JP4857857B2 - Seed information management server and authentication system - Google Patents

Description

The present invention relates to a sheet over de information management server and the authentication system.

  Various authentication methods based on password authentication have been put to practical use as methods for ensuring security when accessing a computer or a communication network. There are fixed passwords and one-time passwords (hereinafter referred to as OTP) as passwords used. However, in the authentication method using fixed passwords, the password is broken using a password cracking tool, etc. There is a disadvantage of being easily accessible. On the other hand, the authentication method based on OTP has a feature that unauthorized access is less likely because authentication is performed using a temporary password that changes with time, and various methods have been proposed (for example, Patent Document 1). reference).

  An authentication system that also uses an OTP authentication method includes an OTP generator (so-called token) that generates an OTP and an authentication server that performs authentication. The OTP generator stores one unique code information (hereinafter referred to as seed information) in a storage means such as a built-in ROM (Read Only Memory), and is timed by this seed information and a built-in timing means. Identification information, that is, OTP is generated by calculating current time information by a predetermined encoding algorithm. When logging in to a desired server or system, a user who is a user of the authentication system inputs the generated OTP together with a login ID (user ID) using a terminal device such as a PC (Personal Computer). .

On the other hand, the same seed information as the seed information stored in the OTP generator is stored in the authentication server. That is, one seed information is stored in each of the OTP generator and the authentication server, and the authentication server stores seed information for the number of OTP generators distributed to the user. The authentication server calculates the seed information corresponding to the OTP generator of the user who has logged in and the current time information timed by the built-in time measuring means using the same encoding algorithm as the OTP generator. User authentication is performed by generating an OTP for verification and comparing the OTP for verification with the OTP input from the user.
JP 2000-357156 A

  As described above, in the authentication system using the conventional OTP authentication method, the seed information stored in the OTP generator needs to be stored in the authentication server. For example, when an employee accesses a company server of the company or another company within the company, an authentication server is placed between the company server and the employee's terminal, and unique seed information is generated for each employee. Is set in advance in the OTP generator and the authentication server.

However, when the number of users using the authentication system is an unspecified number, there is a problem that the procedure for its operation becomes complicated and lacks practicality. For example, in a situation where a general user makes a credit payment in online shopping, if an OTP authentication method is used to respond to a request for identity authentication, each of the OTPs corresponding to the number of users is assigned to each OTP. Since it is necessary to set in advance in the generator and the authentication server of the credit company, the procedure for its operation and management becomes extremely complicated.
In addition, since the seed information is different for each server or system of each service provider company that is normally the login destination, the user needs to own the number of seed information corresponding to the login destination, that is, the OTP generator. For this reason, the user needs to use different OTP generators according to the login destination, and the procedure for using the OTP generator is complicated.

  An object of the present invention is to improve convenience related to operation and use of seed information in an authentication system using an authentication method using a one-time password.

According to the first aspect of the present invention, the identification information generated by the identification information generation device based on one seed information is compared with the identification information for verification generated based on the same seed information as the seed information. A seed information management server connected via a communication line to a plurality of authentication servers that perform authentication, and a plurality of unique IDs assigned to the plurality of identification information generation apparatuses and a plurality of identification information generation apparatuses stored therein Seed information storage means for associating and storing a plurality of selection information corresponding to each of the plurality of seed information, a specific unique ID from the authentication server, and the authentication server assigned to the authentication server Receiving means for receiving instruction information using selection information as a search key; and seed information corresponding to the received instruction information from a plurality of seed information stored in the seed information storage means And search, reading means for reading out the seed information applicable, characterized in that the read seed information was provided with a transmission unit that transmits to the authentication server.

The invention according to claim 4 is connected to the seed information management server according to any one of claims 1 to 3, the seed information management server, and the access terminal via a communication line, and is stored in the identification information generation device. Among the plurality of seed information, an authentication server that performs authentication by comparing the identification information generated based on one seed information with the identification information for verification generated based on the same seed information as the seed information. The authentication server comprises: a unique ID receiving means for receiving, from the access terminal, a unique ID unique to the identification information generating device and user information relating to a user possessing the identification information generating device; Selection information storage means for storing selection information pre-assigned to each operator to which the authentication server belongs, and the received unique ID together with the selection information Transmitting means for transmitting to the node information management server, seed information receiving means for receiving one seed information corresponding to the transmitted unique ID and selection information from the seed information management server, and the received seed information A user-specific seed information storage means for storing the user information in association with the user information, and when the user information and the identification information are transmitted from the access terminal, the seed information corresponding to the user information is stored in the user-specific seed information storage. And generating the collation identification information based on the read seed information, collating the generated collation identification information with the transmitted identification information, and performing user authentication. And an authentication means.

According to the first aspect of the present invention, even when a plurality of seed information is stored in one identification information generating device, the seed information corresponding to the authentication server corresponding to each of the plurality of seed information is authenticated. Since it can be transmitted to the server, the convenience related to the operation and use of the seed information can be improved.

According to invention of Claim 4 , even if it is a case where several seed information is memorize | stored in one identification information production | generation apparatus, one seed information according to an own authentication server among these several seed information Can be stored and authenticated based on the seed information, so that the convenience of using and using the seed information can be improved.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings. However, the scope of the invention is not limited to the illustrated examples.

  First, the configuration of the authentication system 100 in the present embodiment will be described with reference to FIG. As shown in FIG. 1, the authentication system 100 includes an OTP generator 10, an access terminal 20, an operator authentication server 30, a seed information management server 40, etc., and at least the access terminal 20, the operator authentication server 30, and operator authentication A server 30 and a seed information management server 40 are connected to each other via a network N so as to be able to transmit and receive data. In addition, the quantity of each apparatus which comprises the authentication system 100 shall not be limited to the example of illustration, For example, it is good also as an aspect provided with the some provider authentication server 30 from which each provider differs. The network configuration formed by each device is not limited to the illustrated example. For example, the provider authentication server 30 and the seed information management server 40 may be connected via another network.

