JP5538132B2 - Terminal system for guaranteeing authenticity, terminal and terminal management server - Google Patents

Description

  The present invention relates to a terminal system that notifies a user of the authenticity of a terminal that receives a service and enables the user to receive the service safely.

  In order to improve the productivity of workers, a work style called “telework” has been widely used in which work is performed mainly in places other than predetermined work places. In particular, there are an increasing number of users, mainly in sales positions, who perform operations such as sending and receiving e-mails and creating documents in a form called mobile operations, such as at home, in the city, and in the car.

  As such work styles become widespread, information leakage accidents frequently occur in companies, and thorough information management is required. Examples of information leakage accidents include accidents in which PCs or information devices taken outside the company are lost or stolen, or personally owned PCs that store personal information are stolen due to vacant nests at home. Many have been reported. What is common to these is that a medium storing information is taken out of the company.

  As a countermeasure against such information leakage, there is an increasing need for a thin client system in companies. A thin client system is a system that uses an information device such as a notebook PC that does not have a storage area to connect to an in-house system remotely via a network such as a mobile phone or a public LAN, and does not store the information itself outside the company. is there. In such a thin client system, an authentication function when connecting from outside the company is important. Conventionally, an IC card reader is connected to a notebook PC or the like, personal authentication is performed using a personal IC card (employee ID card) or a security device, and connection to the company is permitted.

  With public terminals such as kiosk terminals installed on street corners, the management status of the terminals is unknown, so users can use services that handle information including personal information and confidential information with a low risk of information leakage and eavesdropping. It is hard to receive in state. There is a technique for confirming the validity of a terminal without passing any information about the user itself to a terminal whose validity has not been confirmed (terminal to be guaranteed). In this technology, in a terminal validity guarantee system including a guarantee target terminal and a validity confirmation server, validity certification information indicating whether the guarantee target terminal is in a valid state of software and hardware in the terminal is obtained. Provided with a validity proof part that transmits to the validity confirmation server. When the validity confirmation server receives an inquiry about the validity of the guarantee target terminal from the user terminal, the validity confirmation request is sent to the guarantee target terminal. And a validity confirmation function for confirming the validity of the guarantee target terminal based on the validity certification information transmitted from the validity certification section of the guarantee target terminal and transmitting the confirmation result to the user terminal (Patent Document 2). .

JP 2002-312316 A JP 2005-293151 A

  In mobile business, generally, a user carries a personalized terminal device such as a PC, a PDA, or a mobile phone and uses it at home or in the city. In the prior art, when the user does not carry the terminal device, the telework can be safely executed in the terminal device by using the terminal device after the user authentication is completed at the terminal device installed at the destination. At this time, it is necessary to maintain (carry) the terminal environment of the user even if the terminal to be used is changed.

  However, there is no protection against attacks on terminal systems that guarantee the safety of a large number of unspecified terminals to users and terminal systems that personalize the terminal environment in order to ensure information security at the time of use terminal migration. There was a problem.

  For example, Patent Document 1 discloses a technique for preventing unauthorized access in which a terminal on which user authentication has been established is used as a stepping stone and another person impersonates a legitimate user. In Patent Document 1, a determination unit that determines whether or not user authentication is established for a terminal blocks access from the outside, and prevents unauthorized access by impersonating a legitimate user using the terminal as a step. However, although the above-mentioned Patent Document 1 can prevent unauthorized access to a terminal that is being used by a user, a terminal (for example, a public terminal, kiosk, etc.) that can be used by the user temporarily borrowing a device (computer). In the terminal, there is a possibility that a third party operates an unauthorized program before use. For this reason, in the said prior art, there existed a problem that the user could not confirm the safety | security of a terminal.

  Further, in Patent Document 2, a terminal legitimacy that allows a user to confirm the validity of a terminal without passing any information about the user to a terminal for which the user has not yet confirmed the validity. A quality assurance technique is disclosed. In this patent document 2, a user obtains an identifier of a terminal prior to use of the terminal, and then accesses the validity confirmation server and sends the identifier. The validity confirmation server requests validity certification information from the terminal, and sends the validity confirmation result to the user when confirmation is completed.

  If the validity confirmation result is composed of the same information every time, a fake terminal can pretend to be a legitimate terminal by a so-called replay attack technique. In Patent Document 2, in order to prevent such an attack, when carrying out the validity check process, a random number is given to the terminal and displayed to the user, and the random number is given to the validity check result, Replay attack is prevented by confirming that the random number displayed on the terminal matches the random number given to the validity check result.

  However, in the above-mentioned Patent Document 2, no countermeasure against a so-called man-in-the-middle attack is taken. A man-in-the-middle attack is an attack technique in which a fake terminal is placed between a legitimate terminal for a user and the fake terminal appears to be a legitimate terminal by relaying the interaction between the user and the legitimate terminal. The following methods can be considered. First, a fake terminal having a function of presenting a valid terminal identifier to a user is prepared. The user obtains the legitimate terminal identifier from the fake terminal and then accesses the legitimacy confirmation server to confirm the legitimacy. This validity check succeeds because it is performed on a legitimate terminal to which the identifier is assigned, not a fake terminal, and a random number is passed from the legitimacy confirmation server to the legitimate terminal and also to the user terminal. The random number is sent. For this reason, if the fake terminal can intercept the random number transmitted from the validity checking server to the legitimate terminal and present it to the user, a man-in-the-middle attack will be established.

  Furthermore, in the above-mentioned patent document 2, as a means for the user to confirm the validity confirmation information and the random number, display by a user terminal having a graphical user interface is required.

  Therefore, the present invention has been made in view of the above-described problems. When a user uses a terminal with uncertain safety, the user terminal is provided with a countermeasure against a man-in-the-middle attack and provided with a graphical user interface. It is intended that the terminal system presents the safety of the terminal to the user without using the terminal.

  In the terminal system, the terminal management server that manages the terminal confirms the safety of the terminal, the user confirms the information presented by the terminal management server on the terminal, and the confidentiality of the user necessary for using the service. The service (user identification information and authentication information) is made available only on terminals whose safety has been confirmed, and the provision of services is started.

