JP4717514B2 - Communication system, communication method, communication program, authentication server - Google Patents

Description

  The present invention relates to a communication system having an authentication server that authenticates a communication device connected to a network and the communication device.

Conventionally, communication systems in which communication devices connected to a network perform data communication have been operated. In a communication system via a network, there is a risk of information theft and unauthorized remote operation by remote connection to other communication devices, so an authentication server is provided on the network to authenticate the user or communication device itself. A communication system is operated in which a communication device is connected to a network and performs communication only when it is authenticated and permitted by a server. (For example, see Patent Document 1)
JP 2003-203054 A

  However, if a communication device in operation is disconnected from the network and taken out to the outside, authentication by the authentication server cannot be performed, and information stored in the communication device may be stolen. There are circumstances.

  The present invention has been made in view of conventional circumstances, and even when a communication device connected to a network is illegally disconnected from the network and taken out by a third party, the communication device is stored in the communication device. An object of the present invention is to provide a communication system, a communication system, a communication program, and an authentication server that can prevent leakage of confidential information.

  In order to achieve the above object, a first communication system of the present invention is a communication system including a communication device connected to a network and an authentication server for performing authentication of the communication device, wherein the communication device includes the authentication device. A connection request means for requesting the server to authenticate the connection to the network, and when connection authentication is performed by a connection authentication process performed based on the authentication request, the connection processing to the network is performed. A connection processing means; a disconnect request means for requesting the authentication server to disconnect from the network a communication device connected to the network by the connection process; and a disconnect authentication performed based on the disconnect request. A disconnection processing unit configured to perform disconnection processing from the network when disconnection authentication is performed by the processing; And an operation restriction unit for restricting the operation of the communication device when the network disconnection is performed, and the authentication server performs the connection authentication process of the communication device based on the connection authentication request. A connection authentication unit and a disconnection authentication unit that performs the disconnection authentication process of the communication device based on the disconnection authentication request.

  With this configuration, when a communication device connected to the network is disconnected from the network by a third party without permission, it is possible to prevent the communication device from being operated, and leakage of confidential information due to theft of the communication device. Can be prevented.

  In the second communication system of the present invention, the connection for confirming that the connection between the communication device and the authentication server is continued by the connection confirmation data exchanged between the communication device and the authentication server. It has the structure which has a confirmation means.

  With this configuration, it can be ensured that the connection between the communication device and the authentication server is reliably continued.

  In the third communication system of the present invention, the connection confirmation unit transmits the connection confirmation data from the authentication server to the communication device at predetermined time intervals, and the connection Connection confirmation response means for returning a connection confirmation response from the communication device to the authentication server based on reception of confirmation data, and prohibiting connection between the communication device and the network when the connection confirmation response is not received And a connection prohibiting means.

  With this configuration, when it is not possible to recognize that the communication device and the authentication server are securely connected, a safer communication system can be realized by prohibiting the network connection of the communication device.

  In the fourth communication system of the present invention, the connection prohibiting means includes an alarm transmitting means for notifying the communication device of a warning.

  With this configuration, it is possible to know that the communication device has been illegally disconnected from the network.

  The fifth communication system of the present invention is configured to include a re-authentication unit that performs the connection authentication on a communication device that is prohibited from connecting to the network by the connection prohibition unit.

  With this configuration, even when subsequent network connection is prohibited due to a network disconnection that is not illegal, authentication by the authentication server can be performed again to permit network connection.

  The first communication method of the present invention is a communication method having a communication device connected to a network and an authentication server for authenticating the communication device, and the communication device and the network are connected to the authentication server. A connection request step for requesting to authenticate the connection with the connection, a connection authentication step for performing a connection authentication process for authenticating a connection between the communication device and the network based on the authentication request, and a connection by the connection authentication process. When authenticated, a connection processing step for performing connection processing for connecting the communication device and the network, and disconnecting the communication device connected to the network by the connection processing from the network with respect to the authentication server. A disconnect request step for requesting, and based on the disconnect request, the network of the communication device A disconnection authentication processing step for performing disconnection authentication processing for authenticating the disconnection, a disconnection processing step for performing disconnection processing for disconnecting the communication device from the network when disconnection authentication is performed by the disconnection authentication processing, and the disconnection authentication. When network disconnection without using processing is performed, the method includes an operation restriction step of restricting the operation of the communication device.

  By this method, when a communication device connected to the network is disconnected from the network without permission by a third party, it is possible to prevent the operation of the communication device, and leakage of confidential information due to theft of the communication device. Can be prevented.

  Further, the second communication method of the present invention is a connection confirmation for confirming that the connection between the communication device and the network is continued by connection confirmation data exchanged between the communication device and the authentication server. The method has steps.

  This method can ensure that the connection between the communication device and the authentication server is reliably continued.

  Further, according to a third communication method of the present invention, the connection confirmation unit transmits the connection confirmation data from the authentication server to the communication device at predetermined time intervals set in advance, and the connection Connection confirmation response means for returning a connection confirmation response from the communication device to the authentication server based on reception of confirmation data, and prohibiting connection between the communication device and the network when the connection confirmation response is not received And a connection prohibiting means.

  By this method, when it is not possible to recognize that the communication device and the authentication server are securely connected, a safer communication system can be realized by prohibiting the network connection of the communication device.

  The fourth communication method of the present invention is a method in which the connection prohibiting step includes an alarm sending step of notifying the communication device of a warning.

  By this method, it is possible to know that the communication device has been illegally disconnected from the network.

  The fifth communication method of the present invention is a method including a re-authentication step for performing the connection authentication on a communication device whose connection to the network is prohibited by the connection prohibiting step.

  According to this method, even when a subsequent network connection is prohibited due to a network disconnection that is not illegal, authentication by the authentication server can be performed again to permit the network connection.

  The communication system, communication method, authentication server, and communication device of the present invention are realized by a program for causing a computer to realize the functions of the communication system, the communication method, the authentication server, and the communication device.

  With this program, it is not necessary to configure with special hardware, and it is possible to flexibly add or change new functions.

  The first authentication server of the present invention is an authentication server for authenticating a communication device, and based on a connection authentication request required to authenticate a connection between the communication device and a network, the communication device A connection authentication means for performing connection authentication processing for authenticating a connection between the network and the network, and a disconnection authentication request required to authenticate disconnection of the communication device that has been subjected to the previous connection authentication processing from the network And disconnection authentication means for performing disconnection authentication processing for authenticating disconnection of the communication device from the network.

  With this configuration, when a communication device connected to the network is disconnected from the network by a third party without permission, it is possible to prevent the communication device from being operated, and leakage of confidential information due to theft of the communication device. Can be prevented.

