JP5613596B2 - Authentication system, terminal device, authentication server, and program - Google Patents


Info

Publication number: JP5613596B2
Authority: JP (Japan)
Prior art keywords: authentication, information, terminal device, token, unit
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: JP2011050814A
Other languages: Japanese (ja)
Other versions: JP2012191270A (en)
Inventor: 松井 利樹, 竹森 敬祐, 西川 真
Original Assignee: Kddi株式会社
Application filed by: Kddi株式会社
Priority to: JP2011050814A
Publication of JP2012191270A
Application granted
Publication of JP5613596B2

Description

  The present invention relates to a terminal device that receives authentication, an authentication server that authenticates the terminal device, and an authentication system that includes the terminal device and the authentication server. The present invention also relates to a program for causing a computer to function as the terminal device and the authentication server.

  In a general server-client communication system, one conceivable method of authenticating a terminal device that is a client is for the terminal device to send the authentication information (ID and password) entered by the user to the authentication server, and for the authentication server to perform authentication based on that authentication information. However, it is very troublesome for the user to input authentication information every time authentication is performed. Therefore, another conceivable method is that, once authentication information has been input to the terminal device and authentication has been performed by the authentication server, the authentication server issues an authentication token to the terminal device, and the terminal device transmits the authentication token to the authentication server in the next and subsequent authentications, so that the input of authentication information can be omitted.

  Note that Patent Document 1 describes a technique for continuing an authentication state using an authentication token without performing re-authentication when a failure such as a power failure occurs.

  Patent Document 1: JP 2009-59065 A

  However, on a terminal device such as a smartphone or a PC (Personal Computer), if authentication information is held in a nonvolatile memory, the authentication information may be stolen by a virus or the like. If the authentication information is stolen, there is a risk of a so-called impersonation attack in which a malicious user acts as a legitimate user using the authentication information. Also, when authentication information is held in volatile memory, the authentication information is stored for a shorter time than when authentication information is held in non-volatile memory. However, when the software or OS (Operating System) is restarted, the authentication token is lost from the volatile memory, and the user needs to input the authentication information again.

  In order to solve the above problem, there is a method in which a secure module is provided in the terminal device and the authentication information is stored safely in the secure module. However, from the viewpoint of cost and the like, it may be difficult to provide a secure module in a terminal device such as a smartphone or a PC configured with general-purpose hardware.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide an authentication system, a terminal device, an authentication server, and a program capable of reducing the occurrence of attacks due to impersonation without adding hardware for storing authentication information to the terminal device.

  The present invention has been made in order to solve the above-described problem, and is an authentication system including a terminal device and an authentication server. The terminal device includes: a first encryption unit that generates encrypted information by adding time information to device identification information for identifying the terminal device and encrypting the result with a first common key; and a first communication unit that transmits, to the authentication server, a first authentication request including authentication information used for authentication processing and the device identification information, receives from the authentication server, as a response to the first authentication request, an authentication token obtained by encrypting the authentication information and the device identification information with a second common key, and transmits a second authentication request including the authentication token, the encrypted information, and the time information to the authentication server. The authentication server includes: a storage unit that stores the authentication information registered in advance; a second encryption unit that generates the authentication token by encrypting the authentication information and the device identification information included in the first authentication request with the second common key; a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives the second authentication request from the terminal device; a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and by comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit. The authentication unit further performs the authentication processing by comparing the time information obtained by decrypting the encrypted information with the time information included in the second authentication request.

  In the authentication system of the present invention, the terminal device further includes a non-volatile memory that holds the authentication token at least from when the authentication token is received from the authentication server until the second authentication request is transmitted to the authentication server.

  In addition, the present invention is a terminal device including: a first encryption unit that generates encrypted information by adding time information to device identification information for identifying the terminal device and encrypting the result with a first common key; and a first communication unit that transmits, to an authentication server, a first authentication request including authentication information used for authentication processing and the device identification information, receives from the authentication server, as a response to the first authentication request, an authentication token obtained by encrypting the authentication information and the device identification information with a second common key, and transmits a second authentication request including the authentication token, the encrypted information, and the time information to the authentication server. The authentication server includes: a storage unit that stores the authentication information registered in advance; a second encryption unit that generates the authentication token by encrypting the authentication information and the device identification information included in the first authentication request with the second common key; a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives the second authentication request from the terminal device; a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and by comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit. The authentication unit further performs the authentication processing by comparing the time information obtained by decrypting the encrypted information with the time information included in the second authentication request.

  In addition, the present invention is an authentication server including: a storage unit that stores authentication information registered in advance; a second encryption unit that generates an authentication token by encrypting, with a second common key, the authentication information and the device identification information included in a first authentication request received from a terminal device, the first authentication request including the authentication information and device identification information that identifies the terminal device; a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives from the terminal device a second authentication request including the authentication token, encrypted information obtained by adding time information to the device identification information and encrypting the result with a first common key, and the time information; a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and by comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit. The authentication unit further performs the authentication processing by comparing the time information obtained by decrypting the encrypted information with the time information included in the second authentication request.

  Moreover, the present invention is a program for causing a computer to function as the above terminal device.

  Further, the program of the present invention includes native code for causing a computer to function as the first encryption unit.

  Moreover, the present invention is a program for causing a computer to function as the above authentication server.

  According to the present invention, a process of comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information is added to the authentication process. As a result, even if the authentication token held in the terminal device is extracted, impersonation is not possible unless the device identification information can be generated. Therefore, the occurrence of attacks due to impersonation can be reduced without adding hardware for storing the authentication information to the terminal device.

  FIG. 1 is a block diagram showing the configuration of the authentication system according to one embodiment of the present invention. FIG. 2 is a block diagram showing the configuration of the client according to one embodiment of the present invention. FIG. 3 is a block diagram showing the configuration of the server according to one embodiment of the present invention. FIG. 4 is a sequence diagram showing the procedure of operation of the authentication system according to one embodiment of the present invention. FIG. 5 is a sequence diagram showing the procedure of operation of the authentication system according to one embodiment of the present invention. FIG. 6 is a flowchart showing the procedure of operation of the server according to one embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of an authentication system according to an embodiment of the present invention. An authentication system is composed of a client 1 that is a terminal device that receives authentication and a server 2 that is an authentication server that performs authentication. A plurality of clients 1 may exist.

  FIG. 2 shows the configuration of the client 1. The client 1 includes a CPU (Central Processing Unit) 10, a communication unit 11, a display unit 12, an operation unit 13, a memory 14, and a storage unit 15. The CPU 10 reads various programs stored in the storage unit 15 and loads them into the memory 14, performs various calculations according to various instructions of the program, and controls each unit in the client 1. The communication unit 11 communicates with another external communication device (the server 2 in this embodiment). The display unit 12 displays various information. The operation unit 13 includes various operation members that are operated by the user. The memory 14 is composed of a volatile memory that temporarily stores a program read from the storage unit 15, a result of calculation performed by the CPU 10, and the like. The storage unit 15 includes a nonvolatile memory that stores various programs that define the operation of the CPU 10 and various data processed in the client 1. As an example, the client 1 of the present embodiment is assumed to employ Android (registered trademark) as the OS.

  The authentication processing unit 16 and the encryption unit 17 are programs for causing the CPU 10 to execute various processes. FIG. 2 shows a state in which the programs of the authentication processing unit 16 and the encryption unit 17 have been read from the storage unit 15 into the memory 14 and the authentication processing unit 16 and the encryption unit 17 are running on the memory 14. These programs started on the memory 14 perform various processes using resources of the CPU 10 and the memory 14. The authentication processing unit 16 performs the processing necessary for receiving authentication from the server 2. The encryption unit 17 encrypts a device ID (device identification information) that identifies an individual client 1 with a common key (hereinafter referred to as a common key A), and thereby generates device encryption information (encrypted information).

  The device ID is one of IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), OS ID, and MAC (Media Access Control) address, or a combination thereof, and is identification information unique to each device. The IMEI is information including the device manufacturer, model, serial number, and the like, and is recorded in, for example, a general-purpose flash memory provided as standard in a mobile terminal. The IMSI is a unique identifier for each subscriber, and is recorded on, for example, a general-purpose UIM (User Identity Module) card necessary for using a mobile terminal. The OS ID is 64-bit information randomly generated when the OS is first started on the device, and is recorded in, for example, a general-purpose flash memory provided as standard in a mobile terminal. The MAC address is held by, for example, the communication unit 11. The common key A used by the encryption unit 17 is stored in the program of the encryption unit 17.

  The program of the encryption unit 17 is composed of native code (machine language) that is difficult to decompile. An OS such as Android (registered trademark) is provided with a mechanism for calling native code using JNI (Java (registered trademark) Native Interface) which is a native code interface. In order to prevent the processing of the encryption unit 17 from being deciphered by decompilation, it is more desirable not only to configure the program of the encryption unit 17 with native code but also to obfuscate the program of the encryption unit 17. By configuring the encryption unit 17 not to depend on the hardware of the client 1, high compatibility can be realized in a terminal device using general-purpose hardware.

  FIG. 3 shows the configuration of the server 2. The server 2 includes a CPU 20, a communication unit 21, a memory 22, and a storage unit 23. The CPU 20 reads various programs stored in the storage unit 23 and loads them into the memory 22, performs various calculations according to various instructions of the program, and controls each unit in the server 2. The communication unit 21 communicates with another external communication device (in this embodiment, the client 1). The memory 22 is composed of a volatile memory that temporarily stores a program read from the storage unit 23, a result of calculation performed by the CPU 20, and the like. The storage unit 23 includes a nonvolatile memory that stores various programs that define the operation of the CPU 20 and various data processed in the server 2.

  The authentication processing unit 24, the encryption unit 25, and the decryption unit 26 are programs for causing the CPU 20 to execute various processes. FIG. 3 shows a state in which the programs of the authentication processing unit 24, the encryption unit 25, and the decryption unit 26 have been read from the storage unit 23 into the memory 22 and the authentication processing unit 24, the encryption unit 25, and the decryption unit 26 are running on the memory 22. These programs started on the memory 22 perform various processes using the resources of the CPU 20 and the memory 22. The authentication processing unit 24 performs authentication processing for the client 1. The encryption unit 25 encrypts information acquired from the client 1 with a common key (hereinafter referred to as a common key B), and thereby generates an authentication token. The decryption unit 26 decrypts the authentication token acquired from the client 1 with the common key B, and decrypts the device encryption information acquired from the client 1 with the common key A.

  The common key A and the common key B used by the encryption unit 25 are stored in the program of the encryption unit 25. The common key A used by the encryption unit 25 is the same as the common key A used by the encryption unit 17 of the client 1.

  Next, operations of the client 1 and the server 2 at the time of authentication will be described with reference to FIG. 4 and FIG. 5. When the client 1 performs data communication with the server 2, the client 1 requests authentication from the server 2, and the server 2 performs authentication in response to the request from the client 1. FIG. 4 shows processing relating to the first authentication in a state where the client 1 does not hold the authentication token.

  In the following description, data used for processing by the client 1 or the server 2 is stored in the memory 14 or the memory 22 as appropriate, and is deleted from the memory 14 or the memory 22 when it becomes unnecessary. The description of erasing data from the memory 14 or the memory 22 is omitted below. Since the time for which each piece of information is stored in the memory 14 or the memory 22 is sufficiently short, the risk that the device ID or other data stored in the memory 14 for processing will be read out is small.

  In the following description, it is assumed that communication between the client 1 and the server 2 is performed by encrypted communication such as SSL (Secure Socket Layer). Further, it is assumed that an ID and a password issued to the user of the client 1 are stored in the storage unit 23 of the server 2.

  First, in the client 1, the operation unit 13 is operated by the user, and an ID is input. The authentication processing unit 16 acquires the input ID and stores it in the memory 14 (step S100). Similarly, the user operates the operation unit 13 and inputs a password. The authentication processing unit 16 acquires the input password and stores it in the memory 14 (step S105). Through the processing in steps S100 and S105, an ID and a password, which are authentication information necessary for authentication, are acquired.

  Subsequently, the authentication processing unit 16 acquires the device ID from the storage unit 15 and stores it in the memory 14 (step S110). The authentication processing unit 16 generates an authentication request (first authentication request) including the ID, password, and device ID stored in the memory 14, and outputs them to the communication unit 11 (step S115). The communication unit 11 transmits an authentication request to the server 2 (step S120).

  The communication unit 21 of the server 2 receives the authentication request. The received authentication request is stored in the memory 14. The authentication processing unit 24 collates whether or not the combination of the ID and password included in the authentication request matches the combination of the ID and password stored in the storage unit 23 (step S125). If the two combinations do not match, a message including information indicating that the authentication has failed is returned to the client 1 and the authentication ends. If the two combinations match, the encryption unit 25 encrypts the ID, password, and device ID included in the authentication request with the common key B, generates an authentication token, and outputs the authentication token to the communication unit 21 (step S130). The communication unit 21 transmits the authentication token to the client 1 that is the transmission source of the authentication request (step S135).

  The communication unit 11 of the client 1 receives the authentication token. The received authentication token is stored in the memory 14. The authentication processing unit 16 saves the authentication token stored in the memory 14 to the storage unit 15 (step S140). Subsequently, the authentication processing unit 16 generates a processing completion notification for notifying the server 2 of the completion of the processing, and outputs the processing completion notification to the communication unit 11. The communication unit 11 transmits the processing completion notification to the server 2 (step S145). After transmitting the processing completion notification, the client 1 ends the process related to the first authentication. By receiving the authentication token, the client 1 is permitted to perform data communication with the server 2 and performs data communication. The communication unit 21 of the server 2 receives the processing completion notification. After receiving the processing completion notification, the server 2 ends the process related to the first authentication.

  FIG. 5 shows a process related to the second and subsequent authentications in a state where the process related to the first authentication is completed and the client 1 holds the authentication token. First, the authentication processing unit 16 of the client 1 reads the authentication token from the storage unit 15 and stores it in the memory 14 (step S200). The authentication processing unit 16 acquires the device ID from the storage unit 15 and stores it in the memory 14 (step S205). The encryption unit 17 encrypts the device ID stored in the memory 14 with the common key A, generates device encryption information, and stores the device encryption information in the memory 14 (step S210).

  Subsequently, the authentication processing unit 16 generates an authentication request (second authentication request) including the authentication token and device encryption information stored in the memory 14 and outputs the authentication request to the communication unit 11 (step S215). The communication unit 11 transmits an authentication request to the server 2 (step S220).

  The communication unit 21 of the server 2 receives the authentication request. The received authentication request is stored in the memory 14. The decryption unit 26 extracts the authentication token and the device encryption information from the authentication request stored in the memory 14 and stores them in the memory 14. Subsequently, the decryption unit 26 decrypts the authentication token stored in the memory 14 with the common key B, and stores the ID, password, and device ID obtained by the decryption in the memory 14 (step S225). The decrypting unit 26 decrypts the device encryption information stored in the memory 14 with the common key A, and stores the device ID obtained by the decryption in the memory 14 (step S230).

  Subsequently, the authentication processing unit 24 reads the device ID obtained by decrypting the authentication token and the device ID obtained by decrypting the device encryption information from the memory 14 and compares them (step S235). If they do not match, a message including information indicating that the authentication has failed is returned to the client 1 and the authentication is completed. If the two match, the authentication processing unit 24 determines whether the combination of the ID and password obtained by decrypting the authentication token matches the combination of the ID and password stored in the storage unit 23, Collation is performed (step S240).

  If the combination of the two does not match, a message including information indicating that the authentication has failed is returned to the client 1 and the authentication ends. When the combination of the two matches, the authentication processing unit 24 generates a permission notification for notifying the client 1 of permission of data communication and outputs the notification to the communication unit 21. The communication unit 21 transmits a permission notice to the client 1. After transmitting the permission notification, the server 2 ends the process related to the second and subsequent authentications. The communication unit 11 of the client 1 receives the permission notification. By receiving the permission notification, the client 1 is permitted to perform data communication with the server 2 and performs data communication.

  Next, a modification of this embodiment will be described. In order to enhance safety, the following may be performed. The encryption unit 17 of the client 1 performs encryption by adding time information to the device ID when generating the device encryption information in step S210. Further, when generating the authentication request in step S215, the authentication processing unit 16 generates an authentication request including not only the authentication token and the device encryption information but also the above time information.

  When the authentication request including the authentication token is received, the authentication processing unit 24 of the server 2 extracts the authentication token, device encryption information, and time information from the authentication request and stores them in the memory 14. Further, the decryption unit 26 decrypts the device encryption information in step S230 of FIG. 5. Thereafter, the authentication processing unit 24 verifies the validity of the authentication token using the time information.

  FIG. 6 shows the operation of the authentication processing unit 24 related to the verification of the validity of the authentication token. The authentication processing unit 24 reads the time information extracted from the authentication request and the time information obtained by decrypting the device encryption information from the memory 14 and compares them (step S300). If the two match (step S305), the authentication processing unit 24 determines that the authentication token is valid (step S310). If they are different, the authentication processing unit 24 determines that the authentication token is invalid (step S315).

  When it is determined that the authentication token is invalid, a message including information indicating that the authentication has failed is returned to the client 1 and the authentication ends. If it is determined that the authentication token is valid, the client 1 is authenticated according to the result of the confirmation in steps S235 and S240 in FIG. 5.
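  The second-authentication checks of FIG. 5 (steps S225 to S240) together with the time comparison of FIG. 6, as an added Python example that is not code from the patent. The page names no cipher, so `encrypt`/`decrypt` are a stand-in built from standard-library HMAC-SHA256; the keys, user record, device ID, field names and return strings are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed sample values (assumptions, not from the page).
KEY_A = b"A" * 32   # common key A: embedded in encryption unit 17, shared with server 2
KEY_B = b"B" * 32   # common key B: held by server 2 only
USERS = {"alice": "correct horse"}   # storage unit 23: registered ID -> password


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for the unnamed cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, fields):
    """Encrypt a dict of fields under a common key and append an integrity tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    """Return the decrypted fields, or None if blob was not produced under key."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain)


def _credentials_ok(user_id, password):
    stored = USERS.get(user_id)
    return stored is not None and hmac.compare_digest(stored.encode(),
                                                      password.encode())


def server_first_auth(user_id, password, device_id):
    """Steps S125-S130: check ID/password, then issue the token under key B."""
    if not _credentials_ok(user_id, password):
        return None
    return encrypt(KEY_B, {"id": user_id, "pw": password, "dev": device_id})


def client_second_request(token, device_id, now=None):
    """Steps S200-S215 with the time-information modification."""
    t = int(time.time()) if now is None else now
    dev_info = encrypt(KEY_A, {"dev": device_id, "time": t})   # step S210
    return {"token": token, "dev_info": dev_info, "time": t}


def server_second_auth(request):
    """Steps S225-S240 plus the FIG. 6 validity check (S300-S315)."""
    token = decrypt(KEY_B, request["token"])        # step S225
    info = decrypt(KEY_A, request["dev_info"])      # step S230
    if token is None or info is None:
        return "reject: undecryptable"
    if info["time"] != request["time"]:             # steps S300-S315
        return "reject: time mismatch"
    if token["dev"] != info["dev"]:                 # step S235
        return "reject: device mismatch"
    if not _credentials_ok(token["id"], token["pw"]):   # step S240
        return "reject: credentials"
    return "permit"


if __name__ == "__main__":
    device = "356938035643809"   # constructed device ID
    tok = server_first_auth("alice", "correct horse", device)
    print(server_second_auth(client_second_request(tok, device)))
    print(server_second_auth(client_second_request(tok, "another-device")))
```

  As described, step S300 compares two values that both arrive in the request; the page does not state whether the server also checks the time against its own clock.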

  The client 1 and the server 2 of the present embodiment can be configured by recording a program for realizing the operations and functions of the client 1 and the server 2 on a computer-readable recording medium and causing a computer to read and execute the program recorded on the recording medium.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM, or a CD-ROM, and a storage device such as a hard disk built into the computer. Further, the “computer-readable recording medium” also includes media that hold a program for a certain period of time, such as a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line such as a telephone line. Further, the above-described program may be for realizing a part of the above-described functions. Furthermore, the program may be a so-called difference file (difference program) that realizes the above-described functions in combination with a program already recorded on the computer.

  As described above, according to the present embodiment, in addition to the conventional authentication processing using the ID and password, the server 2 compares the device ID obtained by decrypting the authentication token with the device ID obtained by decrypting the device encryption information. Even if the authentication token held in the client 1 is extracted by a malicious user, the device ID is information unique to each device, and the device ID is encrypted as device encryption information in the authentication token, so it is difficult to generate a device ID. In this embodiment, impersonation is impossible unless a device ID can be generated, so attacks by impersonation can be reduced without adding hardware for storing authentication information to the client 1.

  Further, by verifying the validity of the authentication token using the time information, it is possible to further reduce the occurrence of attacks due to impersonation.
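
  The server-side check summarized in the two paragraphs above, as an added example that is not code from the patent. The patent does not name a cipher, so the HMAC-SHA256 keystream with encrypt-then-MAC below is a stand-in for its "common key" encryption; the names `seal`, `unseal`, `Server`, `second_request`, the JSON field names, and the 300-second freshness window are assumptions of this example.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, see lead-in).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under one common key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the decrypted object, or None if the blob was not made with key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class Server:
    def __init__(self, k1, k2, accounts, max_skew=300):
        # k1/k2: first/second common key; accounts: pre-registered ID -> password.
        # max_skew (seconds) is an assumption of this example, not a value from the page.
        self.k1, self.k2, self.accounts, self.max_skew = k1, k2, accounts, max_skew

    def _registered(self, user, pw):
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), pw.encode())

    def issue_token(self, user, pw, device_id):
        """First authentication request: ID/password check, then token under k2."""
        if not self._registered(user, pw):
            return None
        return seal(self.k2, {"id": user, "pw": pw, "dev": device_id})

    def verify(self, token, enc_info, t, now=None):
        """Second authentication request: token, encrypted information, time."""
        tok, info = unseal(self.k2, token), unseal(self.k1, enc_info)
        if tok is None or info is None:
            return "bad-ciphertext"
        if not self._registered(tok["id"], tok["pw"]):
            return "auth-info-mismatch"   # stored authentication information differs
        if tok["dev"] != info["dev"]:
            return "device-mismatch"      # token presented with another device's ID
        if info["t"] != t:
            return "time-mismatch"        # cleartext time differs from encrypted time
        now = time.time() if now is None else now
        return "ok" if abs(now - t) <= self.max_skew else "stale"

def second_request(k1, token, device_id, now):
    """Terminal side: encrypt device ID plus time information under k1."""
    t = int(now)
    return token, seal(k1, {"dev": device_id, "t": t}), t
```

  Each rejected case returns a distinct reason string, so the checks named in the claims (device ID comparison, authentication information comparison, time comparison) can be exercised and logged separately.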

  Further, since the authentication token can be held in the non-volatile memory in the client 1, no dedicated hardware for storing the authentication information is required, and an increase in the cost of the client 1 can be avoided.

  The embodiments of the present invention have been described above in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like that do not depart from the gist of the present invention.

  DESCRIPTION OF SYMBOLS 1 ... Client, 2 ... Server, 10, 20 ... CPU, 11, 21 ... Communication part, 12 ... Display part, 13 ... Operation part, 14, 22 ... Memory, 15, 23 ... storage unit, 16, 24 ... authentication processing unit, 17, 25 ... encryption unit, 26 ... decryption unit

Claims (7)

  1. An authentication system comprising a terminal device and an authentication server, wherein
    the terminal device has:
    a first encryption unit that generates encrypted information by adding time information to device identification information for identifying the terminal device and encrypting the result with a first common key; and
    a first communication unit that transmits, to the authentication server, a first authentication request including authentication information used for authentication processing and the device identification information; receives from the authentication server, as a response to the first authentication request, an authentication token in which the authentication information and the device identification information are encrypted with a second common key; and transmits, to the authentication server, a second authentication request including the authentication token, the encrypted information, and the time information,
    the authentication server has:
    a storage unit that stores the authentication information registered in advance;
    a second encryption unit that generates the authentication token by encrypting the authentication information and the device identification information included in the first authentication request with the second common key;
    a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives the second authentication request from the terminal device;
    a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and
    an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit,
    and the authentication unit further performs the authentication process by comparing the time information acquired by decrypting the encrypted information with the time information included in the second authentication request.
  2. The authentication system according to claim 1, wherein the terminal device further includes a non-volatile memory that holds the authentication token at least from when the authentication token is received from the authentication server until the second authentication request is transmitted to the authentication server.
  3. A terminal device comprising:
    a first encryption unit that generates encrypted information by adding time information to device identification information for identifying the terminal device and encrypting the result with a first common key; and
    a first communication unit that transmits, to an authentication server, a first authentication request including authentication information used for authentication processing and the device identification information; receives from the authentication server, as a response to the first authentication request, an authentication token in which the authentication information and the device identification information are encrypted with a second common key; and transmits, to the authentication server, a second authentication request including the authentication token, the encrypted information, and the time information,
    wherein the authentication server has:
    a storage unit that stores the authentication information registered in advance;
    a second encryption unit that generates the authentication token by encrypting the authentication information and the device identification information included in the first authentication request with the second common key;
    a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives the second authentication request from the terminal device;
    a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and
    an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit,
    and the authentication unit further performs the authentication process by comparing the time information acquired by decrypting the encrypted information with the time information included in the second authentication request.
  4. An authentication server comprising:
    a storage unit that stores pre-registered authentication information;
    an encryption unit that generates an authentication token by encrypting, with a second common key, the authentication information and the device identification information included in a first authentication request received from a terminal device, the first authentication request including the authentication information and the device identification information for identifying the terminal device;
    a second communication unit that receives the first authentication request from the terminal device, transmits the authentication token based on the first authentication request to the terminal device, and receives from the terminal device a second authentication request including the authentication token, encrypted information in which time information is added to the device identification information and encrypted with a first common key, and the time information;
    a decryption unit that decrypts the authentication token included in the second authentication request with the second common key to obtain the authentication information and the device identification information, and decrypts the encrypted information included in the second authentication request with the first common key to obtain the device identification information and the time information; and
    an authentication unit that performs authentication processing by comparing the device identification information obtained by decrypting the authentication token with the device identification information obtained by decrypting the encrypted information, and comparing the authentication information obtained by decrypting the authentication token with the authentication information stored in the storage unit,
    wherein the authentication unit further performs the authentication process by comparing the time information acquired by decrypting the encrypted information with the time information included in the second authentication request.
  5. A program for causing a computer to function as the terminal device according to claim 3.
  6. The program according to claim 5, comprising native code for causing a computer to function as the first encryption unit.
  7. A program for causing a computer to function as the authentication server according to claim 4.
JP2011050814A 2011-03-08 2011-03-08 Authentication system, terminal device, authentication server, and program Active JP5613596B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2011050814A JP5613596B2 (en) 2011-03-08 2011-03-08 Authentication system, terminal device, authentication server, and program

Publications (2)

Publication Number Publication Date
JP2012191270A JP2012191270A (en) 2012-10-04
JP5613596B2 true JP5613596B2 (en) 2014-10-29

Family

ID=47083994

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2011050814A Active JP5613596B2 (en) 2011-03-08 2011-03-08 Authentication system, terminal device, authentication server, and program

Country Status (1)

Country Link
JP (1) JP5613596B2 (en)

Legal Events

Date Code Title Description
A521 Written amendment; Free format text: JAPANESE INTERMEDIATE CODE: A821; Effective date: 20130821
A621 Written request for application examination; Free format text: JAPANESE INTERMEDIATE CODE: A621; Effective date: 20130821
A977 Report on retrieval; Free format text: JAPANESE INTERMEDIATE CODE: A971007; Effective date: 20140421
A131 Notification of reasons for refusal; Free format text: JAPANESE INTERMEDIATE CODE: A131; Effective date: 20140507
A521 Written amendment; Free format text: JAPANESE INTERMEDIATE CODE: A523; Effective date: 20140702
A521 Written amendment; Free format text: JAPANESE INTERMEDIATE CODE: A821; Effective date: 20140703
TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model); Free format text: JAPANESE INTERMEDIATE CODE: A01; Effective date: 20140812
A61 First payment of annual fees (during grant procedure); Free format text: JAPANESE INTERMEDIATE CODE: A61; Effective date: 20140908
R150 Certificate of patent (=grant) or registration of utility model; Ref document number: 5613596; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150