  Specifically, a terminal system including a terminal having a memory and a terminal management server connected to the terminal via a network, the terminal is connected to an ID device storing a preset ID and authentication information, An authentication request unit that acquires an ID and authentication information from an ID device and transmits it as an authentication request to the terminal management server, an authenticity investigation unit that investigates the state of the memory, and a result that the authenticity investigation unit investigates to the terminal management server An authenticity investigation result transmission unit for transmission, and a confidential information processing unit for decrypting service use authentication information encrypted with a public key in the ID device with a private key corresponding to the public key, A terminal information registration unit that pre-registers unique information for each user of the terminal, and an ID and authentication information included in the authentication request received from the terminal in comparison with the preset user information. The authentication unit that performs authentication, the authenticity determination unit that determines that the terminal has not been tampered with from the investigation result received from the terminal, and the authentication has been successful and the authenticity determination unit has not been tampered with A unique information transmission unit that transmits information unique to the user to the terminal and a terminal public key management unit that manages the public key, and the terminal receives the user received from the terminal management server. Has a display unit for displaying information unique to the.

  According to the present invention, when a user uses a terminal with uncertain safety, the terminal system presents the safety of the terminal to the user, so that the user can safely provide the service from the server on the network. Can receive. Therefore, the convenience for the user and the safety when using the system of the user are improved.

It is a block diagram which shows the function structure of the terminal system of this invention. It is a block diagram which shows the hardware constitutions of the terminal management server of this invention. It is a block diagram which shows the hardware constitutions of the terminal of this invention. It is a figure explaining an example of the terminal information of this invention. It is a figure explaining an example of the user information of this invention. It is a block diagram which shows the hardware constitutions of the ID device of this invention. It is a screen image which shows an example of the information which the terminal management process part of this invention displays on the screen of a terminal. It is a perspective view which shows an example of the terminal of this invention. It is a sequence diagram which shows an example of the process performed with the terminal system of this invention. It is the sequence diagram which shows the 2nd Embodiment of this invention and shows an example of the process performed with a terminal system.

  Embodiments of the present invention will be described below with reference to the drawings. In the drawings, elements denoted by the same reference numerals have the same functions.

<First Embodiment>
FIG. 1 is a block diagram illustrating an example of a functional configuration of the terminal system according to the present embodiment. A terminal management server 100, a service providing server 150, and a terminal 130 are connected to the network 120 and can communicate with each other. Communication between the network 120 and each device is performed by the terminal management server 100, the service providing server 150, and the communication units (101, 151, 135) in the terminal 130.

  The terminal management server 100 includes a terminal management server processing unit 102, a storage 110, a terminal information registration unit 103, and a terminal public key management unit 104. The terminal management server processing unit 102 manages a plurality of terminals on the network 120 such as the terminal 130 via the communication unit 101 using information held in the storage 110. The storage 110 holds user information 105, authentication information 106, terminal information 107, and a log 108 of the terminal 130.

  Here, the user information 105 is managed by associating information on the user who uses the terminal 130 of the terminal system with information such as the usage authority and state described later, and the user environment of the user at the terminal. Is. The authentication information 106 is authentication information that the terminal management server 100 has. Specifically, the authentication information 106 is a common key that is secret information possessed by the terminal management server 100, a secret key corresponding to the public key certificate of the server, or the like. The authentication information 106 may be stored in a tamper resistant storage in the storage 110. The terminal information 107 is information that is managed by associating terminal information managed by the terminal management server 100 with information such as a terminal use authority and status described later. The tamper resistant storage is a storage device that can suppress analysis and modification of data from the outside. For example, the tamper resistant storage is provided with a cryptographic processing circuit and prohibits data access in a state where authentication is not completed. The technology can be applied. The terminal management server processing unit 102 and the terminal information registration unit 103 are configured by software, loaded from the storage 110 serving as a storage medium into the memory, and executed by a processor described later.

  The terminal 130 includes a terminal management processing unit 131, a service processing unit 132, a confidential information processing unit 133, a storage 139, a communication interface 134, and a communication unit 135. The terminal management processing unit 131 uses the information stored in the storage 139 to communicate with the terminal management server 100 and the service providing server 150 on the network 120 via the communication unit 135 and performs authentication described later before performing the terminal The service provided from the service providing server 150 is provided to 130 users. The storage 139 has terminal information 138 inside. The terminal information 138 is secret information that the terminal 130 has, such as a terminal ID, a common key, a public key certificate of the terminal, and a secret key corresponding to the public key. The communication interface 134 mediates communication between the function in the terminal 130 and the ID device 140.

  The service processing unit 132 displays one or more user environments when the terminal management processing unit 131 makes the user environment described below available on the terminal 130, or is used by the user for receiving services. Is an application. Specifically, it is a browser application or an application that communicates with the service processing unit 152 of the service providing server 150 for providing other services. The terminal management processing unit 131 and the service processing unit 132 are configured by software, loaded from a storage 139 as a storage medium into a memory, and executed by a processor described later.

  The ID device 140 includes a device management unit 141, a storage 142, and a communication interface 144. The device management unit 141 communicates with the terminal 130 via the communication interface 144 using information stored in the storage 142. The device management unit 141 also encrypts information stored in the storage 142 using the encryption key obtained via the communication interface 144 and then sends the information encrypted via the communication interface 144 to the terminal 130. Output. The storage 142 records authentication information 143. The authentication information 143 includes a common key that is secret information held by the user, a public key certificate of the user, a secret key corresponding to the public key, a server certificate for verifying authentication information transmitted by the terminal management server, and the like. Including.

  When the user owns the ID device 140 and uses the terminal 130 of the terminal system of the present embodiment, the ID device 140 is connected to the terminal 130 with uncertain safety by causing the communication interfaces 144 and 134 to communicate. . Communication performed between the communication interface 144 and the communication interface 134 of the terminal 130 includes short-range wireless communication, contact IC card communication, non-contact IC card communication, serial communication for peripheral device connection, and peripheral device connection. Parallel communication or the like. The ID device 140 may be formed in an IC card shape, for example, or may constitute a part of a portable device.