The first communication device of the present invention is a communication device connected to a network, and a connection request for requesting an authentication server that authenticates the communication device to authenticate connection to the network. Means, a connection processing means for performing connection processing to the network when connection authentication is performed by the connection authentication processing performed based on the authentication request, and the authentication server to the network by the connection processing. Disconnection requesting means for requesting to disconnect the connected communication device from the network, and disconnection processing for disconnecting from the network when disconnection authentication is performed by a disconnection authentication process performed based on the disconnection request And an operation restriction for restricting the operation of the communication device when a network disconnection is performed without using the disconnection authentication process. It has a configuration and a stage.

  With this configuration, when a communication device connected to the network is disconnected from the network by a third party without permission, it is possible to prevent the communication device from being operated, and leakage of confidential information due to theft of the communication device. Can be prevented.

  According to the present invention, a communication system, a communication method, and a communication capable of preventing leakage of confidential information even when a communication device connected to the network is disconnected from the network and taken out by a third party without permission. A program and an authentication server can be provided.

(First embodiment)
A first embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram of a communication system 100 according to the first embodiment of the present invention.
The communication system 100 includes a communication device 110 that is connected to the network 99 and performs data communication, and an authentication server 120 that authenticates the communication device 110. A method in which the communication device 110 operates after receiving authentication by the authentication server 120 will be described below.

First, the configuration of the authentication server 120 and the communication device 110 will be briefly described.
The authentication server 120 includes an authentication database 121, a device table 122, an alarm transfer destination table 123, a device authentication registration processing unit 124, a device disconnection processing unit 125, a device connection confirmation unit 126, and an authentication server network processing unit 127.
Further, the communication device 110 includes a connection processing unit 111, a disconnection processing unit 112, and a communication device network processing unit 113.

  The authentication database 121 stores the authentication data of the communication device 110 by the user registering in advance. The device table 122 stores a list of devices that have been authenticated in association with an IP address, a unique device ID, a flag indicating whether unauthorized connection release has been performed, and an authentication key. The alarm transfer destination table 123 records an alarm transfer destination in order to perform processing when the communication device 110 is illegally disconnected. The device authentication registration processing unit 124 performs authentication processing of the communication device 110 and registration processing in the device table 122. Upon receiving a disconnection request from the communication device 110, the device disconnection processing unit 125 performs a disconnect permission process, deletes the entry of the communication device 110 from the device table 122, and returns a message.

  The device connection confirmation unit 126 transmits a message to the communication device 110 registered in the device table 122 at a predetermined time by the user and waits for a response. In view of this, an alarm is transmitted to a transfer destination registered in the alarm transfer destination table 123. The authentication server network processing unit 127 transfers data from the device authentication registration processing unit 124, the device disconnection processing unit 125, and the device connection confirmation unit 126 to the communication device 110 via the network 99.

  The communication device network processing unit 113 transfers data received from the authentication server 120 via the network 99 to the connection processing unit 111 or the disconnection processing unit 112, or transmits data received from the connection processing unit 111 or the disconnection processing unit 112 to the authentication server 120. The connection processing unit 111 performs authentication processing to the authentication server 120 when connecting to the network 99. The disconnection processing unit 112 performs disconnection processing with the authentication server 120 in order to disconnect the communication device 110 from the network 99 in order to perform relocation or maintenance.

  The connection processing unit 111 and the communication device network processing unit 113 of the communication device 110 are examples of a connection request unit and a connection processing unit. The disconnection processing unit 112 of the communication device 110 is an example of a disconnection request unit and a disconnection processing unit. The communication device network processing unit 113 of the communication device 110 is an example of a connection confirmation unit and a connection confirmation response unit.

  The device authentication registration processing unit 124 and the authentication server network processing unit 127 of the authentication server 120 are examples of connection authentication means. The device disconnection processing unit 125 and the authentication server network processing unit 127 of the authentication server 120 are examples of disconnection authentication means. The device connection confirmation unit 126 and the authentication server network processing unit 127 of the authentication server 120 are an example of a connection confirmation unit, a connection confirmation transmission unit, and an alarm transmission unit. The device connection confirmation unit 126 of the authentication server 120 is an example of a connection prohibition unit.

Next, detailed operation of each unit in the authentication server 120 will be described with reference to a flowchart.
First, the operation of the device authentication registration processing unit 124 of the authentication server 120 will be described. FIG. 2 is an operation flowchart of the device authentication registration processing unit 124 according to the first embodiment of the present invention. The device authentication registration processing unit 124 repeats the following processing from step S201 to step S206.

  The device registration processing unit 124 receives device identification data and authentication data such as an IP address and a unique identification ID transmitted from the authentication communication device 110 from the authentication server network processing unit 127 (step S201). Then, the authentication database 121 is referred to, authentication processing is performed using the authentication data received in step S201, and further, the device table 122 is referred to and whether or not the corresponding device has been illegally disconnected before. Confirmation is performed (step S202).

  As a result of step S202, it is determined whether or not the communication device 110 is authenticated and unauthorized connection release is not performed on the device table (step S203). If the determination result in step S203 is true, the device registration processing unit 124 transfers the connection permission response to the authentication server network processing unit 127 to transfer to the communication device 110 (step S204). Then, the identification data of the communication device 110 is registered in the device table 122 (step S205). If the determination result in step S203 is false, the device registration processing unit 124 transfers an error message to the authentication server network processing unit 127 in order to transfer the error message to the communication device 110 (step S206).

Next, the operation of the device disconnection processing unit 125 of the authentication server 120 will be described.
FIG. 3 is an operation flowchart of the device disconnection processing unit 125 according to the first embodiment of the present invention. The device disconnection processing unit 125 repeats the following processing from step S301 to step S306.

  First, the device disconnection processing unit 125 receives the connection disconnection request and device identification data transmitted from the communication device 110 from the authentication server network processing unit 127 (step S301). After referring to the device table 122 based on the device identification data received in step S301 and confirming whether or not the communication device 110 is registered, the device disconnection processing unit 125 refers to the authentication database 121 and performs authentication processing based on the authentication data. Is performed (step S302). As a result of step S302, the device disconnection processing unit 125 determines whether it is registered in the device table 122 and passed authentication (step S303).

  When the determination result in step S303 is true, the device disconnection processing unit 125 transfers a disconnection permission response to the authentication server network processing unit 127 to transfer to the communication device 110 (step S304). Then, the entry data of the communication device 110 is deleted from the device table 122 (step S305). If the determination result in step S303 is false, the device disconnection processing unit 125 transfers the error message to the authentication server network processing unit 127 to transfer the error message to the communication device 110 (step S306).

