authentication processing performed when a server is accessed from a client via a network.

A client accesses a server at a remote site via a network such as the Internet to acquire information or conduct electronic commerce on a daily basis.
When performing these operations and transactions using the Internet, generally, an ID and a password assigned to an individual are input from a client and transmitted to a server. These information and authentication information held in the server The user is authenticated by checking.

  However, since the authentication information itself exists in the server, it may be leaked to a third party by hacking or the like. Although leakage may be protected by encryption of authentication information, if the authentication information itself is taken outside, the decryption of the encryption is a problem of time.

  In addition, the file managed by the WEB server may need to be kept secret, or may not be permitted to be copied because it is a copyrighted file. In such a case, the access right is set for each normal file or the file is encrypted. However, the protection of the file by the access right may be leaked by password hacking or the like. In addition, protecting the file by encrypting the file is not a safe matter if the file data is taken out to the outside so that the decryption of the cipher is a time issue.

  By the way, it is known to use electronic tally as a technique for ensuring the security of electronic information in electronic commerce. Electronic tally is an encryption technique in which a file is encrypted and divided into a plurality of parts, and the original file cannot be restored unless all the divided parts are prepared. For example, in Japanese Patent Application Laid-Open No. 2003-132234 (Patent Document 1), as an example of using electronic tally, a remaining reserved portion X of electronic information is divided into a plurality of tally information Yi by an electronic tally generating means provided in a server machine. In other words, a technique is disclosed in which each is sent to a user machine through a separate communication path and restored by an electronic tally restoration means provided in the user machine.

JP 2003-132234 A

  However, the content disclosed in Patent Document 1 is a basic principle relating to the application of electronic tally to the transaction of electronic information between a server machine and a user machine using the Internet, and includes, for example, a client and a remote site. It is not specifically disclosed how tally information is generated and managed by the servers.

An object of the present invention is to improve security by applying electronic tally to user authentication performed in a system including a client and a server.
Another object of the present invention is to provide an authentication processing method and system for further improving security by using updated electronic tally authentication information when accessing a server from a client.

The present invention is a method for managing user authentication information performed when accessing a server according to a request from a client. The server side divides at least two pieces of information used for authentication into a first Generating authentication information and second authentication information, storing the second authentication information in the storage means on the server side in association with the user ID and / or the specific information on the client device, Authentication information is transmitted from the server to the client, and the client associates with the ID of the user and stores it in the storage means in the client, and when accessing the server from the client, at least an ID related to the user Transmitting the first authentication information to the server, and the server stores the received first authentication information and the ID in the storage unit corresponding to the ID; The server integrates the stored second authentication information and restores the authentication information, and the server updates and divides the authentication information for the user to create the new first authentication information and the second authentication information. A step of generating authentication information, and a step of storing updated second authentication information in the storage means in association with the user ID, and transmitting the updated first authentication information to the client. And at the client, storing the received updated first authentication information in the storage means.
In one example, the first and second authentication information are created by performing electronic tally processing on password or time information given to the user.
In a preferred example, the process of restoring the original authentication information from the first authentication information and the second authentication information is executed when the user ID and unique information received by the server are valid.
Also, in one example, when the original authentication information is restored from the first authentication information and the second authentication information, a request from the client is transmitted to a server having an authentication function, and the user transmitted from the client The entered password is checked against the password of the user registered in advance in a certain server, and if it is valid, a response to the request is transmitted from the server to the client.

The present invention is also grasped as an authentication processing method. That is, according to the present invention, when an access request is made from a client to a server, in the authentication processing method for performing user authentication processing on the server, at least the first authentication information and the first authentication information are divided into a plurality of authentication information used for authentication. 2 authentication information is generated, the first authentication information is transmitted to the client, the second authentication information is stored in the server, the first authentication information transmitted from the client, and stored in the server in advance. A step of restoring the original authentication information according to the second authentication information, and changing at least the first authentication information and the second authentication information according to the restoration result of the original authentication information, Transmitting the authentication information to the client, the changed first authentication information transmitted from the client, and the changed second authentication information previously stored in the server. , And restoring the original authentication information Te is an authentication processing method having.
In a preferred example, when the original authentication information is correctly restored, the step of transmitting the user ID and password to the requesting server for authentication related to the user password, and the authentication result at the server And transmitting to the client.
In a preferred example, the first authentication information and the second authentication information are discarded once used for the authentication process, and new first authentication information and second authentication information are generated.
The present invention is also grasped as a program for executing the authentication information management method or the authentication processing method on a server and / or a client.