  The network N is, for example, a WAN (Wide Area Network), but may include a LAN (Local Area Network), and includes a telephone line network, an ISDN (Integrated Services Digital Network) line network, a broadband communication line network, a dedicated line, and a mobile line. It may be configured to include a body communication network, a communication satellite line, a CATV (Community Antenna TeleVision) line, an optical communication line, a wireless communication line, and an Internet service provider that connects them. The data communication protocol between the devices is not particularly limited. For example, it is preferable to use a protocol that takes security into consideration, such as TLS / SSL, S / MIME, and IPsec. Also, a unique protocol may be used.

  The OTP generator 10 is a so-called token distributed to each user, and generates an OTP serving as user identification information in the authentication system 100 from the seed information and time information in response to an operation from the user via the operation unit 12. To do.

  FIG. 2 is a block diagram showing an internal configuration of the OTP generator 10. As shown in FIG. 2, the OTP generator 10 includes a CPU 11, an operation unit 12, a display unit 13, a ROM 14, a RAM 15, a time measuring unit 16, a storage unit 17, an I / F unit 18, and the like. Connected.

  The CPU 11 uses the RAM 15 as a work area, executes various processes in cooperation with various programs stored in advance in the ROM 14, and comprehensively controls the operations of the units constituting the OTP generator 10.

  The operation unit 12 includes various input keys and the like, and outputs an input signal input by a user operation to the CPU 11. The display unit 13 is configured by an LCD (Liquid Crystal Display), an ELD (Electro Luminescence Display) panel, or the like, and displays various types of information based on display signals from the CPU 11. The display unit 13 may be configured to form a touch panel integrally with the operation unit 12.

  The ROM 14 stores a program necessary for the operation of the OTP generator 10 and data related to execution of the program. As shown in FIG. 2, the ROM 14 stores a system program 141, an OTP generation program 142, a seed number management program 143, a seed table 144, and an OTP generator unique ID 145.

  The system program 141 is a program for realizing basic functions as an OTP generator. In cooperation with the system program 141, the CPU 11 assigns execution of a predetermined function to, for example, read / write control of various data to the storage unit 17, display control to the display unit 13, and predetermined input keys of the operation unit 12. Implement input control.

  The OTP generation program 142 is a program for realizing various functions related to OTP generation. The CPU 11 generates an OTP based on a predetermined algorithm based on the one seed information and the time information input from the timer unit 16 in cooperation with the OTP generation program 142.

  The seed number management program 143 is a program for realizing various functions related to registration and management of the seed number management table 171 stored in the storage unit 17. The CPU 11 executes a seed number management process (see FIG. 21) described later in cooperation with the seed number management program 143.

  In the seed table 144, a plurality of seed information is registered in association with a plurality of seed numbers (selection information) corresponding to each of the plurality of seed information.

  FIG. 3 is a diagram showing an example of the seed table 144 stored in the ROM 14. As shown in FIG. 3, in the seed table 144, a plurality of seed information (12345567890 etc.) and a plurality of seed numbers (1 to 20) corresponding to each of the plurality of seed information are registered in association with each other. Yes. The number of seed information registered in the seed table 144 is not limited to the illustrated example, and is not particularly limited. When a specific seed number is selected by the user via the operation unit 12, the CPU 11 reads seed information corresponding to the selected seed number from the seed table 144, and cooperates with the above-described OTP generation program 142. An OTP is generated based on the read seed information. Further, the CPU 11 transmits the generated OTP to an external device via the I / F unit 18 or causes the display unit 13 to display the generated OTP in response to a predetermined user operation via the operation unit 12.

  The OTP generator unique ID 145 is a unique ID such as a manufacturing number assigned to each OTP generator 10. The CPU 11 reads the OTP generator unique ID 145 from the ROM 14 in response to a predetermined user operation via the operation unit 12, and transmits the OTP generator unique ID 145 to the external device via the I / F unit 18 or the display unit 13. To display.

  The RAM 15 is a temporary storage area for programs, input, or output data read from the ROM 14, parameters, and the like in various processes that are executed and controlled by the CPU 11.

  The timer unit 16 measures the current time on the basis of a clock signal from a crystal oscillator (not shown) that constantly transmits a constant frequency, and outputs the measured time information to the CPU 11.

  The storage unit 17 includes a nonvolatile storage medium including a magnetic or optical recording medium or a semiconductor memory, and stores a seed number management table 171 related to a seed number management process (see FIG. 21) described later. The storage medium may be configured to be detachably attached to the OTP generator 10.

  In the seed number management table 171, the seed number corresponding to each seed information stored in the seed table 144 is associated with the operator identification information regarding the operator server that performs OTP authentication generated based on each seed information. Registered. Here, the business entity identification information is information input from the user via the operation unit 12 in a seed number management process (see FIG. 21) described later. For example, the business operator name to which each business server server belongs, etc. Can be entered.

  FIG. 4 is a diagram showing an example of the seed number management table 171. As shown in FIG. 4, in the seed number management table 171, a seed number and business operator identification information related to the seed number are registered in association with each other. The CPU 11 refers to the seed number management table 171 in response to a user operation from the operation unit 12, and sends the specific seed number and the business name associated with the seed number to the external device via the I / F unit 18. Is transmitted or displayed on the display unit 13.

