JP5616156B2 - One-time authentication system - Google Patents

Description

  The present invention relates to a one-time authentication system.

  There is a system in which a seed such as a random number is updated each time the client and the server are successfully authenticated, a one-time ID is generated from the seed at the next authentication, and the client and the server authenticate each other. (For example, refer to Patent Document 1).

JP 2004-282295 A

  In the system as described above, the client-side seed for next authentication is stored in the client-side device. For this reason, normally, client-side devices that can be used to receive authentication using a one-time ID are limited to devices that store seeds.

  However, in order not to limit the client-side devices that can be used for authentication by the one-time ID, the client-side seed is stored in a rewritable portable storage device such as an IC card, and the user can It is conceivable to carry a portable storage device. By doing so, the seed can be read from the portable storage device by the reader / writer built in or connected to the device selected by the user, and authentication by the one-time ID can be performed by the device.

  Such authentication is repeatedly performed a plurality of times within the session, and the seed and thus the one-time ID are updated each time authentication is successful.

  However, there is an upper limit (that is, the life) of the number of writable times in a nonvolatile memory built in an IC card or the like, and the seed for the next session is stored in the portable storage device because it is desired to reduce the number of times of writing. Even if the seed is updated in the session, the client side device keeps it in the RAM without storing it in the portable storage device, and the seed for the next authentication is portable at the end of the session (or after the session ends). It will be written to the storage device.

  Therefore, it is necessary to arrange the portable storage device at a position writable by the reader / writer at least until the end of the session, which is not convenient. Also, if the portable storage device is removed from the reader / writer during the session, the seed is not in the portable storage device at the next session, so even a legitimate user can receive a one-time ID at the first authentication of the next session. You will not be able to receive authentication by.

  The present invention has been made in view of the above problems, and allows a portable storage device holding a seed to be detached in a short time after the start of a session. It is an object of the present invention to obtain a one-time authentication system capable of repeatedly performing authentication, a terminal device and a client computer program usable in the system.

  In order to solve the above problems, the present invention is configured as follows.

  The one-time authentication system according to the present invention includes a server device, a client device, and a portable storage device that can read and write data by the client device when placed at a predetermined position. Each of the server device and the client device generates a seed, encrypts and transmits the seed to each other, generates and transmits a one-time authenticator from the seed, and authenticates the one-time authenticator with each other based on the seed. Each time authentication is successful, a seed for the next authentication is generated and the seed is updated. The portable storage device holds the seeds of the server device and the client device. In phase 1, the client device reads the seed from the portable storage device, generates and transmits a one-time authenticator based on the read seed, and succeeds in authenticating the one-time authenticator. The seed is written in the portable storage device, and in Phase 2 after Phase 1, the initial authentication seed of Phase 2 is derived from the next authentication seed of Phase 1, and a one-time authenticator is generated from the initial authentication seed. If the one-time authenticator is successfully authenticated, a seed for next authentication in phase 2 is generated and the seed is updated. The server device holds the seed for next authentication in phase 1 until the next authentication in phase 1, and derives the seed for initial authentication in phase 2 from the next seed for authentication. If the authentication is successful, a seed for next authentication in phase 2 is generated and the seed is updated.

  Thereby, the seed for authentication in phase 1 and the seed for authentication in phase 2 are separately provided, and the authentication in phase 1 is executed using the seed stored in the portable storage device, The seed stored in the type storage device is updated, and thereafter, authentication in phase 2 is repeated. For this reason, if the authentication in phase 1 is completed, the user can leave the portable storage device from the terminal device or the reader. Accordingly, the portable storage device that holds the seed can be detached in a short time after the session starts, and even if the portable storage device is detached, authentication can be continuously repeated thereafter.

In addition to the above one-time authentication system, the one-time authentication system according to the present invention may be as follows. In this case, the portable storage device and the server device hold the phase 1 client side seed and the phase 1 server side seed as seeds. The client device
(A1) Read the phase 1 client side seed and the phase 1 server side seed from the portable storage device,
(A2) Generate a phase 1 client side one-time authenticator from the phase 1 client side seed and the phase 1 server side seed,
(A3) Generate the next authentication phase 1 client-side seed,
(A4) Send the phase 1 client-side one-time authenticator and the encrypted next-phase authentication phase 1 client-side seed to the server device,
(A5) receiving the phase 1 server side one-time authenticator and the encrypted next phase phase 1 server side seed from the server device;
(A6) If the authentication is successful for the phase 1 server-side one-time authenticator, the next authentication phase 1 client-side seed and the next authentication phase 1 server-side seed are written to the portable storage device,
(A7) If the authentication is successful for the phase 1 server side one-time authenticator, the next authentication phase 1 client side seed and the next authentication phase 1 server side seed to the initial authentication phase 2 client side seed and the initial authentication phase 2 server Derive the side seed,
(A8) Generate an initial authentication phase 2 client-side one-time authenticator from the initial authentication phase 2 client-side seed and initial authentication phase 2 server-side seed;
(A9) Generate the next authentication phase 2 client-side seed,
(A10) Send the initial authentication phase 2 client side one-time authenticator and the encrypted next authentication phase 2 client side seed to the server device,
(A11) receiving the phase 2 server side one-time authenticator and the encrypted next phase phase 2 server side seed after encryption from the server device;
(A12) If the authentication is successful for the phase 2 server side one-time authenticator, the next authentication phase 2 client-side one-time authenticator is generated from the next authentication phase 2 client-side seed and the next authentication phase 2 server-side seed.
The server device
(B1) receiving a phase 1 client-side one-time authenticator and an encrypted next-phase phase 1 client-side seed from the client device;
(B2) When the authentication is successful for the phase 1 client-side one-time authenticator, the next authentication phase 1 server-side seed is generated,
(B3) Generate a phase 1 server-side one-time authenticator from the next authentication phase 1 client-side seed and phase 1 server-side seed,
(B4) Send the phase 1 server side one-time authenticator and the encrypted next phase phase 1 server side seed to the client device,
(B5) Deriving the initial authentication phase 2 client side seed and the initial authentication phase 2 server side seed from the next authentication phase 1 client side seed and the next authentication phase 1 server side seed,
(B6) receiving the phase 2 client-side one-time authenticator and the encrypted second-phase authentication phase 2 client-side seed from the client device;
(B7) Based on the initial authentication phase 2 client-side seed and the initial authentication phase 2 server-side seed, when the initial authentication phase 2 client-side one-time authenticator is successfully authenticated, the next authentication phase 2 server-side seed is generated. And
(B8) A first-time authentication phase 2 server-side one-time authenticator is generated from the next-authentication phase- 2 client-side seed and the initial-authentication phase- 2 server-side seed,
(B9) The initial authentication phase 2 server side one-time authenticator and the encrypted next authentication phase 2 server side seed are transmitted to the client device.

  In addition to the one-time authentication system described above, the one-time authentication system according to the present invention may be as follows. In this case, the phase 1 client-side one-time authenticator and the phase 2 client-side one-time authenticator are calculated with the same one-way function, and the one-way function takes two arguments and functions according to the order of the arguments. It is a function with different values. If the order of arguments for the phase 1 client-side one-time authenticator is the order of phase 1 client-side seed and phase 1 server-side seed, the order of the arguments for the phase 2 client-side one-time authenticator is 2 server-side seed and phase 2 client-side seed. On the other hand, when the order of arguments for the phase 1 client-side one-time authenticator is the order of phase 1 server-side seed and phase 1 client-side seed, the order of the arguments for the phase 2 client-side one-time authenticator is 2 client-side seed and phase 2 server-side seed.

  Thereby, the data formats of the function values used for the phase 1 client-side one-time authenticator and the phase 2 client-side one-time authenticator are the same. For this reason, even if it is wiretapped, it cannot be determined from the data format whether it is a phase 1 one-time authenticator or a phase 2 one-time authenticator. Also, since the order of the arguments is changed, it is difficult for the one-time authenticator of phase 1 and the first one-time authenticator of phase 2 to match. Therefore, tamper resistance is improved.

  In addition to the one-time authentication system described above, the one-time authentication system according to the present invention may be as follows. The phase 1 server-side one-time authenticator and the phase 2 server-side one-time authenticator are calculated with the same one-way function. The one-way function takes two arguments, and the function values differ depending on the order of the arguments. It is a function. If the order of arguments for the phase 1 server-side one-time authenticator is the next authentication phase-one client-side seed and phase-one server-side seed, the order of arguments for the phase-two server-side one-time authenticator Is the order of the phase 2 server-side seed and the next authentication phase 2 client-side seed. On the other hand, when the order of the arguments for the phase 1 server-side one-time authenticator is the order of the phase 1 server-side seed and the next authentication phase 1 client-side seed, the order of the arguments for the phase 2 server-side one-time authenticator Is the order of the next authentication phase 2 client-side seed and phase 2 server-side seed.

  As a result, the data formats of the function values used for the phase 1 server-side one-time authenticator and the phase 2 server-side one-time authenticator are the same. For this reason, even if it is wiretapped, it cannot be determined from the data format whether it is a phase 1 one-time authenticator or a phase 2 one-time authenticator. Also, since the order of the arguments is changed, it is difficult for the one-time authenticator of phase 1 and the first one-time authenticator of phase 2 to match. Therefore, tamper resistance is improved.