The present invention is also grasped as an authentication management system. That is, in an authentication management system including a client device and a server that receives a request transmitted from the client device via a network, performs a user authentication process, and obtains an answer related to the request and transmits it to the client ,
The server divides the authentication information for authenticating the user into a plurality of pieces to generate at least first authentication information and second authentication information, and from the divided first authentication information and second authentication information Electronic tally generating / restoring means for restoring the original authentication information; and second storage means for storing the divided second authentication information in association with the user's ID;
The client device has first storage means for storing first authentication information created by the server,
When transmitting a request from the client device to the server, the first authentication information stored in the first storage means is transmitted, and the electronic tally generating / restoring means of the server receives the received first authentication information and second If the original authentication information is restored from the second authentication information stored in the storage means and the authentication information is correctly restored, the authentication information is updated, and the first authentication information is updated based on the updated authentication information. And an authentication management system for creating second authentication information.
In a preferred example, the electronic tally generating / restoring means and the second storage means are provided in a remote proxy provided in the server, and the first storage means is provided in a local proxy provided in the client device.
In a preferred example, the first storage means stores the second authentication information in association with the user ID transmitted from the client device and the specific information related to the client device.

The authentication processing method according to the present invention is also grasped as follows. That is, when an access request is made from the client device to the server, in the authentication processing method for performing user authentication processing on the server side, at least the first tally information and the second tally information are divided into a plurality of pieces of information used for authentication. Generating tally information, transmitting the first tally information to the client device, retaining the second tally information in the server, the first tally information transmitted from the client device, and the second tally information. The original authentication information is used to restore the original information, and the first authentication step for authenticating the user and, if the result of the first authentication conforms, the unique information such as a password of the user transmitted from the client device is used. And an authentication processing method comprising: a second authentication step for authenticating the user; and a step of permitting an access request from the user when it is adapted in the second authentication step. It is.
In a preferred example, when the result of the first authentication is met, the changed first tally information and the second tally information are created, the changed first tally information is transmitted to the client device, and the changed first tally information is transmitted to the client device. The tally information of 2 is stored in the server.

  As a system for realizing the above authentication processing method, preferably, when there is an access request from the client device to the server, in the authentication processing system that performs user authentication processing on the server side, the information used for authentication is divided into a plurality of pieces. Electronic tally generating / restoring means for generating at least first tally information and second tally information and restoring original information from the generated first tally information and second tally information, and first tally Means for transmitting information to the client device, means for holding the second tally information, electronic tally generating / restoring means from the first tally information sent from the client device and the second tally information held in the holding means If the result of authentication by the first authentication means is valid and the first server having the first authentication means for authenticating the user depending on whether the original information is restored by And a second server having second authentication means for authenticating the user using the user's unique information sent from the remote device, and the result of authentication by the second authentication means is valid The authentication processing system permits access requests from users.

ADVANTAGE OF THE INVENTION According to this invention, the authentication information utilized can be electronically tallyed and a secret sharing can be aimed at between a client and a server, and the security of the electronic information handled by a system can be improved.
Even if the authentication information leaks, it is difficult to restore the authentication information because it is tallyed information. Further, since the authentication information to be electronically tallyed is updated, the leaked authentication information cannot be used at the next access, and the security can be further improved.
Further, according to the present invention, the authentication check based on the possibility of restoration of the electronic tally authentication information is performed before the authentication based on the verification of the unique information of the user. Can be further improved.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram showing an example of a client / server system to which one embodiment is applied.
The remote site 1 and the local site 2 are connected via a network 3 such as the Internet or a WAN (Wide Area Network), and communication based on, for example, HTTP is possible between the two.
The remote site 1 includes an extended authentication server 10 that performs authentication processing and a server 12 that has an authentication function. Note that “enhancement” of the authentication server 10 is referred to in this manner because a new secret sharing processing function using electronic tally technology is added to the remote proxy 11.

  The extended authentication server 10 has a remote proxy which is software for connecting to the network 3 and communicating information, and the remote proxy has a secret sharing processing function. This secret sharing processing function is a function for performing encryption and decryption processing of electronic tally information, and is referred to herein as a secret sharing remote proxy (R-PROXY) 11. Although details will be described later, the proxy 11 is realized by executing a program having the function by a processor.

  The server 12 is a WEB server that acquires content and the like, or a mail server that transmits and receives mail, and both have an authentication function. Also, in the server 12, the correspondence between IDs and passwords P given to users who are permitted to use the server 12 is registered in advance in the memory in a table format by the server administrator.

