JP5604176B2 - Authentication cooperation apparatus and program thereof, device authentication apparatus and program thereof, and authentication cooperation system - Google Patents

Description

  The present invention relates to an authentication linkage apparatus and program, apparatus authentication apparatus and program, and authentication apparatus that can integrally handle an authentication result of a user who enjoys a service and an authentication result of a device used by the user, and authentication It relates to a linkage system.

2. Description of the Related Art In recent years, personal electronic services that authenticate user identities (identities) via a network and provide services according to the authentication results have become popular. Examples of this service include a service for browsing secure information including personal information (such as a net bank) and a service for distributing multimedia contents to members and charged users.
While the situation in which such services can be freely used in various access environments improves convenience, there are concerns about problems of information leakage and unauthorized use of contents due to the use of unauthorized devices and impersonation of the person himself / herself.

  Therefore, information leakage and unauthorized use of content are restricted by restricting the terminals that refer to and use secure personal information and copyrighted content to legitimate devices owned by the principal or those authorized to use the principal. It is expected to reduce the risk of For example, even if credit information such as a user's own password is leaked by restricting the use of the service to access from a mobile terminal or a fixed terminal registered by the individual in advance, the service fraud that misuses that information Risk of use can be minimized.

  As described above, in order to limit the devices used by the user, it is necessary to bind the individual user and the device used by the user. For example, in Non-Patent Document 1, a user uses a smart card in which authentication information such as a device public key certificate, a multi-user attribute certificate, and an access control list is stored in a tamper-resistant area. Device used by the user by performing device authentication with the other terminal (authenticating device) after acquiring ownership of the device to be used (authenticating device) by entering Number (personal identification number) A technique is disclosed for realizing authorization based on ownership bound to. In the method disclosed in Non-Patent Document 1, it is assumed that there is a one-to-one relationship between a device that performs authentication and a device that receives authentication.

  However, in recent years, standardization of identity linkage technology has progressed, and the service provider or the service providing apparatus itself does not always authenticate the requested counterpart terminal or the user, and is a terminal different from the service providing apparatus. In some cases, device authentication and personal authentication are performed. For example, in Non-Patent Document 2, a frame that realizes authentication cooperation by performing identity authentication of a user with a specific device that is in a trust relationship with the service provider and using the authentication information in succession by a plurality of service providers. Work is advocated. Non-Patent Document 3 discloses a standardized specification indicating the authentication information in a description method called an XML format assertion.

In such a current situation, a technique for binding a subject such as a user or a device who enjoys a service has been disclosed (see Patent Document 1).
The invention according to Patent Document 1 associates individual entities, whose trust is guaranteed by different trust anchors (credit points), with a new entity in the entity dynamic control device, thereby allowing dynamic binding of different entities. Realized.
As a result, the invention according to Patent Document 1 can dynamically consider authentication information of different entities, that is, a user and a device (user terminal) used by the user, as being associated with the same entity.

JP 2008-108203 A

“Design and Implementation of an Inter-Device Authentication Framework Guaranteeing Explicit Ownership”, IPSJ Journal, 49 (2), p. 808-821, 2008 Liberty Alliance Project, “Liberty Alliance ID-FF1.2 Specifications”, [online], [searched April 22, 2010], Internet, (URL: http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_ff_1_2_specifications /) OASIS, “Assertion and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0”, [online], [Search April 22, 2010], Internet, (URL: http: //docs.oasis-open .org / security / saml / v2.0 / saml-core-2.0-os.pdf), March 15, 2005

  In the method disclosed in Non-Patent Document 1 described above, each service provider needs to perform original device authentication and user authentication. Therefore, a service mode in which a plurality of services using the above-described identity cooperation technology are performed in cooperation with each other. Cannot be realized, resulting in a very closed service form.

  Further, the invention according to Patent Document 1 described above allows the service provider to bind two or more different entities (users, user terminals, etc.) whose reliability has been confirmed to a dynamically generated new entity. It is characterized by flexible access control. However, the subject dynamic control device in the invention according to Patent Document 1 performs unconditional binding if two or more different subjects whose reliability is guaranteed are presented. It is not guaranteed whether the two entities are associated in advance.

  Further, in the invention according to Patent Document 1, the subject dynamic control device generates a new subject based on a service request made to the service provider. It is not assumed to be used in cooperation between multiple services.

  The present invention has been made in view of the problems as described above, and does not perform authentication of the apparatus main body in each service providing apparatus, but as information associated with the authentication information of the user main body between a plurality of service providing apparatuses. It is an object of the present invention to provide an authentication collaboration apparatus and program that can be used in cooperation (identity collaboration), a device authentication apparatus and program thereof, and an authentication collaboration system.

  The present invention has been developed to solve the above-described problem. First, the authentication collaboration apparatus according to claim 1 authenticates a user who uses the service among a plurality of service providing apparatuses that provide the service. An authentication cooperation device of an authentication cooperation system comprising an authentication cooperation device that performs authentication in cooperation with a device authentication device that performs device authentication of a user-use terminal that uses the service, and includes an authentication request reception unit, a user authentication unit, The authentication information issuing means, the authentication information storing means, the device authentication requesting means, the device authentication result receiving means, and the authentication information updating means.

  In this configuration, the authentication collaboration apparatus receives a user authentication request indicating a user authentication request from the service providing apparatus from which the user has requested a service by the authentication request receiving unit. Then, when the user authentication unit receives the user authentication request by the authentication request receiving unit, the authentication cooperation device is configured to have a user operating the user utilization terminal based on user information registered in the user information storage unit in advance. User authentication between. This user authentication can be performed by password authentication, for example.

Then, the authentication collaboration apparatus issues (generates) authentication information by adding an identifier for identifying the user to the user authentication result in the user authentication means by the authentication information issuing means, and writes and stores it in the authentication information storage means.
Further, the authentication cooperation apparatus transmits the authentication information or the reference information to the apparatus authentication apparatus by the apparatus authentication request unit and requests the apparatus authentication of the user using terminal. At this time, a device authentication request is made by designating an identifier of a user linked in advance between the device authentication device and the authentication cooperation device.

  And an authentication cooperation apparatus receives the apparatus authentication result of the user utilization terminal which the user specified by authentication information has registered beforehand from an apparatus authentication apparatus by an apparatus authentication result receiving means. Thereby, the authentication cooperation apparatus can acquire the authentication result of the apparatus corresponding to the user who is the authentication subject.

  Thereafter, the authentication cooperation apparatus updates the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit by the authentication information updating unit. As a result, the authentication information records the authentication result between the user and the device (user use terminal) that the user has registered in advance as the authentication subject. The authentication result of the associated device can be bound and presented to the service providing apparatus.

  An authentication collaboration apparatus according to claim 2 is the authentication collaboration apparatus according to claim 1, wherein the authentication collaboration apparatus includes an authentication level storage unit and an authentication level determination unit.

In this configuration, the authentication cooperation apparatus stores an authentication level indicating the authentication status of the user and the user using terminal in the authentication level storage unit.
Then, when receiving the user authentication request by the authentication level determination unit, the authentication cooperation device determines which level is the authentication level stored in the authentication level storage unit.

  When the authentication level is unauthenticated by the user, the authentication cooperation device performs user authentication by the user authentication unit. When the authentication level is unauthenticated by the device, the device authentication request unit performs the user authentication on the device authentication device. Request user terminal authentication. As a result, the authentication cooperation apparatus can discriminate the current authentication level, actively make a device authentication request for the user terminal, and update the authentication information.

  According to a third aspect of the present invention, there is provided an authentication collaboration apparatus according to the first or second aspect, comprising authentication information update request receiving means and device authentication result inquiry means.

In this configuration, the authentication collaboration apparatus receives an authentication information update request including a token that uniquely specifies the authentication result of the user terminal from the device authentication apparatus by the authentication information update request receiving unit. Then, the authentication cooperation device transmits the device authentication result inquiry including the token included in the authentication information update request to the device authentication device by the device authentication result inquiry means, thereby authenticating the user terminal of the identified user. Get the result.
Thereby, the authentication cooperation apparatus can recognize that the authentication result of the user using terminal has been updated by the token, acquire the authentication result, and bind to the authentication result of the user subject.

  Furthermore, the authentication cooperation program according to claim 4 includes an authentication cooperation device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a user use terminal that uses the service. In the authentication cooperation device of the authentication cooperation system comprising the device authentication device that performs the device authentication, the authentication cooperation device computer is requested to authenticate the user authentication result and the authentication result of the device registered by the user in advance. The receiving unit, the user authentication unit, the authentication information issuing unit, the device authentication request unit, the device authentication result receiving unit, and the authentication information updating unit are configured to function.

  In this configuration, the authentication cooperation program receives a user authentication request indicating a user authentication request from the service providing apparatus from which the user has requested a service by the authentication request receiving unit. The authentication cooperation program includes a user who operates the user utilization terminal based on user information registered in advance in the user information storage unit when the user authentication unit receives a user authentication request by the authentication request receiving unit. User authentication between.

Then, the authentication linkage program issues (generates) authentication information by adding an identifier for identifying the user to the user authentication result in the user authentication means by the authentication information issuing means, and writes and stores it in the authentication information storage means.
Further, the authentication cooperation program transmits the authentication information or the reference information thereof to the device authentication apparatus by the device authentication request means and requests device authentication of the user using terminal.