  The terminal 130 transmits the status of connection with the ID device 140 to the terminal management server 100 and sends an authentication information request to the ID device 140. Information sent to the ID device 140 is processed by the device management unit 141. If the terminal 130 determines that the user can use the terminal 130 by the terminal management server 100, the ID described later from the ID device 140 to the terminal 130 will be described later. The information is transmitted, and the user can use the user environment registered by the user on the terminal 130. This user environment is managed in the terminal information 107 on the terminal management server 100, and is registered in advance by the user.

  Among the terminal information 107, the user environment is registered by a user from a terminal (not shown) according to the administrator policy of the terminal management server 100 using the function of the terminal information registration unit 103 via the network 120. When registering the user environment, the user receives user authentication from the terminal information registration unit 103. The user environment registered in advance in the terminal management server 100 by the user is the type and specifications of the terminal 130 used by the user, the communication environment, and information specific to the user (images, sounds, videos, programs to be executed, etc.). Yes, it is registered in advance before the terminal 130 is used. The type of terminal is a classification including a mobile phone, a PC, a kiosk terminal, and a determination whether an application such as a browser can be used. The specifications of the terminal 130 include a screen size, display capability, arithmetic processing capability, connected peripheral device type, memory capacity, input / output device type, communication capability, audio output capability, security function, and the like. The communication environment is a state of communication quality between the terminal and the server.

  The service providing server 150 is a server computer that provides a service to the terminal 130 when the user's terminal 130 is accessed via the network 120, and includes a service processing unit 152, a storage 153, and a communication unit 151. Is done. The service processing unit 152 uses the user information 155 in the storage 153 to authenticate the user. In addition, the service processing unit 152 uses terminal information 157 in the storage 153 and authenticates a terminal used by the user as necessary. The user acquires server authentication information from the authentication information 156 in the storage 153 via the service processing unit 152 and performs server authentication of the service providing server 150. When the user authentication and the terminal authentication are successful, the user receives service provision from the service providing server 150 through the terminal 130. The service processing unit 152 is configured by software, loaded from a storage 153 as a storage medium into a memory, and executed by a processor described later.

  FIG. 8 shows an example of the appearance of the terminal 130. The terminal 130 includes a screen 801, an input device 802 such as a touch panel, a keyboard, and a numeric keypad, a reader / writer 803 such as a magnetic card and a contact IC card, a communication interface 144 such as a non-contact IC card, and an effect of preventing falsification of the casing. It has an anti-opening seal 805 that clearly indicates.

  The screen 801 shows the usage of the terminal 130, the type of encryption used in the terminal 130, the encryption strength, etc. before the user uses the terminal 130 or while the user is using the terminal 130. Information about the authenticity of the terminal 130 is notified to the user. Further, the screen 801 relates to the verification result such as the time when the authenticity of the terminal 130 is checked and the time when the authenticity is verified using the user authentication information and the user environment registered in the terminal management server 100. Information can be displayed.

  The terminal 130 uses an information device such as a mobile phone to access the terminal ID, the installation location of the terminal, and the status related to the authenticity of the terminal (internal status and when the administrator confirmed immediately before). Information (URL display by two-dimensional barcode in FIG. 8) is displayed. The user can inquire the terminal management server 100 about the authenticity of the terminal 130 based on the access information. The terminal management server 100 answers the inquiry from the user to the user based on the authenticity information transmitted from the terminal 130. The user can verify and confirm the answer result using information such as the public key certificate of the terminal management server 100.

  FIG. 9 is a sequence diagram of the terminal system when the user uses the terminal 130 to determine the safety of the terminal 130 using the function of the terminal management server 100 and receive a service from the service providing server 150.

<Initialization process>
The terminal 130 performs an initialization process 901 when an administrator or a user of the terminal 130 performs an operation for activation. The initialization process 901 includes activation of the OS of the terminal 130, activation of a management application (terminal management processing unit 131 and the like), connection to the network, process confirmation, and log recording. The initialization process 901 is performed not only by the operation of the administrator or user, but also when the user ends use or when an instruction is received from the terminal management server 100.

<Environment confirmation process>
The terminal 130 performs an environment confirmation process 902. The environment confirmation processing 902 is confirmation of connection to the management server 100 via the network 120 and confirmation of information such as a power source, connected peripheral devices, and locations where the devices are installed.

<Authenticity investigation processing>
In the authenticity check (903) step of the terminal 130, the process state loaded into the memory 302 (FIG. 3) of the terminal 130 and operated by the CPU 301 (FIG. 3), information on devices connected to the terminal 130, The terminal management processing unit 131 performs an investigation on the physical location where the terminal 130 is installed, the network state, the storage state, and the like in accordance with a procedure determined in advance by an administrator who manages the terminal 130.

<Details of authenticity survey>
In the investigation of the state of the process loaded into the memory 302 of the terminal 130 and executed by the CPU 301, the terminal management processing unit 131 confirms the operation state of the process operating on the terminal 130. Specifically, the result of comparing the process operation information of the terminal management processing unit 131 with the process scan result is confirmed in advance.

  As for information on devices connected to the terminal 130, the terminal management processing unit 131 checks the state of the device connected to the terminal 130 and the driver program that drives the device.

  The physical position where the terminal 130 is installed is investigated by using a positioning system such as a GPS (not shown) connected to the terminal 130, or input from a camera.

  In examining the state of the network 120, the terminal management processing unit 131 confirms the network address, connection path, connection quality, and the like. In the investigation of the state of the storage 139, the terminal management processing unit 131 investigates the storage capacity and the state of the partition, the file scan on the storage 139, and the result of the virus scan.

<Communication channel generation processing>
The terminal management processing unit 131 on the terminal 130 is connected to the terminal management server processing unit 102 of the terminal management server 100 via the communication unit 135 and the communication unit 101. The terminal management processing unit 131 performs communication channel (mutual authentication channel) generation (904) such as mutual authentication and SSL communication with the terminal management server processing unit 102. In step 904, the terminal management processing unit 131 verifies the information sent by the terminal management server processing unit 102 of the terminal management server 100 using the server certificate, and the terminal management server processing unit 102 performs the terminal management processing unit 131. Is verified using the terminal ID and authentication information (public key certificate or the like) of the terminal.