  The I / F unit 18 is a communication interface that controls communication of various types of information exchanged between the OTP generator 10 and an external device such as the access terminal 20 under the control of the CPU 11. Examples of the I / F unit 18 include a serial input / output terminal such as a USB (Universal Serial Bus) port and an RS-232C terminal, a parallel input / output terminal, a SCSI interface, and an infrared data conforming to an IrDA (Infrared Data Association) standard. A communication device, a wireless communication device conforming to the BlueTooth standard, and the like can be cited, and it is possible to connect to the I / F unit 27 of the access terminal 20 by wired or wireless communication means. Specifically, various types of information such as a seed number, an OTP generator unique ID, and OTP are transmitted from the OTP generator 10 to the access terminal 20 via the I / F unit 18.

  The access terminal 20 is a terminal such as a PC operated by a user who uses the authentication system 100, and receives information such as an OTP generator unique ID, OTP, and login name input via the operation unit 22, as a provider authentication server. By transmitting to 30, the operator authentication server 30 is accessed.

  FIG. 5 is a block diagram showing the internal configuration of the access terminal 20. As shown in FIG. 5, the access terminal 20 includes a CPU 21, an operation unit 22, a display unit 23, a storage unit 24, a RAM 25, a communication unit 26, an I / F unit 27, and the like, and each unit is connected via a bus 28. The

  The CPU 21 performs various processes in cooperation with various programs stored in advance in the storage unit 24 using the RAM 25 as a work area, and controls the operations of the respective units constituting the access terminal 20 in an integrated manner.

  The operation unit 22 includes various input keys and the like, and outputs an input signal input by a user operation to the CPU 21. The display unit 23 is configured by an LCD, an ELD panel, or the like, and displays various information based on a display signal from the CPU 21. The display unit 23 may be configured to form a touch panel integrally with the operation unit 22.

  The storage unit 24 includes a nonvolatile storage medium including a magnetic or optical recording medium or a semiconductor memory, and stores a program necessary for the operation of the access terminal 20 and data related to execution of the program. The storage unit 24 stores a system program 241 as shown in FIG.

  The system program 241 is a program for realizing basic functions as an access terminal. The CPU 21 cooperates with the system program 241 to control reading and writing of various data to the storage unit 24, for example. Display control on the display unit 23, input control in which execution of a predetermined function is assigned to a predetermined input key of the operation unit 22, and the like are realized. In addition, the CPU 21 cooperates with the system program 241 to access (connect to) the provider authentication server 30 and realize an information receiving function for enjoying a screen, information, and the like used for authentication. For example, the function as a Web client To realize.

  The RAM 25 serves as a temporary storage area for programs, input, or output data and parameters read from the storage unit 24 in various processes controlled by the CPU 21.

  The communication unit 26 is a network interface, such as a modem (MODEM: MOdulator / DEModulator), a terminal adapter (Terminal Adapter), and a LAN adapter, and is connected to the network N under the control of the CPU 11 (operator authentication). The communication control of various information exchanged with server 30 grade | etc., Is performed.

  The I / F unit 27 is a communication interface that controls communication of various types of information exchanged between the access terminal 20 and an external device such as the OTP generator 10 under the control of the CPU 21. Examples of the I / F unit 27 include a serial input / output terminal such as a USB port and an RS-232C terminal, a parallel input / output terminal, a SCSI interface, an infrared communication device conforming to the IrDA standard, and wireless communication conforming to the BlueTooth standard. Devices, etc., and can be connected to the I / F unit 18 of the OTP generator 10 by wired or wireless communication means. When connecting to the I / F unit 18 of the OTP generator 10, it is preferable that both I / F units use a communication interface conforming to a common standard.

  The business operator authentication server 30 is an authentication server belonging to each business operator. Based on the login information transmitted from the access terminal 20, the operator authentication server 30 determines whether or not the user of the access terminal 20 is a user registered by a user registration process (see FIG. 18) described later. Perform access control.

  FIG. 6 is a block diagram showing the internal configuration of the operator authentication server 30. As shown in FIG. 6, the operator authentication server 30 includes a CPU 31, an operation unit 32, a display unit 33, a storage unit 34, a RAM 35, a clock unit 36, a communication unit 37, and the like, and each unit is connected via a bus 38. The

  The CPU 31 performs various processes in cooperation with various programs stored in advance in the storage unit 34 using the RAM 35 as a work area, and comprehensively controls the operations of the respective units constituting the business operator authentication server 30.

  The operation unit 32 includes various input keys and the like, and outputs an input signal input by a user operation to the CPU 31. The display unit 33 is configured by an LCD, an ELD panel, or the like, and displays various information based on a display signal from the CPU 31. The display unit 33 may be configured to form a touch panel integrally with the operation unit 32.

  The storage unit 34 includes a non-volatile storage medium including a magnetic or optical recording medium or a semiconductor memory, and stores a program necessary for the operation of the operator authentication server 30 and data related to the execution of the program.

  As illustrated in FIG. 6, the storage unit 34 stores a system program 341, an OTP generation program 342, a user-specific seed information table 343, an operator-specific seed number 344, and a secret key 345.

  The system program 341 is a program for realizing basic functions as the operator authentication server 30. In cooperation with the system program 341, the CPU 31 assigns execution of a predetermined function to, for example, read / write control of various data to the storage unit 34, display control to the display unit 33, and predetermined input keys of the operation unit 32. Implement input control. In addition, the CPU 31 realizes an information providing function for providing the access terminal 20 with a screen, information, and the like for authentication, in cooperation with the system program 341, for example, realizing a function as a Web server.

  The OTP generation program 342 is a program for realizing various functions related to OTP generation. The CPU 31 generates an OTP based on a predetermined algorithm based on the one seed information and the time information input from the time measuring unit 36 in cooperation with the OTP generation program 342.

  In the user-specific seed information table 343, user information of each user registered through the access terminal 20 is registered. Here, the user information includes a login ID (user ID) for identifying each user, an OTP generator unique ID input at the time of user registration processing, seed information for generating OTP, and personal information such as the user's name. These pieces of information are registered in association with each user (login ID).