Next, the operation of the device connection confirmation unit 126 of the authentication server 120 will be described.
FIG. 4 is an operation flowchart of the device connection confirmation unit 126 according to the first embodiment of the present invention. The device connection confirmation unit 126 repeats the following processing from step S401 to step S406.

  First, the device connection confirmation unit 126 waits for a predetermined time (step S401). Then, referring to the device table 122, a connection confirmation message is transmitted to the registered communication device 110 (step S402). Then, it waits to receive an acknowledgment message from each communication device 110 or to time out (step S403). Then, as a result of step S403, it is determined whether there is a device that has timed out (step S404).

  If the determination result in step S404 is true, the device connection confirmation unit 126 transfers information such as the identification ID of the device that has timed out to the alarm transfer destination registered in the alarm transfer destination table 123 (step S405). Then, alarm occurrence information that an alarm has occurred in the communication device 110 that has timed out is registered in the device table 122. (Step S406). If the determination result in step S404 is false, no processing is performed.

Next, the operation of the authentication server network processing unit 127 of the authentication server 120 will be described.
FIG. 5 is an operation flowchart of the authentication server network processing unit 127 according to the first embodiment of the present invention. The authentication server network processing unit 127 repeats the following processing from step S501 to step S507.

  First, some data is received (step S501). The authentication server network processing unit 127 determines the transmission source of this data (step S502). If it is determined in step S502 that the transmission source in step S501 is the communication device 110, the following processing from step S503 to step S506 is performed.

  The authentication server network processing unit 127 determines the content of the command from the communication device 110 (step S503). This command includes a device registration request, a device disconnection request, and a connection confirmation response. If the determination result in step S503 is a device registration request, the authentication server network processing unit 127 transfers the data to the device authentication registration processing unit 124 (step S504). If the determination result in step S503 is a device disconnection request, the authentication server network processing unit 127 transfers data to the device disconnection processing unit 125 (step S505). If the determination result in step S503 is a connection confirmation response, the authentication server network processing unit 127 transfers the data to the device connection confirmation unit 126 (step S506).

  If the transmission source in step S501 is the device authentication registration processing unit 124, the device disconnection processing unit 125, or the device connection confirmation unit 126 based on the determination result in step S502, the authentication server network processing unit 127 is described in the data. The data is transferred via the network 99 to the communication device 110 that is the transfer destination (step S507).

Next, the operation of the communication device 110 will be described using a flowchart.
First, the operation of the communication device network processing unit 113 of the communication device 110 will be described.
FIG. 6 is an operation flowchart of the communication device network processing unit 113 in the first embodiment of the present invention. The communication device network processing unit 113 repeats the following processing from step S601 to step S607. Also,

  First, some data is received (step S601). The communication device network processing unit 113 determines the transmission source of this data (step S602). If it is determined in step S602 that the transmission source in step S601 is the authentication server 120, the following processing from step S603 to step S606 is performed.

  The contents of the command transmitted from the authentication server 120 are determined (step S603). This command includes a connection permission response, a device disconnection response, and a connection confirmation message. If the determination result in step S603 is a connection permission response, the communication device network processing unit 113 transfers the data to the connection processing unit 111 (step S604). If the determination result in step S603 is a device disconnection response, the communication device network processing unit 113 transfers the data to the disconnection processing unit 112 (step S605). If the determination result in step S603 is a connection confirmation message, the communication device network processing unit 113 transmits a data connection confirmation response to the authentication server 120 (step S606).

  If the transmission source in step S601 is the connection processing unit 111 or the disconnection processing unit 112 based on the determination result in step S602, the communication device network processing unit 113 transmits a network to the authentication server 120 that is the transfer destination described in the data. The data is transferred via 99 (step S607).

Next, the operation of the connection processing unit 111 of the communication device 110 will be described.
FIG. 7 is an operation flowchart of the connection processing unit 111 according to the first embodiment of the present invention.

  The communication device 110 is connected to the network 99 by the user, and a network connection request occurs. In order to perform connection processing to the network 99, the connection processing unit 111 transfers the connection registration request to the communication device network processing unit 113 in order to transfer to the authentication server 120 (step S701). In addition, the connection processing unit 111 transfers authentication data and device identification data such as a unique device ID to the communication device network processing unit 113 for transfer to the authentication server 120 (step S702).

  The connection processing unit 111 receives the connection authentication result transmitted from the authentication server 120 from the communication device network processing unit 113 (step S703). It is determined whether or not the result of step S703 is connection authentication pass (step S704). If the determination result in step S704 is true, the connection processing unit 111 performs network settings necessary for network communication (step S705). If the determination result in step S704 is false, the connection processing unit 111 notifies the user that the connection has failed (step S706).

Next, the operation of the disconnection processing unit 112 of the communication device 110 will be described.
FIG. 8 is an operation flowchart of the cutting processing unit 112 in the first embodiment of the present invention.

  First, a network disconnection request by a user occurs. The disconnection processing unit 112 transfers a device disconnection request for performing network disconnection processing to the communication device network processing unit 113 in order to transfer the request to the authentication server 120 (step S801). In addition, the disconnection processing unit 112 transfers device identification data such as a unique device ID to the communication device network processing unit 113 for transfer to the authentication server 120 (step S802).

  The disconnection processing unit 112 receives the disconnection permission transmitted from the authentication server 120 from the communication device network processing unit 113 (step S803). As a result of step S803, it is determined whether or not cutting is permitted (step S804). If the determination result in step S804 is true, the disconnection processing unit 112 notifies the user that disconnection is permitted (step S805). If the determination result in step S804 is false, the disconnection processing unit 112 notifies the user that the disconnection has failed using a GUI or the like (step S806).

According to the communication system of the first embodiment of the present invention, the communication device 110 connected to the network is illegally released by a malicious user and taken out and stored in the communication device. It becomes possible to prevent information from leaking.
(Second Embodiment)

A second embodiment of the present invention will be described with reference to the drawings.
FIG. 9 is a block diagram of a communication system 900 according to the second embodiment of the present invention. The communication system 900 includes a communication device 910 that is connected to the network 99 and performs data communication, and an authentication server 920 that authenticates the communication device 910. A case where the communication device 910 performs an operation after receiving authentication by the authentication server 920 will be described. Here, parts that are the same as those of the communication system 100 according to the first embodiment of the present invention are given the same reference numerals.