  And an authentication cooperation program receives the apparatus authentication result of the user utilization terminal which the user specified by authentication information has registered beforehand from an apparatus authentication apparatus by an apparatus authentication result receiving means. Thereafter, the authentication cooperation program updates the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit by the authentication information updating unit.

  The device authentication apparatus according to claim 5 is an authentication cooperation apparatus that performs authentication of a user who uses the service in cooperation between a plurality of service providing apparatuses that provide the service, and a user use terminal that uses the service A device authentication device in an authentication cooperation system comprising a device authentication device that performs device authentication of the user, a user registration device information storage means, an authentication information reception means, an authentication information verification means, a device authentication means, and a device authentication result And a transmission means.

  In this configuration, the device authentication apparatus registers in advance an identifier for identifying the user and device information for device authentication of the user terminal used by the user in the user registration device information storage unit. The device information is, for example, a device key or an electronic certificate.

  The device authentication apparatus receives authentication information indicating a user authentication result from the authentication cooperation apparatus by the authentication information receiving unit. Further, the device authentication apparatus verifies the legitimacy of the user based on the authentication information received by the authentication information receiving unit by the authentication information verifying unit. For example, a signature is added to the authentication information, and the authentication information verification unit verifies the validity of the authentication information by verifying the signature.

  In addition, the device authentication apparatus is configured to use the user authentication terminal based on the device information stored in the user registration device information storage unit corresponding to the user identifier verified by the authentication information verification unit by the device authentication unit. Device authentication with. This device authentication can be performed by, for example, challenge / response authentication using a device key.

Then, the device authentication apparatus transmits the device authentication result in the device authentication means to the authentication cooperation device by the device authentication result transmission means.
Accordingly, the device authentication apparatus verifies the validity of the user based on the user authentication information received from the authentication cooperation apparatus, and transmits the authentication result of the user use terminal used by the specified authorized user to the authentication cooperation apparatus. can do.

  According to a sixth aspect of the present invention, there is provided a device authentication apparatus according to the fifth aspect, further comprising a device authentication request receiving unit and an authentication information inquiry unit.

In such a configuration, the device authentication apparatus receives a device authentication request indicating a request for authentication of the user terminal including the authentication information or the reference information for referring to the authentication information from the authentication cooperation device by the device authentication request receiving unit. Receive.
When the device authentication request includes the reference information of the authentication information, the device authentication device transmits an inquiry of the reference destination authentication information to the authentication cooperation device by the authentication information inquiry means.

Then, the device authentication apparatus uses the authentication information verification unit to send the authentication information received by the device authentication request receiving unit or the authentication information received by the authentication information receiving unit and transmitted by the authentication cooperation device in response to the inquiry by the authentication information inquiry unit. Based on the above, the validity of the user is verified.
Thereby, the device authentication apparatus can acquire user authentication information in conjunction with the request for device authentication, verify the validity of the user, and obtain the authentication result of the user use terminal used by the specified legitimate user. It can be sent to the authentication collaboration device.

  According to a seventh aspect of the present invention, in the device authentication apparatus according to the fifth aspect, the apparatus authentication device includes an authentication information update request transmission unit and a device authentication result inquiry reception unit.

In this configuration, the device authentication apparatus generates a token that uniquely specifies the device authentication result by the device authentication unit, and stores the device authentication result and the token in association with each other in the device authentication result storage unit. This token is information indicating the access authority to the device authentication result, and a general software token can be used.
Then, the device authentication apparatus transmits an authentication information update request indicating a request for updating the authentication information including the token to the authentication cooperation apparatus by the authentication information update request transmission unit. The device authentication apparatus receives a device authentication result inquiry including a token from the authentication cooperation device by the device authentication result inquiry reception unit.

In addition, the device authentication apparatus reads the device authentication result corresponding to the token included in the device authentication result inquiry from the device authentication result storage unit by the device authentication result transmission unit, and transmits the device authentication result to the authentication cooperation device.
As a result, the device authentication apparatus can actively request the authentication cooperation apparatus to update the authentication information, and can bind the authentication result of the apparatus main body registered in advance by the user to the authentication information of the user main body.

  Furthermore, the device authentication program according to claim 8 includes an authentication cooperation apparatus that performs authentication of a user who uses the service in cooperation between a plurality of service providing apparatuses that provide the service, and a user use terminal that uses the service In the device authentication device of the authentication cooperation system comprising the device authentication device that performs the device authentication, the computer of the device authentication device receives the authentication information in order to link the user authentication result and the device authentication result of the device registered in advance. Means, authentication information verification means, device authentication means, and device authentication result transmission means.

  In this configuration, the device authentication program receives the authentication information indicating the user authentication result from the authentication cooperation apparatus by the authentication information receiving unit. Further, the device authentication program verifies the validity of the user based on the authentication information received by the authentication information receiving unit by the authentication information verifying unit.

Then, the device authentication program is stored in a user registration device information storage unit that pre-registers and stores an identifier for identifying a user and device authentication device information of a user terminal used by the user by the device authentication unit. On the basis of the device information, the device authentication is performed with the user use terminal corresponding to the identifier of the user whose validity is verified by the authentication information verification means.
Then, the device authentication program transmits the device authentication result in the device authentication unit to the authentication cooperation device by the device authentication result transmission unit.

  The authentication collaboration system according to claim 9 is an authentication collaboration apparatus that performs authentication of a user who uses the service in cooperation between a plurality of service providing apparatuses that provide the service, and a user use terminal that uses the service An authentication collaboration system comprising a device authentication device that performs device authentication, wherein the authentication collaboration device includes an authentication request receiving unit, a user authentication unit, an authentication information issuing unit, an authentication information storage unit, and a device authentication request. Means, a device authentication result receiving means, and an authentication information updating means, wherein the device authentication apparatus comprises a user registration device information storage means, an authentication information receiving means, an authentication information verification means, a device authentication means, And a device authentication result transmitting means.

  In this configuration, the authentication collaboration apparatus of the authentication collaboration system receives a user authentication request indicating a user authentication request from the service providing apparatus from which the user has requested a service by the authentication request receiving unit. Then, when the user authentication unit receives the user authentication request by the authentication request receiving unit, the authentication cooperation device is configured to have a user operating the user utilization terminal based on user information registered in the user information storage unit in advance. User authentication between.

Then, the authentication collaboration apparatus issues (generates) authentication information by adding an identifier for identifying the user to the user authentication result in the user authentication means by the authentication information issuing means, and writes and stores it in the authentication information storage means.
Furthermore, the authentication linkage device, the device authentication requesting means, to the device authentication apparatus, transmits the authentication information and requests the device authentication of the user using terminal.

And an authentication cooperation apparatus receives the apparatus authentication result of the user utilization terminal which the user specified by authentication information has registered beforehand from an apparatus authentication apparatus by an apparatus authentication result receiving means.
Thereafter, the authentication cooperation apparatus updates the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit by the authentication information updating unit.

In addition, the device authentication apparatus of the authentication cooperation system registers in advance an identifier for identifying the user and device information for device authentication of the user terminal used by the user in the user registration device information storage unit.
The device authentication apparatus receives authentication information indicating a user authentication result from the authentication cooperation apparatus by the authentication information receiving unit. Further, the device authentication apparatus verifies the legitimacy of the user based on the authentication information received by the authentication information receiving unit by the authentication information verifying unit.

In addition, the device authentication apparatus is configured to use the user authentication terminal based on the device information stored in the user registration device information storage unit corresponding to the user identifier verified by the authentication information verification unit by the device authentication unit. Device authentication with.
Then, the device authentication apparatus transmits the device authentication result in the device authentication means to the authentication cooperation device by the device authentication result transmission means.

The present invention has the following excellent effects.
According to invention of Claim 1, 4, the authentication cooperation apparatus can acquire the apparatus authentication result of the user utilization terminal linked | related with the user, binds a user authentication result and an apparatus authentication result, It can be generated and updated as authentication information. As a result, the service providing device that uses the authentication cooperation device does not need to perform device authentication of the user terminal used by the user for each service providing device, and authentication information that binds the user authentication result and the device authentication result is used. It becomes possible to determine whether or not the service is possible.
In addition, since the authentication collaboration apparatus includes the authentication results of two entities (user and user use terminal) in one authentication information, the authentication collaboration apparatus can be used for the service providing apparatus without changing the interface of the conventional authentication collaboration apparatus. Authentication information linkage (identity linkage) can be performed.

According to the second aspect of the present invention, the authentication cooperation apparatus can change the object of authentication according to the authentication level, acquire the user authentication result and the device authentication result, and bind it as one piece of authentication information. it can.
According to the third aspect of the present invention, the authentication cooperation device detects that the device authentication result has been updated by acquiring the authentication information update request from the device authentication device, and receives the device authentication result from the device authentication device. Can be acquired.

  According to the fifth and eighth aspects of the present invention, the device authentication apparatus identifies a user based on user-subjected authentication information transmitted from the authentication cooperation apparatus, and authenticates the user using terminal registered in advance by the user. Can be done. Accordingly, the device authentication apparatus can perform device authentication in cooperation with user authentication in the authentication cooperation device.

According to the invention described in claim 6, the device authentication apparatus can acquire the authentication information of the user subject in response to the device authentication request transmitted from the authentication cooperation device. In addition, the device authentication apparatus can identify a user based on the authentication information and authenticate a user using terminal registered in advance by the user.
According to the invention described in claim 7, the device authentication device can notify the authentication cooperation device of a request for spontaneously updating authentication information when performing device authentication. Thus, the device authentication apparatus can bind user authentication and device authentication in cooperation with the authentication cooperation device.

