JP4278417B2 - User authentication password generation method and user authentication method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a method for generating a password from an arbitrary user file selected by a user to be authenticated and a user authentication method.
[0002]
[Prior art]
In the conventional authentication system, the user to be authenticated needs to directly input the password character string itself at the time of authentication. In this case, the password character string may vary from a short character string with a limited number of characters to a complex and long character string using a large number of character types in order to increase security strength.
In preparation for authentication, the user to be authenticated directly stores the password character string itself, or if it is difficult to store, describes it on a paper medium or stores it as a file on an electronic medium. There are many cases.
When a password character string is specified by the user to be authenticated at the time of user registration, a meaningful character string based on personal information is often registered. And when performing user registration in a plurality of authentication systems, there is a tendency to use the same password.
Further, as shown in the following Patent Document 1, there is a method of generating a password based on information attached to a file such as a file name, a size last update date, and an extension designated by a user to be authenticated.
[0003]
[Patent Document 1]
Japanese Patent Laid-Open No. 2002-351841
[Problems to be solved by the invention]
However, in the case of the conventional authentication system as described above, for example, the following problem may occur.
(1) In the case of a short and simple password character string, discovery by a brute force attack is easy.
(2) In the case of a long and complicated password character string, misunderstanding, forgetting, and input mistakes are likely to occur.
(3) When stored in paper or electronic media, there is a risk of theft or outflow.
(4) When a meaningful character string based on personal information is registered, analogy by others is possible.
When the user to be authenticated directly registers, stores, manages, and inputs a password character string, lowering the security strength reduces the burden on the user, but increases the risk and may make the system unstable. . On the other hand, if the security strength is increased, it seems as if the risk is reduced and the system is stable, but the burden on the user is rather heavy, causing a system risk caused by the user. .
Further, in the method disclosed in Patent Document 1, if a file name or size used for generating a password is known, there is a possibility that a third party can easily create a password. .
[0005]
An object of the present invention is to provide a password generation method that eliminates the need for an authentication target user to directly input a password character string, reduces a user's burden, and at the same time generates a password with high security strength. is there.
It is another object of the present invention to provide a user authentication method capable of performing user authentication using a password generated by this password generation method.
[0006]
[Means for Solving the Problems]
In order to achieve the above object, a password generation method according to the present invention is a method for generating a password for user authentication performed on an authentication server,
The authentication server is
A first step of setting a first character string range acquired from the password generation source file and a second character string range of the password generation source acquired from within the first character string range;
A second step of accepting, from the client terminal , user identification information of the authentication target user and a password generation source file selected by the authentication target user at the time of user registration from the client terminal used by the authentication target user ;
The character string in the first character string range is acquired from the accepted password generation source file, the character string in the second character string range is acquired, and the character string in the second character string range is generated as a password. A third step of generating the original password;
The generated password; and a fourth step of registering in a storage device together with the user identification information.
In the second step, the storage path information of the password generation source file is received together with the user identification information and the password generation source file from the client terminal, and in the third step, a part of the storage path information is a password. A second password as a generation source is generated, and in the fourth step, the first password, user identification information, storage path information, and a second password are registered in the storage device.
Further, in the third step, a CRC value of the password generation source file is calculated, a third password having a part of the CRC value as a password generation source is generated, and in the fourth step, the first password is generated. A password, a second password, user identification information, storage path information, and a third password are registered in a storage device.
[0007]
A user authentication method according to the present invention is a user authentication method implemented on an authentication server,
The authentication server is
A first step of setting a first character string range acquired from the password generation source file and a second character string range of the password generation source acquired from within the first character string range;
A second step of accepting, from the client terminal , user identification information of the authentication target user and a password generation source file selected by the authentication target user at the time of user registration from the client terminal used by the authentication target user ;
The character string in the first character string range is acquired from the accepted password generation source file, the character string in the second character string range is acquired, and the character string in the second character string range is generated as a password. A third step of generating a first password based on;
Fourth upon user authentication steps between client terminal claimant is used, the user identification information and password generation source file authentication object user selects to register the generated first password in a storage device together with the user identification information A fifth step of accepting from the client terminal ;
A sixth step of determining whether the received user identification information is registered in the storage device, and returning error information to the client terminal if not registered;
A character string in the first character string range is acquired from the password generation source file received from the client terminal in the fifth step, a character string in the second character string range is acquired, and a second character is acquired. A seventh step of generating a password using a character string within the column range as a password generation source;
The first password stored together with the user identification information that matches the user identification information received in the fifth step is acquired from the storage device, and whether or not it matches the password generated in the seventh step An eighth step of determining and authenticating that the user is a legitimate user only when they match is characterized.