  FIG. 7 is a diagram illustrating an example of the seed information table 343 for each user stored in the storage unit 34. As shown in FIG. 7, the user-specific seed information table 343 includes an OTP generator unique ID (ABCD1234), seed information (12345567890), name (Taro Suzuki), etc. related to one user (login ID: XYZ123). Are registered in association with each other.

  The business operator specific seed number 344 is a seed number (selection information) assigned in advance to each business operator, and a unique seed number is assigned to each business operator. The operator specific seed number 344 corresponds to the seed number registered in the seed table 144 of each OTP generator 10 and corresponds to the seed number of the seed table 144 that is the same value as the value indicated by the operator specific seed number 344. The attached seed information is the source of the OTP generated when logging into the operator authentication server 30 with this operator-specific seed number 344.

  The secret key 345 is information corresponding to a “secret key” in the public key cryptosystem. Note that the public key corresponding to the secret key 345 is stored in advance in the storage unit 44 of the seed information management server 40. When the CPU 31 receives the seed information encrypted with the public key from the seed information management server 40, the CPU 31 decrypts the encrypted seed information with the private key 345 corresponding to the public key, and the decrypted seed information. Is registered in the user-specific seed information table 343 in association with the user information related to the seed information.

  The RAM 35 serves as a temporary storage area for programs, inputs, or output data and parameters read from the storage unit 34 in various processes controlled by the CPU 31.

  The time measuring unit 36 measures the current time on the basis of a clock signal from a crystal oscillator (not shown) that constantly transmits a constant frequency, and outputs the measured time information to the CPU 31. It is assumed that the time measured by the time measuring unit 16 and the time measuring unit 36 is synchronized.

  The communication unit 37 is a network interface such as a modem, a terminal adapter, or a LAN adapter, and is connected to other devices (such as the access terminal 20 and the seed information management server 40) connected to the network N under the control of the CPU 31. Controls communication of various information exchanged in

  The seed information management server 40 stores a plurality of seed information stored in each OTP generator 10, and provides seed information of seed numbers corresponding to each business operator to the business operator authentication server 30.

  FIG. 8 is a block diagram showing the internal configuration of the seed information management server 40. As shown in FIG. 8, the seed information management server 40 includes a CPU 41, an operation unit 42, a display unit 43, a storage unit 44, a RAM 45, a communication unit 46, and the like, and each unit is connected via a bus 47.

  The CPU 41 uses the RAM 45 as a work area, executes various processes in cooperation with various programs stored in advance in the storage unit 44, and controls the operation of each unit constituting the seed information management server 40 in an integrated manner.

  The operation unit 42 includes various input keys and the like, and outputs an input signal input by a user operation to the CPU 41. The display unit 43 is configured by an LCD, an ELD panel, or the like, and displays various information based on a display signal from the CPU 41. The display unit 43 may be configured to form a touch panel integrally with the operation unit 42.

  The storage unit 44 includes a nonvolatile storage medium including a magnetic or optical recording medium or a semiconductor memory, and stores a program necessary for the operation of the seed information management server 40 and data related to execution of the program.

  As shown in FIG. 8, the storage unit 44 stores a system program 441, an operator information table 442, and a seed information management table 443.

  The system program 441 is a program for realizing basic functions as the seed information management server 40. In cooperation with the system program 441, the CPU 41 assigns execution of a predetermined function to, for example, read / write control of various data to the storage unit 44, display control to the display unit 43, and predetermined input keys of the operation unit 42. Implement input control.

  In the business operator information table 442, business enterprise information related to each business enterprise related to the authentication system 100 is registered in association with each business enterprise. Here, the company information includes a seed number (a company-specific seed number) pre-assigned to each company, a company name, and a secret key 345 stored in the company authentication server 30 belonging to each company. A corresponding public key, a domain name of the operator authentication server 30, an IP address, and the like are included, and each of these pieces of information is registered in association with each operator.

  FIG. 9 is a diagram illustrating an example of the provider information table 442 stored in the storage unit 44. As shown in FIG. 9, in the business operator information table 442, for each business operator, a seed number, business operator related information such as a business name, and a public key are registered in association with each other. Here, the registered seed number corresponds to the seed number of the seed table 144 stored in the ROM 14 of the OTP generator 10, and the OTP generated based on the seed information corresponding to this seed number is It is used when logging into the business authentication server 30 of the business corresponding to the seed number.

  In the seed information management table 443, a seed table 144 (seed information and seed number) stored in the ROM 14 of each OTP generator 10 and an OTP generator unique ID 145 are registered in association with each other.

  FIG. 10 is a diagram illustrating an example of the seed information management table 443 stored in the storage unit 44. As illustrated in FIG. 10, the seed information management table 443 stores an OTP generator unique ID, seed information, and seed number associated with each OTP generator 10 in association with each other.

  The RAM 45 is a temporary storage area for programs, inputs, or output data and parameters read from the storage unit 44 in various processes controlled by the CPU 41.

  The communication unit 46 is a network interface such as a modem, a terminal adapter, or a LAN adapter, and is exchanged with other devices (such as the operator authentication server 30) connected to the network N under the control of the CPU 41. Performs communication control of various information.

<Environment setting of authentication system 100>
Next, with reference to FIGS. 11 to 15, a process until the environment related to authentication is set in each device configuring the authentication system 100 will be described.

FIG. 11 is a diagram schematically illustrating a process until an environment related to authentication is set in the OTP generator 10, the operator authentication server 30, and the seed information management server 40.
As shown in FIG. 11, in the OTP generator manufacturer 1 that manufactures the OTP generator 10, in the manufacturing process of the OTP generator 10, the seed table 144 and the OTP generator unique ID 145 are stored in the ROM 14 of each OTP generator 10. , The seed table 144 and the OTP generator unique ID 145 stored in each OTP generator 10 are associated with each other and notified to the seed information management server 40.