<Ensuring security of terminal authentication information>
After the mutual authentication process in step 904, secure sharing of secret information for communication is performed between the terminal management processing unit 131 and the terminal management server processing unit 102, and a secure communication path is established. Here, the authentication information used by the terminal management processing unit 131 is stored as terminal information 138 on the storage 139. In preparation for theft of the terminal 130, the terminal information 138 of the storage 139 may be stored in a tamper-resistant device. Further, in order to use the terminal information 138, the terminal information 138 may not be used unless the administrator of the terminal 130 inputs secret information such as a password.

<Authenticity survey result transmission>
The terminal management processing unit 131 on the terminal 130 transmits to the terminal management server processing unit 102 the authenticity check result acquired in the step of the authenticity check 903 of the terminal 130 and the terminal ID 401 preset for the terminal 130 ( 905). The terminal management server processing unit 102 on the terminal management server 100 verifies the validity of the received authenticity check result with reference to the terminal information 107 in the storage 110 (906).

<Contents of authenticity verification>
This verification is included in the authenticity verification information 409 of the terminal information 107 stored in the storage 110 from the authenticity investigation result and the terminal ID received by the terminal management server processing unit 102 of the terminal management server 100 from the terminal 130. Run based on policy.

  For example, in the server that has read the policy, the terminal management server processing unit 102 searches the terminal information 107 with the terminal ID 401 received from the terminal 130, and the network address of the terminal 130 included in the authenticity check result is the terminal information 107. It is determined whether or not the address 404 (FIG. 4) matches. Further, the terminal management server processing unit 102 searches the terminal information 107 with the terminal ID 401 received from the terminal 130, and the location information (latitude and longitude) of the terminal 130 included in the authenticity check result is the location 408 of the terminal information 107. It is determined whether or not it matches (FIG. 4). Further, the terminal management server processing unit 102 determines from the authenticity check result received from the terminal 130 that an unauthorized program or file has not been detected. Then, the terminal management server processing unit 102 of the terminal management server 100 authenticates the terminal 130 when the network address and the position information of the terminal 130 match the terminal information 107 and no unauthorized program is detected. It is determined that the terminal is (legitimate).

<Transmission of authenticity verification result>
When the authenticity check result is verified as valid, the terminal management server processing unit 102 transmits the authenticity verification result to the terminal management processing unit 131 (907). On the other hand, if the authenticity verification result is not verified as valid, the terminal management server processing unit 102 notifies the authenticity verification result to the administrator of the terminal management server 100 or the administrator of the terminal 130. This notification is performed by e-mail, FAX, notification using a network, telephone or the like. In addition, the terminal management server processing unit 102 stores the verification result that is not valid in the log 108 on the storage 110. Next, the terminal management server processing unit 102 transmits a result “not determined to be valid” to the terminal management processing unit 131. When the terminal management processing unit 131 of the terminal 130 receives the authenticity verification result “not determined as valid” from the terminal management server processing unit 102, the processing of the authenticity check 903 of the terminal 130 and the authenticity check result The transmission (905) is repeated up to a predetermined number of times. Each time the authenticity check result is received from the terminal 130, the terminal management server processing unit 102 performs verification (906) of whether or not the authenticity check result is valid. Specifically, authenticity verification refers to the process status that is sent inside the terminal, information about the device connected to the terminal, the physical location where the terminal is installed, the network status, and the storage status. The status, file scan, virus scan result, and the like are compared with information registered in the terminal information 107 in advance.

  Until it is recognized that the transmission of the authenticity check result is correct, the terminal management processing unit 131 displays on the display screen of the terminal 130 that the authenticity of the terminal is being checked. When the terminal management server processing unit 102 receives an invalid investigation result for a predetermined number of times per predetermined time for the terminal 130, the terminal management server processing unit 102 blocks communication with the terminal management server 100 of the terminal 130.

  When communication with the terminal 130 is interrupted, the terminal management server processing unit 102 notifies the administrator of the terminal management server 100 and the administrator of the terminal 130 of the result of communication disconnection. This notification is performed by e-mail, FAX, notification using a network, telephone or the like. Further, the terminal management server processing unit 102 saves the result of blocking communication in the log 108 on the storage 110.

<Saving the result of authenticity verification>
When the terminal management processing unit 131 on the terminal 130 receives the authenticity verification result, the terminal management processing unit 131 stores the authenticity verification result in the storage 139 (908). The authenticity verification result is protected by protected communication (mutual authentication channel) between the terminal management server 100 and the terminal 130. Also, information transmitted to and received from the terminal management server 100 is encrypted with the public key of the terminal 130 and is transmitted in a state that can only be decrypted by the terminal management processing unit 131. The authenticity verification result includes time information (how long the verification has been performed and the current time) and information such as the state of the terminal 130 for the terminal management server processing unit 102 to update the terminal information 107. include.

<Maintaining authenticity verification state>
Based on the authenticity check 903 and authenticity verification 906 of the terminal 130, the terminal management server determines that the terminal 130 is a computer in which an unauthorized program is not operating and is installed at a predetermined position and capable of secure communication. Determined by 100. That is, it is guaranteed that the environment of the terminal 130 has not been altered by a user before the user who uses the terminal 130 this time, and the terminal 130 is determined to be authentic.

  Further, in the authenticity check 903 performed at the terminal 130, the check result includes the time when the check was performed, and in the authenticity verification 906 performed by the terminal management server 100, the policy included in the authenticity verification information 409 is displayed at the terminal 130. In the case of limiting the difference between the time of the authenticity investigation performed and the current time, if the difference between the time of the authenticity investigation and the current time exceeds a predetermined value, the investigation result is discarded and not used. That is, by prohibiting the use of old authenticity investigation results, the accuracy of authenticity determination can be improved. Note that after discarding the investigation result, the terminal management server 100 can instruct the terminal 130 to execute the authenticity investigation 903 again.

<Start of use (device connection) and sending of authentication information request (ID device → terminal)>
When using the terminal 130, the user causes the terminal 130 and the ID device 140 to communicate with each other via the communication interface 134 and the communication interface 144 (909). In response to an instruction from the terminal management processing unit 131, the device management unit 141 on the ID device 140 transmits an authentication information request to the terminal management processing unit 131 via the communication interface 144 and the communication interface 134 (910). Specifically, the authentication information request is to perform digest authentication. As an example of digest authentication, for example, challenge-and-response authentication defined in RFC 2069 is performed between the ID device 140 and the terminal management server 100.