  In addition to the one-time authentication system described above, the one-time authentication system according to the present invention may be as follows. In this case, the client device holds the next authentication phase 1 client-side seed and next authentication phase 1 server-side seed in the memory until it is written in the portable storage device, and the next authentication phase 1 client-side seed and next authentication phase. 1 The server-side seed is erased from the memory after being written into the portable storage device.

  Accordingly, since the seed of phase 1 does not remain in the client device, it becomes difficult to illegally obtain the seed used in phase 1 from the client device next time after the authentication of phase 1 is completed.

  In addition to the one-time authentication system described above, the one-time authentication system according to the present invention may be as follows. In this case, the portable storage device and the server device hold the phase 1 common encryption key. The client device reads the phase 1 common encryption key from the portable storage device, encrypts the next authentication phase 1 client-side seed with the phase 1 common encryption key, and succeeds in authenticating the phase 1 server-side one-time authenticator. Update the phase 1 common encryption key, write the updated phase 1 common encryption key to the portable storage device, derive the initial value of the phase 2 common encryption key from the updated phase 1 common encryption key, and use the phase 2 common encryption key The key for the next authentication phase 2 client side is encrypted with the key. When the phase 2 server side one-time authenticator is successfully authenticated, the phase 2 common encryption key is updated. On the other hand, the server device encrypts the phase 1 server-side seed for the next authentication with the phase 1 common encryption key, and when the authentication is successful for the phase 1 client-side one-time authenticator, updates the phase 1 common encryption key. The phase 1 common encryption key is retained until the next authentication in phase 1, and the initial value of the phase 2 common encryption key is derived from the updated phase 1 common encryption key, and the next authentication is performed using the phase 2 common encryption key. When the phase 2 server side seed is encrypted and the phase 2 client side one-time authenticator is successfully authenticated, the phase 2 common encryption key is updated.

  As a result, the common encryption key used in phase 1 and the common encryption key used in phase 2 are separately provided and encrypted using the phase 1 common encryption key stored in the portable storage device. When the seed is sent and received and the authentication in phase 1 is successful, the phase 1 common encryption key stored in the portable storage device is updated, and whenever the authentication in phase 2 is successful, the phase 2 common encryption key is updated. Update the key. For this reason, the common encryption key is updated separately in phase 1 and phase 2, and tamper resistance is improved.

  In addition to the one-time authentication system described above, the one-time authentication system according to the present invention may be as follows. In this case, the client device holds the updated phase 1 common encryption key in the memory until it is written in the portable storage device, and writes the updated phase 1 common encryption key in the portable storage device and then deletes it from the memory. To do.

  As a result, since the common encryption key used in phase 1 does not remain in the client device, it is difficult to illegally obtain the common encryption key used in phase 1 next time from the client device after the authentication in phase 1 is completed. Become.

  A terminal device according to the present invention generates a seed from a communication processing unit that communicates with a server device via a network, and generates a seed from the server device using the communication processing unit, and receives the generated seed and reception A one-time authenticator is generated from the seed and sent using the communication processing unit, and the one-time authenticator received from the server device is authenticated based on the seed. And an authentication processing unit for generating a seed and updating the seed. Then, in phase 1, the authentication processing unit reads the seeds on the server device side and the terminal device side from the portable storage device that can read and write data by the terminal device when placed in a predetermined position, and reads the read seed When the one-time authenticator is successfully generated and transmitted, and the authentication is successful for the one-time authenticator, the next authentication seed of the phase 1 for the server device side and the terminal device side is written in the portable storage device. In Phase 2 after 1, when the initial authentication seed of Phase 2 is derived from the next authentication seed of Phase 1, a one-time authenticator is generated from the initial authentication seed, and the one-time authenticator is successfully authenticated. Next, a seed for next authentication in phase 2 is generated and the seed is updated.

  The client computer program according to the present invention generates a seed from the computer in the terminal device, receives the seed of the server device from the server device, and generates and transmits a one-time authenticator from the generated seed and the received seed. , Based on the seed, to authenticate the one-time authenticator received from the server device, and to function as an authentication processing unit that generates the next authentication seed and updates the seed each time authentication is successful A client computer program. Then, in phase 1, the authentication processing unit reads the seeds on the server device side and the terminal device side from the portable storage device that can read and write data by the terminal device when placed at a predetermined position, and uses the read seeds as the read seeds. If a one-time authenticator is successfully generated and transmitted, and the one-time authenticator is successfully authenticated, the next authentication seed of the phase 1 for the server device side and the terminal device side is written in the portable storage device. In the subsequent phase 2, the initial authentication seed of the phase 2 is derived from the next authentication seed of the phase 1, a one-time authenticator is generated from the initial authentication seed, and the one-time authenticator is successfully authenticated. The seed for next authentication in the phase 2 is generated and the seed is updated.

  According to the present invention, the portable storage device that holds the seed can be detached in a short time after the session starts, and even if the portable storage device is detached, the authentication can be continuously repeated thereafter. An authentication system is obtained.

FIG. 1 is a block diagram showing a configuration of a one-time authentication system according to an embodiment of the present invention. FIG. 2 is a block diagram showing a configuration of the terminal device in FIG. FIG. 3 is a block diagram showing a processing unit realized in the terminal device shown in FIG. FIG. 4 is a block diagram showing a configuration of the server apparatus in FIG. FIG. 5 is a block diagram showing a processing unit realized in the server apparatus shown in FIG. FIG. 6 is a block diagram showing the configuration of the IC card in FIG. FIG. 7 is a sequence diagram for explaining the authentication repeatedly performed using the one-time authenticator executed in the system shown in FIG. FIG. 8 is a sequence diagram illustrating details of the one-time authentication (step S4) in phase 1 in FIG. FIG. 9 is a sequence diagram illustrating details of the first one-time authentication (step S7a) in phase 2 in FIG. FIG. 10 is a sequence diagram illustrating details of the second and subsequent one-time authentications (step S7) in phase 2 in FIG. FIG. 11 is a diagram illustrating an example of the structure of the seed table in the second embodiment. FIG. 12 is a diagram illustrating an example of an authenticator table in the second embodiment. FIG. 13 is a flowchart for explaining data processing by the server device in the second embodiment. FIG. 14 is a flowchart illustrating data processing performed by the server device according to the second embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.

  FIG. 1 is a block diagram showing a configuration of a one-time authentication system according to an embodiment of the present invention.

  In the system shown in FIG. 1, an IC card reader / writer 2 is connected to a terminal device 1 as a client device, and the terminal device 1 is connected to a network 3, and a server device 4 is connected to the network 3. Is connected. The terminal device 1 can read / write data from / to the IC card 5 using the reader / writer 2 when the IC card 5 is placed at a predetermined position (for example, above the reader / writer 2). Data communication can be performed with the server device 4.

  The terminal device 1 is a device such as a personal computer. The network 3 includes a wired and / or wireless LAN (Local Area Network) and / or a WAN (Wide Area Network) such as the Internet. The IC card 5 is a card having a nonvolatile memory area in which data can be read and written, such as Ferica (registered trademark). In the first embodiment, the IC card 5 is used as a portable storage device.

  The IC card 5 holds a seed. The seed is data used to generate a one-time authenticator. In this embodiment, a random number is used. The one-time authenticator is an ID (one-time ID) or password (one-time password) that can be used only once during authentication. In this embodiment, the one-time authenticator is a one-time ID.

  Each of the server device 4 and the terminal device 1 generates a seed, updates the seed each time authentication is successful, encrypts the seed, transmits and receives each other, and generates a one-time authenticator from both seeds. Based on the seed, the one-time authenticators are mutually authenticated. Hereinafter, the authentication for the one-time authenticator is referred to as one-time authentication.

  The server device 4 and the terminal device 1 perform one-time authentication in phase 1 and phase 2. Phase 1 is a phase in which the first one-time authentication after the start of the session is performed, and phase 2 is a phase following Phase 1.

  In phase 1, the terminal device 1 reads both seeds from the IC card 5, generates a one-time authenticator based on the seed, transmits the one-time authenticator to the server device 4, and succeeds in authenticating the one-time authenticator. Write the authentication seed into the IC card 5.

  In Phase 2 after Phase 1, the terminal device 1 derives the initial authentication seed for Phase 2 from the next authentication seed for Phase 1, generates a one-time authenticator from the initial authentication seed, and performs one-time authentication. If the authentication is successful for the child, the next authentication seed in phase 2 is generated, and a one-time authenticator is generated based on the next authentication seed.

  On the other hand, the server device 4 holds the next authentication seed for the phase 1 until the next authentication in the phase 1 and derives the initial authentication seed for the phase 2 from the next authentication seed. When the authentication is successful, the next authentication seed in phase 2 is generated, and a one-time authenticator is generated based on the next authentication seed.

