JP4924710B2 - Information processing apparatus and program - Google Patents

Description

  The present invention relates to a method for logging in to a system.

  In the IT (Information Technology) system, personal authentication technology has become important. In a computer system, when logging in, a user is required to input a password, and the password of the user registered in advance is checked.

  On the other hand, in a password authentication system, if a password is stolen by a malicious third party, there is a risk that an unauthorized user is logged into the system, important data is taken away, and the person is left.

Prior art documents include the following.
Japanese Patent Laid-Open No. 03-156662 JP-A-11-102344

  An object of the present invention is to capture a third party who has illegally logged into a system that performs authentication using a password.

  The present invention employs the following means in order to solve the above-described problems.

As a first measure:
The information processing apparatus includes a storage unit that stores information, a display unit that displays data, an operation unit that inputs data to the device, a transmission unit that transmits data, and a control unit. The first authentication of the user is performed based on the input data and the identification information stored in the storage means, and the storage means includes second identification information, importance information indicating the importance of the data, Data transmission destination information, and when the first authentication is successful , the control means, based on the data newly input from the operation means within the set time and the second identification information, When the second authentication is performed and the second authentication fails, access to data having a preset importance is permitted based on the importance information, and the second authentication is performed based on the destination information. Data indicating that the second authentication failed is sent from the communication means. To.

As a second means:
The control means, if it fails to said second authentication, based on the importance information, the data of importance is set Me該予 displayed on said display means, 該予Me settings displayed on the display unit It has been to allow access to the importance of the data.

As a third means:
A storage means for storing information, a display means for displaying data, an operation means for inputting data to the apparatus, and a control means, the data inputted from the operation means and the identification stored in the storage means In the information processing apparatus that performs the first authentication of the user based on the information, the storage means includes second identification information and importance information indicating the importance of the data, and the control means includes the first authentication information. When the first authentication is successful, the second authentication is performed based on the data newly input from the operation means within the set time and the second identification information, and the second authentication fails Based on the importance information, access to data having a preset importance is permitted.

As a fourth means:
When it is determined that the control unit has accessed data other than the preset importance level data based on the importance level information, the control unit further performs the operation unit within a predetermined time. The second authentication is performed on the basis of the data input from and the second identification information. When the second authentication is successful, access to all data is permitted.

As a fifth means:
A storage unit that stores information; a display unit that displays data; an operation unit that inputs data to the apparatus; and a transmission unit that transmits data. The data input from the operation unit and the storage unit A program for controlling an information processing device that performs first authentication of a user based on stored identification information, wherein the information processing device is operated within a set time when the first authentication is successful. Based on the data newly input from the means and the second identification information, the means for performing the second authentication, if the second authentication fails, based on the importance information representing the importance of the data, Function as a means for permitting access to data having a preset importance, a means for transmitting data indicating that the second authentication has failed from the communication means based on destination information for transmitting data Let

As a sixth means:
When the second authentication fails, the program displays the preset importance data on the display means based on the importance information, and the preset information displayed on the display means. Function as a means to allow access to data of a certain importance.

  According to the present invention, when the second authentication fails, access to data of a specific importance level is permitted, and a mail indicating that unauthorized login has been made is transmitted to the system administrator. As a result, a third party who has illegally logged in can be shown to have successfully logged in to the system and stayed there. In addition, if the second authentication fails, the administrator will be notified of unauthorized use by e-mail, so that an unauthorized third party will stay on the spot until the administrator arrives at the site. Can be caught.

It is a general-view figure of PC. It is the figure which showed the hardware whole structure of PC. It is a functional block diagram of an authentication process. It is a flowchart of an authentication process. It is a figure showing a password input screen. It is a figure showing the screen of a transition state. It is a flowchart (the 1) of the process after login. It is a flowchart (the 2) of the process after login. It is a figure showing the table with which the program and the security level were matched. It is a figure showing the table with which the data and the security level were matched.

Explanation of symbols

100 PC
102 PC main body 104 Display screen 105 CD / DVD loading slot 106 Display device 107 Keyboard 108 Mouse 109 Power button 110 USB connector 111 FD loading slot 112 System controller 113 Keyboard controller 114 CPU
116 Main storage device 118 Hard disk 120 EPROM
121 bus 122 CMOS
123 Timer 125 Network controller 126 Power supply monitoring unit 204 OS
208 Application 210 Program-Security Level Correspondence Table 212 Data Security Level Correspondence Table 214 Program Name 216 Data Name 218 Security Level

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is an overview of a PC (Personal Computer). The PC 100 includes a PC main body 102 with a built-in CPU (Central Processing Unit), a memory, and the like, a display unit 106 that displays an image on the display screen 104 by a command from the PC main body 102, and a keyboard that gives a command to the PC main body 102 by a user operation 107, a mouse 108 that moves a cursor on the display screen 104 and gives a command corresponding to an icon on which the cursor is superimposed by operating a button.

