JP6240102B2 - Authentication system, authentication key management device, authentication key management method, and authentication key management program - Google Patents

Description

  The present invention relates to an authentication system, an authentication key management device, an authentication key management method, and an authentication key management program.

  For service providers that provide services on the Internet, a function for authenticating a user of a communication partner is essential. Conventionally, many service providers perform user authentication by password authentication that confirms an ID and a password.

  However, password authentication is an authentication means that depends on the user's memory, and characteristics related to security strength such as the length of the password and the use of the password for each service provider depend on the user. As a result, the authentication means is weak, and problems such as account theft are frequently occurring.

  In response to this situation, attention is paid to challenge / response authentication using a public key and a secret key instead of password authentication. In challenge-response authentication, a public key is deployed on an authentication server of a service provider, a secret key is deployed on an authentication client used by the user, and the authentication server authenticates the user by confirming possession of the secret key. At the time of this user authentication, the authentication server first issues a random number called a challenge and sends it to the authentication client. The authentication client that has received the challenge encrypts the challenge using the secret key, generates a response, and returns the response to the authentication server. The authentication server decrypts the returned response with the public key and confirms whether or not it matches the issued challenge. If you do not have a private key, it is very difficult to generate a response that matches the challenge issued by decrypting with the public key. The user is confirmed and authentication is completed.

  A technique for dynamically constructing an environment capable of performing this challenge / response authentication for each service is disclosed. For example, a method is disclosed in which an authentication client is provided with a function of generating a private key / public key pair for each Web service, and a user registers a public key in an authentication server when a user registers for use of the service ( Non-patent document 1). According to this method, since the secret key does not come out from the authentication client, it is possible to construct an environment in which challenge-response authentication is dynamically performed for each service without distributing the secret key on the network. Note that the authentication client is normally carried by a Web browser in the terminal.

“FIDO Alliance”, [online], [searched on December 12, 2014], Internet <URL: https://fidoalliance.org/specifications>

  However, in the technology of Non-Patent Document 1, since the secret key is managed in the terminal, if the secret key is lost when the terminal is lost or changed, the user authentication up to that point cannot be continued. End up.

  Therefore, consider backing up the private key separately from the terminal. However, if the private key is backed up via the network, the private key is distributed through the network, so that a decrease in authentication strength cannot be avoided. Further, if the private key is backed up using a special device in a special place such as a mobile phone store instead of via the network, a certain level of security can be maintained. However, since the secret key is dynamically generated for each service used, it is necessary for the user to go to a special place to back up the secret key every time a new service is started. There is a risk that the properties are significantly impaired.

  Further, when a single user uses a plurality of terminals, the technique of Non-Patent Document 1 requires a secret key for each Web service and each terminal used by the user. Therefore, the number of secret keys increases to the product of the number of services used by the user and the number of terminals. In this case, the service provider needs to manage as many public keys as the number of terminals for one user. In addition, when the user changes the terminal, the user has to register again for all the services used by the terminal, which causes a lot of trouble.

  The present invention has been made in view of the above, and a secret key used for authentication of a registered user who registered for use of a service is lost along with the loss or change of a user terminal without distributing it on the network. It is intended to be managed for each service without being added or added with the addition of the user terminal.

  In order to solve the above-described problems and achieve the object, an authentication system according to the present invention includes an authentication client, an authentication server, and an authentication key management device that are communicably connected to each other via a communication network. The authentication client transmits a request for pre-authentication to authenticate the user to the authentication key management device when the user requests to use the service, and performs the pre-authentication by the authentication key management device. A pre-authentication response unit that responds, a public key registration control unit that transmits a request for use registration of a user authenticated by the pre-authentication to an authentication server, and a use of a registered user whose service is registered in the authentication server An authentication response control unit that transmits a start request to the authentication server, and the authentication server sends a public key and a secret when there is a request for use registration of the user. A public key receiving unit that requests and obtains the generation of the public key used for key authentication performed using a key, and associates the user with the acquired public key as the registered user And a public key management unit that stores the challenge and a challenge to be encrypted using the secret key in the key authentication when there is a request to start using the registered user, and the challenge is the authentication key management device A user authentication unit that authenticates the registered user by verifying, using the public key, a response in which the challenge is encrypted using the secret key, and sent back in response to the challenge, The authentication key management device includes the pre-authentication unit that performs the pre-authentication when the pre-authentication is requested, and the public key generation request from the authentication server. Public key And a key pair generation unit for generating the secret key, a public key transmission unit for transmitting the public key generated by the key pair generation unit to the authentication server, and a secret key generated by the key pair generation unit A secret key management unit that stores the user in association with a user; and an authentication response generation unit that generates the response to the challenge using the challenge and the secret key when the challenge is received. It is characterized by.

  According to the present invention, a secret key used for authentication of a registered user who has registered for use of a service can be lost when the user terminal is lost or changed without being distributed on the network. Can be managed for each service without adding.