  In FIG. 1, there is only one IC card 5, but it is also possible to perform authentication with different one-time authenticators by holding different seeds in two or more IC cards 5. . In FIG. 1, the terminal device 1 and the reader / writer 2 are only one set, but a plurality of similar devices may be connected to the network 3.

  The configuration and operation of each device in the system will be described below.

(1) Configuration of each device

  FIG. 2 is a block diagram showing the configuration of the terminal device 1 in FIG.

  As illustrated in FIG. 2, the terminal device 1 includes a computer having a CPU (Central Processing Unit) 11, a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, and the like.

  The CPU 11 is an arithmetic processing unit that executes a program and executes a process described in the program. The ROM 12 is a nonvolatile memory that stores programs and data in advance. The RAM 13 is a volatile memory that temporarily stores the program and data when the program is executed.

  The interface 14 is an interface circuit to which the storage device 15 can be connected, and is compatible with SCSI (Small Computer System Interface), IDE (Integrated Device Electronics), or the like.

  The storage device 15 is connected to the interface 14 and has a recording medium that stores an operating system (not shown), a one-time authentication program 31, an application program, and the like. As the storage device 15, a hard disk drive, SSD (Solid State Disk), or the like is used.

  The interface 16 is an interface circuit to which the communication device 17 can be connected. The communication device 17 is a device connectable to the network 3 such as a network interface card or a modem.

  The interface 18 is a peripheral device interface such as IEEE1394 or USB (Universal Serial Bus), and is an interface circuit to which the reader / writer 2 can be connected.

  The interface 20 is an interface circuit to which the input device 21 can be connected. The input device 21 is a device that receives a user operation such as a keyboard and a mouse and outputs a signal corresponding to the user operation.

  The image processing circuit 22 is a circuit that outputs an image signal corresponding to the data when the image data is written. A display device 23 that displays an image based on the image signal can be connected to the image processing circuit 22.

  The CPU 11, ROM 12, RAM 13, interfaces 14, 16, 18, 20 and image processing circuit 22 are connected to each other via a bus or a controller chip so that data communication is possible.

  FIG. 3 is a block diagram showing a processing unit realized in the terminal device 1 shown in FIG. As shown in FIG. 3, a reader / writer control unit 41, a communication processing unit 42, and an authentication processing unit 43 are realized in the terminal device 1.

  The reader / writer control unit 41 is a driver that controls the reader / writer 2, and reads / writes data from / to the IC card 5.

  The communication processing unit 42 uses the communication device 17 to perform data communication with the server device 4 via the network 3 using a predetermined communication protocol.

  The authentication processing unit 43 is realized by the CPU 11 executing the one-time authentication program 31, and uses the reader / writer control unit 41 and the communication processing unit 42 to perform client-side processing in mutual authentication with the server device 4. Run.

  FIG. 4 is a block diagram showing the configuration of the server device 4 in FIG.

  In FIG. 4, a CPU 51 is an arithmetic processing unit that executes a program and executes a process described in the program. The ROM 52 is a nonvolatile memory that stores programs and data in advance. The RAM 53 is a memory that temporarily stores the program and data when the program is executed.

  The interface 54 is an interface circuit to which the storage device 55 can be connected, and is an SCSI or IDE compatible one. The storage device 55 is a device that is connected to the interface 54 and has a recording medium that stores an operating system (not shown), a one-time authentication program 61, data used for authentication, and the like. As the storage device 55, a hard disk drive, SSD, or the like is used. The storage device 55 holds a seed table 71, an authenticator table 72, and a card attribute table 73 as data used for authentication.

  The seed table 71 has a next authentication seed and a next authentication common encryption key for each of the phase 1 and the phase 2 updated at the time of the last authentication. The next authentication seed and the next authentication common encryption key are held separately for each of one or a plurality of IC cards.

  The authenticator table 72 has a client-side one-time authenticator for the next authentication for each of the phase 1 and the phase 2 updated at the time of the last authentication. The authenticator table 72 includes a phase 1 table 72a and a phase 2 table 72b. The phase 1 table 72a has a client-side one-time authenticator for the next authentication for phase 1, and the phase 2 table 72b has a client-side one-time authenticator for the next authentication for phase 2. The client side one-time authenticator for the next authentication is held separately for each of one or a plurality of IC cards.

  The card attribute table 73 is a table having a card ID of the IC card 5 and attribute information (such as card owner information) associated with the card ID. The card attribute table 73 is referred to when determining the validity of the card ID received together with the one-time authenticator from the terminal device 1 when the one-time authenticator is a one-time password.

  The interface 56 is an interface circuit to which the communication device 57 can be connected. The communication device 57 is a device connectable to the network 3 such as a network interface card or a modem.

  The CPU 51, the ROM 52, the RAM 53, and the interfaces 54 and 56 are connected to each other by a bus or a controller chip so that data communication can be performed.

  FIG. 5 is a block diagram showing a processing unit realized in the server device 4 shown in FIG. As shown in FIG. 5, in the server device 4, a communication processing unit 81 and a server side authentication processing unit 82 are realized.

  The communication processing unit 81 uses the communication device 57 to perform data communication with the terminal device 1 via the network 3 using a predetermined communication protocol.

  The server-side authentication processing unit 82 is realized by the CPU 51 executing the one-time authentication program 61, and uses the communication processing unit 81 to perform mutual authentication with one or a plurality of client devices (such as the terminal device 1). Perform server-side processing.

  FIG. 6 is a block diagram showing the configuration of the IC card 5 in FIG.

  The IC card 5 includes a communication unit 91, a nonvolatile memory 92, and a control unit 93. The communication unit 91 includes an antenna and a communication circuit for communication with the reader / writer 2. The nonvolatile memory 92 is a flash memory or the like, and has a user area that can be rewritten by the user and a non-user area that cannot be rewritten by the user. The card ID 101 unique to the IC card is held in advance in the non-user area, and the seed 102 is held in the user area. The control unit 93 is a circuit that reads / writes data from / to the nonvolatile memory 92 in accordance with a command received from the reader / writer 2.

(2) Operation of each device

  FIG. 7 is a sequence diagram for explaining the authentication repeatedly performed using the one-time authenticator executed in the system shown in FIG.

  First, at the start of a session (step S1), the user places the IC card 5 on the reader / writer 2.

  In the terminal device 1, the authentication processing unit 43 controls the reader / writer 2 using the reader / writer control unit 41, and reads the seed 102 and the like from the IC card 5 (step S2).

  And the authentication process part 43 sets the value (here 1) which shows the phase 1 to the phase flag P (step S3). The phase flag P is data indicating an authentication phase. From the value of the phase flag P, the current phase is identified, and it is also determined that the phase has shifted from phase 1 to phase 2.

  Next, one-time authentication in the phase 1 is executed between the authentication processing unit 43 of the terminal device 1 and the server side authentication processing unit 82 of the server device 4 (step S4). At this time, the authentication processing unit 43 generates a one-time authenticator from the read seed, generates a next-authentication seed and encrypts it, and the server device generates the one-time authenticator and the encrypted next-authentication seed. 4 to send. The server-side authentication processing unit 82 receives the one-time authenticator and the encrypted seed for next authentication, and determines whether or not the one-time authenticator is valid. If the one-time authenticator is valid, the server-side authentication processing unit 82 decrypts and holds the next authentication seed for the client.

  Note that the initial value of the client-side seed, the initial value of the server-side seed, and the initial value of the common encryption key in phase 1 are preset in the IC card 5 and the server device 4. In the server device 4, their initial values are set in association with the IC card 5.

  In the server device 4, the same seed as the seed 102 of the IC card 5 is held in the seed table 71, and the next authentication client-side one-time authenticator of phase 1 is held in the authenticator table 72. . The next authentication client-side one-time authenticator is generated at the previous authentication and written in the authenticator table 72. This next authentication client-side one-time authenticator is used to determine the validity of the one-time authenticator transmitted from the terminal device 1. That is, when the one-time authenticator transmitted from the terminal device 1 matches the one-time authenticator stored in the authenticator table 72, it is determined that the one-time authenticator is valid.

  The initial value of the seed of phase 1 is set in advance in the IC card 5 and the server device 4, and the value of the seed of phase 1 is updated each time the authentication of phase 1 is successful.

  When the one-time authentication in the phase 1 is successful, in the server device 4, the server-side authentication processing unit 82 generates a client-side one-time authenticator from the next authentication seed, and in the authenticator table 72, for the IC card 5. Update the client side one-time authenticator for the next authentication in phase 1. On the other hand, the authentication processing unit 43 of the terminal device 1 updates the seed 102 in the IC card 5 based on the next authentication seed (step S5).

  At this point, the IC card 5 can be detached from the reader / writer 2. For this reason, the authentication processing unit 43 may notify the user that the IC card 5 can be detached from the reader / writer 2 using the audio output or the video output.

  And the authentication process part 43 sets the value (here 2) which shows the phase 2 to the phase flag P (step S6).

  Next, the first authentication in phase 2 is executed at a timing when authentication is required (step S7a).

  In the first authentication in phase 2, the initial value of the seed for phase 2 is derived from the seed updated in the authentication in phase 1 (that is, the seed for next authentication in phase 1). In the first embodiment, the seed value updated by the authentication in phase 1 is set as the initial value of the seed for phase 2.