<Authentication information request transfer (terminal to terminal management server), second authentication information generation>
The terminal management processing unit 131 transmits the authentication information request received from the ID device 140 to the terminal management server processing unit 102 (911). When the terminal management server 100 accepts the challenge and response authentication information request from the terminal 130, the information and authenticity of the terminal 130 from the transmission result (history 406) of the terminal (terminal 130) set in the terminal information 107. Verify the verification result. If the verification result of authenticity matches a predetermined policy, the terminal management server processing unit 102 generates authentication information by challenge-and-response and creates a second authentication information request. (912).

<Second authentication information generation and return, authentication information transfer (terminal → ID device)>
The terminal management server processing unit 102 transmits the generated authentication information, the second authentication information request, and the public key of the terminal 130 obtained from the terminal public key management unit 104 to the terminal management processing unit 131 (913). The unit 131 transmits the received authentication information, the second authentication information request, and the public key of the terminal 130 to the ID device 140 via the communication interface 134 and the communication interface 144 (914). Here, the authenticity of the public key of the terminal 130 may be guaranteed by a public key certificate.

<Authentication of terminal management server by ID device>
The ID device 140 examines the validity of the authentication information by the challenge and response received from the terminal 130, and if it is valid, the ID device 140 stores the ID stored in the storage 142 and the second received from the terminal 130. Second authentication information for the authentication information request is generated (915). At the time of this processing 915, the ID device 140 and the terminal management server 100 complete the digest authentication by challenge and response.

<Explanation of authentication method variations>
Here, the validity of the authentication information determined by the ID device 140 differs depending on the type of authentication information received from the terminal 130. If the authentication information is a password (pre-shared common key), the authentication is performed by comparing the password stored in the storage 142 with the received authentication information. If the authentication information is digest authentication, the authentication request or the authentication information includes a random number, and the authentication information validity is determined by verifying the digest. If the authentication information is a signature, the validity of the authentication information is determined by signature verification.

<Display authentication result of terminal management server by ID device>
In step 915, if the validity of the authentication information cannot be verified, the ID device 140 does not make a subsequent response. If the ID device 140 is equipped with a display function or a speaker, if the validity of the authentication information has not been verified, information on which the validity of the authentication information has not been verified can be displayed on the screen, music or a warning sound can be displayed. Alert the user by ringing. Similarly, when the validity of the authentication information can be verified, information on which the validity of the authentication information can be verified is displayed on the screen, or a different music or warning sound is played from when the validity cannot be verified. To inform the user of the verification result.

<Presentation of user ID and authentication information to terminal management server>
The ID device 140 transmits the ID (user ID) and the second authentication information (secret information) read from the storage 142 to the terminal management processing unit 131 (916). The terminal management processing unit 131 transmits the received ID and second authentication information to the terminal management server processing unit 102 (917).

<User (ID device) authentication by terminal management server>
The terminal management server processing unit 102 compares the ID and the second authentication information received from the terminal 130 with the user information 105 on the storage 110 and uses the terminal 130 (the owner of the ID device 140). Authenticate. In this authentication, the user ID 501 (FIG. 5) of the user information 105 is searched with the ID received from the terminal 130, and the secret information 503 (FIG. 5) of the corresponding record is compared with the received second authentication information. To determine whether the user is valid.

<Preparation of user environment>
When the terminal management server processing unit 102 determines that the user is a valid user based on the ID (user ID) and the second authentication information (secret information) from the ID device 140, the user registers and Prepare for transmission of the existing user environment. The user environment is stored in the status 506 (FIG. 5) of the user information 105 and is associated with the user ID 501. The user environment is, for example, data and scripts such as information related to the user (name, nickname, ID number, illustration, photo), an application that operates on the terminal 130, and a screen configuration that is used by the application that operates on the terminal 130. .

<Variation of user environment>
At the time of user environment transmission preparation (918), the terminal management server processing unit 102 selects a user environment registered in the user and usable in an environment that can be used by the terminal 130. This is determined by referring to the state of the terminal included in the authenticity verification result and the request from the user that is simultaneously transmitted when transmitting the terminal information 107 and the authentication information. This selection of usable items prevents a user from using an environment that cannot be used because the user cannot use the terminal 130 even if the browser screen configuration data or script is transmitted to the terminal 130 on which the browser application is not installed. It is done in order to

<User environment transmission and display>
The terminal management server processing unit 102 transmits the user environment determined in the user environment transmission preparation 918 to the terminal management processing unit 131 (919). The terminal management processing unit 131 executes the user environment received from the terminal management server 100 on the terminal 130. Authentication information (signature) that guarantees safety when executed by the terminal 130 is added to the user environment transmitted in step 919 as necessary. The terminal 130 confirms authentication information that guarantees this safety. The terminal management processing unit 131 classifies the user environment received from the terminal management server 100 by a predetermined method, and executes or displays the user environment on the terminal 130. If the user environment is information related to the user, the terminal management processing unit 131 displays the information related to the user and performs confirmation (920). If the user environment is an application (program) that runs on the terminal 130, the application is executed on the terminal 130 and is confirmed by the user (920). If the confirmation is data or a script such as a screen configuration used by an application operating on the terminal 130, the user is confirmed whether or not the necessary application is to be operated, and then the data or script is transmitted to the application. Confirm by the user.

<Recognition of safety by users>
The user recognizes that the terminal 130 is a terminal 130 that can be used legally only after confirming the information displayed in step 920 after connecting the ID device 140 to the terminal 130. Through the above processing, the user can know the authenticity verification result of the terminal 130. In the present embodiment, a counterfeit terminal is installed between the user and the legitimate terminal 130, thereby enabling countermeasures against the man-in-the-middle attack method that relays the interaction between the user and the legitimate terminal. In the sequence up to step 920 in FIG. 9, a fake terminal pretends to be an ID device for a legitimate terminal 130 and pretend to be a terminal 130 for a legitimate ID device 140. Yes, if you meet.