  According to the invention described in claim 9, when the service providing apparatus performs user authentication in cooperation with the authentication cooperation apparatus, the authentication cooperation system uses the apparatus authentication apparatus to authenticate the user terminal used by the user. It is possible to bind the authentication information of two subjects (user, user use terminal) to one authentication information, and use them in cooperation between a plurality of service providing apparatuses. As a result, when the service providing apparatus verifies the user authentication result and provides the service, the service providing apparatus can also determine the validity of the access environment of the device used by the user. Different access control can be performed for each device.

It is a system configuration figure showing the composition of the authentication cooperation system concerning a 1st embodiment of the present invention. It is a block block diagram which shows the structure of the authentication cooperation apparatus which concerns on 1st Embodiment of this invention. It is a block block diagram which shows the structure of the apparatus authentication apparatus which concerns on 1st Embodiment of this invention. It is a sequence diagram which shows operation | movement of the authentication cooperation system which concerns on 1st Embodiment of this invention. It is a figure which shows an example of the user information memorize | stored in the user information storage means of the authentication cooperation apparatus of this invention. It is a figure which shows an example of the authentication information memorize | stored in the authentication information memory | storage means of the authentication cooperation apparatus of this invention. It is a figure which shows an example of the authentication information (certificate) which bound the apparatus authentication result. It is a system block diagram which shows the structure of the authentication cooperation system which concerns on 2nd Embodiment of this invention. It is a block block diagram which shows the structure of the authentication cooperation apparatus which concerns on 2nd Embodiment of this invention. It is a block block diagram which shows the structure of the apparatus authentication apparatus which concerns on 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the authentication cooperation system which concerns on 2nd Embodiment of this invention.

Embodiments of the present invention will be described below with reference to the drawings.
<First Embodiment>
[Configuration of authentication linkage system]
First, with reference to FIG. 1, the structure of the authentication cooperation system which concerns on 1st Embodiment of this invention is demonstrated.

The authentication cooperation system S is a system that performs authentication of the user use terminal 4 used by a user when user authentication is performed between a plurality of service providing apparatuses 3.
Here, the authentication collaboration system S connects the authentication collaboration device 1, the device authentication device 2, a service provision device group including one or more service provision devices 3, and the user use terminal 4 via the network N. Configured.

  The authentication collaboration apparatus 1 performs authentication mainly for individual users who enjoy the service. Since this authentication cooperation device 1 performs authentication of individual users in cooperation with the service providing device 3 for which a trust relationship has been established in advance, authentication information centered on the individual user is sent to the service providing device 3. Issue. In addition, this authentication cooperation apparatus 1 issues the authentication of the user subject and the authentication of the device subject as one piece of authentication information by including the authentication result of the device subject issued by the device authentication device 2 in the authentication information.

  The device authentication apparatus 2 performs authentication with a user as a main device for which a service is provided. The device authentication apparatus 2 authenticates the user using terminal 4 used by the user based on device information for identifying the user device registered in advance, and issues a device-based authentication result. The authentication result of the device main body is bound to the authentication information in the authentication cooperation device 1.

  The service providing device 3 provides a service to the user. The service provided by the service providing apparatus 3 is a general service and is not particularly limited. For example, there are a net bank service, a multimedia content (video, music) distribution service, and the like.

The user utilization terminal 4 is an apparatus in which a user receives service provision from the service provision apparatus 3 via the network N. The user utilization terminal 4 is not particularly limited as long as it is a device that receives a service provided via a network, such as a personal computer, a television receiver, a portable terminal, and a dedicated terminal.
Hereinafter, the authentication cooperation device 1 and the device authentication device 2 according to the present invention will be described in detail.

[Configuration of authentication linkage device]
First, the configuration of the authentication collaboration apparatus 1 will be described with reference to FIG. Here, the authentication collaboration apparatus 1 includes a communication unit 10, a storage unit 11, and a control unit 12.

  The communication unit 10 communicates with a communication destination terminal (device authentication apparatus 2, service providing apparatus 3, user use terminal 4) using a predetermined protocol such as TCP / IP. The communication unit 10 can be realized by, for example, a NIC (Network Interface Card).

  The storage unit 11 stores various data held in the authentication cooperation device 1. The storage unit 11 can be realized by a storage device such as a magnetic disk or an optical disk that can be read and written from the outside. Here, the storage unit 11 includes a device authentication destination storage unit 110, a user information storage unit 111, and an authentication information storage unit 112. These storage units may be configured as individual storage media, or may be configured to store in different storage areas with one storage medium.

  The device authentication destination storage unit 110 stores in advance the address of the device authentication apparatus 2 that provides a device authentication service (device authentication service) mainly for the device. This address is, for example, a URL (Uniform Resource Locator) of the device authentication service destination of the device authentication apparatus 2.

The user information storage unit 111 stores user information (credential information, attribute information) necessary for authenticating the user subject in advance.
Here, the credential information, which is user information, is information indicating the trust of the user, such as ID / password, biometric information, hardware token, electronic certificate, and the like. In the present invention, these authentication methods are not particularly limited. The attribute information is information for identifying the user, such as the user's name and age.

Further, the user information storage unit 111 stores an identifier (cooperation user identifier) for linking with the device authentication device 2 and each service providing device 3 in association with each user. This cooperation user identifier may be a real ID (user identifier itself), but it is desirable to use a temporary ID (cooperation user identifier) in order to minimize damage at the time of leakage.
It is assumed that such user information is registered in the user information storage unit 111 in advance by a user information registration unit (not shown). In addition, it is assumed that a new user registration, user information deletion, or the like is performed by the user information registration unit.

Here, an example of user information stored in the user information storage unit 111 will be described with reference to FIG. 5 (refer to FIG. 2 as appropriate).
In FIG. 5, “user name”, “user identifier (user ID)”, “password”, and “cooperation user identifier corresponding to device authentication device 2 (device authentication device cooperation) are stored in the user information storage unit 111 for each user. User identifier) ”and“ cooperation user identifier (user identifier for service provision device cooperation) ”corresponding to a plurality of service provision devices 3 (3a, 3b,...) Are shown.

Here, “user name” is attribute information for identifying a user. In addition, information such as age and date of birth may be stored.
The “user identifier (user ID)” is information for uniquely identifying a user, and is a character string such as alphanumeric characters.

  “Password” is credential information for authenticating a user. Here, it is assumed that the ID / password is used as an authentication method. However, when using another authentication method such as an electronic certificate, information (such as an authentication key) corresponding to the authentication method is stored. become.

The “cooperation user identifier (device authentication device cooperation user identifier)” is an identifier for identifying a user with the device authentication device 2 and is a temporary ID associated with a user identifier that is a real ID. It is.
The “cooperation user identifier (service providing device cooperation user identifier)” is an identifier for identifying a user with the service providing device 3 and is a temporary ID associated with a user identifier that is a real ID. It is.
Returning to FIG. 2, the description of the configuration of the authentication collaboration apparatus 1 will be continued.

The authentication information storage unit (authentication level storage unit) 112 stores information (authentication level, authentication result, authentication information, etc.) related to authentication for each user.
Here, the authentication level is information indicating the authentication state of the authentication subject (user, device). The authentication result is information indicating a user authentication result indicating a result of user authentication and a device authentication result indicating a result of device authentication. The authentication level and the authentication result are updated by a user authentication unit 122 and an authentication information update unit 128 described later.

  The authentication information is an electronic certificate (hereinafter simply referred to as a certificate) that certifies the authentication result of the subject (user and device) issued by the authentication information issuing means 124.

Here, an example of information related to authentication stored in the authentication information storage unit 112 will be described with reference to FIG. 6 (refer to FIG. 2 as appropriate).
In FIG. 6, “user identifier (user ID)”, “authentication level”, “session information”, “user authentication result”, “device authentication result”, “authentication information” are stored in the authentication information storage unit 112 for each user. The example which memorize | stored is shown.

Here, the “user identifier (user ID)” is information for uniquely identifying the user, and is the same as the user identifier shown in FIG.
The “authentication level” is information indicating to what level the authentication of the authentication subject (user, device) has progressed. Specifically, the authentication level is ““ 0 ”= unauthenticated” indicating that the subject (user and device) has not yet been authenticated, “1” = user indicating that only user authentication has been completed. The information is distinguished by “authenticated”, “2” = user / device authenticated ”indicating a state in which both user authentication and device authentication are completed.

  Here, it is assumed that “session information (session ID)” issued to the user using terminal 4 (see FIG. 1) that has been successfully authenticated is stored in the authentication information storage unit 112. This "session information" is used to prevent unnecessary re-authentication if the same session information continues to be used even when a user who has succeeded in authentication transitions to another service. To do. Since this session information is used in general session management, a detailed description thereof is omitted here.

“User authentication result” is information indicating the authentication result of the user subject. This “user authentication result” includes, for example, an authentication time, an authentication method, and the like.
“Device authentication result” is information indicating the authentication result of the device itself. The “device authentication result” includes, for example, information such as an authentication status (information indicating whether or not it is determined to be a legitimate device), an authentication time, an authentication method, a device authentication issue destination (an identifier for specifying the device authentication device 2). ), Device information (device type, manufacturer, etc.), signature (digital signature issued by the device authentication apparatus 2), and the like.