FIG. 12 is a flowchart showing a procedure of processing related to manufacture of the OTP generator performed by the OTP generator manufacturer 1.
In the manufacturing process of the OTP generator, when the manufacturing of the OTP generator main body is completed (step S11), a plurality of seed numbers corresponding to each of the plurality of seed information and the plurality of seed information are stored in the ROM 14 of the OTP generator 10. Is stored (step S12), and a unique ID such as a production number unique to the OTP generator 10 is stored as an OTP generator unique ID 145 (step S13).

  Next, the seed table 144 and the OTP generator unique ID 145 stored in steps S12 and S13 are associated with each other and notified to the seed information management server 40 (step S14), and this process ends.

  Note that the plurality of seed information stored in one OTP generator 10 in step S12 is different from each other, and more preferably different from any of the plurality of seed information stored in other OTP generators. .

  Returning to FIG. 11, the seed information management server 40 notified of the seed table 144 and the OTP generator unique ID 145 from the OTP generator manufacturer 1 associates the OTP generator unique ID 145 with the seed table 144, and stores the storage unit 44. Are registered in the seed information management table 443.

  FIG. 13 is a flowchart showing a procedure of processing related to registration of the seed information management table 443 performed in the seed information management server 40. This process is a process executed by the cooperation of the CPU 41 and various programs stored in the storage unit 44.

  When the OTP generator manufacturer 1 notifies (inputs) the seed table 144 and the OTP generator unique ID 145 via the operation unit 42, the communication unit 46, and the like (step S21), the OTP generator unique ID 145 and the seed table 144 are transmitted. Are stored as a seed information management table 443 in the storage unit 44 of the seed information management server 40 (step S22), and this process ends.

  Returning to FIG. 11, when the right to use the seed number is assigned to each business operator 3 (business operators A to C), the seed information management server 40 has the seed number, the business name assigned to the seed number, and the business. The business-related information related to the business such as the domain name and IP address of the business operator authentication server 30 is associated with the public key corresponding to the private key 345 stored in the business operator authentication server 30 belonging to the business operator. Registered in the person information table 442.

  FIG. 14 is a flowchart showing a procedure of processing related to registration of the provider information table 442 performed in the seed information management server 40. This process is a process executed by the cooperation of the CPU 41 and various programs stored in the storage unit 44.

  First, the seed number assigned to each business operator is notified (input) via the operation unit 42, the communication unit 46, and the like (step S31). Next, related information regarding each business operator is input (step S32), and when the public key stored in the business operator authentication server 30 belonging to each business operator is input (step S33), the input seed number and the public information are disclosed. The key and the provider related information are associated with each provider and registered in the provider information table 442 of the storage unit 44 (step S34), and this process ends.

  On the other hand, the operator authentication server 30 belonging to the operator assigned with the seed number stores the seed number assigned to the operator in the storage unit 44 as the operator-specific seed number 344.

  As described above, each seed stored in each OTP generator 10 is defined by defining a seed number corresponding to each business in the seed information management server 40 (business information table 442) and the business authentication server 30. The seed number will be defined for a specific operator. For example, when the seed number “2” is assigned to the operator name “ABC bank” and stored in association with the operator information table 442, the seed stored in each OTP generator 10 is stored as shown in FIG. The number “2” is defined for “ABC Bank”. That is, the OTP generated based on the seed information corresponding to the seed number “2” is used when accessing the operator authentication server 30 belonging to “ABC bank”.

<Operation during user registration>
Next, with reference to FIGS. 16-20, the operation | movement at the time of registering user information in the provider authentication server 30 is demonstrated.

  FIG. 16 is a flowchart showing processing executed by the OTP generator 10 when registering user information. This process indicates a process executed by the cooperation of the CPU 11 and various programs stored in the ROM 14.

  First, when an operation signal for instructing display of the OTP generator unique ID of the OTP generator 10 is input via the operation unit 12 (step S41), the OTP generator unique ID 145 stored in the ROM 14 is read. (Step S42). Then, the read OTP generator unique ID 145 is displayed on the display unit 13 as shown in FIG. 17 (step S43), and this process is terminated.

  In this embodiment, the OTP generator unique ID 145 is output to the display unit 13. However, the present invention is not limited to this, and when the access terminal 20 is connected to the I / F unit 18, the ITP Alternatively, the data may be output to the access terminal 20 via the / F unit 18.

  FIG. 18 is a ladder chart showing a procedure of processing related to user information registration (user registration processing). In addition, each process of step S51-S56 in the same figure has shown the process performed by cooperation with CPU21 of the access terminal 20, and the various programs memorize | stored in the memory | storage part 24, and each process of step S61-S68 Shows processing executed by the cooperation of the CPU 31 of the provider authentication server 30 and various programs stored in the storage unit 34, and each processing in steps S <b> 71 to S <b> 73 is performed with the CPU 41 of the seed information management server 40. The process performed by cooperation with the various programs memorize | stored in the memory | storage part 44 is shown.

  First, in the access terminal 20, in response to a predetermined user operation via the operation unit 22, instruction information (user registration request information) for registering user information is transmitted to a specific business operator authentication server 30 ( Step S51).

  When the user authentication request information is received from the access terminal 20 (step S61), the operator authentication server 30 displays a screen that prompts input of user information including the user's name, login ID, OTP generator unique ID, and the like. Instruction information (registration screen display information) is transmitted to the access terminal 20 (step S62).