  Thereafter, one-time authentication in the phase 2 is executed between the authentication processing unit 43 of the terminal device 1 and the server side authentication processing unit 82 of the server device 4.

  In the first one-time authentication in phase 2 (step S7a), the authentication processing unit 43 generates a one-time authenticator from the seed having the initial value, and also generates and encrypts a next authentication seed in phase 2. The one-time authenticator and the encrypted seed for next authentication are transmitted to the server device 4.

  On the other hand, the server side authentication processing unit 82 calculates the initial value of the seed of phase 2 from the seed for next authentication of phase 1 and calculates the initial one-time authenticator of phase 2 for the IC card 5 from the initial value. . In the first one-time authentication (step S7a) in phase 2, when the server-side authentication processing unit 82 receives the one-time authenticator and the encrypted next-time authentication seed from the terminal device 1, the received one-time authentication is performed. Whether or not the child is valid is determined based on the calculated one-time authenticator. If the one-time authenticator is valid, the server-side authentication processing unit 82 decrypts and holds the next authentication seed.

  When the first one-time authentication in Phase 2 is successful, in the second-time one-time authentication (Step S7) in Phase 2, the authentication processing unit 43 of the terminal device 1 generates a seed and similarly generates the one generated from the seed. The time authenticator and the encrypted next authentication seed are transmitted to the server device 4.

  On the other hand, in the second-time and subsequent one-time authentications in Step 2 (step S7), the server-side authentication processing unit 82 calculates a one-time authenticator from the next authentication seed transmitted at the previous authentication, and then the terminal When the one-time authenticator and the encrypted next-time authentication seed are received from the device 1, it is determined based on the calculated one-time authenticator whether or not the received one-time authenticator is valid. If the one-time authenticator is valid, the server-side authentication processing unit 82 decrypts and holds the next authentication seed (that is, updates the next authentication seed in phase 2).

  Thereafter, until the end of the session (step S8), authentication in phase 2 is executed at a timing that requires authentication (step S7).

  Here, details of the one-time authentication (step S4) in phase 1 will be described. FIG. 8 is a sequence diagram illustrating details of the one-time authentication (step S4) in phase 1 in FIG. In the following, n in the description of Phase 1 and n in the description of Phase 2 are irrelevant.

  In addition to the seed 102, the IC card 5 also holds a common encryption key for phase 1. The server device 4 also holds the same common encryption key as a common encryption key for phase 1 in addition to the seed. That is, the initial value of the common encryption key in phase 1 is set in advance in the IC card 5 and the server device 4. As will be described later, the value of the common encryption key in phase 1 is updated each time authentication in phase 1 succeeds.

  In the terminal device 1, the authentication processing unit 43 reads the seed R1 (n-1), the seed Q1 (n-1), and the common encryption key K1 (n-1) from the IC card 5 and holds them on the RAM 13 ( Step S2).

  The seed R1 (n-1) is a phase 1 client-side seed for the current (n-1) one-time authentication. The seed Q1 (n-1) is a phase 1 server-side seed for the current (n-1) one-time authentication. The common encryption key K1 (n-1) is obtained when the next authentication phase 1 client-side seed R1 (n) is transmitted to the server device 4 at the time of this time (n-1) one-time authentication. ) Is a phase 1 common encryption key for encrypting.

  First, the authentication processing unit 43 generates a random number R, and sets the random number R to the phase 1 client-side seed R1 (n) for next authentication (step S21).

  And the authentication process part 43 produces | generates the phase 1 client side one-time authenticator C1 (n-1) about this one-time authentication (step S22).

  The one-time authenticator C1 (n-1) is calculated with a one-way function. This one-way function is a function that takes two arguments and has different function values depending on the order of the arguments. In this embodiment, the one-way function is a hash function hc.

  The one-time authenticator C1 (n-1) is calculated according to the following equation.

  C1 (n-1) = hc (R1 (n-1), Q1 (n-1))

  Here, R1 (n-1) is used as the first argument of the hash function hc, and Q1 (n-1) is used as the second argument.

  Further, the authentication processing unit 43 encrypts R1 (n) with the common encryption key K1 (n−1) according to a predetermined encryption method. Note that R1 (n) after encryption with the common encryption key K1 (n-1) is expressed as K1 (n-1) * R1 (n).

  And the authentication process part 43 transmits the one time authenticator C1 (n-1) and K1 (n-1) * R1 (n) to the server apparatus 4 using the communication process part 42 (step S23). . At this time, the communication processing unit 42 transmits the one-time authenticators C1 (n−1) and K1 (n−1) * R1 (n) as one message.

  In the server device 4, the server-side authentication processing unit 82 uses the communication processing unit 81 to receive the message, and from the message, the one-time authenticators C1 (n−1) and K1 (n−1) * R1 (N) is extracted, and it is determined whether or not the received one-time authenticator C1 (n-1) matches the held client-side one-time authenticator for phase 1 (step S24).

  Note that the data format of the message from the terminal device 1 to the server device 4 (the size and position of the one-time authenticator and the size and position of the encrypted seed) are the same in phase 1 and phase 2.

  In addition, the phase 1 client-side one-time authenticator and the phase 2 client-side one-time authenticator have the same data format (that is, the same data length), and the encrypted phase 1 client-side seed and the encrypted Since the phase 2 client-side seed has the same data format (that is, the same data length), it cannot be distinguished from the received data alone whether it is a phase 1 one-time authenticator or a phase 2 one-time authenticator. Therefore, the server-side authentication processing unit 82 determines whether or not the received one-time authenticator matches the one-time authenticator stored in the phase 1 table 72a, and whether the received one-time authenticator is the phase 2 It is determined whether or not the one-time authenticator stored in the table 72b matches, and the received one-time authenticator is a valid one-time authenticator of phase 1, a valid one-time authenticator of phase 2, and Determine whether it is an invalid one-time authenticator.

  Therefore, when it is determined that the received one-time authenticator C1 (n-1) is an unauthorized one-time authenticator, the server-side authentication processing unit 82 determines that the authentication has failed and ends the process.

  When the received one-time authenticator C1 (n-1) matches the client-side one-time authenticator for phase 1 held in the phase 1 table 72a, the server-side authentication processing unit 82 determines that the authentication is successful. First, a random number Q is generated, and the random number Q is set in the next authentication phase 1 server-side seed Q1 (n) (step S25).

  The server-side authentication processing unit 82 decrypts K1 (n−1) * R1 (n) into R1 (n) using the common encryption key K1 (n−1) held in the seed table 71. Then, the server-side authentication processing unit 82 generates the current (n-1) one-time authentication phase 1 server-side one-time authenticator S1 (n-1) (step S26).

  The one-time authenticator S1 (n-1) is calculated with a one-way function. This one-way function is a function that takes two arguments and has different function values depending on the order of the arguments. In this embodiment, the one-way function is a hash function hs.

  The one-time authenticator S1 (n-1) is calculated according to the following equation.

  S1 (n-1) = hs (R1 (n), Q1 (n-1))

  Here, R1 (n) is used for the first argument of the hash function hs, and Q1 (n-1) is used for the second argument. The hash function hs may be the same function as the hash function hc or a different function.

  The server-side authentication processing unit 82 encrypts Q1 (n) with the common encryption key K1 (n-1) according to a predetermined encryption method. Note that Q1 (n) after encryption with the common encryption key K1 (n-1) is expressed as K1 (n-1) * Q1 (n).

  And the server side authentication process part 82 transmits the one time authenticator S1 (n-1) and K1 (n-1) * Q1 (n) to the terminal device 1 using the communication process part 81 (step) S27). At this time, the communication processing unit 81 transmits the one-time authenticator S1 (n-1) and K1 (n-1) * Q1 (n) as one message.

  Note that the data format of the message from the server device 4 to the terminal device 1 (the size and position of the one-time authenticator and the size and position of the encrypted seed) are the same in Phase 1 and Phase 2.

  Also, the phase 1 server-side one-time authenticator and the phase 2 server-side one-time authenticator have the same data format (that is, the same data length), and the encrypted phase 1 server-side seed and the encrypted one-time authenticator Since the phase 2 server-side seeds have the same data for wait (that is, the same data length), it is possible to distinguish the phase 1 one-time authenticator or the phase 2 one-time authenticator from the received data alone. Absent. For this reason, the authentication processing unit 43 of the terminal device 1 identifies the phase by the value of the phase flag P, and handles the received one-time authenticator as the identified one-time authenticator.

  In the terminal device 1, the authentication processing unit 43 uses the communication processing unit 42 to receive the message and extract the one-time authenticators S1 (n-1) and K1 (n-1) * Q1 (n). To do. Then, the authentication processing unit 43 specifies that the received one-time authenticator is a phase 1 one-time authenticator based on the value of the phase flag P (step S28).

  And the authentication process part 43 calculates the value of the valid one-time authenticator S1 (n-1) according to the above-mentioned formula based on R1 (n) and Q1 (n-1), and received one-time authentication It is determined whether or not the child S1 (n-1) matches the calculated value (step S29).