  (1) In step 911, the authentication information request received by the fake terminal from the ID device 140 is transferred to the terminal processing unit 131 of the legitimate terminal 130, and the terminal management server 100 verifies the authenticity verification result of the legitimate terminal 130. .

  Since the terminal management server processing unit 102 has received the authentication information request from the legitimate terminal 130, if the authenticity verification result of the legitimate terminal 130 matches a predetermined policy, step 912 is correctly executed. Will be implemented.

  (2) In step 914, the fake terminal pretends to be an ID device and sends the authentication information and the second authentication information request received from the legitimate terminal 130 to the legitimate ID device 140 by pretending to be a legitimate terminal. To do.

  (3) In step 916, the fake terminal pretends to be the legitimate terminal 130, received the ID and the second authentication information from the ID device 140, and pretend to be the ID device and received to the legitimate terminal 130. Relay.

  When the above conditions are satisfied, the user environment can be executed or displayed on the legitimate terminal 130 in step 919. Therefore, if a user environment in which a fake terminal is displayed on the legitimate terminal 130 can be acquired and displayed on the fake terminal, a man-in-the-middle attack is established.

<Acquisition of authentication information for service use>
Next, an application running on the terminal management processing unit 131 or the terminal 130 prepares for providing the service to the user. When it is necessary to transmit service usage authentication information as further authentication information for service usage, the user requests information for service usage authentication (request for ID, request for password, Responds to the request for biometric authentication information, request for privacy information, request for input of other secret information) according to the display on the screen. The input information for authentication is transmitted to the ID device 140 and the terminal management server processing unit 102 (921). The ID device 140 generates service use authentication information (signature information), which is further authentication information, from the received authentication information (for example, PIN) (922) and transmits it to the terminal 130 (923). Here, in order to make the man-in-the-middle attack impossible, in step 922, further authentication information (signature information) is encrypted using the public key of the terminal 130 received in step 914, and in step 923 the terminal 130 is informed. Send.

<Service request>
The user makes a service provision request to the terminal management server 100 and the service providing server 150 using an application running on the terminal management processing unit 131 and the terminal 130 (924). In step 924, the service providing server 150 performs an authentication process for the user of the terminal 130, and encrypts communication with a quality necessary for providing the service. The service use authentication information necessary for the user authentication process is encrypted using the public key of the terminal 130 in step 922, and the terminal 130 uses the secret information processing unit 133 to authenticate the authentication information using its own secret key. Perform decryption processing. Then, the terminal 130 sends terminal information including the authenticity verification result (925). The service providing server 150 verifies the service request including the authentication information transmitted by the terminal 130 and the terminal information including the authenticity verification result, and provides the service to the user via the terminal 130 according to a preset service provision policy. (926). Since the terminal information including the authenticity verification result includes information such as a signature that is issued by the terminal management server 100 in step 907, the service providing server 150 can perform the verification.

<Inheriting service status>
At this time, in step 916 of transmitting authentication information, the service received by the user before the start of use of the terminal 130 and the status of the service are received from the ID device 140 by the terminal 130, and the service request transmitted in step 924 is received. By including the service, the user can take over the service and the state of the service that were being executed before the use of the terminal 130 is started with a simple operation. The service and the status of the service indicate the service and the status of the service used by the user in a terminal different from the terminal 130 with which the ID device 140 has previously communicated. Alternatively, when the ID device 140 has the function of the terminal 130, the service executed on the ID device 140 and the status of the service are indicated.

  Communication between the ID device 140 and the terminal 130 and communication between the service providing server 150 and the terminal 130 may be encrypted to prevent eavesdropping. The request for authentication information and the creation of authentication information are not limited to digest authentication or signature verification using public key cryptography, but may be confirmation of biometric information or other authentication information requests and responses to authentication information requests. .

<Processing at the end of use>
The terminal management processing unit 131 detects that the user has ended the use (927), transmits that the user has stopped using the service to the service providing server 150 (928), and also transmits it to the terminal management server 100 (929). ). The method for detecting the end of use by the user is determined in advance from the start of use by the user, such as when the user inputs to the input device of the terminal 130 to indicate the end, or there is no predetermined time input. The terminal 130 is not able to communicate with the ID device 140 and the terminal 130 for a predetermined time because the user has left the place of use or the user has left the place of use. This is a method for detecting the end of use. When the terminal management processing unit 131 detects that the user has finished using the terminal, the terminal management processing unit 131 restarts the terminal 130 or initializes the contents of the memory 302 and the storage 139 described later. As a result, step 901 is started, and a state in which the next user can use the terminal 130 safely is configured.

  Services that the terminal 130 receives from the service providing server 150 include, for example, transmission / reception of streaming information, video conferencing, telephone conferences, mail transmission / reception, remote access using VPN, provision of virtual desktops, use of WEB applications, online games, e-mail Learning, blog use, SIP service use, location information service use, sales support system use, mail service use, PIM service use, office tool use, search service use, and the like.

  FIG. 4 shows an example of the terminal information 107 recorded in the storage 110 of the terminal management server 100. In FIG. 4, terminal information 107 includes a terminal ID 401, a user ID 402, a model 403, an address 404, a management ID 405, a history 406, a status 407, a location 408, and a verification ID. Information 409 and remarks 410 are registered in association with each other.

  The terminal ID 401 is assigned and managed by the terminal manager to the terminal 130 by an individual ID. In the terminal 130, the terminal ID 401 is stored in the storage 139. In step 904 described above, the terminal ID 401 is transmitted from the terminal management server 100. Since the authenticity check result transmitted in step 905 includes information related to the terminal of the terminal information 107, the terminal management server 100 relates to the terminal 130 from the authenticity check result transmitted by the terminal 130. The terminal information 107 is updated.

  The user ID 402 indicates a user who is currently using the corresponding terminal 130. A model 403 indicates a model corresponding to the terminal 130. An address 404 indicates an address such as an IP address that is an identifier on the network 120 to which the terminal 130 is connected. The management ID 405 indicates the ID of a management body or manager of a management company or the like that manages the corresponding terminal 130. The history 406 stores information transmitted from the terminal 130 to the terminal management server 100 and a log recording the state of the terminal 130. This log is a combination of time and information related to other terminals. The other information related to the terminal 130 includes status information that records activation, termination, reset time, maintenance information, application, service, etc. of the terminal 130 and device information connected to the terminal 130.