  On the other hand, in the access terminal 20, when registration screen display information is received from the operator authentication server 30 (step S52), a screen for prompting input of user information is displayed on the display unit 13 based on the registration screen display information. (Step S53). Subsequently, when user information such as the user's name, login ID, and OTP generator unique ID is input via the operation unit 12 based on the screen displayed on the display unit 13, the input user information is Is transmitted to the person authentication server 30 (step S54). Here, as the OTP generator unique ID input as the user information, the OTP generator unique ID displayed on the display unit 13 of the OTP generator 10 in the process of FIG. 16 is input. Is not particularly limited, and may be input from the user via the operation unit 22, or input from the OTP generator 10 when the OTP generator 10 is connected to the I / F unit 27. It is good also as an aspect.

  When the operator authentication server 30 receives user information from the access terminal 20 (step S63), the operator specific seed number 344 assigned to the operator authentication server 30 is read from the storage unit 34 (step S64). ), The OTP generator unique ID included in the user information and the read provider unique seed number are transmitted as search keys to the seed information management server 40 (step S65).

  In the seed information management server 40, when a search key is received from the provider authentication server 30 (step S71), the process proceeds to a seed information search process (step S72). Hereinafter, with reference to FIG. 19, the seed information search process in step S72 will be described.

FIG. 19 is a flowchart showing the seed information search process.
First. The seed information corresponding to the OTP generator unique ID and the provider unique seed number included in the search key is retrieved from the seed information management table 443 (step S721), and the corresponding seed information is read from the seed information management table 443 ( Step S722). Next, the public key corresponding to the provider-specific seed number included in the search key is searched from the provider information table 442 (step S723), and the corresponding public key is read from the provider information table 442 (step S724). Based on the public key, the seed information read in step S722 is encrypted (step S725), and the process proceeds to step S73.

  Returning to FIG. 18, the seed information encrypted in step S725 (hereinafter referred to as encrypted seed information) is transmitted to the operator authentication server 30 that transmitted the search key (step S73), and the seed information management server 40 is transmitted. This process ends.

  Thus, since the encrypted seed information is transmitted to the operator authentication server 30, the security related to the seed information can be improved.

  On the other hand, when the encrypted seed information is received from the seed information management server 40 (step S66), the business operator authentication server 30 proceeds to the user information registration process (step S67). Hereinafter, the user information registration process in step S67 will be described with reference to FIG.

FIG. 20 is a flowchart showing a procedure of user information registration processing.
First, the secret key 345 stored in the storage unit 34 is read (step S671), and the seed information is decrypted from the encrypted seed information based on the secret key 345 (step S672). Subsequently, the decrypted seed information is registered in the user-specific seed information table 343 in association with the user information received in step S63 (step S673), and the process proceeds to step S68.

  Returning to FIG. 18, the operator-specific seed number 344 assigned to the operator authentication server 30 and the instruction information (registration completion information) instructing the display of registration completion are transmitted to the access terminal 20 (step S68). The process of the person authentication server 30 ends.

  In the access terminal 20, when registration completion information is received from the operator authentication server 30 (step S55), a screen for notifying the operator-specific seed number and registration completion is displayed on the display unit 13 based on the registration completion information. (Step S57), the process of the access terminal 20 ends.

  Through the above processing, user information is registered in the operator authentication server 30, and thereafter, a user related to this user information can log in to the operator authentication server 30 from the access terminal 20.

  As described above, the seed number management table 171 is stored in the storage unit 17 of the OTP generator 10, and the user can send information on the seed number and the business operator assigned to the seed number via the operation unit 12. In the seed number management table 171 can be input to the CPU 11. In this case, it is preferable that the information related to the operator authentication server 30 that registered the user information (hereinafter referred to as operator identification information) is registered in the seed number corresponding to the operator-specific seed number displayed in step S56. Thus, the convenience of connection to each operator authentication server 30 can be improved at the time of login to the operator authentication server 30 described later.

  FIG. 21 is a flowchart showing a procedure of processing (seed number management processing) related to registration in the seed number management table 171. This process indicates a process executed by the cooperation of the CPU 11 and various programs stored in the ROM 14.

  First, when an instruction signal for registering operator identification information is input by a predetermined user operation via the operation unit 12 (step S81), all seed numbers registered in the seed table 144 are read. Then, all the read seed numbers are displayed on the display unit 13 in a manner that can be selected via the operation unit 12 (step S83).

  Here, when a specific seed number is selected by a predetermined user operation via the operation unit 12 and the instruction signal is input (step S84), a screen prompting input of business operator identification information is subsequently displayed. It is displayed on the part 13 (step S85).

  Subsequently, when the operator identification information is input by a predetermined user operation via the operation unit 12 and the instruction signal is input (step S86), the input operator identification information is selected in step S84. The associated seed number is associated and registered in the seed number management table 171 (step S87), and this process ends.

  In the present embodiment, the seed number associated with the operator identification information is selected from all the seed numbers registered in the seed table 144. However, the present invention is not limited to this. For example, the step of the user registration process described above is used. In S57, the operator-specific seed number displayed on the display unit 13 of the OTP generator 10 is used as the seed number in the OTP generator 10, and this seed number and the operator identification information are associated and registered in the seed number management table 171. It is good also as an aspect.

As described above, in the seed information management server 40, even if a plurality of seed information is stored in one OTP generator 10, an appropriate seed is assigned to the operator authentication server 30 corresponding to each of the plurality of seed information. Since information can be transmitted, the convenience related to the operation and use of seed information can be improved.
Further, even if a plurality of seed information is stored in one OTP generator 10, one of the plurality of seed information corresponding to the own operator authentication server 30 is used in the business operator authentication server 30. Since seed information can be stored and authenticated based on the seed information, the convenience of using and using the seed information can be improved.

<Operation at login>
Next, with reference to FIGS. 22-24, the operation | movement at the time of logging into the provider authentication server 30 from the access terminal 20 is demonstrated.