Further, in the second step, the storage path information of the password generation source file is received together with the user identification information and the password generation source file from the client terminal,
In the third step, a second password having a part of the storage path information as a password generation source is generated, and in the fourth step, the first password, user identification information, storage path information, second In the storage device, and in the seventh step, in addition to the first password, a second password having a part of the storage path information as a password generation source is regenerated, and in the eighth step, The first and second passwords that are stored together with the user identification information that matches the user identification information received in the fifth step are acquired from the storage device, and match the regenerated first and second passwords. Whether or not to do so is determined, and it is authenticated that the user is a legitimate user only when the two match.
Further, in the third step, a third password is generated with a part of the CRC value of the password generation source file as a password generation source, and in the fourth step, the first password and user identification information, The storage path information, the second password, and the third password are registered in the storage device, and the third password is regenerated in addition to the first and second passwords in the seventh step, and the eighth password In the step, the first to third passwords stored together with the user identification information that matches the user identification information received in the fifth step are acquired from the storage device, and the regenerated first to third passwords are obtained. It is characterized in that it is determined whether or not it matches, and is authenticated as a legitimate user only when it matches.
[0008]
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention will be specifically described below with reference to the drawings.
FIG. 1 is a system configuration diagram showing an outline of a system that performs user authentication using a password generated by using the password generation method according to the present invention.
In the authentication server 101 such as the WWW, setting items 102 including a file content acquisition range (character string acquisition range) and a password generation range from a password generation source file to be selected by the user to be authenticated are set in advance.
The user to be authenticated selects an arbitrary local file in the client terminal from the Web form 103 as the password generation source file 104 and transmits it to the authentication server 101 together with the user ID and the storage path information. The authentication server 101 acquires the file contents in the range set by the setting item 102 among the contents of the password generation source file from the storage path information of the password generation source file selected by the user, and generates a password.
In the authentication server 101, the first password is generated based on the file contents in the range set in the setting item 102 , the second password is generated based on the storage path information, and the third password is further generated based on the CRC value. It is generated and stored in the storage device 105 of the authentication server 101.
The storage path and a partial character string of the CRC value can also be included as a password generation source.
The user authentication is performed by comparing the password and user ID registered in the storage device 105 of the authentication server 101 at the time of user registration with the password regenerated by the contents (storage path information and file contents) retransmitted at the time of user authentication. Done.
[0009]
FIG. 2 is a screen example of range setting acquired from the password generation source file in the authentication server. In 201, the acquisition range (acquisition start position and acquisition capacity) of the character string in the password generation source file specified by the storage path information is set, and the range used for password generation in the character string acquired from the acquisition range (Acquisition start position and acquisition capacity) are set.
In 202 and 203, when not only the file contents but also the storage path information and a part of the CRC value are used as the password generation source, the acquisition start position and the number of acquisition bytes are set.
In addition, here is an example of a screen when there is only one password generation source file, but it is also possible to increase the number of password generation files so that the authentication target user can select multiple password generation source files. Is possible. Alternatively, the range setting can be changed periodically. Such expansion makes it possible to further increase the security strength.
[0010]
FIG. 3 is an example screen for setting options for authentication processing in the authentication server 101.
Here, the hash function method used for password generation in 301 is set to either SHA-1 or MD-5, and in 301, the CRC value calculation method of the file is set to 16 bits or 32 bits. In step 303, a capacity adjustment method is set for each of the range settings specified in FIG. As the capacity adjustment method, there are options such as repeating from the acquisition start position, blanking, NULL, or arbitrary character string.
Although not shown in the screen example, when selecting a password generation source file, it is possible to set filtering for excluding paths and files that exist in common to clients, such as system installation folder and system file. Yes.
[0011]
FIG. 4 is an example of a Web form screen for user registration and authentication that allows the user to be authenticated to select a password generation source file.
Instead of the conventional password input field, a reference button 401 for selecting a password generation source file from the client terminal and a text box 402 for inputting a storage path are arranged.
The storage path information and CRC value of the password generation source file are also registered in the storage device 105 of the authentication server 101. This is because at the time of user authentication, the file name and presence / absence of file movement are checked with the storage path information, and the presence / absence of file update is checked with the CRC value. On the premise of the present invention that a password is generated by acquiring a part of the file content, the generation result may be different if the file content is updated, so the CRC value check is essential. If the storage path information does not match the registered content of the authentication server 101, an error “file name or storage location is different” is returned to the client terminal, and if the CRC values do not match, “the password cannot be generated because the file has been updated”. An error is returned to the client terminal, and user registration is prompted again.