  “Authentication information” is a certificate (electronic certificate) for certifying the authentication result of the subject (user and device). A plurality of certificates are generated for each service providing apparatus 3 used by the user.

Here, with reference to FIG. 7, a specific example of “certificate” which is the substance of “certification information” will be described.
As shown in FIG. 7, the certificate is information including, for example, “signature”, “user subject information”, “condition”, “user authentication result”, and “device authentication result”.

Here, the “signature” is a digital signature for certifying the validity of the certificate, and is information added by the signature generation means 125 described later.
The “user subject information” is an identifier that identifies a user for performing user authentication cooperation with the device authentication apparatus 2 and the service providing apparatus 3. Here, instead of using an actual user identifier as the identifier, the cooperation user identifier (for device authentication device cooperation) described in FIG. 5 for performing cooperation with the device authentication device 2 and the service providing device 3 is used. User identifier, service providing device cooperation user identifier).

“Condition” is information indicating various conditions for using the certificate. For example, a certificate information issue destination indicating to which apparatus the certificate has been issued, or an expiration date of the certificate.
The “user authentication result” has the same content as the user authentication result described with reference to FIG. 6, and the “user authentication result” in FIG. 6 is bound when the certificate is generated.
The “device authentication result” has the same content as the device authentication result described with reference to FIG. 6, and the “device authentication result” in FIG. 6 is bound when the certificate is generated.

This certificate preferably conforms to a standardized specification or standard such as SAML (Security Assertion Markup Language) assertion, which is a specification in XML format established by the standardization organization OASIS.
Returning to FIG. 2, the description of the configuration of the authentication collaboration apparatus 1 will be continued.

  The control unit 12 controls the operation of the authentication collaboration apparatus 1. The control unit 12 can be realized by a general hardware configuration such as a CPU, a RAM, and a ROM. Here, the control unit 12 includes an authentication request reception unit 120, an authentication level determination unit 121, a user authentication unit 122, a device authentication request unit 123, an authentication information issue unit 124, a signature generation unit 125, and authentication information. Inquiry receiving means 126, device authentication result receiving means 127, and authentication information updating means 128 are provided. In addition, the control part 12 can operate a computer (CPU) by the program (authentication cooperation program) which functions as each of these means.

The authentication request receiving unit 120 receives an authentication request for authenticating a subject (user, device) who enjoys the service via the communication unit 10. This authentication request is a request transmitted by the service providing apparatus 3 requested to use the service from the user use terminal 4. The service providing apparatus 3 adds the address of the transfer destination (authentication cooperation apparatus 1) to the authentication request, and transmits it to the user using terminal 4 that requested the service. Then, the user use terminal 4 transmits an authentication request to the authentication cooperation apparatus 1 by redirection. As a result, the individual service providing apparatuses 3 do not need to perform an authentication process directly with the user use terminal 4.
The authentication request receiving unit 120 notifies the authentication level determining unit 121 that the authentication request has been received together with the session information from the user using terminal 4.

  The authentication level discriminating unit 121 discriminates the authentication level of the authentication subject (user, device) when notified that the authentication request is received from the authentication request receiving unit 120. Specifically, the authentication level determination unit 121 determines which level (“unauthenticated”) or “user authentication” is the authentication level of the subject (user and device) stored in the authentication information storage unit 112. Or “user / device authenticated”), and the delivery destination of the authentication request is changed according to the authentication level. In this case, the authentication level determination unit 121 uses the user authentication unit 122 when the authentication level is “unauthenticated”, the device authentication request unit 123 when the authentication level is “user authenticated”, and the authentication level “ If “user / device authenticated”, the authentication request is issued to the authentication information issuing unit 124.

  The user authentication unit 122 authenticates the credential information received from the user (user use terminal 4) based on the user information stored in the user information storage unit 111. For example, when user authentication is performed by an ID / password authentication method, the user authentication unit 122 requests the user (user utilization terminal 4) to input a user identifier (ID) and a password, and the input ID / password. The user authentication is performed depending on whether or not the user information stored in the user information storage unit 111 matches. Of course, user authentication may be performed by other authentication methods such as biometric information.

After the user authentication, the user authentication unit 122 writes the authentication result into the authentication information storage unit 112, and the authentication information (certificate) corresponding to the service providing apparatus 3 that has made the authentication request or the reference information (authentication information) of the certificate. Reference information) is handed over to the device authentication request means 123. Here, the reference information is information indicating a reference destination of the authentication information, for example, an address indicating the location of the certificate. In SAML, as a format of reference information (artifact), a certificate issuer identifier (or an identifier for conversion to an issuance site URL) and a random character string temporarily issued for certificate search are used. It is recommended to use a combination. Therefore, such an identifier and a random character string may be combined as reference information.
When handing over the authentication information to the device authentication requesting unit 123, the user authentication unit 122 requests the authentication information issuing unit 124, which will be described later, to issue the authentication information, and hands over the issued authentication information to the device authentication requesting unit 123. And

  The device authentication request unit 123 requests device authentication from the device authentication apparatus 2 after authenticating the user. Here, the device authentication request unit 123 adds the authentication information (certificate) delivered from the user authentication unit 122 or its reference information and the address of the transfer destination (device authentication apparatus 2) to the device authentication request, It transmits to the user use terminal 4 which requested the service. The address of the transfer destination (device authentication apparatus 2) is stored in advance in the device authentication destination storage unit 110. Then, the user use terminal 4 transmits a device authentication request to the device authentication apparatus 2 by redirection. As a result, each service providing device 3 does not need to directly perform device authentication processing with the user use terminal 4.

The authentication information issuing unit 124 issues (generates) authentication information (certificate) based on the authentication result stored in the authentication information storage unit 112.
Here, the authentication information issuing unit 124 performs authentication information (when the user authentication is performed, when there is an inquiry about authentication information from the device authentication apparatus 2, or when the device authentication result is acquired from the device authentication apparatus 2). Issue a certificate.

The authentication information issuing unit 124 corresponds to the requested user identifier when the user authentication is performed, that is, when the user authentication unit 122 requests the issuance of authentication information. The certificate is generated by binding the authentication result stored in the ID and adding a digital signature by the signature generation unit 125.
Specifically, the authentication information issuing unit 124 generates the authentication information (certificate) described in FIG. 7 and writes it in the authentication information storage unit 112.

  The authentication information issuing unit 124 receives an inquiry for authentication information from the device authentication apparatus 2, that is, when an authentication information inquiry receiving unit 126 (to be described later) receives an inquiry for authentication information based on the reference information. The reference authentication information (certificate) is read from the authentication information storage unit 112 and transmitted to the device authentication apparatus 2.

  Further, the authentication information issuing unit 124 receives the device authentication result when the device authentication result is acquired from the device authentication apparatus 2, that is, the device authentication result receiving unit 127 described later receives the device authentication result, and the authentication information updating unit 128 updates the authentication information. When issued, the authentication information (certificate) is reissued. At this time, the authentication information issuing unit 124 adds the address of the transfer destination (service providing apparatus 3) to the reissued authentication information (certificate) and transmits it to the user use terminal 4. Then, the user using terminal 4 transmits authentication information (certificate) to the service providing apparatus 3 by redirection. As a result, the service providing apparatus 3 can grasp the results of user authentication and device authentication.

  The signature generation means 125 gives a digital signature to the certificate when the authentication information issuing means 124 generates authentication information (certificate). The digital signature can be a general digital signature. That is, the signature generation means 125 generates a digital signature by calculating a hash value of certificate data with a hash function and encrypting it with a secret key. As a result, the device authentication apparatus 2 and the service providing apparatus 3 can verify the authentication information (certificate) with the digital signature added to the certificate.

  The authentication information inquiry receiving unit 126 receives an authentication information inquiry from the device authentication apparatus 2. The authentication information inquiry receiving unit 126 passes the reference information included in the received authentication information inquiry to the authentication information issuing unit 124.

  The device authentication result receiving unit 127 receives a device authentication result performed by the device authentication apparatus 2 as a device authentication response in response to the device authentication request requested by the device authentication request unit 123. Note that this device authentication response includes a cooperation user identifier, which identifies the user. The device authentication result receiving unit 127 passes the received device authentication response to the authentication information updating unit 128.

  The authentication information updating unit 128 updates the authentication information based on the device authentication result included in the device authentication response received by the device authentication result receiving unit 127. That is, the authentication information update unit 128 searches the user information storage unit 111 for a user identifier corresponding to the cooperation user identifier delivered from the device authentication result reception unit 127, and searches the authentication information storage unit 112 for the searched user identifier. The device authentication result corresponding to is updated with the received device authentication result. Then, the authentication information updating unit 128 instructs the authentication information issuing unit 124 to issue authentication information with the updated device authentication result.

  With this configuration, the authentication collaboration apparatus 1 can centrally manage authentication of different entities, ie, authentication of the user entity and authentication of the device entity, and perform identity collaboration of the user entity.

[Configuration of device authentication device]
Next, the configuration of the device authentication apparatus 2 will be described with reference to FIG. 3 (refer to FIG. 1 as appropriate). Here, the device authentication apparatus 2 includes a communication unit 20, a storage unit 21, and a control unit 22.

  The communication unit 20 communicates with a communication destination terminal (authentication cooperation apparatus 1, service providing apparatus 3, user use terminal 4) using a predetermined protocol such as TCP / IP. The communication unit 20 can be realized by, for example, a NIC (Network Interface Card).