  FIG. 22 is a flowchart showing processing executed by the OTP generator 10 at the time of login. This process indicates a process executed by the cooperation of the CPU 11 and various programs stored in the ROM 14.

  First, when instruction information for generating an OTP is input by a predetermined user operation via the operation unit 12 (step S91), all seed numbers stored in the seed table 144 are read (step S91). (S92) All the read seed numbers are displayed on the display unit 13 in a manner that can be selected via the operation unit 12 (step S93). Of the read seed numbers, for the seed numbers registered in the seed number management table 171, the operator identification information associated with each seed number is read from the seed number management table 171 and the corresponding seed information is read. It is good also as an aspect displayed together.

  Next, when a specific seed number is selected by a predetermined user operation via the operation unit 12 and an instruction signal is input (step S94), seed information corresponding to the input seed number is stored in the seed table 144. (Step S95), and an OTP is generated based on the seed information and the time information input from the timer unit 16 (step S96). In this way, by specifying one seed number from a plurality of seed numbers displayed on the display unit 13, one seed information corresponding to the specified seed number can be selected. Convenience related to operation and use can be improved.

  Subsequently, the operator identification information corresponding to the seed number selected in step S94 is read from the seed number management table 171 (step S97), the seed number selected in step S94, and the business read in step S97. The person identification information and the OTP generated in step S96 are displayed on the display unit 13 (step S98), and this process ends.

  As described above, since the OTP generator 10 can select one seed information for generating an OTP from a plurality of seed information, it is possible to improve the convenience related to the operation and use of the seed information.

FIG. 23 is a diagram illustrating an example of a seed number, business operator identification information, and OTP displayed on the display unit 13. As illustrated in FIG. 23, the seed number “1”, the operator identification information “aaa-bank”, and the OTP “1072502002” are displayed on the display unit 13 of the OTP generator 10 by the above-described processing. As described above, since the OTP generated on the display unit 13 and the seed number corresponding to the seed information that is the generation source of the OTP are displayed, the OTP and the seed number can be notified in a state that the user can see. .
The user inputs various information displayed on the display unit 13 to the access terminal 20 via the operation unit 22 and transmits the information to the desired operator authentication server 30 to log in the operator authentication server 30. Do.

  FIG. 24 is a ladder chart showing a procedure of processing related to login from the access terminal 20 to the business operator authentication server 30. In the figure, each process of steps S101 to S106 indicates a process executed in cooperation with the CPU 21 of the access terminal 20 and various programs stored in the storage unit 24, and each of steps S111 to S121. The process indicates a process executed by the cooperation of the CPU 31 of the provider authentication server 30 and various programs stored in the storage unit 34.

  First, in the access terminal 20, in response to a predetermined user operation via the operation unit 22, instruction information (login request information) for performing login is transmitted to the specific operator authentication server 30 (step S <b> 101).

  When the business authentication server 30 receives the login request information from the access terminal 20 (step S111), the instruction information (login screen display information) for instructing the display of a screen that prompts the user to input login information such as login ID and OTP. Is transmitted to the access terminal 20 (step S112).

  On the other hand, in the access terminal 20, when login screen display information is received from the operator authentication server 30 (step S102), a screen that prompts the display unit 23 to input login information based on the login screen display information (see FIG. 25). ) Is displayed (step S103). Subsequently, when login information such as a login ID and OTP is input via the operation unit 12 based on the screen displayed on the display unit 23, the input login information is transmitted to the operator authentication server 30. (Step S104).

  Here, as the OTP input as the login information, the OTP (for example, 1072502002) displayed on the display unit 13 of the OTP generator 10 in the process of FIG. 19 is input. Alternatively, it may be input from the user via the operation unit 22 or may be input from the OTP generator 10 when the OTP generator 10 is connected to the I / F unit 27. Good.

  When the login information is received from the access terminal 20 (step S113), the operator authentication server 30 searches the seed information table 343 for each user for the seed information corresponding to the login ID included in the login information (step S114). ), The corresponding seed information is read from the user-specific seed information table 343 (step S115). Next, an OTP for verification is generated based on the seed information and the time information input from the time measuring unit 36 (step S116), and the OTP for verification is compared and verified with the OTP included in the login information. (Step S117).

  Subsequently, it is determined whether or not both OTPs match. If it is determined that both OTPs match (step S118; Yes), login to the operator authentication server 30 is permitted (step S119). The process proceeds to step S121. On the other hand, if it is determined in step S118 that both OTPs do not match (step S118; No), login to the operator authentication server 30 is not permitted (step S120), and the process proceeds to step S121.

  In step S121, instruction information (login result information) indicating the login result determined in step S119 or step S120 is transmitted to the access terminal 20 (step S121), and the processing of the operator authentication server 30 ends.

  On the other hand, in the access terminal 20, when login result information is received from the operator authentication server 30 (step S105), a screen for notifying the login result based on the login result information is displayed on the display unit 23 (step S106). Then, the processing of the access terminal 20 ends.

  As described above, even when a plurality of seed information is stored in one OTP generator 10, seed information corresponding to the provider authentication server 30 corresponding to each of the plurality of seed information is authenticated by each provider. Since it can be stored in the server 30 and the user who owns the OTP generator 10 can be authenticated based on the seed information, the convenience related to the operation and use of the seed information can be improved.

  The application of the present invention is not limited to the example described above, and can be changed as appropriate without departing from the spirit of the present invention.

  For example, in the above-described embodiment, the seed information management table is stored in the OTP generator 10. However, the embodiment is not limited thereto, and the seed information management table may be stored in the storage unit 24 of the access terminal 20. In this case, the seed number management program is also stored in the storage unit 24, and various functions relating to storage and management of the seed number management table are realized by the cooperation of the account information management program and the CPU 21.