  At this time, if the received one-time authenticator S1 (n−1) does not match the calculated value, the authentication processing unit 43 determines that the authentication has failed and ends the process. In this case, the seed 102 and the common encryption key for the IC card 5 are not updated and are used in the next session.

  When the received one-time authenticator S1 (n−1) matches the calculated value, the authentication processing unit 43 determines that the authentication is successful, and first holds K1 (n−1) * Q1 (n). The common encryption key K1 (n-1) is decrypted to Q1 (n), and this value is set as the seed for the next authentication phase 1 server.

  Then, the authentication processing unit 43 calculates the next authentication phase 1 common encryption key K1 (n) according to the following equation, and updates the phase 1 common encryption key (step S30).

  K1 (n) = hk (K1 (n-1), R1 (n), Q1 (n))

  Here, hk is a one-way function and a hash function.

  Thus, after successful one-time authentication in phase 1, the authentication processing unit 43 uses the seed 102 and the common encryption key in the IC card 5 as R1 (n) and Q1 (n), and K1 (n). (Step S5).

  On the other hand, also in the server device 4, after transmitting the one-time authenticator S1 (n-1), the server-side authentication processing unit 82 calculates the next authentication phase 1 common encryption key K1 (n) according to the above formula, The phase 1 common encryption key is updated (step S31).

  Then, the server side authentication processing unit 82 sets the values of the seeds R1 (n) and Q1 (n) of the phase 1 as initial values to the client side seed R2 (0) and the server side seed Q2 (0) of the phase 2. It is set (step S32), and the value of the common encryption key K1 (n) of phase 1 is set as the initial value to the common encryption key K2 (0) of phase 2 (step S33). At this time, the server-side authentication processing unit 82 calculates the initial client-side one-time authenticator C2 (0) of phase 2 from R2 (0) and Q2 (0) according to the formula described later, and the phase 2 table Write to 72b and hold.

  Further, the server-side authentication processing unit 82 calculates a client-side one-time authenticator C1 (n) to be used at the next one-time authentication in Phase 1 from R1 (n) and Q1 (n) according to the above formula. . And the server side authentication process part 82 updates the data of the phase 1 about IC card 5 in the seed table 71 with R1 (n), Q1 (n), and K1 (n), and C1 (n), The one-time authenticator for the IC card 5 in the phase 1 table 72a is updated. As a result, these values are held until the next session (that is, the next phase 1 authentication).

  In this way, the one-time authentication in the phase 1 is executed.

  Next, details of one-time authentication (step S7a) in phase 2 will be described. FIG. 9 is a sequence diagram illustrating details of the first one-time authentication (step S7a) in phase 2 in FIG. FIG. 10 is a sequence diagram illustrating details of the second and subsequent one-time authentications (step S7) in phase 2 in FIG.

  In the one-time authentication in phase 2, only for the first time, the initial values of the seed and the common encryption key are derived from the seed and the common encryption key in phase 1 (steps S41 and S42 in FIG. 9).

  Only for the first time, the authentication processing unit 43 of the terminal device 1 first uses the values of the seeds R1 (n) and Q1 (n) of the phase 1 as initial values, and the client-side seed R2 (0) and server-side seed of the phase 2 Q2 (0) is set (step S41), and the value of the phase 1 common encryption key K1 (n) is set to the phase 2 common encryption key K2 (0) as an initial value (step S42). Note that the client-side seed R1, the server-side seed Q2, and the common encryption key K2 in phase 2 are held in the RAM 13 and are not held in the IC card 5 or the storage device 15. At this point, the authentication processing unit 43 deletes the seeds R1 (n) and Q1 (n) and the common encryption key K1 (n) of the phase 1 from the RAM 13. Thereafter, when the seeds R2 (0) and Q2 (0) of the phase 2 and the common encryption key K2 (0) are updated, the values of the seed and the common encryption key of the phase 1 to be used next are completely transmitted from the terminal device 1. Disappears.

  Then, the authentication processing unit 43 generates a random number R and sets it to the next authentication phase 2 client-side seed R2 (n) (in the first case, n = 1) (step S43).

  Next, the authentication processing unit 43 generates a phase 2 client-side one-time authenticator C2 (n-1) for the current one-time authentication (step S44).

  The one-time authenticator C2 (n-1) is calculated with a one-way function. This one-way function is a function that takes two arguments and has different function values depending on the order of the arguments. In this embodiment, this one-way function is the hash function hc described above.

  The one-time authenticator C2 (n-1) is calculated according to the following equation.

  C2 (n-1) = hc (Q2 (n-1), R2 (n-1))

  Here, Q2 (n−1) is used as the first argument of the hash function hc, and R2 (n−1) is used as the second argument.

  Further, the authentication processing unit 43 encrypts R2 (n) with the common encryption key K2 (n-1) according to a predetermined encryption method. Note that R2 (n) after encryption with the common encryption key K2 (n-1) is expressed as K2 (n-1) * R2 (n).

  And the authentication process part 43 transmits the one time authenticator C2 (n-1) and K2 (n-1) * R2 (n) to the server apparatus 4 using the communication process part 42 (step S45). . At this time, the communication processing unit 42 transmits the one-time authenticators C2 (n−1) and K2 (n−1) * R2 (n) as one message.

  In the server device 4, the server side authentication processing unit 82 uses the communication processing unit 81 to receive the message, and the one-time authenticators C2 (n-1) and K2 (n-1) * R2 (n) And determines whether the received one-time authenticator C2 (n-1) matches the client-side one-time authenticator for phase 2 held in the phase 2 table 72b (step S46). .

  At this time, if the received one-time authenticator C2 (n-1) does not match the held client-side one-time authenticator for Phase 2, the server-side authentication processing unit 82 receives the reception as described above. If the one-time authenticator C2 (n-1) is not a phase 1 one-time authenticator, it is determined that the authentication has failed, and the process ends.

  When the received one-time authenticator C2 (n-1) matches the held client-side one-time authenticator for phase 2, the server-side authentication processing unit 82 determines that the authentication is successful, Q is generated, and the random number Q is set in the next authentication phase 2 server-side seed Q2 (n) (step S47).

  The server-side authentication processing unit 82 decrypts K2 (n−1) * R2 (n) into R2 (n) using the common encryption key K2 (n−1) that is held. Then, the server-side authentication processing unit 82 generates the current (n-1) one-time authentication phase 2 server-side one-time authenticator S2 (n-1) (step S48).

  The one-time authenticator S2 (n-1) is calculated with a one-way function. This one-way function is a function that takes two arguments and has different function values depending on the order of the arguments. In this embodiment, this one-way function is the hash function hs described above.

  One-time authenticator S2 (n-1) is calculated according to the following equation.

  S2 (n-1) = hs (Q2 (n-1), R2 (n))

  Here, Q2 (n−1) is used as the first argument of the hash function hs, and R2 (n) is used as the second argument.

  The server-side authentication processing unit 82 encrypts Q2 (n) with the common encryption key K2 (n−1) according to a predetermined encryption method. Note that Q2 (n) after encryption with the common encryption key K2 (n-1) is expressed as K2 (n-1) * Q2 (n).

  And the server side authentication process part 82 transmits the one time authenticator S2 (n-1) and K2 (n-1) * Q2 (n) to the terminal device 1 using the communication process part 81 (step) S49). At this time, the communication processing unit 81 transmits the one-time authenticator S2 (n-1) and K2 (n-1) * Q2 (n) as one message.

  In the terminal device 1, the authentication processing unit 43 uses the communication processing unit 42 to receive the message and extract the one-time authenticators S2 (n-1) and K2 (n-1) * Q2 (n). To do. Then, the authentication processing unit 43 specifies that the received one-time authenticator is a one-time authenticator of phase 2 based on the value of the phase flag P (step S50).

  Based on R2 (n) and Q2 (n-1), the authentication processing unit 43 calculates the value of the valid one-time authenticator S2 (n-1) according to the above-described equation, and receives the received one-time authenticator S2. It is determined whether (n-1) matches the calculated value (step S51).

  At this time, if the received one-time authenticator S2 (n-1) does not match the calculated value, the authentication processing unit 43 determines that the authentication has failed and ends the process.

  When the received one-time authenticator S2 (n-1) matches the calculated value, the authentication processing unit 43 determines that the authentication is successful, and first holds K2 (n-1) * Q2 (n). The common encryption key K2 (n-1) is decrypted to Q2 (n), and this value is set in the next authentication phase 2 server-side seed.

  Then, the authentication processing unit 43 calculates the next authentication phase 2 common encryption key K2 (n) according to the following equation, and updates the phase 2 common encryption key (step S52).

  K2 (n) = hk (K2 (n-1), R2 (n), Q2 (n))

  Here, hk is a one-way function and a hash function.

  In this way, after successful one-time authentication in phase 2, the authentication processing unit 43 stores R2 (n), Q2 (n), and K2 (n) on the RAM 13 until the next one-time authentication in phase 2. ).