First, the configuration of the authentication server 920 and the communication device 910 will be briefly described.
The authentication server 920 includes an authentication database 121, a device table 922, an alarm transfer destination table 123, a device authentication registration processing unit 924, a device disconnection processing unit 925, a device connection confirmation unit 926, an authentication server network processing unit 927, and a connection recovery processing unit 928. Have
The communication device 910 includes a connection processing unit 911, a disconnection processing unit 112, a communication device network processing unit 913, a communication device connection recovery processing unit 914, and a storage unit 915.

  The authentication database 121 stores authentication data of the communication device 910 registered in advance by the user. The device table 922 stores a list of devices that have been authenticated in association with an IP address, a unique device ID, a flag indicating whether unauthorized connection release has been performed, an authentication key, and user data. The alarm transfer destination table 123 records an alarm transfer destination in order to perform processing when the communication device 910 is illegally disconnected. The device authentication registration processing unit 924 performs authentication processing for the communication device 910 and registration processing for the device table 922. Upon receiving a disconnection request from the communication device 910, the device disconnection processing unit 925 performs disconnection permission processing, deletes the entry of the communication device 910 from the device table 922, and then returns a message.

  The device connection confirmation unit 926 sends a message to the communication device 910 registered in the device table 922 at a predetermined time by the user and waits for a response. In view of this, an alarm is transmitted to a transfer destination registered in the alarm transfer destination table 123. The authentication server network processing unit 927 transfers the device authentication registration processing unit 924, the device disconnection processing unit 925, and the device connection confirmation unit 926 to the communication device 910 via the network 99. The connection recovery processing unit 928 performs authentication and performs reconnection when an unintentional disconnection occurs due to a power failure or a network device trouble.

  The communication device network processing unit 913 transfers the data received from the authentication server 920 to the connection processing unit 911 or the disconnection processing unit 112 via the network 99, or authenticates the data from the connection processing unit 911 or the disconnection processing unit 112. Transfer to server 920. The connection processing unit 911 performs authentication processing to the authentication server 920 when connecting to the network 99. The disconnection processing unit 112 performs disconnection processing with the authentication server 920 in order to disconnect the communication device 910 from the network 99 in order to perform relocation or maintenance.

  The communication device connection recovery processing unit 914 authenticates the authentication server 920 again and performs reconnection when an unintentional disconnection due to a power failure or a network device trouble occurs. The storage unit 915 records a public key, a secret key, user data such as a password and user biometric information used to recover the connection of the communication device 910, and a public key of the authentication server 920.

Further, the device authentication registration processing unit 924, the connection recovery processing unit 928, and the authentication server network processing unit 927 of the authentication server 920 are examples of re-authentication means.

Next, detailed operation of each unit in the authentication server 920 will be described with reference to a flowchart.
First, the operation of the device authentication registration processing unit 924 of the authentication server 920 will be described.
FIG. 10 is an operation flowchart of the device authentication registration processing unit 924 in the second embodiment of the present invention. The device authentication registration processing unit 924 repeats the following processing from step S1001 to step S1007.

  The device authentication registration processing unit 924 receives from the authentication server network processing unit 927 the device identification data such as the IP address and unique identification ID transmitted from the communication device 910, authentication data, the public key of the communication device 910, and user data. Receive (step S1001). Then, the authentication database 121 is referred to, authentication processing is performed using the authentication data received in step S1001, and further, the device table 122 is referred to confirm whether or not the corresponding device has been illegally disconnected before. This is performed (step S1002).

  As a result of step S1002, it is determined whether or not the communication device 910 is authenticated and unauthorized connection release is not performed in the device table (step S1003). If the determination result in step S1003 is true, the device authentication registration processing unit 924 transfers the connection permission response to the authentication server network processing unit 927 to transfer to the communication device 910 (step S1004). Then, the device authentication registration processing unit 924 registers the identification data, public key, and user data of the communication device 910 in the device table 922 (step S1005). Further, the device authentication registration processing unit 924 creates a public key and a secret key, and transfers them to the authentication server network processing unit 927 in order to transmit the public key to the communication device 910 (step S1006). If the determination result in step S1003 is false, the device authentication registration processing unit 924 transfers an error message to the authentication server network processing unit 927 to transfer the error message to the communication device 910 (step S1007).

Next, the operation of the device disconnection processing unit 925 of the authentication server 920 will be described.
FIG. 11 is an operation flowchart of the device disconnection processing unit 925 in the second embodiment of the present invention. The device disconnection processing unit 925 repeats the following processing from step S1101 to step S1106.

  The device disconnection processing unit 925 receives the connection disconnection request and device identification data transmitted from the communication device 910 from the authentication server network processing unit 927 (step S1101). After confirming whether or not it is registered by referring to the device table 922 based on the device identification data received in step S1101, the device disconnection processing unit 925 refers to the authentication database 121 and performs an authentication process using the authentication data (step). S1102). As a result of step S1102, the device disconnection processing unit 925 determines whether it is registered in the device table 922 and passed authentication (step S1103).

  When the determination result in step S1103 is true, the device disconnection processing unit 925 transfers a disconnection permission response to the authentication server network processing unit 927 to transfer to the communication device 910 (step S1104). Then, the entry data of the communication device 910 is deleted from the device table 922 (step S1105). If the determination result in step S1103 is false, the device disconnection processing unit 925 transfers the error message to the authentication server network processing unit 927 in order to transfer it to the communication device 910 (step S1106).

Next, the operation of the device connection confirmation unit 926 of the authentication server 920 will be described.
FIG. 12 is an operation flowchart of the device connection confirmation unit 926 in the second embodiment of the present invention. The device connection confirmation unit 926 repeats the following processing from step S1201 to step S1206.

  First, the device connection confirmation unit 926 waits for a preset fixed time (step S1201). Then, with reference to the device table 922, a connection confirmation message is transmitted to the registered communication device 910 (step S1202). Then, it waits to receive an acknowledgment message from each communication device 910 or to time out (step S1203). As a result of step S1203, the device connection confirmation unit 926 determines whether there is a device that has timed out (step S1204).

  If the determination result in step S1204 is true, the device connection confirmation unit 926 transfers information such as the identification ID of the device that has timed out to the alarm transfer destination registered in the alarm transfer destination table 123 (step S1205). Then, alarm occurrence information that an alarm has occurred in the communication device 910 that has timed out is registered in the device table 922 (step S1206). If the determination result in step S1204 is false, no processing is performed.

Next, the operation of the connection recovery processing unit 928 of the authentication server 920 will be described.
FIG. 23 is an operation flowchart of the connection recovery processing unit 928 in the second embodiment of the present invention. The connection recovery processing unit 928 repeats the following processing from step S2301 to step S2307.