FIG. 1 is a schematic diagram showing a schematic configuration of an authentication system according to the first embodiment of the present invention. FIG. 2 is a schematic view illustrating a schematic configuration of an authentication system according to another embodiment. FIG. 3 is a diagram illustrating a configuration example of information stored in the pre-authentication management unit of the authentication key management apparatus according to the first embodiment. FIG. 4 is a diagram illustrating a configuration example of information stored in the session management unit of the authentication key management apparatus according to the first embodiment. FIG. 5 is a diagram illustrating a configuration example of information stored in the secret key management unit of the authentication key management apparatus according to the first embodiment. FIG. 6 is a sequence diagram illustrating an authentication processing procedure according to the first embodiment. FIG. 7 is a sequence diagram illustrating an authentication processing procedure according to the first embodiment. FIG. 8 is a diagram illustrating a configuration example of information stored in the pre-authentication management unit according to the second embodiment. FIG. 9 is a sequence diagram illustrating an authentication processing procedure according to the second embodiment. FIG. 10 is a schematic diagram illustrating a schematic configuration of an authentication system according to the fourth embodiment. FIG. 11 is a sequence diagram illustrating an authentication processing procedure according to the fourth embodiment. FIG. 12 is a diagram illustrating a computer that executes an authentication program.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Moreover, in description of drawing, the same code | symbol is attached | subjected and shown to the same part.

[First Embodiment]
[Configuration of authentication system]
First, the configuration of the authentication system according to the first embodiment will be described with reference to FIG. As shown in FIG. 1, in an authentication system 1, an authentication server 100, an authentication client 200, and an authentication key management device 300 are connected to be communicable with each other via a communication network such as the Internet.

  The authentication server 100 is a server device such as a Web server operated by a service provider who operates an EC (Electronic Commerce) site, and performs registration and authentication of a user who uses the service.

  The authentication client 200 is a terminal device used by a user who requests registration and authentication of service use from the authentication server 100. The authentication client 200 cooperates with each function of the authentication key management device 300 described later, and In response to challenge-response authentication. In the present embodiment, it is realized on the Web browser of the user terminal device.

  The authentication key management device 300 is a device that manages a secret key used for authentication performed between the authentication server 100 and the authentication client 200 for a registered user who has registered for service use. The authentication key management device 300 generates a secret key for challenge / response authentication with the authentication server 100 and a response using this secret key, instead of the authentication client 200. This authentication key management device 300 is operated by, for example, a mobile phone operator and installed in a data center or the like.

  Although FIG. 1 illustrates the authentication system 1 in which one authentication server 100 and one authentication client 200 are arranged, the configuration of the authentication system 1 is not limited to this. For example, as shown in FIG. 2, a plurality of authentication servers 100 and a plurality of authentication clients 200 may be arranged, and the authentication system 1 may be constructed by any combination. For example, one authentication client 200 may use a plurality of authentication key management apparatuses 300 depending on the Web service to be used. A form in which a plurality of authentication servers 100 exist for one Web service is also recognized.

[Configuration of authentication server]
The authentication server 100 functions as a public key reception unit 111 and a user authentication unit 113 by an arithmetic processing device such as a CPU (Central Processing Unit) inside the device executing a control program stored in a memory. The authentication server 100 also includes a public key management unit 112 realized by a semiconductor memory device such as a RAM (Random Access Memory) and a flash memory, or a storage device such as a hard disk and an optical disk.

  The public key management unit 112 stores information in which registered users who have registered for use of services and public keys are associated with each other. Specifically, the public key management unit 112 stores a public key generated for a registered user and a issued service ID in association with each other in a procedure described later.

  The public key receiving unit 111 requests and acquires the generation of a public key used for challenge / response authentication when a user service usage registration request is made. Specifically, the public key receiving unit 111 requests the authentication key management device 300 to generate a public key via the authentication client 200 when the authentication client 200 requests use registration of the service of the user. Receive a public key. At that time, the public key receiving unit 111 issues a service ID for identifying the registered user in the EC site, and stores it in the public key management unit 112 in association with the received public key.

  When there is a request to start using a registered user, the user authentication unit 113 generates a challenge in challenge / response authentication, and verifies the response returned in response to the challenge to authenticate the registered user. Specifically, when the authentication client 200 is requested to log in to the user service, the user authentication unit 113 generates a challenge and transmits the challenge to the authentication key management apparatus 300 via the authentication client 200. Also, the user authentication unit 113 reads the public key from the public key management unit 112 using the service ID of the registered user as key information, and decrypts the response returned from the authentication key management device 300 using the extracted public key. Turn into. Then, the user authentication unit 113 collates the decrypted response with the challenge generated previously, and authenticates as a registered user if they match.

[Authentication client configuration]
In the authentication client 200, a public key registration control unit 211, an authentication response control unit 213, a pre-authentication response response unit 221, an individual authentication response is executed by an arithmetic processing device such as a CPU inside the device executing a control program stored in the memory. Unit 222 and dynamic individual authentication response unit 223.