  On the other hand, also in the server device 4, after transmitting the one-time authenticator S2 (n-1), the server-side authentication processing unit 82 calculates the next authentication phase 2 common encryption key K2 (n) according to the above formula, The phase 2 common encryption key is updated (step S53).

  Further, the server-side authentication processing unit 82 calculates a next-time authentication client-side one-time authenticator C2 (n) in phase 2 from R2 (n) and Q2 (n) according to the formula described later. And the server side authentication process part 82 updates the data of the phase 2 about the IC card 5 in the seed table 71 with R2 (n), Q2 (n), and K2 (n), and C2 (n) The one-time authenticator for the IC card 5 in the phase 2 table 72b is updated. As a result, the current seeds R2 (n-1), Q2 (n-1) and the common encryption key K2 (n-1) are deleted, and the next seeds R2 (n), Q2 (n) and the common encryption key K2 are deleted. (N) is held until the next phase 2 authentication. In the next one-time authentication in phase 2, the next seeds R2 (n) and Q2 (n) and the common encryption key K2 (n) are used instead of the initial values described above.

  In this way, the one-time authentication in the phase 2 is executed.

  As described above, according to the first embodiment, the seed for authentication in phase 1 and the seed for authentication in phase 2 are separately provided and the seed 102 stored in the IC card 5 is used. Then, the authentication in phase 1 is executed, the seed 102 stored in the IC card 5 is updated, and thereafter the authentication in phase 2 is repeated. Therefore, when the authentication in phase 1 is completed, the user can remove the IC card 5 from the terminal device 1 or the reader / writer 2. Therefore, the IC card 5 holding the seed 102 can be removed in a short time after the session starts, and even if the IC card 5 is removed, the one-time authentication can be continuously repeated thereafter.

  Further, according to the first embodiment, the same hash function hc is used in phase 1 and phase 2, and the order of the client-side seed and server-side seed in the argument of the hash function hc is as follows. It is reversed.

  Thereby, the data formats of the function values used for the phase 1 client-side one-time authenticator and the phase 2 client-side one-time authenticator are the same. For this reason, even if it is wiretapped, it cannot be determined from the data format whether it is a phase 1 one-time authenticator or a phase 2 one-time authenticator. Further, since the order of the arguments is changed, the one-time authenticator of phase 1 and the first one-time authenticator of phase 2 do not match. Therefore, tamper resistance is improved.

  Further, according to the first embodiment, the same hash function hs is used in phase 1 and phase 2, and the order of the client-side seed and server-side seed in the argument of the hash function hs is as follows: It is reversed.

  As a result, the data formats of the function values used for the phase 1 server-side one-time authenticator and the phase 2 server-side one-time authenticator are the same. For this reason, even if it is wiretapped, it cannot be determined from the data format whether it is a phase 1 one-time authenticator or a phase 2 one-time authenticator. Further, since the order of the arguments is changed, the one-time authenticator of phase 1 and the first one-time authenticator of phase 2 do not match. Therefore, tamper resistance is improved.

  Further, according to the first embodiment, the common encryption key used in phase 1 and the common encryption key used in phase 2 are separately provided, and the phase 1 common encryption key stored in the IC card 5 is provided. When the encrypted seed is transmitted and received, and the authentication in phase 1 is successful, the phase 1 common encryption key stored in the IC card 5 is updated, and every time authentication in phase 2 is successful Then, the phase 2 common encryption key is updated. For this reason, the common encryption key is updated separately in phase 1 and phase 2, and tamper resistance is improved.

Embodiment 2. FIG.

  In the second embodiment of the present invention, an example of the data structure in the server apparatus 4 in the first embodiment and data processing along the data structure will be described. Since the basic configuration and operation of the system are the same as those in the first embodiment, description thereof is omitted. In the second embodiment, the one-time authenticator is a one-time ID.

  First, the data structure will be described.

  In the second embodiment, a unique management number is assigned to each of one or a plurality of IC cards, similar to the IC card 5, in the server device 4, and (a) for next authentication is associated with the management number. Phase 1 client-side one-time authenticator C1 (n), (b) Phase 2 client-side one-time authenticator C2 (n), (c) Seed at present (n-1) for phase 1 R1 (n-1), Q1 (n-1) and common encryption key K1 (n-1), seed R1 (n), Q1 (n) and common encryption key K1 (n) for next authentication, and (d ) Seed R2 (n-1), Q2 (n-1) and common encryption key K2 (n-1) at present (n-1) for phase 2 and seed R2 (n), Q2 ( n) and common encryption key 2 (n) is retained.

  That is, in the phase 1 table 72a, (a) the phase 1 client-side one-time authenticator C1 (n) for the next authentication is held in association with the management number. In the phase 2 table 72b, (b) a phase 2 client-side one-time authenticator C2 (n) for next authentication is held in association with the management number. In the seed table 71, in association with the management number, (c) seeds R1 (n-1), Q1 (n-1) at the present time (n-1) and common encryption key K1 (n- 1) and seed R1 (n), Q1 (n) and common encryption key K1 (n) for next authentication, and (d) seed R2 (n-1) at the present time (n-1) for phase 2 Q2 (n-1) and common encryption key K2 (n-1), seeds R2 (n) and Q2 (n) for next authentication, and common encryption key K2 (n) are held.

  FIG. 11 is a diagram illustrating an example of the structure of the seed table 71 according to the second embodiment. FIG. 12 is a diagram illustrating an example of the authenticator table 72 in the second embodiment. FIG. 12A shows an example of the phase 1 table 72a, and FIG. 12B shows an example of the phase 2 table 72b.

  The phase 1 address in FIG. 11 is data indicating the position of a record having the same management number as the management number associated with the phase 1 address in the phase 1 table 72a. Similarly, the phase 2 address in FIG. 11 is data indicating the position of a record having the same management number as the management number associated with the phase 2 address in the phase 2 table 72b.

  In FIG. 12, the server side authentication processing unit 82 sorts the records (one-time authenticator and management number pair) in the phase 1 table 72a in ascending order of the values of the one-time authenticator. Similarly, the records in the phase 2 table 72b (one-time authenticator and management number pair) are sorted in ascending order of the one-time authenticator values. Thereby, it is possible to quickly determine whether or not the one-time authenticator received from the client is registered in the tables 72a and 72b during the one-time authentication.

  The seed table 71, the phase 1 table 72a, and the phase 2 table 72b have records of a predetermined number of users (number of IC cards) in advance, and initial values are set in fields other than the management number in the records. Set.

  Next, data processing will be described.

  13 and 14 are flowcharts for explaining data processing by the server device 4 in the second embodiment.

  In the server device 4, when the server-side authentication processing unit 82 receives a message including the one-time authenticator C (phase 1 or phase 2 one-time authenticator) from the terminal device 1, the one-time authenticator C It is determined whether or not any of the phase 1 client side one-time authenticators C1 (n−1) registered in the 1 table 72a (step S101).

  When the received one-time authenticator C is one of the phase-one client-side one-time authenticators C1 (n−1) registered in the phase-one table 72a, the server-side authentication processing unit 82 uses the phase-one table 72a. The management number associated with the received one-time authenticator C is specified (step S102). In this case, phase 1 one-time authentication is performed.

  The server-side authentication processing unit 82 reads Q1 (n-1) and K1 (n-1) associated with the specified management number from the seed table 71 (step S103).

  Then, the server-side authentication processing unit 82 decrypts the received K1 (n-1) * R1 (n) to R1 (n) with the read K1 (n-1), and the R1 (n) Write to the seed table 71 in association with the management number (step S104).

  Next, the server-side authentication processing unit 82 generates a next-authentication server-side seed. First, when the server-side authentication processing unit 82 generates a random number Q and uses this random number Q as the next-authentication server-side seed, the phase-one client-side one-time authenticator for the next authentication becomes another phase 1 It is determined whether or not the client-side one-time authenticator and the phase-two client-side one-time authenticator are matched (step S106), and the initial phase-two client-side one-time authenticator is another phase-two client. It is determined whether or not it matches either the side one-time authenticator or the phase 1 client-side one-time authenticator (step S107). That is, it is determined whether or not the uniqueness of the client-side one-time authenticator (that is, that there is no other one-time authenticator having the same value) when the generated random number Q is used is determined.

  At this time, the server-side authentication processing unit 82 uses the random number Q as the next authentication server-side seed according to the following formula, and the next-time authentication phase 1 client-side one-time authenticator X1 and the first-time phase 2 client-side The one-time authenticator X2 is calculated, and it is determined whether or not these one-time authenticators X1 and X2 are registered in the phase 1 table 72a and the phase 2 table 72b.

  X1 = hc (R1 (n), Q)

  X2 = hc (Q, R2 (0)), R2 (0) = R1 (n)

  If it is determined that the generated random number Q does not ensure uniqueness, the server-side authentication processing unit 82 regenerates the random number Q until the uniqueness is ensured.

  On the other hand, if it is determined that the generated random number Q is unique, the server-side authentication processing unit 82 sets the random number Q to the next authentication phase 1 server-side seed Q1 (n), and the seed Q1 ( n) is written in the seed table 71 in association with the management number (step S108).