  The connection recovery processing unit 928 receives the connection recovery request transmitted from the communication device 910 from the authentication server network processing unit 927 (step S2301). Then, user data such as an encrypted passphrase and biometric data transmitted from the communication device 910 is received from the authentication server network processing unit 927 (step S2302). The connection recovery processing unit 928 decrypts the encrypted user data received in step S2302 using the public key stored in the device table 922, and further collates with the registered user data. (Step S2303).

  As a verification result of step S2303, the connection recovery processing unit 928 determines whether or not the transmitted user data is the same as that registered (step S2304). If the determination result in step S2304 is true, the connection recovery processing unit 928 notifies the alarm transfer destination registered in the alarm transfer destination table 123 that the communication device 910 has resumed connection (step S2305). Then, the connection recovery processing unit 928 transfers the connection recovery permission to the authentication server network processing unit 927 in order to transfer it to the communication device 910 (step S2306). If the determination result in step S2304 is false, the connection recovery processing unit 928 transfers a connection recovery rejection notification to the authentication server network processing unit 927 to transfer to the communication device 910 (step S2307).

Next, the operation of the authentication server network processing unit 927 of the authentication server 920 will be described.
FIG. 13 is an operation flowchart of the authentication server network processing unit 927 in the second embodiment of the present invention. The authentication server network processing unit 927 repeats the following processing from step S1301 to step S1308.

  First, some data is received (step S1301). The authentication server network processing unit 927 determines the transmission source of this data (step S1302). If it is determined in step S1302 that the transmission source in step S1301 is the communication device 910, the following processing from step S1303 to step S1306 is performed.

  The authentication server network processing unit 927 determines the content of the command from the communication device 910 (step S1303). This command includes a device registration request, a device disconnection request, a connection confirmation response request, and a connection recovery request. If the determination result in step S1303 is a device registration request, the authentication server network processing unit 927 transfers the data to the device authentication registration processing unit 924 (step S1304). If the determination result in step S1303 is a device disconnection request, the authentication server network processing unit 927 transfers data to the device disconnection processing unit 925 (step S1305). If the determination result in step S1303 is a connection confirmation response, the authentication server network processing unit 927 transfers data to the device connection confirmation unit 926 (step S1306). If the determination result in step S1303 is a connection recovery request, the authentication server network processing unit 927 transfers data to the connection recovery processing unit 928 (step S1307).

  If the transmission result of step S1301 is the device authentication registration processing unit 924, the device disconnection processing unit 925, the device connection confirmation unit 926, or the connection recovery processing unit 928 based on the determination result of step S1302, the authentication server network processing unit 927 Data is transferred via the network 99 to the communication device 910 that is the transfer destination described in the data (step S1308).

Next, the operation of the communication device 910 will be described using a flowchart.
First, the operation of the communication device network processing unit 913 of the communication device 910 will be described.
FIG. 14 is an operation flowchart of the communication device network processing unit 913 in the second embodiment of the present invention. The communication device network processing unit 913 repeats the following processing from step S1401 to step S1408.

  First, some data is received (step S1401). The communication device network processing unit 913 determines the transmission source of this data (step S1402). As a result of the determination in step S1402, when the transmission source in step S1401 is the authentication server 920, the following processing from step S1403 to step S1407 is performed.

  The communication device network processing unit 913 determines the content of the command from the authentication server 920 (step S1403). This command includes a connection permission response, a device disconnection response, a connection confirmation message, and a connection recovery response. If the determination result in step S1403 is a connection permission response, the communication device network processing unit 913 transfers data to the connection processing unit 911 (step S1404). If the determination result in step S1403 is a device disconnection response, the communication device network processing unit 913 transfers the data to the disconnection processing unit 112 (step S1405). If the determination result in step S1403 is a connection confirmation message, the communication device network processing unit 913 transmits a data connection confirmation response to the authentication server 920 (step S1406). If the determination result in step S1403 is a connection recovery response, the communication device network processing unit 913 transmits data to the communication device connection recovery processing unit 914 (step S1406).

  If the transmission source in step S1401 is the connection processing unit 911, the disconnection processing unit 112, or the communication device connection recovery processing unit 914 based on the determination result in step S1402, the communication network processing unit 913 transfers the transfer destination described in the data. The data is transferred to the authentication server 920 via the network 99 (step S1407).

Next, the operation of the connection processing unit 911 of the communication device 910 will be described.
FIG. 15 is an operation flowchart of the connection processing unit 911 in the second embodiment of the present invention.

  The communication device 910 is connected to the network 99 by the user, and a network connection request occurs. In order to perform connection processing to the network 99, the connection processing unit 911 transfers the connection registration request to the communication device network processing unit 913 in order to transfer to the authentication server 920 (step S1501). The connection processing unit 911 inputs user data such as a password and biometric information by a user and generates a public key and a secret key, and then device identification data such as user data, authentication data, and a unique device ID. The public key is transferred to the communication device network processing unit 913 to be transferred to the authentication server 920 (step S1502).

  The connection processing unit 911 receives the connection authentication result transmitted from the authentication server 920 from the communication device network processing unit 913 (step S1503). Then, it is determined whether or not the result of step S1503 is connection authentication pass (step S1504). If the determination result in step S1504 is true, the connection processing unit 911 performs network settings necessary for network communication, receives the public key of the authentication server, and registers it in the storage unit 915 (step S1505). If the determination result in step S704 is false, the connection processing unit 911 notifies the user that the connection has failed using a GUI or the like (step S1506).

Next, the operation of the communication device connection recovery processing unit 914 of the communication device 910 will be described.
FIG. 24 is an operation flowchart of the communication device connection recovery processing unit 914 in the second embodiment of the present invention. The communication device connection recovery processing unit 914 repeats the processing from step S2401 to step S2407 below.

  First, a connection restart request is input by the user (step S2401). User data such as a passphrase and biometric data previously transferred from the user to the authentication server 920 is input (step S2402). When the user data registered in the storage unit 915 and the above-described user data are collated and the data matches, the communication device connection recovery processing unit 914 stores the secret key registered in the storage unit 915. The user data is encrypted using, and transmitted to the communication device network processing unit 913 for transmission to the authentication server 920 together with the connection recovery request (step S2403). Then, it waits for a connection recovery response from the authentication server 920 (step S2404).

  It is determined whether or not the connection recovery response received in step S2404 is connection recovery permission (step S2405). If the determination result in step S2405 is true, the communication device connection recovery processing unit 914 notifies the user that the connection has been recovered and resumed (step S2406). If the determination result of step S2405 is false, that is, if connection recovery is rejected or time-out, the communication device connection recovery processing unit 914 has refused connection recovery to the authentication server 920 by the user, or due to a time-out. It is notified that connection cannot be resumed (step S2407).