  In the above embodiment, the OTP generator 10 and the access terminal 20 configure the authentication system 100 in a state where they are independent from each other. However, the present invention is not limited to this. For example, the OTP generator 10 and the access terminal 20 are connected via the I / F unit 18 and the I / F unit 27, and the access terminal 20 sends various information transmitted from the OTP generator 10 to the operator authentication server 30. A direct transmission mode may be used, thereby saving the user's labor related to login.

It is the figure which showed the structure of the authentication system. It is the figure which showed the internal structure of the OTP generator. It is the figure which showed an example of the seed table It is the figure which showed an example of the seed number management table. It is the block diagram which showed the internal structure of the access terminal. It is the block diagram which showed the internal structure of the provider authentication server. It is the figure which showed an example of the seed information table classified by user. It is the block diagram which showed the internal structure of the seed information management server. It is the figure which showed an example of the provider information table. It is the figure which showed an example of the seed information management table. It is the figure which showed typically the process until an authentication system is constructed | assembled. It is the flowchart which showed the procedure of the process which concerns on manufacture of an OTP generator. It is the flowchart which showed the procedure of the process which concerns on registration to a seed information management table. It is the flowchart which showed the procedure of the process which concerns on registration to a provider information table. It is a figure for demonstrating allocation of the seed number with respect to each provider. It is the flowchart which showed the process performed with an OTP generator at the time of registration of user information. It is the figure which showed an example of OTP generator specific ID displayed on the display part of the OTP generator. It is the ladder chart which showed the procedure of the process which concerns on registration of user information. It is the flowchart which showed the procedure of the process which concerns on the seed information search process of FIG. It is the flowchart which showed the procedure of the process which concerns on the user information registration process of FIG. It is the flowchart which showed the procedure of the process which concerns on registration to a seed number management table. It is the flowchart which showed the process performed with an OTP generator at the time of login. It is the figure which showed an example of the seed number, provider identification information, and OTP which were displayed on the display part of the OTP generator. 5 is a ladder chart showing a procedure of processing related to login to the business operator authentication server 30. It is the figure which showed an example of the login screen displayed on the display part of the access terminal.

Explanation of symbols

100 Authentication System 10 OTP Generator 11 CPU
12 Operation unit 13 Display unit 14 ROM
141 System program 142 OTP generation program 143 Seed number management program 144 Seed table 145 OTP generator unique ID
15 RAM
16 Timekeeping unit 17 Storage unit 171 Seed number management table 18 I / F unit 19 Bus 20 Access terminal 21 CPU
22 Operation unit 23 Display unit 24 Storage unit 241 System program 25 RAM
26 Communication Unit 27 I / F Unit 28 Bus 30 Business Operator Authentication Server 31 CPU
32 Operation unit 33 Display unit 34 Storage unit 341 System program 342 OTP generation program 343 User-specific seed information table 344 Operator-specific seed number 345 Private key 35 RAM
36 Timekeeping Unit 37 Communication Unit 38 Bus 40 Seed Information Management Server 41 CPU
42 Operation Unit 43 Display Unit 44 Storage Unit 441 System Program 442 Operator Information Table 443 Seed Information Management Table 45 RAM
46 Communication 47 Bus

Claims (6)

A plurality of authentication servers that perform authentication by comparing the identification information generated by the identification information generation device based on one seed information and the identification information for verification generated based on the same seed information as the seed information A seed information management server connected via a communication line to
A unique ID assigned to each of the plurality of identification information generation devices, a plurality of seed information stored in each identification information generation device, and a plurality of selection information corresponding to each of the plurality of seed information are associated with each other. Seed information storage means for storing;
Receiving means for receiving, from the authentication server, instruction information using a specific unique ID and selection information assigned to the authentication server as a search key;
Reading means for retrieving seed information corresponding to the received instruction information from a plurality of seed information stored in the seed information storage means, and reading out the corresponding seed information;
Transmitting means for transmitting the read seed information to the authentication server;
A seed information management server comprising: 2. The seed information management server according to claim 1 , further comprising a business operator information storage unit that stores selection information assigned to the authentication server and business related information regarding the authentication server in association with each other. An encryption means for encrypting the seed information;
The transmission unit, the seed information management server according to claim 1 or 2, characterized in that transmitting the seed information encrypted by the encrypting means to the authentication server. The seed information management server according to any one of claims 1 to 3, the seed information management server and an access terminal connected via a communication line, and among a plurality of seed information stored in the identification information generation device, An authentication system comprising an authentication server that performs authentication by comparing identification information generated based on one seed information and verification identification information generated based on the same seed information as the seed information. ,
The authentication server is
Unique ID receiving means for receiving, from the access terminal, a unique ID unique to the identification information generating device and user information relating to a user possessing the identification information generating device;
Selection information storage means for storing selection information pre-assigned to each operator to which the authentication server belongs;
Transmitting means for transmitting the received unique ID together with the selection information to the seed information management server;
Seed information receiving means for receiving, from the seed information management server, one seed information corresponding to the transmitted unique ID and selection information;
User-specific seed information storage means for storing the received seed information in association with the user information;
When the user information and identification information are transmitted from the access terminal, the seed information corresponding to the user information is read from the seed information storage unit for each user, and the identification information for verification is based on the read seed information. Generating means for generating
An authentication means for performing user authentication by comparing the generated identification information for verification with the transmitted identification information;
An authentication system characterized by comprising: The authentication server comprises decryption means for decrypting the seed information encrypted by the seed information management server,
The authentication system according to claim 4 , wherein the user-specific seed information storage unit stores the decrypted seed information in association with the user information. The user-specific seed information storage means, according to the unique ID of the identification information generating device, to claim 4 or 5, characterized in that in association with the user information of the user having the identification information generating device Authentication system .

Images