  The storage unit 21 stores various data held in the device authentication apparatus 2. The storage unit 21 can be realized by a storage device such as a magnetic disk and an optical disk that can be read and written from the outside, for example. Here, the storage unit 21 includes a user registration device information storage unit 210 and a device authentication result storage unit 211. These storage units may be configured as individual storage media, or may be configured to store in different storage areas with one storage medium.

  The user-registered device information storage unit 210 registers and stores information (registered device information) for authenticating a device (user use terminal 4) used by a user for each user in advance. The registered device information is, for example, device authentication secret information (device key or the like), an electronic certificate, or the like. In addition, this registered device information is assumed to be associated with a cooperation user identifier in order to perform authentication cooperation with the authentication cooperation apparatus 1 in advance.

  It is assumed that such registered device information is registered in the user registered device information storage unit 210 in advance by a user device registration unit (not shown). Further, it is assumed that new registration of a device used by the user, deletion of registered device information, and the like are performed by the user device registration means.

  The device authentication result storage unit 211 stores the authentication result (device authentication result) of the device (user use terminal 4) used by the user by the device authentication unit 224 described later. This device authentication result is stored in association with information for identifying the user (cooperation user identifier).

  The device authentication result is information indicating the authentication result of the device subject. The device authentication result includes, for example, an authentication status, an authentication time, an authentication method, a device authentication issue destination, device information (information such as a device type that identifies the user use terminal 4 and a manufacturer), and the like in FIG. This information is the same as the information written in the “device authentication result” of the described certificate.

  The control unit 22 controls the operation of the device authentication device 2. The control unit 22 can be realized by a general hardware configuration such as a CPU, a RAM, and a ROM. Here, the control unit 22 includes a device authentication request receiving unit 220, an authentication information inquiry unit 221, an authentication information receiving unit 222, an authentication information verification unit 223, a device authentication unit 224, and a device authentication result transmission unit 225. Signature generating means 226. The control unit 22 can operate the computer (CPU) by a program (device authentication program) that functions as each of these means.

  The device authentication request receiving unit 220 receives a device authentication request for authenticating a device (user use terminal 4) used by the user from the authentication cooperation apparatus 1 via the communication unit 20. This device authentication request is a request transmitted from the device authentication request unit 123 (see FIG. 2) of the authentication cooperation device 1, redirected by the user use terminal 4, and transmitted to the device authentication device 2. .

  The device authentication request receiving unit 220 extracts user authentication information (certificate) or reference information included in the device authentication request. The device authentication request receiving unit 220 delivers the authentication information to the authentication information receiving unit 222 when receiving the authentication information in response to the device authentication request, and receives the reference information to the authentication information inquiry unit 221 when receiving the reference information. hand over.

  The authentication information inquiry unit 221 transmits the reference information included in the device authentication request received by the device authentication request reception unit 220 to the authentication cooperation apparatus 1 that is the authentication information issuer, thereby inquiring the user authentication information. Is what you do. The authentication information inquiry unit 221 transmits an authentication information inquiry, which is a message including reference information, to the authentication cooperation apparatus 1 via the communication unit 20.

The authentication information receiving unit 222 receives user authentication information from the authentication collaboration apparatus 1 via the communication unit 20. When the device authentication request receiving unit 220 receives a device authentication request with authentication information added, the authentication information receiving unit 222 receives the authentication information from the device authentication request receiving unit 220.
The authentication information receiving unit 222 passes the received authentication information to the authentication information verification unit 223.

The authentication information verification unit 223 verifies the user authentication information received by the authentication information reception unit 222. Specifically, the authentication information verification unit 223 verifies the authenticity of the authentication information by verifying a signature (digital signature) added to the authentication information. That is, the authentication information verification unit 223 calculates the hash value of the authentication information (certificate) with the same hash function as the signature generation unit 125 described with reference to FIG. 2, and uses the hash value and the added signature for the authentication collaboration apparatus 1. The signature is verified by comparing with the value obtained by decrypting with the public key, and the validity of the authentication information is confirmed.
When the validity of the authentication information is confirmed, the authentication information verification unit 223 delivers the cooperation user identifier added to the authentication information to the device authentication unit 224. Thus, the device is authenticated only when the user is authenticated.

The device authentication unit 224 performs device authentication of the user use terminal 4 used by the user at the stage where the user is authenticated by the authentication information verification unit 223.
That is, the device authentication unit 224 corresponds to the cooperation user identifier delivered from the authentication information verification unit 223, and based on the registered device information stored in advance in the user registered device information storage unit 210, the user use terminal 4 Perform device authentication. For example, the device authentication unit 224 performs device authentication by challenge / response authentication using a device key stored in the security module of the user use terminal 4 as registered device information. This device authentication method is not limited to challenge / response authentication, and a general authentication method (such as an electronic certificate) can be used.

  The device authentication unit 224 writes, for example, an authentication status, an authentication time, an authentication method, a device authentication issue destination, device information, and the like as a device authentication result in the device authentication result storage unit 211 in association with the cooperation user identifier. Further, the device authentication unit 224 writes the device authentication result in the device authentication result storage unit 211, then hands over the cooperation user identifier to the device authentication result transmission unit 225 and transmits the device authentication result to the authentication cooperation apparatus 1 that has requested device authentication. An instruction is sent to send the authentication result.

  The device authentication result transmission unit 225 transmits the device authentication result performed by the device authentication unit 224 to the authentication cooperation apparatus 1 that has requested the device authentication via the communication unit 20. The device authentication result transmission unit 225 receives the device authentication result corresponding to the cooperation user identifier delivered from the device authentication unit 224 when the device authentication unit 224 is instructed to transmit the device authentication result. The result is read from the result storage unit 211, added with the signature generated by the signature generation unit 226, and transmitted to the authentication cooperation apparatus 1.

When the device authentication result transmission unit 225 transmits the device authentication result, the signature generation unit 226 gives a digital signature to the device authentication result. As this digital signature, a general digital signature can be used.
Note that by providing a signature to the device authentication result, the authentication cooperation apparatus 1 that has received the device authentication result can verify the validity of the device authentication result.

  With this configuration, the device authentication device 2 performs device authentication on the device (user use terminal 4) on which the authentication cooperation device 1 has performed user authentication, and notifies the authentication cooperation device 1 of the result. Can do. Thereby, the authentication cooperation device 1 and the device authentication device 2 can perform user-based authentication and device-based authentication in cooperation.

[Operation of authentication linkage system]
Next, the operation of the authentication collaboration system according to the first embodiment of the present invention will be described with reference to FIG. 4 (refer to FIGS. 1 to 3 as appropriate). Since the service providing device 3 and the user using terminal 4 are general ones, description of the internal operations of each is omitted here.

  First, the user transmits a “service use request”, which is a message requesting the use of a service, to the service providing apparatus 3 via the user use terminal 4 (step S10). "Usage request" is received (step S11).

  The service providing apparatus 3 that has received this “service use request” is a message for requesting user authentication by redirection (transfer) so that authentication processing is performed between the authentication cooperation apparatus 1 and the user use terminal 4. A “user authentication request” is transmitted to the user using terminal 4 (step S12). Then, the user using terminal 4 receives the “user authentication request” (step S13), and transmits the “user authentication request” to the authentication cooperation apparatus 1 by redirection (step S14).

And the authentication cooperation apparatus 1 receives a "user authentication request" via the communication part 10 by the authentication request receiving means 120 (step S15).
Here, the authentication cooperation apparatus 1 determines the authentication level of the subject (user and device) stored in the authentication information storage unit 112 by the authentication level determination unit 121 (not shown).

  The authentication cooperation apparatus 1 is stored in the user information storage unit 111 by the user authentication unit 122 when the authentication level is “unauthenticated” in which the subject (user and device) has not been authenticated yet. User authentication is performed with the user using terminal 4 on the basis of the user information (step S16). For example, the user authentication unit 122 requests the user ID / password, and confirms the validity of the user by comparing the user information with the ID / password input by the user at the user utilization terminal 4. Then, the authentication collaboration apparatus 1 updates the authentication level of the subject (user and device) stored in the authentication information storage unit 112 to “user authenticated” in a state where only the user authentication is completed, by the user authentication unit 122. .

  Then, the authentication cooperation apparatus 1 writes the user authentication result in association with the user in the authentication information storage unit 112 by the user authentication unit 122, and the authentication result stored in the authentication information storage unit 112 by the authentication information issue unit 124 Then, authentication information (certificate) is issued (generated) by adding a digital signature by the signature generating means 125 (step S17). And the authentication cooperation apparatus 1 advances operation | movement to step S18.

  When the authentication cooperation apparatus 1 receives the “user authentication request” in step S15 and the authentication level is “user authenticated” in a state where only the user authentication is completed, the user authentication is not performed and step S18 is performed. Proceed to the operation. When the “user authentication request” is received and the authentication level is “user / device authenticated” in which both user authentication and device authentication are completed, the operation proceeds to step S33.

  Then, for the authenticated user, the authentication cooperation device 1 uses the device authentication request unit 123 to check the authenticity of the terminal (user use terminal 4) currently used by the user. A device authentication request, which is a message requesting device authentication by redirection (transfer) so that device authentication processing is performed between the device authentication apparatus 2 and the user using terminal 4 stored in advance in 110, It transmits to the user utilization terminal 4 (step S18). Note that FIG. 4 shows a method of assigning reference information (authentication information reference information) of authentication information, instead of attaching authentication information itself to the device authentication request.