[0012]
FIG. 5 is an explanatory diagram when a character string in the range set by the setting item 102 is acquired from the contents of the password generation source file.
In the figure, reference numeral 501 denotes the entire password generation source file. Reference numeral 502 denotes an entire character string range acquired by the authentication server 101, and reference numeral 503 denotes a character string range acquired from 502 as a password generation source. The acquisition range is set by the setting item 102 of the authentication server 101. In the example of FIG. 5, the case where the file contents are acquired as a hexadecimal character string is described. However, in this case, only the character type 0123456789ABCDEF is used, so a higher order notation is used to increase the character type. It is also possible to do.
Depending on the settings on the authentication server 101, the file content acquisition range need not be the entire file. Rather, by acquiring the entire file, there is a possibility that problems such as the outflow of description contents may occur. It is desirable to set the acquisition range to such an extent that it is impossible to restore the user file even if the contents of the telegram are intercepted, such as avoiding the head portion that can be the header information of the file. The acquisition capacity may be adjusted according to the line bandwidth to be used.
[0013]
FIG. 6 is an example of obtaining a character string range when a storage path and a CRC value are also included as a password generation source, as indicated by 202 and 203 in FIG. As described above, the first purpose of acquiring the storage path and the CRC value is to check at the time of authentication whether the password generation source file has been changed on the client terminal side of the user to be authenticated. However, by including not only the file contents but also the storage path and CRC value as the generation source, the number of parameters input to the hash function for password generation increases, and the effect of increasing the security strength is expected.
Therefore, in the present embodiment, a part 601 of the storage path and a part 602 of the CRC value can be included as a password generation source on the setting screen of FIG.
[0014]
FIG. 7 is a flowchart showing a schematic process of the user registration process in the authentication server 101.
In FIG. 7, first, the user ID of the user to be authenticated is acquired from the client terminal (step 701). Next, the contents of the password generation source file indicated by the storage path are acquired, and the contents set in the setting item 102 therein are acquired (step 702).
Next, it is determined whether or not the file content sufficiently satisfies the capacity set on the setting screen in FIG. 2 (step 703). If not, the setting is made in “Processing when acquisition capacity is insufficient” on the setting screen in FIG. The deficiency is adjusted according to the determined conditions (step 704).
Next, the character string of the password generation source is acquired from the contents of the file acquired in step 702 according to the conditions set in “password generation range setting” on the setting screen of FIG. 2 (step 705). Let B be the character string acquired in step 705.
Next, the acquisition path information of the password generation source file is acquired from the client terminal, and this is set as C (step 706).
[0015]
Next, it is determined whether or not the storage path information is set to be included in the password on the setting screen of FIG. 2 (step 707). If the password is set to be included, a partial character string of the storage path information is determined. Is obtained and set as D (step 708). The range to be acquired is specified on the setting screen of FIG.
Next, the CRC value of the password generation source file is calculated, and this is set as E (step 709).
Next, it is determined whether or not the CRC value is set to be included in the password on the setting screen of FIG. 2 (step 710), and if it is set to include, a partial character string of the CRC value is acquired. This is set as F (step 711). The range to be acquired is specified on the setting screen of FIG.
[0016]
Next, the password generation source character string B acquired in step 705 is input to the hash function to generate a first password B ′ (step 712).
Next, the user ID (= A), storage path information (C), CRC value (E), and first password (B ′) are registered in the storage device 105 (step 713).
Next, when a part of the character string D of the storage path information has been acquired, the character string D is input to the hash function to generate a second password D ′ and registered in the storage device 105 ( Steps 714-716).
Next, when the character string F that is a part of the CRC value has been acquired, the character string F is input to the hash function to generate the third password F ′ and register it in the storage device 105 (step 717-719).
[0017]
FIG. 8 is a flowchart showing an overview of user authentication processing in the authentication server 101.
In FIG. 8, first, the user ID of the user to be authenticated is acquired from the client terminal (step 801), and information registered in the storage device 105 is searched using the user ID (step 802). As a result, if a user ID that matches the user ID received from the client terminal is registered, the verification is OK, and if not registered, an error indicating that the user authentication is rejected is returned to the client terminal (step 803, 804).