  On the other hand, the client that is the local site 2 usually has a plurality of PCs 20. Although one PC 20 is shown in the figure, a large number of PCs 20 are actually connected to the network 3. The PC 20 includes a GUI 21 and a local proxy (L-PROXY) 22. The GUI 21 has a display and input function. The display function includes application software for browsing information such as a WEB page acquired from the server 12, for example, and receives HTML format files, image files, music files, etc. through the network 3, and analyzes the layout. Then, it is reproduced and displayed on the display unit of the PC 20. The local proxy 22 is software for connecting the browser and the network 3 and communicating information. Details of the function will be described later.

FIG. 2 shows a secret sharing processing function in the remote site 1 and the client 2 of the WEB system.
The secret sharing remote proxy 11 of the extended authentication server 10 includes a basic processing unit 111, an authentication information registration / update unit 112, a request analysis unit 113, a request relay unit 114, a response relay unit 115, and an encryption / decryption unit 116. Yes.

  The basic processing unit 111 performs basic processing such as initial setting processing and child thread creation. The authentication information registration / update unit 112 is authentication information generated for user authentication, and is one of authentication information (that is, divided authentication information) divided into two by electronic tally (ie, divided authentication information). Second electronic tally information b), which will be described later, is registered in advance in, for example, the table T2 in association with the user ID. Further, the registered information is updated. The operation of generating and registering electronic tally information regarding authentication information will be described later with reference to FIG.

  The request analysis unit 113 analyzes the HTTP request transmitted from the client PC 20. As a result of the analysis, according to the content of the HTTP request, unique information, ID, and one electronic tally information (first electronic tally information a) are received, and when the conditions are met, the first and second electronic tally The table T2 is referred to in order to perform password restoration processing from the information.

  Here, the unique information is set when registering the authentication information, and is managed by the remote proxy 11 and the local proxy 22. As the unique information, for example, the device number of the client PC 20 can be used as the unique information. Alternatively, it is possible to obtain and set from the biometric information of the user in order to specify an individual who uses the PC 20. In the remote proxy 11, the unique information is information for determining a condition for whether or not to restore the divided authentication information. This condition is a condition for determining whether or not to restore the authentication information. For example, when the unique information matches, restoration of the tallyed authentication information is permitted.

The request relay unit 114 relays the HTTP request transmitted from the client PC 20 and transmits it to the server 12.
The response relay unit 115 relays the information acquired from the server 12 in order to transmit it to the client PC 20. Note that the response acquired from the server 12 includes content such as an image and a file, and authentication result information.

  The encryption / decryption unit 116 decrypts the content of the HTTP request from the client PC 20 and encrypts the response obtained from the server 12. The encryption / decryption unit 116 includes electronic tally generation / restoration means (not shown), and divides information used for authentication, for example, a password, into two electronic tally information, that is, first authentication information and first authentication information. 2 authentication information is generated. Further, the encryption / decryption unit 116 performs a restoration process of the original authentication information from the authentication information divided into two in the authentication information generation process.

On the other hand, the secret sharing local proxy 22 of the client PC 20 includes a basic processing unit 221, a request relay unit 222, and a response relay unit 223.
Here, the basic processing unit 221 performs processing of acquiring device information such as a MAC address and a serial number as unique information and storing it in the memory. The request relay unit 222 relays transmission of the HTTP request sent from the GUI 21 to the remote site 1. The response relay unit 21 receives the HTTP response transmitted from the remote site 1 and relays transmission to the GUI 21.

Next, a processing sequence for generating and registering authentication information will be described with reference to FIG.
Regarding the registration of the ID and password, the GUI inputs the ID and password set for the user in accordance with the displayed predetermined registration form. When receiving the registration request with the input ID and password, the basic processing unit 221 of the local proxy 22 acquires unique information and transmits the information to the extended authentication server 10 (S31). Here, the ID, password, and unique information are usually encrypted by the local proxy 22 and transmitted. Note that the password corresponds to the regular password P authenticated by the server 12, but in this embodiment, as will be described later, this password is processed by electronic tally and used as authentication information. .

  The remote proxy 11 of the extended authentication server 10 analyzes the received HTTP request (S32). If the result of the analysis is an ID and password registration request, the request is relayed and transmitted to the server 12 (S33).