  When the user requests use of the service, the pre-authentication response unit 221 transmits a pre-authentication request for authenticating the user to the authentication key management device 300 and responds to the pre-authentication by the authentication key management device. Specifically, the pre-authentication response unit 221 requests pre-authentication described later to the authentication key management apparatus 300 with the pre-authentication ID issued to the user in advance, and the pre-authentication performed by the authentication key management apparatus 300 Respond to. When the authentication key management apparatus 300 authenticates a user corresponding to the pre-authentication ID and issues a session ID as a result of the pre-authentication, the pre-authentication response unit 221 receives the session ID and receives an appropriate memory area. To remember.

  The public key registration control unit 211 transmits a request for use registration of the user who has been authenticated by the pre-authentication to the authentication server 100. Specifically, the public key registration control unit 211 requests the authentication server 100 to register service use by a user who has been authenticated by the pre-authentication of the authentication key management apparatus 300 and has received a session ID. The public key registration control unit 211 receives the service ID issued from the authentication server 100 and stores it in an appropriate memory area.

  Further, the public key registration control unit 211 relays communication between the authentication server 100 and the authentication key management device 300. Specifically, when the public key registration control unit 211 receives a request for a public key with an authentication server ID that is identification information of the authentication server 100 from the authentication server 100, the public key with the authentication server ID and the session ID is received. The generation request is transmitted to the authentication key management apparatus 300. When the public key generated from the authentication key management apparatus 300 is received with the authentication server ID, the public key is transmitted to the authentication server 100.

  The authentication response control unit 213 transmits, to the authentication server 100, a request for starting use of a registered user who has been registered for service use in the authentication server 100. Specifically, the authentication response control unit 213 requests the authentication server 100 to log in to the service by a registered user who has registered for service use in the authentication server 100 and has issued a service ID.

  Further, the authentication response control unit 213 relays communication between the authentication server 100 and the authentication key management device 300. Specifically, when receiving a challenge from the authentication server 100, the authentication response control unit 213 transmits a request for a response with the authentication server ID, the session ID, and the challenge to the authentication key management apparatus 300. In addition, when receiving a response from the authentication key management apparatus 300, the authentication response control unit 213 transmits a response to the authentication server 100.

  The individual authentication response unit 222 responds to the individual authentication for authenticating the pre-authentication ID among the pre-authentications performed by the authentication key management apparatus 300. The dynamic individual authentication response unit 223 responds to dynamic authentication when dynamic authentication such as key authentication using an authentication key issued online is performed in addition to individual authentication in pre-authentication. Details will be described later.

[Configuration of authentication key management device]
The authentication key management device 300 functions as a pre-authentication unit 330 and an authentication response unit 310 when an arithmetic processing device such as a CPU inside the device executes a control program stored in a memory. The authentication key management device 300 includes a pre-authentication management unit 323 and a session management unit realized by a semiconductor memory device such as a random access memory (RAM) and a flash memory, or a storage device such as a hard disk and an optical disk. 321 and a secret key management unit 322.

  The pre-authentication management unit 323 stores information in which a pre-authentication ID issued to the user in advance is associated with the authentication method. Specifically, the information stored in the pre-authentication management unit 323 includes a pre-authentication ID, an authentication method, and control as illustrated in FIG.

  Here, the pre-authentication ID means information for identifying the user, such as a mobile phone number issued in advance by facing the user at a mobile phone store. Pre-authentication means user authentication corresponding to the pre-authentication ID. The authentication method means an authentication method such as SIM (Subscriber Identity Module) authentication, key authentication, or the like designated in advance to execute pre-authentication for the user corresponding to the pre-authentication ID. Control means information such as AND and OR for designating an authentication method to be applied among one or more authentication methods for the same pre-authentication ID. “AND” is set when all applications of the plurality of authentication methods are designated, and “OR” is set when any one of the plurality of authentication methods is designated. FIG. 3 exemplifies that all of “SIM authentication” and “key authentication” (“AND”) are applied as the authentication method for the pre-authentication ID “090-1234-5678”.

  For example, this authentication method and control may be set via an input unit (not shown) when a pre-authentication ID is issued. At this time, information used for each authentication method is also stored in an appropriate memory area of the pre-authentication management unit 323.

  The session management unit 321 stores information in which the issued session ID and its expiration date are associated with the pre-authentication ID. Specifically, the information stored in the session management unit 321 includes a session ID, a pre-authentication ID, and an expiration date as illustrated in FIG. Here, the session ID is randomly issued when a user corresponding to the pre-authentication ID is authenticated by a procedure described later. The expiration date means the expiration date of the session ID, and when the session ID is issued, for example, a date and time when a predetermined period has elapsed since the session ID is issued is set. FIG. 4 illustrates that the expiration date of the session ID “12345” issued to the pre-authentication ID “090-1234-5678” is “December 31, 2014 23:59:59”. ing.