  Then, the server-side authentication processing unit 82 generates the phase 1 server-side one-time authenticator S1 (n-1) and the next authentication phase 1 server-side seed K1 (n-1) * Q1 (n) after encryption. And it transmits to the terminal device 1 (step S109).

  Further, the server side authentication processing unit 82 sets X1 calculated at the time of the determination in step S106 as the next authentication phase 1 client side one-time identifier C1 (n), and in C1 (n), in the phase 1 table 72a, The one-time identifier associated with the management number is updated (step S110). At this time, the server-side authentication processing unit 82 reads the phase 1 address associated with the management number from the seed table 71, identifies the record of the management number in the phase 1 table 72a with the phase 1 address, Update the one-time identifier in the record.

  Thereafter, the server-side authentication processing unit 82 sorts the records in the phase 1 table 72a so that the values of the one-time identifiers are in ascending order, and records that have been changed in position by the sort in the seed table 71. The phase 1 address associated with the management number is updated (step S111).

  The server-side authentication processing unit 82 sets X2 calculated at the time of determination in step S107 as the initial authentication phase 2 client-side one-time identifier C2 (0), and in C2 (0), in the phase 2 table 72b, The one-time identifier associated with the management number is updated (step S112). At this time, the server-side authentication processing unit 82 reads the phase 2 address associated with the management number from the seed table 71, identifies the record of the management number in the phase 2 table 72b with the phase 2 address, Update the one-time identifier in the record.

  Thereafter, the server-side authentication processing unit 82 sorts the records in the phase 2 table 72b so that the values of the one-time identifiers are in ascending order. The phase 2 address associated with the management number is updated (step S113).

  Then, the server-side authentication processing unit 82 generates the next authentication phase 1 common encryption key K1 (n) and writes it in the seed table 71 in association with the management number (step S114).

  Furthermore, the server-side authentication processing unit 82 uses the seed for the next authentication of the management number and the common encryption key R1 (n), Q1 (n), K1 (n) in the seed table 71 and the seed for the current authentication. The common encryption keys R1 (n-1), Q1 (n-1), and K1 (n-1) are updated (step S115).

  In this way, the data processing for the one-time authentication in phase 1 is executed.

  On the other hand, if it is determined in step S101 that the received one-time authenticator C is not registered in the phase 1 table 72a, the server-side authentication processing unit 82 stores the received one-time authenticator C in the phase 2 table 72b. It is determined whether it is any of the registered phase 2 client-side one-time authenticators C2 (n-1) (step S121).

  When the received one-time authenticator C is any one of the phase-two client-side one-time authenticators C2 (n−1) registered in the phase-two table 72b, the server-side authentication processing unit 82 uses the phase-two table 72b. In step S122, the management number associated with the received one-time authenticator C is specified. In this case, phase 2 one-time authentication is performed.

  The server-side authentication processing unit 82 reads Q2 (n−1) and K2 (n−1) associated with the specified management number from the seed table 71 (step S123).

  Then, the server-side authentication processing unit 82 decrypts the received K2 (n−1) * R2 (n) to R2 (n) with the read K2 (n−1), and R2 (n) Write to the seed table 71 in association with the management number (step S124).

  Next, the server-side authentication processing unit 82 generates a next-authentication server-side seed. First, when the server side authentication processing unit 82 generates a random number Q and uses this random number Q as the next authentication server side seed, the next authentication phase 2 client side one-time authenticator is changed to another phase 2. It is determined whether the client-side one-time authenticator and the phase-one client-side one-time authenticator are matched (step S126). That is, it is determined whether or not the uniqueness of the client-side one-time authenticator (that is, that there is no other one-time authenticator having the same value) when the generated random number Q is used is determined.

  At this time, the server-side authentication processing unit 82 calculates the next-time authentication phase 2 client-side one-time authenticator X2 when this random number Q is used as the next-authentication server-side seed according to the following equation. It is determined whether or not the authenticator X2 is registered in the phase 2 table 72b.

  X2 = hc (Q, R2 (n))

  When it is determined that the generated random number Q does not ensure uniqueness, the server-side authentication processing unit 82 regenerates the random number Q until the uniqueness is ensured.

  On the other hand, if it is determined that the generated random number Q is unique, the server-side authentication processing unit 82 sets the random number Q to the next authentication phase 2 server-side seed Q2 (n), and the seed Q2 ( n) is written in the seed table 71 in association with the management number (step S127).

  Then, the server-side authentication processing unit 82 generates the phase 2 server-side one-time authenticator S2 (n-1) and the next authentication phase 2 server-side seed K2 (n-1) * Q2 (n) after encryption. And it transmits to the terminal device 1 (step S128).

  Further, the server side authentication processing unit 82 sets X2 calculated at the time of determination in step S126 as the next authentication phase 2 client side one-time identifier C2 (n), and in C2 (n), in the phase 2 table 72b, The one-time identifier associated with the management number is updated (step S129). At this time, the server-side authentication processing unit 82 reads the phase 2 address associated with the management number from the seed table 71, identifies the record of the management number in the phase 2 table 72b with the phase 2 address, Update the one-time identifier in the record.

  Thereafter, the server-side authentication processing unit 82 sorts the records in the phase 2 table 72b so that the values of the one-time identifiers are in ascending order. The phase 2 address associated with the management number is updated (step S130).

  Then, the server-side authentication processing unit 82 generates the next authentication phase 2 common encryption key K2 (n), and writes it in the seed table 71 in association with the management number (step S131).

  Further, the server side authentication processing unit 82 uses the seed for the next authentication of the management number and the common encryption key R2 (n), Q2 (n), K2 (n) in the seed table 71 and the seed for the current authentication. The common encryption keys R2 (n-1), Q2 (n-1), and K2 (n-1) are updated (step S132).

  In this way, data processing for the one-time authentication in phase 2 is executed.

  As described above, according to the second embodiment, a plurality of IC cards can be managed with a management number, and one-time authentication can be performed independently for each IC card.

  Each embodiment described above is a preferred example of the present invention, but the present invention is not limited to these, and various modifications and changes can be made without departing from the scope of the present invention. It is.

  For example, in the first and second embodiments, an electronic device such as a mobile phone having an IC card function may be used as the portable storage device instead of the IC card 5.

  In the first and second embodiments, the reader / writer 2 may be built in the terminal device 1.

  In the first and second embodiments, the portable storage device may be directly connected to the terminal device 1 without using the reader / writer 2 like a USB memory.

  In the first and second embodiments, the phase 1 seed and the common encryption key are directly used as the initial values of the phase 2 seed and the common encryption key. Instead, a predetermined function (for example, a hash function or one In the terminal device 1 and the server device 4, the initial values of the phase 2 seed and the common encryption key may be derived from the phase 1 seed and the common encryption key.

  In the first and second embodiments, the one-time authenticator may be a one-time password. When the one-time authenticator is a one-time password, the determination on the uniqueness of the client-side one-time authenticator (steps S106, S107, S126) is unnecessary. In this case, the terminal device 1 uses the IC card 5 The card ID 101 is read out, and the card ID 101 is transmitted to the server apparatus 4 together with the one-time authenticator. The server apparatus 4 refers to the card attribute table 73 and specifies the IC card 5 based on the card ID 101.

  In the first and second embodiments, the timing for setting the phase flag P to 2 is after the end of the one-time authentication in the phase 1, and the first server-side one-time authenticator S2 (0) in the phase 2 is set. Any timing may be used before reception.

  The present invention is applicable to user authentication in network services, for example.

1 Terminal device (example of client device)
3 Network 4 Server device 5 IC card (an example of portable storage device)
13 RAM (an example of memory)
31 One-time authentication program (an example of a client computer program)
42 Communication Processing Unit 43 Authentication Processing Unit 102 Seed

Claims (9)