The authentication server 12 performs authentication processing with reference to the received ID and password. This authentication is an authentication process performed when a user receives a service using the server 12, for example, when receiving a service such as an ASP service or a WEB mail. The authentication is determined based on whether or not the ID and password registered in the table T1 of the server 12 match the ID and password transmitted from the user. As a result of this authentication processing, if permitted, a result to that effect is sent as an answer to the remote proxy 11.
The remote proxy 11 relays the received answer using the response relay unit 115 (S34), and performs encryption processing using the encryption / decryption unit 116 (S35).

  Furthermore, since the password is used as authentication information in this embodiment, a plurality of electronic tally information is generated by the electronic tally generation / restoration means of the encryption / decryption unit 116. Here, the authentication information is divided into two by electronic tally, and the first authentication information a and the second authentication information b are generated. The generation of electronic tally information can be realized by using a commonly known electronic tally technique. Since the generated authentication information a and b are subsequently updated, the authentication information for the user 1 generated by tallying the first time is represented as a10 and b10. Similarly, the initial authentication information tallyed for user i is represented as ai0 and bi0.

  Of the first and second authentication information a10 and b10 generated for the user 1, the second authentication information b10 is associated with the ID of the user 1 and the unique information previously received. And registered in the table T2 formed in the memory in the remote proxy 11. On the other hand, the first authentication information a10 is transmitted to the local proxy 22 of the client PC 20 used by the user 1 as an answer to the authentication registration process together with the ID (S36).

  When the local proxy 22 receives the ID and the first authentication information a10, the first authentication information a10 corresponding to the ID of the user is stored in the table T3 of the storage device (not shown) provided in the client PC 20. Register (S37). Then, the registration completion message is displayed on the GUI, and the series of authentication information registration processing is terminated. The authentication information update process in the remote proxy 11 is performed in the same manner as the registration process described above.

Next, referring to an authentication management sequence in the authentication management system shown in FIG. 4, an authentication process and an operation for updating authentication information will be described.
First, when receiving an authentication request with an ID and a password input by the user 1 from the GUI of the client 2, the request relay unit 222 receives the first authentication information a10 stored in the table T3 corresponding to the ID1. And the fixed information of the client 20 held in the memory is acquired. These pieces of information (that is, first authentication information a10, fixed information, ID1) are transmitted to the server 10 (S41).

  The request analysis unit 113 of the remote proxy 11 of the server 10 analyzes the received request (S42). As a result of the analysis, if it is an authentication request, the encryption / decryption unit 116 searches the table T2 and confirms whether the ID and unique information received from the client 20 are registered in the table T2. To do. As a result, if the corresponding ID and unique information are not registered, it is considered that the request is not from a legitimate transmission source client PC, and the subsequent processing is not performed. That is, the response relay unit 115 that performs the authentication process replies to the client PC 20 to that effect.

On the other hand, if the ID and unique information corresponding to the table T2 exist, the process proceeds to the authentication process. That is, the second authentication information b10 registered in association with the ID and the unique information is read out, and the second authentication information b10 and the first authentication information a10 received earlier are decrypted. The original authentication information (a10 + b10) is restored (S43).
This restoration of authentication information means a request from a valid client PC to which authentication information divided by electronic tally is distributed. In this embodiment, this stage of authentication is referred to as first authentication.

  As a result of restoration in step S43, if restoration is not possible (NG), the subsequent processing in steps S44 to S46 is not performed, and the authentication result NG is immediately transmitted to the client PC (S47). On the other hand, if the restoration is successful (OK), the authentication processing to the authentication server 12 is performed and the authentication information is updated. This will be described below.

  The restored authentication information and unique information are temporarily stored in the memory of the remote proxy 11. Then, the request relay unit 114 transmits the previously received user ID and password to the server 12 (S44).

  Before executing the request from the client, the server 12 checks the ID and password of the user registered in advance in the table T1 to check whether the request is from a valid user. If the result of the password authentication process is a request from a legitimate user, the request from the user is executed. Here, the authentication result is returned to the remote proxy 11, and the response relay unit 115 relays it (S45). In this embodiment, the authentication performed by checking the password in the requested server 12 is referred to as second authentication. In the second authentication, it is determined that the user is a valid user.

  In this embodiment, the authentication information is changed in the authentication information registration / update unit 112 each time authentication for a certain user is correctly executed. The reason for changing the authentication information is that even if the authentication information is leaked due to theft of the client PC 20 or decryption of the information in the PC, the authentication information used once is invalidated next time and the authentication after the change is made By validating the information, the security for access to the server is improved.