  The secret key management unit 322 stores information in which the generated secret key is associated with the user. Specifically, the information stored in the secret key management unit 322 includes a pre-authentication ID, an authentication server ID, and a secret key as illustrated in FIG. Here, the authentication server ID means identification information of the authentication server 100 that holds the public key generated together with the secret key by a procedure described later. In FIG. 5, the authentication server ID of the authentication server 100 that holds the public key generated for the pre-authentication ID “090-1234-5678” is “EC01”, and the generated secret key is “PrivateKey1”. Is illustrated.

  The pre-authentication unit 330 performs pre-authentication in response to a request for pre-authentication by the authentication client 200. Specifically, the pre-authentication unit 330 includes a pre-authentication control unit 331, an individual authentication unit 332, and a dynamic individual authentication unit 333. When pre-authentication is requested from the authentication client 200 with the pre-authentication ID, the pre-authentication control unit 331 first identifies the authentication method specified for the pre-authentication ID with reference to the pre-authentication management unit 323. To do. Then, the pre-authentication control unit 331 authenticates the user corresponding to the pre-authentication ID according to the specified authentication method.

  When the user corresponding to the pre-authentication ID is authenticated, the pre-authentication control unit 331 issues a session ID for the pre-authentication ID. The pre-authentication control unit 331 transmits the issued session ID to the authentication client 200 and stores it in the session management unit 321 in association with the expiration date and the pre-authentication ID.

  The individual authentication unit 332 and the dynamic individual authentication unit 333 are controlled by the pre-authentication control unit 331. The individual authentication unit 332 executes individual authentication for authenticating a user corresponding to the pre-authentication ID using information set in advance at the time of a line contract or the like among the pre-authentication. In the pre-authentication, when dynamic authentication such as key authentication using an authentication key dynamically generated online is performed in addition to individual authentication, the dynamic individual authentication unit 333 performs dynamic authentication.

  For example, when SIM authentication and key authentication are designated as the authentication method set in the pre-authentication management unit 323, the individual authentication unit 332 authenticates the SIM card corresponding to the pre-authentication ID. Execute. In addition, the dynamic individual authentication unit 333 performs key authentication. Here, as the key authentication, challenge / response authentication using secret information such as a random character string issued in advance together with a pre-authentication ID at a mobile phone store or the like and stored in a memory area or the like of the authentication client 200 is exemplified. . The secret key / public key used for the challenge / response authentication is dynamically issued by the authentication client 200 when, for example, a SIM card is attached to the authentication client 200 for the first time and the authentication key management apparatus 300 is accessed. The authentication client 200 manages the secret key, and the authentication key management apparatus 300 manages the public key. A specific processing procedure will be described later. Thereby, for example, even if the SIM card is subsequently stolen, a terminal that does not hold the secret key does not authenticate the user by pre-authentication.

  The authentication response unit 310 responds to challenge / response authentication with the authentication server 100 instead of the user who has been authenticated by the pre-authentication and has issued the session ID, that is, the authentication client 200. Specifically, the authentication response unit 310 includes a key pair generation unit 314, a public key transmission unit 311, and an authentication response generation unit 313.

  The key pair generation unit 314 generates a public key and a secret key used for challenge / response authentication when there is a request to generate a public key from the authentication server 100. Specifically, when receiving a public key generation request from the authentication server 100 with the authentication server ID and the session ID via the authentication client 200, the key pair generation unit 314 refers to the session management unit 321; After confirming that the session ID is within the validity period, the associated pre-authentication ID is extracted. Then, the key pair generation unit 314 generates a public key / private key pair.

  The public key transmission unit 311 transmits the public key to the authentication server 100. Specifically, the public key transmission unit 311 transmits the public key generated by the key pair generation unit 314 to the authentication server 100 via the authentication client 200. The public key transmission unit 311 stores the secret key in the secret key management unit 322 in association with the pre-authentication ID and the authentication server ID.

  The authentication response generation unit 313 generates a response in response to the challenge in challenge / response authentication. Specifically, when the authentication response generation unit 313 receives a challenge from the authentication server 100 via the authentication client 200, that is, from the authentication client 200, a request for a response with a session ID, an authentication server ID, and a challenge is received. At this time, a response is generated by the following procedure. First, the authentication response generation unit 313 refers to the session management unit 321, confirms that the session ID is within the expiration date, and extracts the associated pre-authentication ID. Next, the authentication response generation unit 313 refers to the secret key management unit 322 and extracts the secret key associated with the pre-authentication ID and the authentication server ID. Then, the authentication response generation unit 313 generates a response obtained by encrypting the challenge using this secret key, and returns the response to the authentication server 100 via the authentication client 200.

[Authentication procedure]
Next, an authentication processing procedure in the authentication system 1 will be described with reference to FIGS. 6 and 7. The authentication process of the present embodiment includes pre-setting, pre-authentication, user registration, and login processes.