If the authentication of the user ID is OK, the storage path information of the password generation source file designated by the authentication target user of the client terminal is acquired (step 805), and the storage path information and the storage device 105 are registered. Is compared with the storage path information of the user ID (step 806). If the two match, the storage path verification is OK. If they do not match, the storage path is changed and user authentication is rejected. An error to the effect is returned to the client terminal (step 807).
[0018]
If the storage path verification is OK, then the CRC value of the password generation source file is calculated (step 808), and the CRC value and the CRC value of the user ID registered in the storage device 105 are verified ( In step 809), if the two match, the CRC value verification is OK, and if they do not match, an error message that the user authentication is rejected is returned to the client terminal because the file contents are changed (step 810). .
Next, the character string in the password generation source file is acquired according to the setting conditions on the setting screen of FIG. 2 (step 811).
Next, it is determined whether or not the file content sufficiently satisfies the capacity set on the setting screen in FIG. 2 (step 812). If not, the setting is made in “Processing when acquisition capacity is insufficient” on the setting screen in FIG. The deficiency is adjusted according to the determined conditions (step 813).
[0019]
Next, the character string of the password generation source is acquired from the file contents acquired in step 811 according to the conditions set in “password generation range setting” on the setting screen of FIG. 2 (step 814). Let B be the character string acquired in step 705.
Next, the password generation source character string B is input to the hash function to regenerate the first password B ′ (step 815).
Next, it is determined whether or not the storage path information is set to be included in the password on the setting screen of FIG. 2 (step 816). If the storage path information is set to be included, a partial character string of the storage path information is determined. Is obtained and set as D (step 817). The range to be acquired is specified on the setting screen of FIG.
Next, a part of the character string D of the storage path information is input to the hash function to regenerate the second password D ′ (step 818).
[0020]
Next, it is determined whether or not the CRC value is set to be included in the password on the setting screen of FIG. 2 (step 819), and if it is set to include, a partial character string of the CRC value is acquired. This is set as F (step 820). The range to be acquired is specified on the setting screen of FIG.
Next, a part of the character string F of the CRC value of the password generation source file is input to the hash function to regenerate the third password F ′ (step 821).
Next, the first to third passwords B ′, D ′, and F ′ of the user ID registered in the storage device 105 are compared with the regenerated passwords B ′, D ′, and F ′. If they match, the user authentication is OK, and if some of them do not match, an error indicating that the user authentication is rejected is returned to the client terminal (steps 822 to 827).
[0021]
As described above, in this embodiment, the user to be authenticated does not need to be directly aware of the password character string, and user authentication can be performed only by selecting a password generation source file at the time of user registration and authentication.
In addition, the user to be authenticated registers the password character string indirectly through the password generation source file, and only needs to be maintained without updating the password generation source file. Unlike meaningless and long password strings, what you remember is the file location and file name, and if you choose a file that is familiar to the user you want to authenticate, you can easily remember and less forget Authentication is less likely to fail.
[0022]
Also, the password generation source file can be of any type. Since a normal user file also serves as a password generation source file, management is easier than a file in which a password character string is directly described. When saving to an electronic medium, a backup may be obtained together with other normal user files. Even if the client terminal is stolen, it is difficult to specify from a large local file in the client terminal. Even if only the password source file is stolen, or even if the file is passed to a third party, the password will be played correctly if the file storage path is not restored to the same location as when it was originally stored. Not done.
In addition, even if the contents of the message between the user to be authenticated and the authentication server are intercepted and analyzed, not all of the messages sent to the authentication server are within the range of the password generation source. Is difficult. If the number of parameter combinations used as password generators is increased, the identification becomes more difficult.
[0023]
In the above description, there is only one password generation source file, and the password generation source is the file contents, storage path, and CRC value. However, the password generation source parameters are further increased or the range is set on the authentication server. It is possible to further increase the security strength by changing the password periodically, or by expanding the system configuration to require a plurality of password generation source files. Even in such a case, the authentication target user side does not change the password indirectly by using the password generation source file, and there is an advantage that the burden on the user can be reduced as compared with the conventional authentication system.
[0024]
【The invention's effect】
As described above, according to the present invention, it is not necessary for the user to be authenticated to directly input the password character string, and the burden on the user can be reduced and at the same time a password with high security strength can be generated.
In addition, it is possible to reduce the burden on the user and at the same time perform user authentication with high security strength.
[Brief description of the drawings]
FIG. 1 is a system configuration diagram showing an embodiment of the present invention.