  Regarding the change of the authentication information, for example, the updated authentication information (a11, b11) is created for the previous authentication information (a10, b10). Then, the updated authentication information is divided by the electronic tally generation / restoration means of the encryption / decryption unit 116 to generate the first authentication information a11 and the second authentication information b11 (S46). Here, as for the authentication information update and division algorithm, for example, a method of sequentially changing the parameters of the division formula of the electronic tally, or changing at least one character of the password based on the authentication information to an appropriate character, etc. The method can be used.

  The generated second authentication information b11 is stored in a location corresponding to the ID of the user in the table T2. As a result, the second authentication information of the user ID “1” in the table T2 is rewritten from b10 to b11. On the other hand, the updated first authentication information a11 is transmitted from the response relay unit 115 to the local proxy 22 of the client 20 together with authentication permission and ID (S47).

The response relay unit 223 of the local proxy 22 relays the received response, that is, the authentication result, and transmits it to the GUI 21 (S48). The received first authentication information a11 after update is stored in the table T3, and the first authentication information in the table T3 is also updated. The first authentication information a11 is used when a request is transmitted from the client PC 20 to the server 10 at the next opportunity.
The GUI indicates that authentication is possible, and a series of processing for the authentication request ends.

  Thereafter, similarly, when a request is transmitted from the client PC 20 to the server 10, the first authentication information is also transmitted, and each time the authentication information is correctly restored in the server 10, new authentication information is generated and an electronic tally is generated. It will be understood that the two pieces of authentication information thus held are respectively held in the server 10 and the client PC 20, and such an operation continues in the same manner.

  As described above, according to the present embodiment, authentication information with electronic tally is held in the client PC and the server, respectively, and neither of the authentication information has original information. Even if it is leaked, it is difficult to restore it. Also, since the electronic tally authentication information is used only once and is updated each time, even if the server is accessed using the previous authentication information used once, it is no longer a normal authentication. Information is not restored. For this reason, security can be further strengthened. Furthermore, unless the user ID and the unique information about the client device match, the restoration of the electronic tally authentication information is not allowed, so that the security is further improved.

  In the above embodiment, the user password is used as the authentication information. However, in other embodiments, the present invention is not limited to this, and various information can be used. For example, date information (referred to as time information) may be used as the authentication information, or a combination of time information and user ID or unique information may be used.

  Furthermore, as the authentication information, a character string extracted from any other information such as a newspaper article is used as the authentication information, and the character string is appropriately extracted from the newspaper article on the update date and used for the update. Also good. Whichever information is used, the processing operation described with reference to FIGS. 3 and 4 does not change.

  The password may be not only a personal identification number, a symbol, and a code unique to the user, but also information unique to the user regarding information acquired from the user's living body, such as a fingerprint, a voiceprint, and a vein.

  Moreover, in the said Example, although authentication information is divided | segmented into two by the electronic tally production | generation restoration | reconstruction means, the number divided | segmented is not restricted to this, Generally, multiple may be sufficient. For example, one piece of tally information out of three or more pieces of electronic tally information divided into n pieces is transmitted to the client PC, but the remaining (n-1) pieces are held in the table T2 of the remote proxy 11. Keep it. Then, at the next opportunity (at the second access), the second tally information from (n-1) is transmitted to the client PC, and at the third access, (n-1) is similarly performed. The tally information transmitted sequentially may be changed by transmitting the third tally information from the inside. When all (n-1) tally information is used up for the same client PC, n new tally information may be generated and the processing operation similar to the above operation may be repeated.

Moreover, although the example in which the PC 20 is used as the client device has been described in the above embodiment, the present invention is not limited to the PC, and devices such as a mobile terminal device and a mobile phone can be applied.
Further, the extended authentication server 12 is not limited to a server configured as software, and a server that performs authentication (first authentication) of this embodiment may be uniquely provided as hardware.
Furthermore, the function of the extended authentication server 10 that performs the first authentication and the function of the server 12 that performs the second authentication can be realized by software in one server as hardware.

The figure which shows the structure of the client server system to which one Example of this invention is applied. The figure which shows the processing function in the authentication management system by one Example. The figure which shows the registration processing sequence of the authentication information in the authentication management system by one Example. The figure which shows the sequence of the authentication process in the authentication management system by one Example.