According to the communication system 900 according to the second embodiment of the present invention, even if communication cannot be performed due to a power failure or a network failure, it is impossible to transmit a connection confirmation response to the authentication server 920. It is possible to resume the connection with a simple procedure.
(Third embodiment)

A third embodiment of the present invention will be described with reference to the drawings.
FIG. 16 is a block diagram of a communication system 1600 according to the third embodiment of the present invention. The communication system 1600 includes a communication device 1610 that is connected to the network 99 and performs data communication, and an authentication server 120 that authenticates the communication device 1610. Here, since the authentication server in the third embodiment of the present invention is the same as the authentication server 120 in the first embodiment of the present invention, the same reference numerals are given and the description is omitted.

First, the configuration of the communication device 1610 will be briefly described.
The communication device 1610 includes a connection processing unit 1611, a disconnection processing unit 1612, a communication device network processing unit 1613, and a connection confirmation detection processing unit 1614.

  The communication device network processing unit 1613 transfers data received from the authentication server 120 to the connection processing unit 1611 or the disconnection processing unit 1612 via the network 99, or authenticates data from the connection processing unit 1611 or the disconnection processing unit 1612. Transfer to server 120. The connection processing unit 1611 performs authentication processing to the authentication server 120 when connecting to the network 99. The disconnection processing unit 1612 performs disconnection processing with the authentication server 120 in order to disconnect the communication device 1610 from the network 99 in order to perform relocation or maintenance. Based on the detection of the connection confirmation message transmitted from the authentication server 120, the connection confirmation detection processing unit 1614 recognizes that the communication device 1610 is connected to the network 99, and only when the communication device 1610 is connected. Control is performed so that access to the storage area is permitted.

  Further, the connection confirmation detection processing unit 1614 and the communication device network processing unit 1613 of the communication device 1610 are an example of an operation restriction unit.

The operation of communication device 1610 will be described below using a flowchart.
First, the operation of the communication device network processing unit 1613 of the communication device 1610 will be described.
FIG. 17 is an operation flowchart of the communication device network processing unit 1613 in the third embodiment of the present invention. The communication device network processing unit 1613 repeats the following processing from step S1707 to step S1707.

  First, some data is received (step S1701). The communication device network processing unit 1613 determines the transmission source of this data (step S1702). If it is determined in step S1702 that the transmission source in step S1707 is the authentication server 120, the following processing from step S1703 to step S1706 is performed.

  The communication device network processing unit 1613 determines the content of the command from the authentication server 120 (step S1703). This command includes a device registration response, a device disconnection response, and a connection confirmation message. If the determination result in step S1703 is a device registration response, the communication device network processing unit 1613 transfers the data to the connection processing unit 1611 (step S1704). If the determination result in step S1703 is a device disconnection response, the communication device network processing unit 1613 transfers the data to the disconnection processing unit 1612 (step S1705). If the determination result in step S1703 is a connection confirmation message, the communication device network processing unit 1613 transfers the data to the connection confirmation detection processing unit 1614 (step S1706).

  If it is determined in step S1702 that the transmission source in step S1707 is the connection processing unit 1611 or the disconnection processing unit 1612, the communication device network processing unit 1613 transmits a network to the authentication server 120 that is the transfer destination described in the data. The data is transferred via 99 (step S1707).

Next, the operation of the connection processing unit 1611 of the communication device 1610 will be described.
FIG. 18 is an operation flowchart of the connection processing unit 1611 in the third embodiment of the present invention.

  The communication device 1610 is connected to the network 99 by the user, and a network connection request occurs. The connection processing unit 1611 transfers a connection registration request for performing a connection process to the network 99 to the communication device network processing unit 1613 for transfer to the authentication server 120 (step S1801). In addition, the connection processing unit 1611 transfers authentication data and device identification data such as a unique device ID to the communication device network processing unit 1613 for transfer to the authentication server 120 (step S1802). The connection processing unit 1611 receives the connection authentication result transmitted from the authentication server 120 from the communication device network processing unit 1613 (step S1803).

  As a result of step S1803, it is determined whether or not connection authentication is passed (step S1804). If the determination result in step S1804 is true, the connection processing unit 1611 performs network settings necessary for network communication (step S1805), and notifies the connection confirmation detection processing unit 1614 that the connection has been made (step S1805). S1806). If the determination result in step S1804 is false, the connection processing unit 1611 notifies the user that the connection has failed using a GUI or the like (step S1807).

Next, the operation of the disconnection processing unit 1612 of the communication device 1610 will be described.
FIG. 19 is an operation flowchart of the cutting processing unit 1612 in the third embodiment of the present invention.

  When a network disconnection request is made by the user, the disconnection processing unit 1612 transfers a device disconnection request for performing the network disconnection processing to the communication device network processing unit 113 for transfer to the authentication server 120 (step S1901). Also, the disconnection processing unit 1612 transfers device identification data such as a unique device ID to the communication device network processing unit in order to transfer to the authentication server 120 (step S1902). The disconnection processing unit 1612 receives the disconnection permission transmitted from the authentication server 120 from the communication device network processing unit 1613 (step S1903).

  As a result of step S1903, it is determined whether or not cutting is permitted (step S1904). If the determination result in step S1904 is true, the disconnection processing unit 1612 notifies the user that disconnection is permitted (step S1905), and the connection confirmation detection processing unit 1614 is normally disconnected from the network 99. This is notified (step S1906). If the determination result in step S1904 is false, the disconnection processing unit 1612 notifies the user that the disconnection has failed using a GUI or the like (step S1907).

Next, the operation of the connection confirmation detection processing unit 1614 of the communication device 1610 will be described.
FIG. 20 is an operation flowchart of the connection confirmation detection processing unit 1614 in the third embodiment of the present invention.

  First, the connection confirmation detection processing unit 1614 receives notification from the connection processing unit 1611 that it is connected to the network 99 (step S2001). Next, the connection confirmation detection processing unit 1614 repeats the following processing from step S2002 to step S2007. One of reception of a connection confirmation message from the communication device network processing unit 1613, timeout, or message reception from the disconnection processing unit 1612 is performed (step S2002). The connection confirmation detection processing unit 1614 determines the event in step S2002 (step S2003).

  If the determination result in step S2003 is message reception from the disconnection processing unit 1612, the connection confirmation detection processing unit 1614 exits from the loop and returns to step S2001 (step S2004). If the determination result in step S2003 is a timeout, the connection confirmation detection processing unit 1614 locks the operation of the storage area controller, access to the storage area, and reading / writing, and sets the stop flag to 1 (step S2005).