A server device;
A client device;
A portable storage device capable of reading and writing data by the client device when placed in a predetermined position;
Each of the server device and the client device generates a seed, encrypts and transmits the seed to each other, generates and transmits a one-time authenticator from the seed, and transmits the seed generated by the server device. It said authenticates for the one-time authentication code to each other on the basis of the said seed that has been generated by the client device, continue to update the seed in the next authentication seed to each successful in the authentication,
The portable storage device holds the seed of the server device and the client device,
In the phase 1, the client device reads the seed of the phase 1 from the portable storage device, generates a one-time authenticator based on the read seed, transmits the one-time authenticator to the server device, and transmits it to the server device When the authentication for the one-time authenticator and the one-time authenticator received from the server device is successful, the next authentication seed of the phase 1 is written in the portable storage device, and the phase after the phase 1 2, the initial authentication seed of the phase 2 is derived from the next authentication seed of the phase 1, and the one-time authenticator of the phase 2 is generated from the initial authentication seed of the phase 2 to the server device. sent, transmitted one-time authenticator and the service of the phase 2 to the server device Upon successful authentication of one-time authentication code of the phase 2 received from the device, it updates the seed of the Phase 2 generates a next authentication seed in the phase 2,
The server device holds the next authentication seed in the phase 1 until the next authentication in the phase 1 and derives the initial authentication seed in the phase 2 from the next authentication seed. If authentication is successful for the one-time authenticator, generating a seed for next authentication in the phase 2 and updating the seed;
One-time authentication system characterized by The portable storage device and the server device hold a phase 1 client side seed and a phase 1 server side seed as the seed,
The client device is
(A1) Read the phase 1 client-side seed and the phase 1 server-side seed from the portable storage device,
(A2) generating a phase 1 client side one-time authenticator from the phase 1 client side seed and the phase 1 server side seed;
(A3) Generate the next authentication phase 1 client-side seed,
(A4) transmitting the phase 1 client-side one-time authenticator and the encrypted next-phase authentication phase 1 client-side seed to the server device;
(A5) receiving a phase 1 server side one-time authenticator and an encrypted next authentication phase 1 server side seed from the server device;
(A6) When the authentication is successful for the phase 1 server-side one-time authenticator, the next authentication phase 1 client-side seed and the next authentication phase 1 server-side seed are written to the portable storage device,
(A7) Upon successful authentication of the phase 1 server-side one-time authenticator, the next authentication phase 1 client-side seed and the next authentication phase 1 server-side seed to the initial authentication phase 2 client-side seed and initial authentication Derive phase 2 server side seed,
(A8) generating an initial authentication phase 2 client-side one-time authenticator from the initial authentication phase 2 client-side seed and the initial authentication phase 2 server-side seed;
(A9) Generate the next authentication phase 2 client-side seed,
(A10) transmitting the initial authentication phase 2 client side one-time authenticator and the encrypted next authentication phase 2 client side seed to the server device;
(A11) receiving a phase 2 server side one-time authenticator and an encrypted next phase phase 2 server side seed from the server device;
(A12) When the authentication is successful for the phase 2 server side one-time authenticator, the next authentication phase 2 client-side seed and the next authentication phase 2 client-side seed are changed to the next authentication phase 2 client-side one-time authenticator. Generate
The server device
(B1) receiving the phase 1 client side one-time authenticator from the client device and the phase 1 client side seed for next authentication after encryption;
(B2) If the authentication is successful for the phase 1 client-side one-time authenticator, the next phase 1 server-side seed for authentication is generated,
(B3) A phase 1 server side one-time authenticator is generated from the next authentication phase 1 client side seed and the phase 1 server side seed,
(B4) transmitting the phase 1 server side one-time authenticator and the encrypted next phase phase 1 server side seed to the client device;
(B5) Deriving the initial authentication phase 2 client-side seed and the initial authentication phase 2 server-side seed from the next authentication phase 1 client-side seed and the next authentication phase 1 server-side seed,
(B6) receiving the initial authentication phase 2 client-side one-time authenticator and the encrypted next authentication phase 2 client-side seed from the client device;
(B7) When the first authentication phase 2 client side one-time authenticator is successfully authenticated based on the initial authentication phase 2 client side seed and the initial authentication phase 2 server side seed, the next authentication phase 2 server side Generate seed,
(B8) generating an initial authentication phase 2 server-side one-time authenticator from the next authentication phase 2 client-side seed and the initial authentication phase 2 server-side seed;
(B9) transmitting the initial authentication phase 2 server-side one-time authenticator and the encrypted next authentication phase 2 server-side seed to the client device;
The one-time authentication system according to claim 1. The phase 1 client-side one-time authenticator and the phase 2 client-side one-time authenticator are calculated with the same one-way function,
The one-way function takes two arguments and has different function values depending on the order of the arguments.
When the order of arguments for the phase 1 client-side one-time authenticator is the order of the phase 1 client-side seed and the phase 1 server-side seed, the order of arguments for the phase 2 client-side one-time authenticator is , Phase 2 server-side seed, phase 2 client-side seed,
If the order of arguments for the phase 1 client-side one-time authenticator is the order of the phase 1 server-side seed and the phase 1 client-side seed, the order of arguments for the phase 2 client-side one-time authenticator is The order of the phase 2 client-side seed and the phase 2 server-side seed,
The one-time authentication system according to claim 2. The phase 1 server-side one-time authenticator and the phase 2 server-side one-time authenticator are calculated with the same one-way function,
The one-way function takes two arguments and has different function values depending on the order of the arguments.
If the order of arguments for the phase 1 server-side one-time authenticator is the next authentication phase 1 client-side seed and the order of the phase 1 server-side seed, the argument for the phase 2 server-side one-time authenticator Is the order of the phase 2 server-side seed and the next authentication phase 2 client-side seed,
If the order of arguments for the phase 1 server side one-time authenticator is the order of the phase 1 server side seed and the next authentication phase 1 client side seed, the argument for the phase 2 server side one-time authenticator The order of the next authentication phase 2 client-side seed and the phase 2 server-side seed,
The one-time authentication system according to claim 2 or claim 3, wherein   The client device holds the next authentication phase 1 client-side seed and the next authentication phase 1 server-side seed in a memory until it is written in the portable storage device, and the next authentication phase 1 client-side seed and the next authentication phase 1 client-side seed 3. The one-time authentication system according to claim 2, wherein the authentication phase 1 server-side seed is erased from the memory after being written into the portable storage device. The portable storage device and the server device hold a phase 1 common encryption key,
The client device reads the phase 1 common encryption key from the portable storage device, encrypts the next authentication phase 1 client-side seed with the phase 1 common encryption key, and the phase 1 server-side one-time authenticator. If the authentication is successful, the phase 1 common encryption key is updated, the updated phase 1 common encryption key is written in the portable storage device, and the phase 1 common encryption key is updated from the updated phase 1 common encryption key. Deriving an initial value, encrypting the next authentication phase 2 client-side seed with the phase 2 common encryption key, and updating the phase 2 common encryption key after successful authentication of the phase 2 server side one-time authenticator And
The server device encrypts the phase 1 server-side seed for the next authentication with the phase 1 common encryption key, and updates the phase 1 common encryption key when the authentication is successful for the phase 1 client-side one-time authenticator. The updated phase 1 common encryption key is held until the next authentication in phase 1, and the initial value of the phase 2 common encryption key is derived from the updated phase 1 common encryption key, Encrypting the next phase 2 server-side seed for next authentication with an encryption key, and succeeding in authenticating the one-time authenticator on the phase 2 client side, updating the phase 2 common encryption key;
The one-time authentication system according to claim 2.   The client device holds the updated phase 1 common encryption key in a memory until it is written to the portable storage device, and writes the updated phase 1 common encryption key to the portable storage device, 7. The one-time authentication system according to claim 6, wherein the one-time authentication system is erased from the memory. In the terminal device,
A communication processing unit that communicates with a server device via a network;
Generate a seed and receive the server device seed from the server device using the communication processing unit, generate a one-time authenticator from the generated seed and the received seed, and use the communication processing unit And authenticating the one-time authenticator received from the server device based on the generated seed and the seed of the server device, and each time the authentication is successful, the seed is set with the next authentication seed. With a renewed authentication processing unit,
The authentication processing unit obtains the seed of the phase 1 on the server device side and the terminal device side from the portable storage device that can read and write data by the terminal device when placed in a predetermined position in the phase 1. read, read on the basis of the seed to generate a one-time authenticator said transmitted to the server apparatus, the authentication for the one-time authenticator received from the one-time authenticator and the server apparatus that has transmitted to the server device If successful, the next authentication seed of the phase 1 for the server device side and the terminal device side is written to the portable storage device, and in the phase 2 after the phase 1, the next authentication seed for the phase 1 to derive the initial certification for seed of the phase 2 from seed, Sea for the initial certification of the phase 2 The phase to generate a one-time authenticator 2 sends to the server device, to authenticate the one-time authenticator Phase 2 of the one-time authenticator and the server device of the Phase 2 that is transmitted to the server device from If successful, generating a seed for next authentication in phase 2 and updating the seed in phase 2 ;
A terminal device characterized by the above. The computer in the terminal device
Generate a seed and receive the server device seed from the server device, generate and transmit a one-time authenticator from the generated seed and the received seed, and based on the generated seed and the server device seed A client computer program for authenticating a one-time authenticator received from the server device and functioning as an authentication processing unit that updates the seed with a next authentication seed each time the authentication is successful. And
The authentication processing unit obtains the seed of the phase 1 on the server device side and the terminal device side from a portable storage device that allows data reading and writing by the terminal device when placed in a predetermined position in the phase 1. read, read on the basis of the seed to generate a one-time authenticator it said transmitted to the server apparatus, the authentication for the one-time authenticator received from the one-time authenticator and the server apparatus that has transmitted to the server device If successful, the next authentication seed of the phase 1 for the server device side and the terminal device side is written to the portable storage device, and in the phase 2 after the phase 1, the next authentication seed for the phase 1 to derive the initial certification for seed of the phase 2 from seed, Sea for the initial certification of the phase 2 The phase to generate a one-time authenticator 2 sends to the server device, to authenticate the one-time authenticator Phase 2 of the one-time authenticator and the server device of the Phase 2 that is transmitted to the server device from If successful, generating a seed for next authentication in phase 2 and updating the seed in phase 2 ;
A client computer program characterized by the above.

Images