  Further, the PC main body 102 is loaded with a power button 109 for powering on the PC 100, a USB connector 110 compliant with the USB (Universal Serial Bus) standard, a CD (Compact Disc) and a DVD (Digital Versatile Disk). / DVD loading port 105 and FD loading port 111 into which FD (Floppy (registered trademark) Disk) is loaded.

(PC hardware configuration diagram)
FIG. 2 is a block diagram schematically showing an example of the hardware configuration of the PC shown in FIG. In addition, the same number is attached | subjected about the block demonstrated in FIG.

  The PC 100 includes a system controller 112, a CPU 114, a main storage device 116, a display unit 106, a hard disk 118, an EPROM (Erasable Programmable Read Only Memory) 120, a keyboard controller 113, a CMOS (Complementary Metal Oxide Semiconductor) 122, a timer 123, and a power supply monitor. The unit 126 and the network controller 125 are connected by a bus 121. Hereinafter, each block will be described.

  The system controller 112 controls the entire system such as data input / output management. The CPU 114 executes various programs such as an OS and a BIOS that are expanded in the main storage device 116. The main storage device 116 is used as a work area for executing a program read from the hard disk 118. In the present embodiment, an OS, applications, and the like are deployed in the main storage device 116. Details will be described later with reference to FIG. The display unit 106 displays an image based on a command issued by the CPU 114 via the system controller 112. The hard disk 118 stores an OS and application programs. The EPROM 120 stores a BIOS that is executed first after the PC is powered on. The keyboard controller 113 detects input from the keyboard 107 and the mouse 108. The CMOS 122 stores BIOS menu settings. The power monitoring unit 126 monitors whether or not the power button 106 has been operated. The timer 123 provides time information to the CPU 114. The network controller 125 transmits information to other information systems via an intranet or the Internet.

(Function block diagram of authentication processing)
FIG. 3 is a functional block diagram schematically showing an example of the authentication process. The authentication processing function includes a main storage device 116, a keyboard controller 113, a hard disk 118, and a timer 123. An OS 204 is expanded in the main storage device 116. Further, an application 208 is deployed on the OS 204. Hereinafter, each block will be described. Note that the blocks described in FIG. 2 are assigned the same numbers, and descriptions thereof are omitted.

[Keyboard controller]
The keyboard controller 113 detects input from the keyboard 107 and the mouse 108.

[hard disk]
The hard disk 118 stores a password set in advance by the user and information related to a set time when the password is input. In addition, the mail address of the transmission destination for notifying that there has been unauthorized use is stored. Furthermore, the table etc. with which the program and the security level were matched are stored.

[application]
In the application 208, the driver 206 is deployed on the OS 204. The application 208 detects a password input from the keyboard controller 113. Furthermore, user authentication is performed by comparing the input password with the password stored in the hard disk 118. Further, time information is acquired from the timer, and it is determined whether or not a password input from the user has been performed within the set time.

(Flow chart of authentication process)
The authentication process will be described below with reference to FIG.

  In step S001, the power monitoring unit 126 determines whether or not the power button 109 has been operated by the user. If the power button 109 is operated by the user, the process proceeds to step S002.

  In step S <b> 002, the CPU 114 activates the BIOS stored in the EPROM 120. Then, the BIOS is expanded in the main storage device 116 and initializes various devices such as the keyboard controller 113. The process proceeds to step S003.

  In step S003, the BIOS expands the OS 204 stored in the hard disk 118 in the main storage device 116, and starts the OS. The process proceeds to step S004.

  In step S004, the OS 204 expands the application 208 stored in the hard disk 118 on the OS 204. The process proceeds to step S005.

  In step S 005, the application 208 displays the password request screen data stored in the hard disk 118 on the display unit 106. FIG. 5 shows a state where the password request screen data is displayed on the display unit 106. The user inputs, for example, a user name and password from the keyboard 107 according to the instruction displayed on the display unit 106. The process proceeds to step S006.

  In step S006, the application 208 determines whether or not a password has been input by the user via the keyboard controller 113. If the password has been entered, the process proceeds to step S007.

  In step S007, the application 208 compares the password input by the user with the password stored in advance in the hard disk 118 in step S006, and determines whether the authentication is successful. If the authentication is successful, the process proceeds to step S008. On the other hand, if the authentication fails, the process proceeds to step S009.

  In step S009, the application 208 determines whether the number of authentication failures is within a set number. The set number of times may be set in advance by the user and stored in the hard disk 118, for example. The application 208 compares the set number of times stored in the hard disk 118 with the number of authentication failures acquired by the application 208. If the number of failed authentications is within the set number, the process returns to step S005, and the application 208 displays the password request screen again. On the other hand, if the number of authentication failures is not within the set number, the process proceeds to step SA01. The processing after step SA01 will be described later with reference to FIG.