[Preset]
FIG. 6 is a sequence diagram exemplifying pre-setting, pre-authentication, and user registration processing procedures. As shown in FIG. 6, in order for a user to request use registration of a service to the authentication server 100 using the authentication client 200, first, pre-authentication performed between the authentication client 200 and the authentication key management apparatus 300 is performed. Pre-setting for performing is performed (S1).

  Specifically, a pre-authentication ID such as “090-1234-5678” is issued by facing the user at a mobile phone store or the like. At that time, secret information represented by a random character string or the like such as “ABCDEFGHIJKL” is also generated. The pre-authentication ID and the secret information are safely written in the SIM card at a mobile phone store or the like that issued the pre-authentication ID. Further, the pre-authentication ID and the secret information are stored in association with each other in an appropriate memory area of the authentication key management apparatus 300.

  Also, a pre-authentication method for authenticating the user corresponding to the pre-authentication ID is determined and stored in the pre-authentication management unit 323. In this embodiment, since the authentication method for pre-authentication is SIM authentication and key authentication, the authentication client 200 generates a pre-authentication private key and a pre-authentication public key used for this key authentication. For example, when the authentication client 200 accesses the authentication key management apparatus 300 for the first time using a SIM card, the pre-authentication response unit 221 of the authentication client 200 uses the pre-authentication private key and the pre-authentication public key. Generate a pair. The generated pre-authentication private key is stored in an appropriate memory area of the authentication client 200. On the other hand, the generated pre-authentication public key is stored in an appropriate memory area of the authentication key management apparatus 300 in association with the pre-authentication ID.

[Pre-authentication]
When the user requests use registration for the EC site service, first, a pre-authentication request including a pre-authentication ID is transmitted from the pre-authentication response unit 221 of the authentication client 200 to the pre-authentication control unit 331 of the authentication key management device 300. (S11).

  The pre-authentication control unit 331 that has received the pre-authentication request refers to the pre-authentication management unit 323 to identify the pre-authentication method associated with the pre-authentication ID, and the individual authentication unit 332 and the dynamic individual authentication unit 333 is controlled to perform pre-authentication (S12). Specifically, the individual authentication unit 332 performs SIM authentication in cooperation with the individual authentication response unit 222 of the authentication client 200. In addition, the dynamic individual authentication unit 333 performs key authentication in cooperation with the dynamic individual authentication response unit 223 of the authentication client 200. That is, challenge / response authentication is performed between the dynamic individual authentication unit 333 and the dynamic individual authentication response unit 223 using the secret information, the pre-authentication secret key, and the pre-authentication public key shared by the presetting. Thereby, the user corresponding to the pre-authentication ID is authenticated.

  When the user corresponding to the pre-authentication ID is authenticated, the pre-authentication control unit 331 of the authentication key management apparatus 300 issues a session ID as a mark that the pre-authentication is completed. Also, the pre-authentication control unit 331 stores the issued session ID in the session management unit 321 in association with the pre-authentication ID together with the expiration date (S13). In addition, the pre-authentication control unit 331 transmits the issued session ID to the pre-authentication response unit 221 of the authentication client 200 (S14). The pre-authentication response unit 221 of the authentication client 200 stores the issued session ID in an appropriate memory area.

  The pre-authentication request is obtained when, for example, the user inputs an instruction to request use registration to the authentication client 200 from an unillustrated input unit realized by a Web browser or the like, the authentication client 200 receives a session ID within the expiration date. Whether or not pre-authentication is necessary is determined based on the presence / absence or the like, and is transmitted when pre-authentication is determined to be necessary. Alternatively, the authentication client 200 may periodically check whether there is a session ID within the expiration date, and may transmit a pre-authentication request when the session ID within the expiration date is not held.

[user registration]
The public key registration control unit 211 of the authentication client 200 that has acquired the session ID transmits a user registration request for requesting service use registration to the authentication server 100, which is an EC site (S21). Upon receiving this, the public key receiving unit 111 of the authentication server 100 transmits a public key generation request with the authentication server ID to the authentication client 200 (S22). Upon receiving this public key request, the public key registration control unit 211 transmits a public key generation request with a session ID and an authentication server ID to the authentication key management apparatus 300 (S23).

  The public key transmission unit 311 that has received the public key generation request refers to the session management unit 321 and confirms that the session ID is within the validity period, and then controls the key pair generation unit 314 to control the public key and the private key. Are generated (S24). The public key transmission unit 311 stores the generated secret key in the secret key management unit 322 in association with the authentication server ID and the pre-authentication ID extracted with reference to the session management unit 321 (S25). Further, in response to the public key generation request, the public key transmission unit 311 returns the generated public key to the public key registration control unit 211 of the authentication client 200 (S26).

  If the session ID is not within the expiration date, the authentication client 200 notified to that effect acquires the session ID by the above-described pre-authentication process in steps S11 to S14, and then starts the process in step S21. To do.