Explanation of symbols

1: Remote site 2: Local site 10: Extended authentication server 11: Secret sharing remote proxy 12: Server having authentication function 20: PC
21: GUI 22: Secret sharing local proxy

Claims (10)

An authentication processing method that performs user authentication processing on the server side when there is an access request from the client to the server,
The server stores information unique to the user in association with the user ID in the first storage means;
Dividing tally information used for authentication into at least two based on a predetermined algorithm on the server side to generate first tally information and second tally information;
Storing the second tally information in the second storage means on the server side in association with specific information relating to the client device;
Transmitting the first tally information from the server to the client;
The client receives the transmitted first tally information and stores it in a storage means in the client;
When accessing the server from the client, transmitting at least the user ID, information unique to the user, unique information of the client, and the first tally information to the server side;
The server side integrates the received first tally information and the second tally information stored in the second storage means corresponding to the ID, and restores the tally information. And steps to
In the restoration process, when the tally information cannot be restored, a step of transmitting a restoration failure to the client without performing the subsequent authentication process;
When the tally information can be restored in the restoration process, the received unique information of the user and the usage corresponding to the user ID registered in the first storage means of the server Verifying that it is a legitimate user by collating with information unique to the user,
As a result of the determination, if the unique information of the user matches, allowing access to the server; and
In the restoration process, when the tally information can be restored, the first and second tally information is discarded, the tally information is updated, and the updated tally information is changed based on a predetermined algorithm. Dividing into at least two and generating new first tally information and second tally information;
On the server side, the generated new second tally information is stored in the second storage means in association with the unique information regarding the client device, and the new first tally information is stored in the second tally information. Sending to the client;
The client further comprises a step of storing the received first new tally information in the storage means. The authentication processing method according to claim 1, wherein the first and second tally information is created by performing electronic tally processing on time information or arbitrary character information. The authentication processing method according to claim 1, wherein the information unique to the user is a password of the user or biometric information of the user. A step of encrypting the first tally information when transmitting the generated first tally information to the client;
4. The authentication processing method according to claim 1, further comprising a step of decrypting a cipher of the first tally information transmitted and received from the client. 5. A program for executing the authentication processing method according to any one of claims 1 to 4 on the server side and the client. When there is an access request from the client to the server, in the authentication processing system that performs user authentication processing on the server,
The server includes first storage means for storing information unique to a user in association with a user ID, unique information of the user transmitted and received from the client, and the first storage means. And determining means for determining that the user is a legitimate user by collating with information unique to the user corresponding to the ID of the user registered in the user ID. If the user's unique information matches, allow the user access to the server,
The server:
Tally information used for authentication is divided into at least two based on a predetermined algorithm, and tally information generating means for generating first tally information and second tally information,
Second storage means for storing the second tally information in association with specific information relating to the client device;
Transmitting means for transmitting the first tally information from the server to the client;
Receiving means for receiving the ID of the user, the information unique to the user, the unique information of the client, and the first tally information transmitted from the client;
Tally information restoring means for restoring tally information by integrating the received first tally information and the second tally information registered in the second storage means corresponding to the ID; ,
When the tally information cannot be restored by the restoration processing of the tally information restoration means, the transmission processing means for sending a restoration failure to the client without performing subsequent authentication processing,
When the tally information can be restored by the restoration process of the tally information restoration means, the determination by the determination means in the first server is performed,
When the tally information can be restored by the restoration process of the tally information restoring means, the server side discards the first and second tally information, updates the tally information, and generates the tally information generating means. Based on a predetermined algorithm, the updated tally information is divided into at least two to generate new first tally information and second tally information, and the generated second tally Storing information in the second storage means in association with the unique information about the client device, and sending the new first tally information to the client via the sending means,
The client;
Receiving means for receiving the first tally information transmitted from the second server; third storage means for storing the first tally information received via the receiving means; and When accessing the first server, the user's ID input by the user, information unique to the user, unique information of the client, and the third storage means stored in the third storage means An authentication processing system comprising: transmission means for transmitting tally information of 1 to the server side. Further, when the generated first tally information is transmitted to the client, the first tally information is encrypted, and the encryption of the first tally information transmitted and received from the client is decrypted. The authentication processing system according to claim 6, further comprising an encryption / decryption unit. The server includes a remote proxy, and the tally information generation unit, the second storage unit, the transmission unit, the reception unit, the tally information restoration unit, and the encryption / decryption unit are connected to the remote proxy. In the proxy,
The authentication management system according to claim 6 or 7, wherein the client has a local proxy, and the reception unit, the third storage unit, and the transmission unit are provided in the local proxy. . 8. The tally information generating means generates first tally information and second tally information by performing electronic tally processing on time information or arbitrary character information. The authentication processing system described. The authentication processing system according to claim 6, wherein a user password or user biometric information is used as information unique to the user.

Images