  In step S <b> 008, the application 208 displays the transition state screen data stored in the hard disk 118 on the display unit 106. FIG. 6 shows a state where the screen data in the transition state is displayed on the display unit 106. As described above, since the password request screen is not displayed, a user other than an authorized user cannot realize that the password should be input. The process proceeds to step S010.

  In step S010, the application 208 determines whether or not the user has input the second password within the set time via the keyboard controller 113. Here, the input of the password within the set time means that the password is input within a certain time after the screen data in the transition state is displayed on the display unit 106. The set time may be set in advance by the user and stored in the hard disk 118. First, the application 208 acquires from the timer 123 the time during which the screen data in the transition state is displayed on the display unit 106. Next, the application 208 acquires the time when the second password is input from the timer 123. Then, the difference between the acquired times and the set time are compared. If the user inputs the second password within the set time, the process proceeds to step S011. On the other hand, if the user does not input the second password within the set time, the process proceeds to step SA01. The processing after step SA01 will be described later with reference to FIG.

  In step S011, the application 208 compares the second password input by the user with the second password stored in advance in the hard disk 118 in step S010, and determines whether or not the authentication is successful. . If the authentication is successful, the process proceeds to step S012. On the other hand, if the authentication fails, the process proceeds to step SA01. The processing after step SA01 will be described later with reference to FIG.

  In step S012, the CPU 114 starts a formal login process. The process ends.

(Flow after unauthorized login (1))
The flowchart after unauthorized login will be described below with reference to FIG.

  In step SA01, the CPU 114 displays a screen with a low security level. A screen with a low security level is, for example, a screen that displays only low importance data on the display screen 104. Further, for example, it is a screen in which only programs with low importance are selected as programs that can be selected from the menu screen. Definition information such as a low importance program may be set in advance by the user and stored in the hard disk 118. The CPU 114 performs screen display based on the definition information. An example of the definition information is shown in FIGS. In FIG. 9, programs and security levels are associated with each other. For the program, the security level is defined in two stages, “high” and “low”. In FIG. 9, data and security levels are associated with each other. The data is defined in three stages of “A”, “B”, and “C” from the highest security level. The process proceeds to step SA02.

  In step SA <b> 02, the CPU 114 acquires a mail address from the hard disk 118. The process proceeds to step SA03.

  In step SA03, the CPU 114 transmits an email notifying unauthorized use via the network controller 125. The process proceeds to step SA04.

  In step SA04, the CPU 114 removes the PC 100 from the network by stopping the function of the network controller 125. The process ends.

  According to this, even if a password is stolen and an unauthorized login is made, an unauthorized user cannot access important information or the like because a screen with a low security level is displayed. Moreover, it can be assumed that an unauthorized user has logged in to the system and can stay there. Therefore, until the administrator who has been notified of the e-mail notifying the unauthorized use arrives at the site, the unauthorized user can remain on the site and the unauthorized user can be caught.

(Flow after unauthorized login (part 2))
The flowchart after unauthorized login will be described below with reference to FIG.

  In step SB01, the CPU 114 displays a normal screen. The process proceeds to step SB02.

  In step SB02, the CPU 114 determines whether or not an operation with a high security level has been performed by the user. The definition information of the operation with a high security level may be set in advance by the user and stored in the hard disk 118. Here, the operation with a high security level means an operation for accessing highly important data or starting a program with a high security level. Based on the operation information acquired from the keyboard controller 113 and the definition information, the CPU 114 determines whether the user operation is an operation with a high security level. If the user performs an operation with a high security level, the process proceeds to step SB03. On the other hand, when an operation with a high security level is not performed by the user, the CPU 114 permits the operation by the user, and the process returns to step SB02 again.

  In step SB03, the CPU 114 determines whether or not the user has entered the second password within the set time. Here, the input of the password within the set time means that the password is input within a predetermined time after the command to start the program is issued. The set time may be set in advance by the user and stored in the hard disk 118. First, the application 208 acquires from the timer 123 the time when the keyboard activation command is issued from the keyboard controller 113. Next, the application 208 acquires the time when the second password is input from the timer 123. Then, the difference between the acquired times and the set time are compared. If the user inputs the second password within the set time, the process proceeds to step SB04. On the other hand, if the user has not entered the second password within the set time, the process proceeds to step SB07.

  In step SB04, the application 208 compares the second password input by the user with the second password stored in advance in the hard disk 118 in step SB03, and determines whether the authentication is successful. . If the authentication is successful, the process proceeds to step SB05. On the other hand, if the authentication fails, the process proceeds to step SB07.