  Upon receiving the generated public key, the public key registration control unit 211 returns the received public key to the authentication server 100 in response to the public key generation request (S27). The public key receiving unit 111 of the authentication server 100 that has received the public key issues a service ID, associates the service ID with the public key, and stores them in the public key management unit 112 (S28). Thus, the user registration process for registering the user as a registered user in the authentication server 100 is completed.

  The public key receiving unit 111 also transmits the issued service ID to the authentication client 200 (S29). The public key registration control unit 211 of the authentication client 200 that has received the service ID stores the service ID in an appropriate memory area. This service ID is used at the time of login described later.

[Login]
FIG. 7 is a sequence diagram illustrating the login processing procedure. As shown in FIG. 7, when the user logs in to the service site, the authentication client 200 first acquires a session ID by the pre-authentication process in steps S11 to S14. When the authentication client 200 holds a session ID within the expiration date, the pre-authentication process is omitted and the process proceeds to the following process.

  When the user requests login using the browser or the like of the authentication client 200, the authentication response control unit 213 of the authentication client 200 transmits a service request to the authentication server 100 (S31). The user authentication unit 113 of the authentication server 100 that has received the service request returns the display data of the login screen to the authentication response control unit 213 of the authentication client 200 (S32). When the user selects challenge / response authentication as an authentication means using the login screen, the authentication response control unit 213 transmits a challenge / response authentication request with a service ID to the authentication server 100 (S33). Upon receiving the challenge / response authentication request, the user authentication unit 113 of the authentication server 100 generates a challenge used for challenge / response authentication (S34), and transmits the challenge together with the authentication server ID to the authentication response control unit 213 of the authentication client 200 (S35). ).

  The authentication response control unit 213 transmits a response request including the received authentication server ID, challenge, and session ID to the authentication key management apparatus 300 (S36). The authentication response generation unit 313 of the authentication key management apparatus 300 that has received the response request refers to the session management unit 321, confirms that the session ID is within the validity period, and extracts the associated pre-authentication ID. . Further, the authentication response generation unit 313 refers to the secret key management unit 322, and extracts the secret key associated with the pre-authentication ID and the authentication server ID (S37). Then, the authentication response generation unit 313 generates a response by encrypting the received challenge with the extracted secret key (S38), and transmits the response to the authentication client 200 (S39).

Upon receiving the response, the authentication response control unit 213 of the authentication client 200 returns a response to the user authentication unit 113 of the authentication server 100 in response to the challenge (S40).
The user authentication unit 113 that has received the response refers to the public key management unit 112, extracts the public key associated with the service ID, and decrypts the received response with the public key. The user authentication unit 113 performs response verification comparing the decrypted response with the generated challenge (S41). As a result of the response verification, if they match, the registered user is authenticated and login is completed. Thereby, a service is started (S42).

  As described above, in the authentication system 1 according to the present embodiment, the authentication key management apparatus 300 issues a session ID by performing user pre-authentication corresponding to the pre-authentication ID. In response to a user registration request, the authentication server 100 transmits a public key generation request to the authentication key management apparatus 300 via the authentication client 200. The authentication key management device 300 generates a public key and a private key used for the challenge / response authentication in response to a request for generating a public key with a session ID within the validity period, and transmits the public key to the authentication server 100. The private key is stored in association with the pre-authentication ID. Further, the authentication key management apparatus 300 generates a response in challenge / response authentication of the registered user between the authentication server 100 and the authentication client 200 using the secret key. As a result, the secret key used for authentication of the registered user who registered for use of the service is also added along with the addition of the user terminal without being distributed on the network and lost due to the loss or change of the user terminal. In addition, it can be generated and managed for each service regardless of the user terminal.

[Second Embodiment]
In the above embodiment, the authentication key management apparatus 300 is illustrated as being operated by a mobile phone operator, but is not limited thereto. For example, a form in which a fixed communication carrier or an SI (System Integration) carrier operates the authentication key management device 300 may be used. In the second embodiment, a case where the fixed communication carrier operates the authentication key management apparatus 300 will be described. In this case, fixed line authentication is applied to the pre-authentication instead of the SIM authentication in the above embodiment. For the fixed line authentication, information related to the laying of the fixed line such as the port number of the line concentrator switch and the MAC (Media Access Control) address of the line terminating device, which is set when the fixed line is laid, is used. Therefore, in the pre-setting (S1) process, information related to the laying of the fixed line is set in association with the issued pre-authentication ID.

  In advance setting (S1), a password is set in association with the pre-authentication ID issued to the user. As a result, when the user accesses the authentication key management apparatus 300 via the fixed line at the time of pre-authentication, password authentication is performed together with the fixed line authentication to maintain the high security strength and Users can be identified and authenticated.

  Furthermore, on the premise that pre-authentication has been performed, such as when the pre-authentication is performed for the first time, the authentication client 200 dynamically generates a pair of a pre-authentication private key and a pre-authentication public key, and makes it public The key may be transmitted to the authentication key management device 300 in advance. The key authentication using the dynamic pre-authentication private key and the pre-authentication public key may be performed as pre-authentication instead of fixed line authentication and password authentication. Even when the user accesses the authentication key management device 300 from the authentication client 200 without going through a fixed line set in advance when going out, etc., it becomes possible to perform pre-authentication by key authentication, and the authentication key management device 300 is used. can do.