The user terminal 4 receives the “device authentication request” (step S19), and transmits the “device authentication request” to the device authentication apparatus 2 by redirection (step S20).
The device authentication apparatus 2 receives the “device authentication request (authentication information reference information)” via the communication unit 20 by the device authentication request receiving unit 220 (step S21).

After that, the device authentication apparatus 2 requests the authentication information of the reference destination from the reference information of the authentication information given to the “device authentication request”. It transmits to the authentication cooperation apparatus 1 via the communication part 20 (step S22).
And the authentication cooperation apparatus 1 receives "authentication information inquiry (authentication information reference information)" via the communication part 10 by the authentication information inquiry reception means 126 (step S23).

  Then, the authentication cooperation apparatus 1 reads the authentication information (certificate) of the reference destination included in the “authentication information inquiry” from the authentication information storage unit 112 by the authentication information issuing unit 124 and reads “authentication information response”. Is transmitted to the device authentication apparatus 2 (step S24).

  The device authentication apparatus 2 receives the authentication information of the user as an “authentication information response” from the authentication cooperation apparatus 1 via the communication unit 20 by the authentication information receiving unit 222 (step S25). Further, the device authentication apparatus 2 verifies the authenticity of the authentication information by verifying the signature added to the received user authentication information by the authentication information verification means 223 (step S26).

  Subsequently, the device authenticating apparatus 2 uses the device authenticating unit 224 based on the registered device information stored in advance in the user registered device information storing unit 210 corresponding to the cooperation user identifier included in the authentication information. Then, device authentication of the user using terminal 4 is performed (step S27). At this time, the device authentication unit 224 writes the result of device authentication (device authentication result) in the device authentication result storage unit 211.

Thereafter, the device authentication apparatus 2 transmits a “device authentication response” to the user use terminal 4 via the communication unit 20 so that the device authentication result transmission unit 225 redirects the device authentication result to the authentication cooperation device 1. (Step S28).
Then, the user using terminal 4 receives the “device authentication response” (step S29), and transmits the “device authentication response” to the authentication cooperation apparatus 1 by redirection (step S30).

On the other hand, the authentication cooperation apparatus 1 receives the “device authentication response” via the communication unit 10 by the device authentication result receiving unit 127 (step S31).
Thereafter, the authentication cooperation apparatus 1 updates the authentication information stored in the authentication information storage unit 112 based on the device authentication result notified as the “device authentication response” by the authentication information update unit 128 (step S32). .

Further, the authentication collaboration apparatus 1 binds the authentication result with the updated device authentication result by the authentication information issuing unit 124, and issues (generates) the authentication information by adding the digital signature by the signature generating unit 125, and the authentication A “user authentication response” is transmitted to the user using terminal 4 so as to redirect the information to the service providing apparatus 3 as a response result (user authentication response) of the user authentication (step S33).
Then, the user using terminal 4 receives the “user authentication response” (step S34), and transmits the “user authentication response” to the service providing apparatus 3 by redirection (step S35).

  Then, the service providing apparatus 3 receives the “user authentication response” (step S36), and transmits a “service use response” to the user use terminal 4 as a response to the “service use request” received in step S11 ( Step S37). Further, the user use terminal 4 receives a “service use response” from the service providing apparatus 3 (step S38).

As a result, the service providing apparatus 3 verifies the validity of the user and the device of the user use terminal 4 and provides the service.
As a result of the above operation, the authentication cooperation system S can verify the user authentication result even when the service providing apparatus 3 does not have the device authentication function, and provides the device (user utilization terminal) used by the user when providing the service. The validity of 4) can also be judged.

Second Embodiment
[Configuration of authentication linkage system]
Next, with reference to FIG. 8, the structure of the authentication cooperation system which concerns on 2nd Embodiment of this invention is demonstrated.

Authentication collaboration system S _B, when linking the user authentication among multiple service providing apparatus, together, is a system for authenticating a user using terminal used by a user.
Here, authentication collaboration system S _B, the authentication linkage apparatus 1B and it included a function of the service providing device a device authentication apparatus 2B, and service providing comprising one or more service providing apparatus 3 (3a, 3b, ...) and The device group and the user use terminal 4 are connected via a network N.

  The authentication collaboration apparatus 1B performs authentication mainly for individual users who enjoy the service. This authentication cooperation apparatus 1B basically has the same function as the authentication cooperation apparatus 1 described in FIG. However, the authentication cooperation device 1B does not make a device authentication request to the device (the device authentication device 2B in FIG. 8) that the service providing device 3 includes the device authentication function. By including the authentication result of the device entity issued by 2B in the authentication information, the authentication of the user entity and the authentication of the device entity are issued as one piece of authentication information.

  The device authentication device 2B includes a device authentication function in the service providing device 3, provides services to the user, and performs authentication based on the device. This device authentication device 2B is different from the device authentication device 2 described with reference to FIG. 2 in that it provides a service and makes an authentication information update request spontaneously to the authentication cooperation device 1B.

The service providing device 3 and the user using terminal 4 are the same as those described with reference to FIG.
Hereinafter, the authentication cooperation device 1B and the device authentication device 2B according to the present invention will be described in detail.

[Configuration of authentication linkage device]
First, the configuration of the authentication cooperation apparatus 1B will be described with reference to FIG. 9 (refer to FIG. 8 as appropriate). Here, the authentication collaboration apparatus 1B includes a communication unit 10, a storage unit 11, and a control unit 12B.
The communication unit 10 and the storage unit 11 are the same as those described with reference to FIG.

  The control part 12B controls operation | movement of the authentication cooperation apparatus 1B. The control unit 12B can be realized by a general hardware configuration such as a CPU, a RAM, and a ROM. Here, the control unit 12B includes an authentication request reception unit 120B, an authentication level determination unit 121, a user authentication unit 122B, a device authentication request unit 123, an authentication information issue unit 124, a signature generation unit 125, and authentication information. An inquiry receiving unit 126, a device authentication result receiving unit 127B, an authentication information updating unit 128, an authentication information update request receiving unit 129, and a device authentication result inquiry unit 130 are provided. Note that the control unit 12B can operate the computer (CPU) by a program (authentication cooperation program) that functions as each of these means.

  Here, the authentication level discriminating means 121, the device authentication requesting means 123, the authentication information issuing means 124, the signature generating means 125, the authentication information inquiry receiving means 126, and the authentication information updating means 128 are the same as those in the authentication cooperation apparatus 1 described in FIG. Since it is the same as the configuration, the same reference numerals are given and description thereof is omitted.

  The authentication request receiving unit 120 </ b> B receives an authentication request for authenticating a user who enjoys the service via the communication unit 10. The authentication request receiving unit 120B is functionally the same as the authentication request receiving unit 120 described with reference to FIG. 2, but when the device that has made the user authentication request is the device authentication device (service providing device) 2B, A function for passing the authentication request to the user authentication means 122B is added.

  The user authentication unit 122B has the same function as the user authentication unit 122 described with reference to FIG. 2 except that user authentication is performed based on a request from the authentication request reception unit 120B.

  The device authentication result receiving unit 127B receives the device authentication result performed by the device authentication apparatus 2 (see FIG. 3) in response to the device authentication request requested by the device authentication request unit 123 or an inquiry by the device authentication result inquiry unit 130 described later. The device authentication result transmitted from the device authentication apparatus 2B is received as a response to. It should be noted that a cooperation user identifier that identifies a user that is linked in advance with the device authentication apparatus 2B (2) is added to the device authentication result. The device authentication result receiving unit 127B delivers the received device authentication result and the cooperation user identifier to the authentication information updating unit 128.

  The authentication information update request receiving unit 129 receives a request (authentication information update request) for updating authentication information transmitted from the device authentication apparatus 2B via the user use terminal 4 via the communication unit 10. It is. This authentication information update request includes a device authentication token that is an access right to the device authentication result issued by the device authentication apparatus 2B. The authentication information update request receiving unit 129 delivers the device authentication token to the device authentication result inquiry unit 130.

The device authentication result inquiry unit 130 sends a device authentication result inquiry (message: “device authentication result inquiry”) including the device authentication token received by the authentication information update request receiving unit 129 via the communication unit 10. To 2B.
With this configuration, the authentication cooperation device 1B can authenticate the user subject based on the device authentication result received by the device authentication result receiving unit 127B in response to the authentication information update request from the device authentication device 2B. Can be issued and authentication information bound with the device authentication result can be issued.

[Configuration of device authentication device]
Next, the configuration of the device authentication apparatus 2B will be described with reference to FIG. Here, the device authentication apparatus 2B includes a communication unit 20, a storage unit 21B, and a control unit 22B.
The communication unit 20 is the same as that described with reference to FIG.

  The storage unit 21B includes a user registration device information storage unit 210 and a device authentication result storage unit 211B. The user registration device information storage unit 210 is the same as that described with reference to FIG.

  The device authentication result storage unit 211B stores a result (device authentication result) obtained by authenticating a device (user use terminal 4) used by a user by the device authentication unit 224B described later. This device authentication result is stored in association with information for identifying the user (cooperation user identifier). In addition, the device authentication result storage unit 211B stores a device authentication result in association with a token (device authentication token) that is an authority for accessing the device authentication result. This device authentication token is issued by the device authentication means 224B.