  If the determination result in step S2003 is reception of a connection confirmation message, the connection confirmation detection processing unit 1614 determines whether or not the stop flag is 1 (step S2006). If the determination result in step S2006 is true, the connection confirmation detection processing unit 1614 releases the operation of the storage area controller, access to the storage area, and read / write lock, and sets the stop flag to 0 (step S2007). . If the determination result in step S2006 is false, nothing is performed.

According to the communication system 1600 in the third embodiment of the present invention, the storage area of the communication device 1610 can be operated only while the communication device 1610 is connected to the network 99 and authenticated by the authentication server 120. Thus, even if the communication device 1610 is taken out, the data in the storage area can be protected.
(Fourth embodiment)

Next, a fourth embodiment of the present invention will be described with reference to the drawings.
FIG. 21 is a block diagram of a communication system 2100 according to the fourth embodiment of the present invention.
The communication system 2100 includes a communication device 2110 that is connected to the network 99 and performs data communication, and an authentication server 120 that authenticates the communication device 2110. Here, the authentication server in the fourth embodiment of the present invention is the same as the authentication server 120 in the first embodiment of the present invention.

  The communication device network processing unit 1613 transfers data received from the authentication server 120 via the network 99 to the connection processing unit 1611 or the disconnection processing unit 1612, or transmits data from the connection processing unit 1611 or the disconnection processing unit 1612 to the authentication server 120. The connection processing unit 1611 performs authentication processing to the authentication server 120 when connecting to the network 99. The disconnection processing unit 1612 performs disconnection processing with the authentication server 120 in order to disconnect the communication device 2110 from the network 99 in order to perform relocation or maintenance. The connection confirmation detection processing unit 2111 recognizes that the communication device 2110 is authenticated and connected to the network 99 based on detection of the connection confirmation message transmitted from the authentication server 120, and communicates only while connected. Control is performed so as to permit the operation of each function possessed by the device 2110. Here, the communication device network processing unit 1613, the connection processing unit 1611, and the disconnection processing unit 1612 are the same as those in the third embodiment of the present invention, and thus description thereof is omitted.

  In addition, the connection confirmation detection processing unit 2111 and the communication device network processing unit 1613 of the communication device 2110 are examples of operation restriction means.

Next, the operation of the connection confirmation detection processing unit 2111 of the communication device 2110 will be described.
FIG. 22 is an operation flowchart of the connection confirmation detection processing unit 2111 according to the fourth embodiment of the present invention. First, the connection confirmation detection processing unit 2111 receives a notification from the connection processing unit 1611 that the connection to the network 99 has been disconnected (step S2201). Next, the connection confirmation detection processing unit 2111 repeats the following processing from step S2202 to step S2207.

  The connection confirmation detection processing unit 2111 receives a connection confirmation message, a timeout notification, or receives a message from the disconnection processing unit 1612 from the communication device network processing unit 1613. (Step S2202). Then, the event determination in step S2202 is performed (step S2203). If the determination result in step S2203 is that the message has been received from the disconnection processing unit 1612, the connection confirmation detection processing unit 2111 exits the loop and returns to step S2201 (step S2204). If the determination result in step S2203 is a timeout, the connection confirmation detection processing unit 2111 locks the operation of the function of the communication device 2110 and prohibits the operation of the communication function, and sets the stop flag to 1 (step S2205). .

  If the determination result in step S2203 is reception of a connection confirmation message, the connection confirmation detection processing unit 2111 determines whether the stop flag is 1 (step S2206). If the determination result in step S2206 is true, the connection confirmation detection processing unit 2111 enables the operation by releasing the operation lock of the communication device 2110 and permitting the operation of each function of the communication device 2110. The flag is set to 0 (step S2207). If the determination result in step S2206 is false, nothing is processed.

  According to the communication system 2100 in the fourth embodiment of the present invention, the communication device 2110 can be operated only while the communication device 2110 is connected to the network 99, and the communication device is stolen. It can be prevented from being used in a place.

  The present invention relates to a communication system, a communication method, and a communication program capable of preventing leakage of confidential information even when a communication device connected to the network is disconnected from the network and taken out by a third party. It is useful for authentication servers.

The block diagram of the communication system in the 1st Embodiment of this invention. The operation | movement flowchart of the apparatus authentication registration process part of the authentication server in the 1st Embodiment of this invention The operation | movement flowchart of the apparatus cutting process part of the authentication server in the 1st Embodiment of this invention The operation | movement flowchart of the apparatus connection confirmation part of the authentication server in the 1st Embodiment of this invention Operation flow diagram of the authentication server network processing unit of the authentication server in the first embodiment of the present invention The operation | movement flowchart of the communication apparatus network processing part of the communication apparatus in the 1st Embodiment of this invention The operation | movement flowchart of the connection process part of the communication apparatus in the 1st Embodiment of this invention Operation flow diagram of disconnection processing unit of communication device in first embodiment of the present invention The block diagram of the communication system in the 2nd Embodiment of this invention. The operation | movement flowchart of the apparatus authentication registration process part of the authentication server in the 2nd Embodiment of this invention The operation | movement flowchart of the apparatus cutting process part of the authentication server in the 2nd Embodiment of this invention The operation | movement flowchart of the apparatus connection confirmation part of the authentication server in the 2nd Embodiment of this invention Operation flow diagram of authentication server network processing unit of authentication server in second embodiment of the present invention Operation flow diagram of communication device network processing unit of communication device in second embodiment of the present invention The operation | movement flowchart of the connection process part of the communication apparatus in the 2nd Embodiment of this invention The block diagram of the communication system in the 3rd Embodiment of this invention. Operation flow diagram of communication device network processing unit of communication device in third embodiment of the present invention Operation flow diagram of connection processing unit of communication device in third embodiment of the present invention Operation flow diagram of disconnection processing unit of communication device in third embodiment of the present invention Operation flow diagram of connection confirmation detection processing unit of communication device in third embodiment of the present invention The block diagram of the communication system in the 4th Embodiment of this invention. Operation flow diagram of connection confirmation detection processing unit in the fourth embodiment of the present invention The operation | movement flowchart of the connection recovery process part of the authentication server in the 2nd Embodiment of this invention Operation flow diagram of communication device connection recovery processing unit of communication device in second embodiment of the present invention