  The terminal status 407 indicates the current status of the corresponding terminal 130. For example, the status of the service used by the user and the status of the service waiting for the user's use. A place 408 indicates a place where the terminal 130 is installed, and is expressed by, for example, longitude and latitude. The verification information 409 records information and a policy for the terminal management server processing unit 102 to verify the authenticity (whether the investigation result is valid or not valid) in the above step 906. This verification information 409 is defined and updated by the administrator of the terminal 130. The remark 410 records other error status information, maintenance information, and special information for authentication.

  FIG. 5 shows an example of user information 105 recorded in the storage 110 of the terminal management server 100. User public key certificate 502, secret information 503 such as a common key, management ID 504, history 505, status 506, terminal ID 507 used by the user, and remarks 508 corresponding to the user ID 501 are registered. .

  The user ID 501 is managed by the system administrator by assigning an individual ID to the user. The user ID 501 is stored and managed by the user (or administrator) inside the ID device 140. The ID transmitted in the above-described step 916 includes the user ID 501 or is managed in association with the user ID 501 by a predetermined method.

  The user public key certificate 502 is a public certificate issued from a certificate authority trusted by the user, and is a public key certificate corresponding to a private key stored in the ID device 140 by the user. The secret information 503 such as a common key is a pre-shared common key, a session key, or a random number used when mutual authentication or sharing of common secret information is performed with the ID device 140 used by the user.

  The management ID 504 indicates the ID of a management body or manager such as a management company that manages the corresponding user. The history 505 stores a log in which processing and status (application status) performed by the user on the terminal 130 are recorded. The log is a combination of time and information related to processing and status performed by other users. The information related to the processing and status performed by other users includes information on the start of use of the terminal, operation on the terminal, information on the end of use of the terminal, and ID device information used.

  The status 506 indicates in what situation the corresponding user is currently using the service. The terminal ID 507 is the terminal ID of the terminal 130 currently used by the user. In the remark 508, other error state information, maintenance information, and special information for authentication are recorded.

  FIG. 2 is a block diagram illustrating a hardware configuration of the terminal management server 100. The terminal management server 100 has a configuration in which a CPU 201, a memory 202, a storage 203, a NIC (network interface card) 204, and an input / output device 205 are connected via a bus. The NIC 204 is connected to the network 120 to configure the communication unit 101 in FIG. The storage 203 corresponds to the storage 110 in FIG. 1, and the function of the storage 203 is realized by a locally connected storage device or a storage (not shown) on the network 120.

  The terminal management server processing unit 102 and the terminal information registration unit 103 load the programs stored in the storage 110 into the memory 202 and execute them by the CPU 201, thereby realizing the functions of these programs.

  FIG. 3 is a block diagram illustrating a hardware configuration of the terminal 130. The terminal 130 has a configuration in which a CPU 301, a memory 302, a storage 303, a NIC 304, an input / output device 305, and a tamper-resistant storage 306 are connected via a bus. The NIC 304 is connected to the network 120. The functions of the storage 303 or the tamper resistant storage 306 and the storage on the network are collectively shown as a storage 139 in FIG.

  Functions of the terminal management processing unit 131 and the service processing unit 132 are realized by loading a program stored in the storage 303 into the memory 302 and executing the program by the CPU 301. The tamper resistant storage 306 stores authentication information held by the user and the terminal 130. The terminal ID and authentication information related to the terminal ID (common key, secret key, public key certificate, etc.) are also stored in the tamper resistant storage 306. The input / output device 305 includes a communication interface 134, an input device such as a screen, a touch panel, a keyboard, and a numeric keypad, a reader / writer such as a magnetic card and a contact IC card, and a communication interface such as a non-contact IC card.

  FIG. 6 is a block diagram illustrating a hardware configuration of the ID device 140. The ID device 140 has a configuration in which a CPU 601, a memory 602, a storage 603, a communication interface 144, an input / output device 604, and a tamper resistant storage 605 are connected by a bus. The communication interface 144 is configured to be connectable with the communication interface 134 of the terminal 130. The ID device 140 has a communication unit (not shown) and may have a terminal function for receiving service equivalent to the terminal 130.

  The storage 142 is realized by combining the storage 603 or the tamper resistant storage 605. The function of the device management unit 141 is realized by loading a program stored in the storage 603 into the memory 602 and executing it by the CPU 601. The tamper-resistant storage 605 stores authentication information (for example, user ID 501 and secret information 503) held by the user and information (for example, a public key) that guarantees the authenticity of the terminal management server 100. The input / output device 604 includes an input device such as a screen, a touch panel, a keyboard, and a numeric keypad, a reader / writer such as a magnetic card and a contact IC card, and a communication interface such as a non-contact IC card.

  FIG. 7 shows information (user environment display 700) displayed on the screen of the terminal 130 when the user environment is transmitted to the terminal 130 in step 919 shown in FIG. 9 of the present embodiment. It is a figure explaining. The user environment display 700 includes a service display unit 701, a status display unit 702, a password input unit 703, a personal information display unit 704, and an image display unit 705. Since the user can arbitrarily register with the terminal management server 100 in the user environment, the personal information display unit 704 displays a name, a nickname, and information related to the user, or the image display unit 705 uses the user environment. It is possible to display information related to the user such as the user's favorite photo. When the user confirms the display of the user environment on the terminal 130, the user can confirm the safety of the terminal 130 and receive a highly convenient service.

  As described above, by configuring a terminal system in which the terminal 130 that can be used by an unspecified number of users and the terminal management server 100 are connected via a network, the user can perform a simple operation with an uncertain authenticity terminal. The service can be used after confirming the authenticity of 130, and the convenience for the user and the safety of handling information such as browsing and processing are improved.

  Also, simply by the user performing an authentication operation with the terminal 130 using the ID device 140, the user can construct a user environment in the terminal 130 in accordance with the specifications of the terminal 130 and the usage situation. Since the time to start can be reduced, convenience for the user is improved.