  In step SB05, the CPU 114 permits an operation with a high security level, and in step SB02, the CPU 114 executes a program requested to be activated by the user. The process proceeds to step SB06, and the CPU 114 executes a formal login process. According to this, even if the user is a legitimate user, even if he or she forgets to enter the password in step S010 in FIG. 4 or makes a mistake, the official login process is performed by inputting the password again. Can be executed. This is because if the user is an authorized user, a program with a high security level cannot be executed, so that the user can realize that the password input has been forgotten in step S010 of FIG.

  In step SB07, the CPU 114 does not permit an operation with a high security level, and in step SB02, the CPU 114 does not execute a program requested to be activated by the user. The process proceeds to step SB08.

  In step SB08, the CPU 114 determines whether or not the number of times that an operation with a high security level is not permitted is within a set number. The set number of times may be set in advance by the user and stored in the hard disk 118, for example. The application 208 compares the set number of times stored in the hard disk 118 with the number of times that operations with a high security level acquired by the application 208 are not permitted. If the number of times of disapproval is within the set number of times, the process returns to step SB01. On the other hand, if the number of times of disapproval is not within the set number of times, the process proceeds to step SB09. According to this, it is possible to cope with the case where the authorized user forgets the password input in step S010 in FIG. This is because if the user is an authorized user, if the operated program does not start, the user is aware that no password has been input in step S010 of FIG. In this case, the process returns to step SB01, and the user may input the password after performing an operation for starting the program to be used again. Then, the process proceeds from step SB05 to SB06, and the CPU 114 performs a regular login process.

  In step SB09, the CPU 114 acquires a mail address from the hard disk 118. The process proceeds to step SB10.

  In step SB10, the CPU 114 transmits an email notifying unauthorized use via the network controller 125. The process proceeds to step SB11.

  In step SB11, the CPU 114 stops the function of the network controller 125, thereby removing the PC 100 from the network. The process ends.

  According to this, an operation with a high security level by an unauthorized user can be invalidated and the security of the system can be enhanced. Further, if it is an unauthorized user, if the program cannot be executed, an operation for executing the program is performed again. Even if the program is executed again, if the password is not entered, it is regarded as unauthorized use. Therefore, if an unauthorized user continues an operation for executing a program, an administrator who has received an email notifying unauthorized use can find the unauthorized user.

  The above embodiment has been specifically described for better understanding of the present invention, and does not limit other embodiments. Therefore, changes can be made without departing from the spirit of the invention.

Claims (6)

Storage means for storing information; display means for displaying data; operating means for inputting data to the apparatus; transmitting means for transmitting data; and control means; and data input from the operating means; In the information processing apparatus that performs the first authentication of the user based on the identification information stored in the storage unit,
The storage means includes second identification information, importance information indicating the importance of data, and data transmission destination information.
When the first authentication is successful , the control means performs second authentication based on the data newly input from the operation means within the set time and the second identification information,
If the second authentication fails, based on the importance information, permit access to data of a preset importance level,
An information processing apparatus, wherein data indicating that the second authentication has failed is transmitted from the communication unit based on the transmission destination information. The control means, if it fails to said second authentication, based on the importance information, the data of importance is set Me該予 displayed on said display means, 該予Me settings displayed on the display unit The information processing apparatus according to claim 1, wherein access to the data having the determined importance is permitted. A storage means for storing information, a display means for displaying data, an operation means for inputting data to the apparatus, and a control means, the data inputted from the operation means and the identification stored in the storage means In the information processing apparatus that performs the first authentication of the user based on the information,
The storage means includes second identification information and importance information indicating the importance of data,
When the first authentication is successful, the control means performs second authentication based on the data newly input from the operation means within the set time and the second identification information,
An information processing apparatus, wherein when the second authentication fails, access to data having a preset importance level is permitted based on the importance level information. When it is determined that the control unit has accessed data other than the preset importance level data based on the importance level information, the control unit further performs the operation unit within a predetermined time. Second authentication is performed based on the data input from and the second identification information,
4. The information processing apparatus according to claim 3, wherein when the second authentication is successful, access to all data is permitted. A storage unit that stores information; a display unit that displays data; an operation unit that inputs data to the apparatus; and a transmission unit that transmits data. The data input from the operation unit and the storage unit A program for controlling an information processing apparatus that performs first authentication of a user based on stored identification information, the information processing apparatus comprising:
Means for performing second authentication based on data newly input from the operation means and second identification information within a set time when the first authentication is successful;
Means for permitting access to data of a preset importance level based on importance level information representing the importance level of the data when the second authentication fails;
Means for transmitting from the communication means data indicating that the second authentication has failed based on destination information for transmitting data;
A program characterized by functioning as Means for displaying the preset importance data on the display means based on the importance information when the second authentication fails;
Means for permitting access to the preset importance data displayed on the display means;
The program according to claim 5, wherein the program is made to function as:

Images