Explanation of symbols

99 Network 100 Communication system 110 according to the first embodiment of the present invention Communication apparatus 111 according to the first embodiment of the present invention Connection processing unit 112 of the communication apparatus according to the first embodiment of the present invention First embodiment of the present invention Communication device disconnection processing unit 113 in the embodiment Communication device network processing unit 120 of the communication device in the first embodiment of the present invention Authentication server 121 in the first embodiment of the present invention Authentication server in the first embodiment of the present invention Authentication database 122 of the authentication server in the first embodiment of the present invention 123 Alarm transfer destination table 124 of the authentication server in the first embodiment of the present invention Device authentication of the authentication server in the first embodiment of the present invention Registration processing unit 125 Device disconnection processing of the authentication server in the first embodiment of the present invention 126 Device connection confirmation unit 127 of the authentication server in the first embodiment of the present invention 127 Authentication server network processing unit 900 of the authentication server in the first embodiment of the present invention The communication system 910 in the second embodiment of the present invention Communication device 911 according to the second embodiment of the present invention Communication device connection processing unit 913 according to the second embodiment of the present invention Communication device network processing unit 914 of the communication device according to the second embodiment of the present invention Communication device connection recovery processing unit 915 of the communication device in the embodiment Communication device storage unit 920 in the second embodiment of the present invention Authentication server 922 in the second embodiment of the present invention Authentication in the second embodiment of the present invention Server device table 924 Device authentication registration processing unit 925 of the authentication server according to the second embodiment of the present invention. Device disconnection processing unit 926 of the authentication server in the second embodiment of the invention Device connection confirmation unit 927 of the authentication server in the second embodiment of the present invention Authentication server network processing unit of the authentication server in the second embodiment of the present invention 928 Authentication server connection recovery processing unit 1600 according to the second embodiment of the present invention Communication system 1610 according to the third embodiment of the present invention Communication device 1611 according to the third embodiment of the present invention Third embodiment of the present invention Communication device connection processing unit 1612 in the third embodiment of the present invention Communication device disconnection processing unit 1613 in the third embodiment of the present invention Communication device network processing unit 1614 of the communication device in the third embodiment of the present invention. Communication device connection confirmation detection processing unit 2100 in the fourth embodiment of the present invention. Ten fourth connection confirmation detection processing unit of the communication device in a fourth embodiment of the communication device 2111 present invention in an embodiment of the invention

Claims (13)

A communication system having a communication device connected to a network and an authentication server for performing authentication of the communication device, wherein the communication device is:
Connection request means for requesting the authentication server to authenticate connection to the network;
A connection processing means for performing connection processing to the network when connection authentication is performed by connection authentication processing performed based on the authentication request;
A disconnect request means for requesting the authentication server to disconnect the communication device connected to the network from the network by the connection processing;
Disconnection processing means for performing disconnection processing from the network when disconnection authentication is performed by disconnection authentication processing performed based on the disconnection request;
When a network disconnection without using the disconnection authentication process is performed, operation restriction means for restricting the operation of the communication device, and the authentication server,
Connection authentication means for performing the connection authentication processing of the communication device based on the connection authentication request;
A communication system comprising: a disconnect authentication unit that performs the disconnect authentication process of the communication device based on the disconnect authentication request. The communication system according to claim 1,
A communication system comprising connection confirmation means for confirming that the connection between the communication device and the authentication server is continued by connection confirmation data exchanged between the communication device and the authentication server. The communication system according to claim 2, wherein the connection confirmation unit includes:
A connection confirmation transmitting means for transmitting the connection confirmation data from the authentication server to the communication device at predetermined time intervals;
A connection confirmation response means for returning a connection confirmation response from the communication device to the authentication server based on the reception of the connection confirmation data;
A communication system comprising: connection prohibiting means for prohibiting connection between the communication device and the network when the connection confirmation response has not been received. The communication system according to claim 3, wherein the connection prohibition unit includes:
A communication system comprising alarm transmission means for notifying the communication device of a warning.   5. The communication system according to claim 3, further comprising a re-authentication unit that performs the connection authentication on a communication device that is prohibited from connecting to the network by the connection prohibiting unit. Communications system. A communication method having a communication device connected to a network and an authentication server for authenticating the communication device,
A connection requesting step for requesting the authentication server to authenticate a connection between the communication device and the network;
A connection authentication step for performing connection authentication processing for authenticating a connection between the communication device and the network based on the authentication request;
A connection processing step for performing connection processing for connecting the communication device and the network when connection authentication is performed by the connection authentication processing;
A disconnect request step for requesting the authentication server to disconnect the communication device connected to the network from the network by the connection process;
A disconnect authentication processing step for performing a disconnect authentication process for authenticating disconnection of the communication device from the network based on the disconnect request;
A disconnection process step of performing a disconnection process for disconnecting the communication device from the network when disconnection authentication is performed by the disconnection authentication process;
An operation restriction step of restricting the operation of the communication device when a network disconnection is performed without using the disconnection authentication process. The communication method according to claim 6, comprising:
A communication method comprising a connection confirmation step of confirming that the connection between the communication device and the network is continued by connection confirmation data exchanged between the communication device and the authentication server. The communication method according to claim 7, wherein the connection confirmation step includes:
A connection confirmation transmission step of transmitting the connection confirmation data from the authentication server to the communication device at predetermined time intervals;
A connection confirmation response step of returning a connection confirmation response from the communication device to the authentication server based on the reception of the connection confirmation data;
And a connection prohibiting step of prohibiting connection between the communication device and the network when the connection confirmation response is not received. 9. The communication method according to claim 8, wherein the connection prohibiting step includes:
A communication method comprising an alarm transmission step of notifying the communication device of a warning. The communication method according to claim 8 or 9, wherein
A communication method comprising a re-authentication step of performing the connection authentication on a communication device whose connection to the network is prohibited by the connection prohibition step.   The communication program which performs each step in any one of Claim 6 thru | or 10. An authentication server for authenticating communication devices,
A connection authentication means for performing a connection authentication process for authenticating a connection between the communication device and the network based on a connection authentication request required to authenticate a connection between the communication device and the network;
Disconnection that performs disconnection authentication processing for authenticating disconnection of the communication device from the network based on a disconnection authentication request that is required to authenticate disconnection of the communication device that has been subjected to connection authentication processing from the network. An authentication server having authentication means. A communication device connected to a network,
Connection request means for requesting an authentication server for authenticating the communication device to authenticate connection to the network;
A connection processing means for performing connection processing to the network when connection authentication is performed by connection authentication processing performed based on the authentication request;
A disconnect request means for requesting the authentication server to disconnect the communication device connected to the network from the network by the connection processing;
Disconnection processing means for performing disconnection processing from the network when disconnection authentication is performed by disconnection authentication processing performed based on the disconnection request;
A communication device having operation restriction means for restricting the operation of the communication device when a network disconnection is performed without using the disconnection authentication process.

Images