  The authentication method of the pre-authentication described above can be specified by setting the information stored in the pre-authentication management unit 323 as illustrated in FIG. That is, FIG. 8 exemplifies that either “line authentication + password authentication” or “key authentication” (“OR”) is applied as an authentication method for the pre-authentication ID “01234456789”.

  FIG. 9 is a sequence diagram illustrating the preset processing procedure for the pre-authentication described above. As shown in FIG. 9, first, the authentication client 200 transmits a pre-setting request to the authentication key management apparatus 300 via a fixed line (S51). The pre-authentication control unit 331 of the authentication key management apparatus 300 that has received the pre-configuration request controls the individual authentication unit 332 (S52) to confirm information necessary for fixed line authentication (S53). The pre-authentication control unit 331 controls the individual authentication unit 332 to set a password for the pre-authentication ID necessary for password authentication with the authentication client 200 (S54).

  The pre-authentication control unit 331 receives a key authentication application from the authentication client 200 after receiving a user authentication completion notification corresponding to the pre-authentication ID from the individual authentication unit 332 by fixed line authentication and password authentication (S55). (S56, S57). In this case, the pre-authentication control unit 331 controls the dynamic individual authentication unit 333 to collect information necessary for the key authentication function (S58). When the pre-authentication control unit 331 receives the pre-authentication public key request transmitted by the dynamic individual authentication unit 333 (S59), the pre-authentication control unit 331 transfers the request to the authentication client 200 (S60). Upon receiving the request for the pre-authentication public key, the authentication client 200 generates a key pair of the pre-authentication public key and the pre-authentication private key (S61), and sends the pre-authentication public key via the pre-authentication control unit 331. It transmits to the dynamic individual authentication part 333 (S62, S63). Thereby, the pre-setting for pre-authentication by “line authentication + password authentication” or “key authentication” is completed.

[Third Embodiment]
In the third embodiment, a case where the SI provider operates the authentication key management apparatus 300 will be described. Since the SI provider does not normally distribute hardware that can be used for user identification such as SIM or fixed line, it cannot perform pre-authentication by SIM authentication or fixed line authentication as described above. Therefore, pre-setting for pre-authentication is performed as follows by face-to-face work with the user.

  In the present embodiment, it is assumed that a corporation that is a customer of an SI provider manages the authentication server 100 and the authentication client 200. In this case, the SI provider that operates the authentication key management apparatus 300 selects a secure authentication method such as a fingerprint authentication device or an electronic certificate to be applied to pre-authentication between the authentication server 100 and the authentication client 200 in advance. And secret information used for the selected authentication method is exchanged between the authentication server 100 and the authentication client 200 in advance. For example, the authentication security token itself may be set in the authentication client 200. Thereby, secure pre-authentication can be performed regardless of SIM authentication or fixed line authentication.

  Even when the authentication key management apparatus 300 is operated by a mobile phone carrier or a fixed communication carrier, an authentication method using fingerprint authentication, an electronic certificate, or the like can be applied to pre-authentication. For example, a mobile phone operator may apply fingerprint authentication to pre-authentication instead of SIM authentication. If a fingerprint authentication device is registered online on the premise of SIM authentication, if a SIM card is lost, a malicious person registers a false fingerprint authentication device using the lost SIM card. Is also possible. Therefore, if a fingerprint authentication device is registered by facing a user at a mobile phone store or the like, secure pre-authentication instead of SIM authentication can be performed.

[Fourth Embodiment]
In the fourth embodiment, as illustrated in FIG. 10, the pre-authentication unit 330 and the pre-authentication management unit 323 are realized by the pre-authentication device 400 separated from the authentication key management device 300. In this embodiment, it is assumed that the key management company operates the authentication key management apparatus 300 and the communication carriers A and B operate the pre-authentication apparatus 400 respectively. In this case, there is a trust relationship between the key management company and each of the communication carriers A and B, and information related to authentication can be securely distributed in both pre-authentication and challenge / response authentication after pre-authentication. And

  In the above embodiment, the authentication results can be linked by distributing the session ID between the pre-authentication unit 330 and the authentication response unit 310. On the other hand, in the present embodiment, since the provision subject of the pre-authentication unit 330 and the authentication response unit 310 is different, authentication cooperation is realized by applying a protocol such as SAML (Security Assertion Markup Language).

  For example, the pre-authentication apparatus 400 can issue a session ID to form a SAML push type that cooperates with the authentication key management apparatus 300. In this case, the authentication system 1 operates in the same manner as in the above embodiment.

  On the other hand, the authentication key management device 300 may be in the form of a SAML pull type in which a session ID is issued. In this case, the operation differs from the above embodiment in the pre-setting and the pre-authentication. The pre-setting and pre-authentication processing procedures in this case will be described with reference to FIG.