FIG. 2 is a diagram illustrating an example of a password generation source range setting screen in the authentication server.
FIG. 3 is a diagram illustrating an example of an option setting screen at the time of authentication in the authentication server.
FIG. 4 is a diagram illustrating an example of a Web form screen for user registration and authentication for an authentication target user.
FIG. 5 is a diagram illustrating an example of acquiring a character string range from the contents of a password generation source file.
FIG. 6 is a diagram illustrating an example of acquiring a character string range when a storage path and a CRC value are also included as a password generation source.
FIG. 7 is a flowchart of user registration processing in the authentication server.
FIG. 8 is a flowchart of user authentication processing in the authentication server.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 101 ... Authentication server, 102 ... Setting item of file content acquisition range set to authentication server, 104 ... Password generation source file, 105 ... Storage device.

Claims (6)

A method for generating a password for user authentication performed on an authentication server,
The authentication server is
A first step of setting a first character string range acquired from the password generation source file and a second character string range of the password generation source acquired from within the first character string range;
A second step of accepting, from the client terminal , user identification information of the authentication target user and a password generation source file selected by the authentication target user at the time of user registration from the client terminal used by the authentication target user ;
The character string in the first character string range is acquired from the accepted password generation source file, the character string in the second character string range is acquired, and the character string in the second character string range is generated as a password. A third step of generating the original password;
A fourth step and a method of generating a user authentication password, characterized in that it comprises a registering the generated password to the memory device along with said user identification information. In the second step, the storage path information of the password generation source file is received together with the user identification information and the password generation source file from the client terminal, and in the third step, a part of the storage path information is transferred to the password generation source. The second password is generated, and in the fourth step, the first password, user identification information, storage path information, and second password are registered in the storage device. A method for generating the described user authentication password. In the third step, a CRC value of the password generation source file is calculated, a third password having a part of the CRC value as a password generation source is generated, and in the fourth step, the first password and 3. The method for generating a user authentication password according to claim 2, wherein the second password, the user identification information, the storage path information, and the third password are registered in a storage device. A user authentication method performed on an authentication server,
The authentication server is
A first step of setting a first character string range acquired from the password generation source file and a second character string range of the password generation source acquired from within the first character string range;
A second step of accepting, from the client terminal , user identification information of the authentication target user and a password generation source file selected by the authentication target user at the time of user registration from the client terminal used by the authentication target user ;
The character string in the first character string range is acquired from the accepted password generation source file, the character string in the second character string range is acquired, and the character string in the second character string range is generated as a password. A third step of generating a first password based on;
Fourth upon user authentication steps between client terminal claimant is used, the user identification information and password generation source file authentication object user selects to register the generated first password in a storage device together with the user identification information A fifth step of accepting from the client terminal ;
A sixth step of determining whether the received user identification information is registered in the storage device, and returning error information to the client terminal if not registered;
A character string in the first character string range is acquired from the password generation source file received from the client terminal in the fifth step, a character string in the second character string range is acquired, and a second character is acquired. A seventh step of generating a password using a character string in the column range as a password generation source;
The first password stored together with the user identification information that matches the user identification information received in the fifth step is acquired from the storage device, and whether or not it matches the password generated in the seventh step A user authentication method comprising: an eighth step of determining and authenticating an authorized user only when they match. Receiving storage path information of the password generation source file together with the user identification information and the password generation source file from the client terminal in the second step;
In the third step, a second password having a part of the storage path information as a password generation source is generated, and in the fourth step, the first password, user identification information, storage path information, second In the storage device, and in the seventh step, in addition to the first password, a second password having a part of the storage path information as a password generation source is regenerated, and in the eighth step, The first and second passwords that are stored together with the user identification information that matches the user identification information received in the fifth step are acquired from the storage device, and match the regenerated first and second passwords. 5. The user authentication method according to claim 4, wherein it is determined whether or not to perform authentication, and authentication is performed only when the two match.   In the third step, a third password is generated with a part of the CRC value of the password generation source file as a password generation source. In the fourth step, the first password, user identification information, and storage path Register the information, the second password, and the third password in the storage device, regenerate the third password in addition to the first and second passwords in the seventh step, and in the eighth step; The first to third passwords that are stored together with the user identification information that matches the user identification information received in the fifth step are acquired from the storage device, and match the regenerated first to third passwords. 6. The user authentication method according to claim 5, wherein it is determined whether or not to perform authentication, and authentication is made as a legitimate user only when they match.

Images