  The control unit 22B controls the operation of the device authentication device 2B. The control unit 22B can be realized by a general hardware configuration such as a CPU, a RAM, and a ROM. Here, the control unit 22B includes an authentication information reception unit 222, an authentication information verification unit 223, a device authentication unit 224B, a device authentication result transmission unit 225B, a signature generation unit 226, a service use request reception unit 227, An authentication request transmission unit 228, an authentication information update request transmission unit 229, and a device authentication result inquiry reception unit 230 are provided. The control unit 22 can operate the computer (CPU) by a program (device authentication program) that functions as each of these means.

  Here, since the authentication information receiving unit 222, the authentication information verification unit 223, and the signature generation unit 226 have the same configuration as that of the device authentication apparatus 2 described with reference to FIG.

The device authentication unit 224B performs device authentication of the user use terminal 4 used by the user when the user is authenticated by the authentication information verification unit 223. The device authentication unit 224B is basically the same as the device authentication unit 224 described with reference to FIG.
However, the device authentication unit 224B issues (generates) a token (device authentication token) that is an access right to the device authentication result, writes it in the device authentication result storage unit 211B in association with the device authentication result, and the device authentication token Is different from the device authentication unit 224 described with reference to FIG.

  As a method for issuing a device authentication token by the device authentication unit 224B, a general software token generation method can be used. For example, the device authentication unit 224B can use a one-time password or the like, such as generating a device authentication token by encrypting time information with a secret key held in advance each time a device authentication result is generated. is there.

  The device authentication result transmission unit 225B transmits the device authentication result performed by the device authentication unit 224B to the authentication cooperation apparatus 1B that has requested an inquiry about the device authentication result via the communication unit 20. The device authentication result transmission unit 225B receives a device authentication token corresponding to the device authentication token delivered from the device authentication result inquiry reception unit 230 when instructed to transmit the device authentication result from the device authentication result inquiry reception unit 230. The result is read from the device authentication result storage unit 211B, added with the signature generated by the signature generation unit 226, and transmitted to the authentication cooperation apparatus 1B.

  The service use request receiving unit 227 receives a “service use request” that is a message requesting use of a service from the user use terminal 4 via the communication unit 20. This service use request receiving means 227 notifies the authentication request sending means 228 that a service use request has been made, together with the address of the user use terminal 4 that has made the request.

  The authentication request transmitting unit 228 requests user authentication from the authentication collaboration apparatus 1B when notified from the service use request receiving unit 227 that there has been a service use request. Here, the authentication request transmission means 228 adds a user authentication request, which is a message requesting user authentication, to which the address of the authentication cooperation apparatus 1B determined in advance (a trust relationship is established in advance) as a transfer destination is added. It transmits to the user use terminal 4 which requested the service. Note that the user use terminal 4 transmits a user authentication request to the authentication cooperation apparatus 1B by redirection. As a result, user authentication is performed between the authentication collaboration apparatus 1 </ b> B and the user use terminal 4.

  The authentication information update request transmission unit 229 requests the authentication cooperation apparatus 1B to update authentication information when the device authentication unit 224B completes device authentication. That is, the authentication information update request transmission unit 229 completes the device authentication from the device authentication unit 224B, and acquires a device authentication token that is an authority to access the device authentication result. An address of the apparatus 1B is added, and an authentication information update request including a device authentication token, which is a message requesting to update authentication information, is transmitted to the user use terminal 4. In addition, the user utilization terminal 4 transmits an authentication information update request to the authentication cooperation apparatus 1B by redirection.

The device authentication result inquiry receiving unit 230 receives a device authentication result inquiry (message: “device authentication result inquiry”) including the device authentication token from the authentication cooperation apparatus 1B via the communication unit 20. The device authentication result inquiry reception unit 230 delivers the device authentication token to the device authentication result transmission unit 225B and instructs to transmit the device authentication result. Then, the device authentication result transmission unit 225B extracts the corresponding device authentication result from the device authentication result storage unit 211B based on the received device authentication token, and transmits it to the authentication cooperation apparatus 1B as the device authentication result.
By configuring in this way, the device authentication device 2B can be configured integrally with the service providing device.

[Operation of authentication linkage system]
Next, the operation of the authentication collaboration system according to the second embodiment of the present invention will be described with reference to FIG. 11 (see FIGS. 8 to 10 as appropriate). In addition, since the user utilization terminal 4 is general, description about the internal operation | movement of the user utilization terminal 4 is abbreviate | omitted.

  First, the user transmits a “service use request”, which is a message requesting the use of a service, to the device authentication apparatus (service providing apparatus) 2B via the user use terminal 4 (step S50). Then, the device authentication apparatus 2B receives a “service use request” via the communication unit 10 by the service use request receiving unit 227 (step S51).

  Subsequently, the device authentication apparatus 2B is a message for requesting user authentication by redirection (transfer) so that authentication processing is performed between the authentication cooperation apparatus 1B and the user utilization terminal 4 by the authentication request transmission unit 228. A “user authentication request” is transmitted to the user using terminal 4 (step S52). Thereafter, the user using terminal 4 receives the “user authentication request” (step S53), and transmits the “user authentication request” to the authentication cooperation apparatus 1B by redirection (step S54).

And the authentication cooperation apparatus 1B receives a "user authentication request" via the communication part 10 by the authentication request receiving means 120B (step S55).
And the authentication cooperation apparatus 1B performs user authentication between the user utilization terminals 4 by the user authentication means 122B based on the user information memorize | stored in the user information storage means 111 (step S56). For example, the user authentication unit 122B requests the user's ID / password, and confirms the validity of the user by comparing the user information with the ID / password input by the user at the user utilization terminal 4.

Thereafter, the authentication cooperation apparatus 1B issues (generates) authentication information based on the user authentication result by the authentication information issuing unit 124 (step S57), and uses the authentication information as a user authentication response result (user authentication response). A “user authentication response” is transmitted to the user using terminal 4 so as to be redirected to the authentication device 2B (step S58). At this time, the authentication information issuing unit 124 adds a signature to the authentication information by the signature generation unit 125.
Then, the user using terminal 4 receives the “user authentication response” (step S59), and transmits the “user authentication response” to the device authentication apparatus 2B by redirection (step S60).

  Then, the device authentication apparatus 2B receives the “user authentication response” via the communication unit 20 by the authentication information receiving unit 222 (step S61). Further, the device authentication apparatus 2B verifies the authenticity of the authentication information by verifying the signature added to the received user authentication information by the authentication information verification means 223 (step S62).

  Subsequently, the device authentication apparatus 2B uses the device authentication unit 224B to correspond to the cooperation user identifier included in the authentication information, based on the registered device information stored in advance in the user registered device information storage unit 210. Then, device authentication of the user using terminal 4 is performed (step S63). At this time, the device authentication unit 224B writes the result of device authentication (device authentication result) in the device authentication result storage unit 211B. At this time, the device authentication unit 224B generates a device authentication token in association with the device authentication result and writes the device authentication token in the device authentication result storage unit 211B.

  Thereafter, the device authentication apparatus 2B includes the device authentication token in the user usage terminal 4 via the communication unit 20 so that the authentication information update request transmission unit 229 redirects the authentication information update request to the authentication cooperation device 1B. “Authentication information update request” is transmitted (step S64).

  Then, the user utilization terminal 4 receives the “authentication information update request” (step S65), and transmits the “authentication information update request” to the authentication cooperation apparatus 1B by redirection (step S66).

On the other hand, the authentication collaboration apparatus 1B receives an “authentication information update request” via the communication unit 10 by the authentication information update request receiving unit 129 (step S67).
After that, the authentication cooperation apparatus 1B requests the device authentication result associated with the device authentication token included in the “authentication information update request”. “Result inquiry” is transmitted to the device authentication apparatus 2B via the communication unit 10 (step S68).

Then, the device authentication apparatus 2B receives the “device authentication result inquiry” via the communication unit 20 by the device authentication result inquiry reception unit 230 (step S69).
Then, the device authentication apparatus 2B reads the authentication information (certificate) corresponding to the device authentication token included in the “device authentication result inquiry” from the device authentication result storage unit 211B by the device authentication result transmission unit 225B. Then, it transmits to the authentication cooperation apparatus 1B as a “device authentication result response” (step S70).

On the other hand, the authentication collaboration apparatus 1B receives a “device authentication result response” via the communication unit 10 by the device authentication result receiving unit 127B (step S71).
Thereafter, the authentication collaboration apparatus 1B updates the authentication information stored in the authentication information storage unit 112 based on the device authentication result notified as the “device authentication result response” by the authentication information update unit 128B (step S72). ).

  Further, the authentication cooperation device 1B issues (generates) authentication information with the updated device authentication result by the authentication information issuing unit 124, and redirects to the device authentication device 2B as an authentication information update response (authentication information update response). In such a manner, an “authentication information update response” is transmitted to the user using terminal 4 (step S73). At this time, the authentication information issuing unit 124 adds a signature to the authentication information by the signature generation unit 125.

Then, the user using terminal 4 receives the “authentication information update response” (step S74), and transmits the “authentication information update response” to the device authentication apparatus 2B by redirection (step S75).
Then, the device authentication apparatus 2B receives the authentication information transmitted as an “authentication information update response” by the authentication information receiving unit 222 (step S76).