Second Embodiment
FIG. 10 is a sequence diagram of a system in which a user uses the terminal 130 according to the present embodiment to determine the safety of the terminal 130 using the function of the terminal management server 100 and receive a service from the service providing server 150. is there.

  The difference from FIG. 9 of the first embodiment is that the content of the authenticity verification result in step 1006 is different from the user environment display and confirmation steps in step 1020, and the terminal management server 100 is the main step. It is a point to perform the procedure of the service use of the user. Others are the same as FIG. 9 of 1st Embodiment.

  In step 1006, the terminal management server processing unit 102 verifies authenticity. When it is verified that the authenticity check result is valid, the authenticity verification result is transmitted from the terminal management server processing unit 102 to the terminal management processing unit 131 (907). This authenticity verification result is encrypted so that it can be decrypted by the terminal 130 and can be verified by the ID device 140. When the user starts using the terminal 130 (909), in response to the authentication request 910 of the ID device 140, the authenticity verification result is transmitted to the ID device 140 as the authentication information and the second authentication request. 140 can confirm the authenticity of the terminal 130 and can proceed with the processing from step 1016 onward.

  At this time, the ID device 140 may perform the authenticity using time information of the ID device 140 or an inquiry to the terminal management server 100 via another network. Further, the authenticity may be verified by displaying the calculation result calculated from the authenticity verification result to the user and comparing it with the display on the terminal 130.

  Further, by including the service request and authentication information for service use in the second authentication information transmitted in step 1016, the user instructs the terminal management server 100 via the terminal 130 about the service use request. After (1021, 1022), the terminal management server 100 sends a service provision start request to the terminal 130 and terminal information including the authenticity verification result of the terminal (1023, 1024) to the service providing server 150, The user receives a service (1025).

  By configuring the terminal system in which the terminal 130 and the terminal management server 100 are connected through the network 120 in this way, the time until service start and user operations can be reduced compared to the first embodiment. Improved convenience.

  In step 1016, the terminal 130 is configured to receive the service and the service status that the user has executed before the use of the terminal 130 is started. In step 1025, the user can use the terminal 130 before the use of the terminal 130. If the service and the status of the service that have been executed can be taken over, the user can take over the service and the status of the service that have been executed in a few operations. This improves the convenience for the user. This service and the service status are the service and service status used by the user at a terminal different from the terminal 130 with which the ID device 140 communicated before, or the ID device 140 has the function of a terminal and the ID device 140 Shows the service running above and the status of the service.

  In each embodiment, the terminal management server 100 and the service providing server 150 are configured by different computers. However, the functions of the terminal management server 100 and the service providing server 150 can be provided by a single computer. .

  According to this embodiment, it can be applied to a computer system including a terminal that is borrowed and used temporarily by an unspecified number of users, and further, a terminal that is borrowed and used temporarily by an unspecified number of users. It can be applied to a management server that manages

  100: terminal management server, 102: terminal management server processing unit, 103: terminal information registration unit, 104: terminal public key management unit, 110: storage, 130: terminal, 131: terminal management processing unit, 132: service processing unit, 133: confidential information processing unit, 139: storage, 140: ID device, 141: device management unit, 150: service providing server, 152: service processing unit

Claims (6)

A terminal system including a terminal having a memory and a terminal management server connected to the terminal via a network,
The terminal
An authentication request unit connected to an ID device storing a preset ID and authentication information, acquiring the ID and the authentication information from the ID device, and transmitting the ID and the authentication information to the terminal management server;
An authenticity investigation unit for investigating the state of the memory;
An authenticity investigation result transmission unit for transmitting the result of investigation by the authenticity investigation unit to the terminal management server;
A confidential information processing unit that decrypts service use authentication information encrypted by a public key in the ID device for a user to use a service of a service providing server with a private key corresponding to the public key And
The terminal management server
A terminal information registration unit for registering in advance specific information indicating the user environment that can identify the user of the terminal,
An authentication unit that performs authentication by comparing the ID and the authentication information included in the authentication request received from the terminal with preset user information;
An authenticity determination unit that determines that the terminal has not been tampered with based on the investigation result received from the terminal;
A unique information transmitting unit that transmits information unique to the user to the terminal when the authentication is successful and the authenticity determining unit determines that the authentication has not been performed;
A terminal public key management unit for managing the public key,
The terminal
In order for the user to confirm that the terminal is a legitimately usable terminal, information specific to the user received from the terminal management server is displayed, and for verification by the service providing server, A service processing unit that transmits to the service providing server a service request including the service use authentication information decrypted with the secret key and terminal information including a result investigated by the authenticity examining unit ; Terminal system. The terminal system according to claim 1,
The terminal information registration unit that pre-registers unique information for each user of the terminal,
Pre-register applications to be executed for each user,
The terminal
A terminal system that acquires the application based on information unique to the user received from the terminal management server and executes the application. The terminal system according to claim 1,
The authenticity research department
The result of investigating the state of the memory includes time information at which the investigation was performed,
The authenticity determination unit includes:
A terminal system, wherein when a difference between time information included in a result of investigation by the authenticity investigation unit and a current time exceeds a predetermined value, the investigation result is discarded. The terminal system according to any one of claims 1 to 3,
The ID device is
A storage unit that stores the authentication information in advance;
A communication interface for communicating with the terminal;
A device management unit that performs mutual authentication with the terminal management server and transmits the authentication information stored in the storage unit to the terminal when the result of the mutual authentication is successful;
A terminal system comprising: The terminal system according to claim 1,
The terminal information registration unit that pre-registers unique information for each user of the terminal,
The application used immediately before the user uses the terminal is stored as unique information for each user,
The terminal
A terminal system that acquires the application based on information unique to the user received from the terminal management server, executes the application, and continuously provides the application to the user. The terminal system according to claim 1,
A service providing server for providing a service to the terminal;
The terminal management server
When a service request is received from the terminal, the service request is sent to the service providing server together with the authentication result of the authentication unit and the determination result of the authenticity determination unit,
The service providing server includes:
A terminal system that receives the authentication result and the determination result of the authenticity determination unit and starts providing a service for the service request.

Images