  In the authentication information, when the device authentication result is bound, the device authentication apparatus 2B sends “service use request” as a response to the “service use request” received in step S51 by the service use request response transmitting unit (not shown). Response "is transmitted to the user using terminal 4 (step S77). Further, the user use terminal 4 receives a “service use response” from the device authentication apparatus 2B (step S78).

Thereby, the device authentication device (service providing device) 2B verifies the validity of the user of the user use terminal 4 and the device, and provides the service.
By the above operation, the authentication collaboration system S _B is by a service providing apparatus having a device authentication function (device authentication apparatus 2B), to bind spontaneously device authentication result to the authentication result of the user entity, a plurality of the authentication information It becomes possible to use it between other service providers. Similarly to the authentication collaboration system S (see FIG. 1) of the first embodiment, when the user authentication result is verified and the service is provided, the validity of the device used by the user (user use terminal 4) is also ensured. Judgment can be made.
Here, in the authentication coordination system S _B, were subjected to operation focuses on a device authentication apparatus 2B which includes the functions of the service providing apparatus and the authentication collaboration apparatus 1B, in the authentication coordination system S _B, the user using terminal When 4 requests a service to the service providing apparatus 3, the operation is the same as that described with reference to FIG.

S Authentication Cooperation System 1 Authentication Cooperation Device 10 Communication Unit 11 Storage Unit 110 Device Authentication Destination Storage Unit 111 User Information Storage Unit 112 Authentication Information Storage Unit (Authentication Level Storage Unit)
DESCRIPTION OF SYMBOLS 12 Control part 120 Authentication request receiving means 121 Authentication level discrimination means 122 User authentication means 123 Equipment authentication request means 124 Authentication information issuing means 125 Signature generating means 126 Authentication information inquiry receiving means 127 Equipment authentication result receiving means 128 Authentication information updating means 129 Authentication Information update request receiving means 130 Device authentication result inquiry means 2 Device authentication apparatus 20 Communication unit 21 Storage unit 210 User registered device information storage means 211 Device authentication result storage means 22 Control unit 220 Device authentication request receiving means 221 Authentication information inquiry means 222 Authentication Information receiving means 223 Authentication information verification means 224 Device authentication means 225 Equipment authentication result transmission means 226 Signature generation means 227 Service use request reception means 228 Authentication request transmission means 229 Authentication information update request transmission means 23 Result of device authentication inquiry reception means 3 service providing device 4-user terminal

Claims (9)

An authentication collaboration comprising an authentication collaboration device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a device authentication device that performs device authentication of a user user terminal that uses the service System authentication linkage device,
Authentication request receiving means for receiving a user authentication request indicating a user authentication request from the service providing device;
User authentication for performing user authentication based on user information registered in advance in the user information storage unit with the user operating the user utilization terminal when the user authentication request is received by the authentication request receiving unit Means,
Authentication information issuing means for adding an identifier for identifying the user to the user authentication result in the user authentication means and issuing authentication information;
Authentication information storage means for storing authentication information issued by the authentication information issuing means;
Device authentication request means for transmitting the authentication information or its reference information to the device authentication device and requesting device authentication of the user using terminal;
A device authentication result receiving means for receiving a device authentication result of the user using terminal registered in advance by the user specified by the authentication information from the device authentication device;
An authentication information updating unit that updates the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit;
An authentication linkage apparatus comprising: Authentication level storage means for storing an authentication level indicating an authentication state of the user and the user using terminal;
An authentication level determination unit that determines which level is stored in the authentication level storage unit when the user authentication request is received;
The user authentication means performs the user authentication when the authentication level is user unauthenticated,
The authentication cooperation apparatus according to claim 1, wherein the device authentication request unit requests the device authentication device to authenticate the user using terminal when the authentication level is device unauthenticated. . An authentication information update request receiving means for receiving an authentication information update request including a token for uniquely identifying the authentication result of the user using terminal from the device authentication device;
A device authentication result inquiry means for transmitting a device authentication result inquiry including the token included in the authentication information update request received by the authentication information update request receiving means to the device authentication device;
The authentication cooperation apparatus according to claim 1, further comprising: An authentication collaboration comprising an authentication collaboration device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a device authentication device that performs device authentication of a user user terminal that uses the service In the authentication collaboration apparatus of the system, in order to link the user authentication result and the authentication result of the device registered by the user in advance, the computer of the authentication collaboration apparatus,
Authentication request receiving means for receiving a user authentication request indicating the user authentication request from the service providing device;
User authentication for performing user authentication with a user operating the user utilization terminal based on user information registered in advance in the user information storage unit when the authentication request receiving unit receives the user authentication request means,
An authentication information issuing means for issuing an authentication information by adding an identifier for identifying the user to the user authentication result in the user authentication means, and storing the authentication information in the authentication information storage means;
Device authentication request means for transmitting the authentication information or its reference information to the device authentication apparatus and requesting device authentication of the user using terminal,
A device authentication result receiving means for receiving a device authentication result which is an authentication result of the device authentication apparatus in response to the request of the device authentication request means;
An authentication information updating unit for updating the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit;
Authentication linkage program characterized by functioning as An authentication collaboration comprising an authentication collaboration device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a device authentication device that performs device authentication of a user user terminal that uses the service A device authentication device in a system authentication linkage system,
User registration device information storage means for pre-registering and storing an identifier for identifying the user and device information for device authentication of the user use terminal used by the user;
Authentication information receiving means for receiving authentication information indicating a user authentication result from the authentication cooperation device;
Based on the authentication information received by the authentication information receiving means, authentication information verification means for verifying the validity of the user;
A device that performs device authentication with the user utilization terminal based on device information stored in the user registration device information storage unit corresponding to the identifier of the user whose validity is verified by the authentication information verification unit Authentication means;
Device authentication result transmission means for transmitting a device authentication result in the device authentication means to the authentication cooperation device;
A device authentication apparatus comprising: A device authentication request receiving means for receiving a device authentication request indicating a request for authentication of the user use terminal including the authentication information or reference information for referring to the authentication information from the authentication cooperation device;
An authentication information inquiry means for sending an inquiry for authentication information of a reference destination indicated by the reference information to the authentication cooperation apparatus when the reference information is included in the equipment authentication request received by the equipment authentication request receiving means; With
Based on the authentication information received by the authentication information receiving means or the authentication information received by the authentication information receiving means and sent by the authentication cooperation apparatus in response to the inquiry by the authentication information inquiry means. The device authentication apparatus according to claim 5, wherein the validity of the user is verified. The device authentication means generates a token that uniquely identifies the device authentication result, stores the device authentication result and the token in association with each other in the device authentication result storage means,
An authentication information update request transmitting means for transmitting an authentication information update request indicating a request for updating the authentication information including the token to the authentication cooperation device;
A device authentication result inquiry receiving means for receiving a device authentication result inquiry including the token from the authentication cooperation device,
6. The device authentication result transmission unit reads out a device authentication result corresponding to a token included in the device authentication result inquiry from the device authentication result storage unit and transmits the device authentication result to the authentication cooperation apparatus. The device authentication device described in 1. An authentication collaboration comprising an authentication collaboration device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a device authentication device that performs device authentication of a user user terminal that uses the service In the device authentication device of the system, in order to link the user authentication result and the device authentication result, the computer of the device authentication device,
Authentication information receiving means for receiving authentication information indicating a user authentication result from the authentication cooperation device;
Authentication information verification means for verifying the validity of the user based on the authentication information received by the authentication information receiving means,
The authentication is performed based on device information stored in user registration device information storage means for registering and storing in advance an identifier for identifying the user and device information for device authentication of the user use terminal used by the user. Device authentication means for performing device authentication with the user use terminal corresponding to the user identifier verified by the information verification means;
Device authentication result transmission means for transmitting a device authentication result in the device authentication means to the authentication cooperation device;
A device authentication program that functions as a device. An authentication collaboration comprising an authentication collaboration device that performs authentication of a user who uses the service in cooperation between a plurality of service providing devices that provide the service, and a device authentication device that performs device authentication of a user user terminal that uses the service A system,
The authentication linkage device
Authentication request receiving means for receiving a user authentication request indicating a user authentication request from the service providing device;
User authentication for performing user authentication based on user information registered in advance in the user information storage unit with the user operating the user utilization terminal when the user authentication request is received by the authentication request receiving unit Means,
Authentication information issuing means for adding an identifier for identifying the user to the user authentication result in the user authentication means and issuing authentication information;
Authentication information storage means for storing authentication information issued by the authentication information issuing means;
Device authentication request means for transmitting the authentication information or its reference information to the device authentication device and requesting device authentication of the user using terminal;
A device authentication result receiving means for receiving a device authentication result of the user using terminal registered in advance by the user specified by the authentication information from the device authentication device;
An authentication information updating unit that updates the authentication information by adding the device authentication result received by the device authentication result receiving unit to the authentication information stored in the authentication information storage unit,
The device authentication device
User registration device information storage means for pre-registering and storing an identifier for identifying the user and device information for device authentication of the user use terminal used by the user;
Authentication information receiving means for receiving authentication information indicating a user authentication result from the authentication cooperation device;
Based on the authentication information received by the authentication information receiving means, authentication information verification means for verifying the validity of the user;
A device that performs device authentication with the user utilization terminal based on device information stored in the user registration device information storage unit corresponding to the identifier of the user whose validity is verified by the authentication information verification unit Authentication means;
Device authentication result transmission means for transmitting a device authentication result in the device authentication means to the authentication cooperation device;
An authentication linkage system comprising:

Images