  As shown in FIG. 11, first, prior setting such as SIM issuance is performed between the authentication client 200 and the pre-authentication apparatus 400 (S1). In addition, pre-setting for authentication cooperation is performed between the pre-authentication apparatus 400 and the authentication key management apparatus 300 on the premise of the trust relationship between the providers (S71). Specifically, the pre-authentication device 400 issues a signature private key and public key, stores the private key in an appropriate memory area, and passes the public key to the authentication key management device 300. Further, when either the pre-authentication device 400 or the authentication key management device 300 issues a pre-authentication ID, the pre-authentication ID is shared.

  When the pre-authentication is necessary, the authentication client 200 transmits a pre-authentication request including the pre-authentication ID to the authentication key management device 300 (S11). The authentication key management apparatus 300 that has received the pre-authentication request issues a session ID and stores it in the session management unit 321 in association with the pre-authentication ID (S81). Also, the authentication key management apparatus 300 transmits an authentication cooperation request with the issued session ID and pre-authentication ID to the pre-authentication apparatus 400 via the authentication client 200 using redirection or the like (S82).

  The pre-authentication unit 330 that has received the authentication cooperation request performs pre-authentication such as SIM authentication as in the above embodiment (S12). When the user corresponding to the pre-authentication ID is authenticated by the pre-authentication, the pre-authentication unit 330 generates a signature text using the signature private key, and the signed session with the signature text attached to the received session ID The ID is transmitted to the authentication client 200 (S83).

  The authentication client 200 stores the received signed session ID in an appropriate memory area. When the public key generation request (S22) or challenge (S35) received from the authentication server 100 is relayed to the authentication key management apparatus 300 (S23 or S36), a signed session is used instead of the session ID of the above embodiment. Send an ID.

  The authentication key management apparatus 300 that has received the information with the signed session ID verifies the signature using the signature public key (S84). When the signature passes verification, it is confirmed that the signature is a signature by the pre-authentication unit 330 having a trust relationship. Thereby, it is confirmed that the pre-authentication of the authentication client 200 by the pre-authentication apparatus 400 is completed.

  In addition, since the authentication key management device 300 and the pre-authentication device 400 are in a trust relationship, for example, when the user changes the carrier from the communication carrier A to the communication carrier B, cooperation between the providers is performed according to the user's offer. Can do. Thereby, even if a user changes a communication carrier, it is possible to take over the pre-authentication ID and the secret key associated with the pre-authentication ID. In this case, even if the pre-authentication is changed to the line authentication or SIM authentication provided by the communication carrier B, the secret key that has been used can be used continuously.

  As described above, by setting the pre-authentication unit 330 and the pre-authentication management unit 323 as the pre-authentication device 400 separated from the authentication key management device 300, for example, the pre-authentication device 400 is operated by a communication carrier and authenticated. The key management device 300 different from the communication carrier can operate the key management device 300 in common for a plurality of communication carriers. In this case, for example, even when the user changes the communication carrier, it is possible to continue using the secret key managed by the key management provider common to a plurality of communication carriers, which is convenient for the user. Can be further increased.

  It should be noted that the pre-authentication device 400 and the authentication key management device 300 are not necessarily operated by a different operator. The authentication key management apparatus 300 may be linked to a plurality of pre-authentication apparatuses 400, and the pre-authentication apparatus 400 may be selected and linked to the authentication key management apparatus 300 according to the business operator used by the user.

[Other Embodiments]
[program]
It is also possible to create a program in which processing executed by the authentication key management apparatus 300 according to the above embodiment is described in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Furthermore, the program similar to the above-described embodiment may be realized by recording the program on a computer-readable recording medium, and reading and executing the program recorded on the recording medium. Hereinafter, an example of a computer that executes an authentication key management program that realizes the same function as the authentication key management apparatus 300 will be described.

  As shown in FIG. 12, a computer 1000 that executes an authentication key management program includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, A network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

  Here, as shown in FIG. 12, the hard disk drive 1031, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094 are stored. Each table described in the above embodiment is stored in the hard disk drive 1031 memory 1010, for example.

  Further, the authentication key management program is stored in the hard disk drive 1031 as a program module 1093 in which a command executed by the computer 1000 is described, for example. Specifically, a program module describing each process executed by the authentication key management apparatus 300 described in the above embodiment is stored in the hard disk drive 1031.

  Data used for information processing by the authentication key management program is stored as program data 1094 in, for example, the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes the above-described procedures.

  Note that the program module 1093 and the program data 1094 related to the authentication key management program are not limited to being stored in the hard disk drive 1031, but are stored in a removable storage medium, for example, by the CPU 1020 via the disk drive 1041 or the like. It may be read out. Alternatively, the program module 1093 and the program data 1094 related to the authentication key management program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and the network interface 1070 is stored. Via the CPU 1020.

  As mentioned above, although embodiment which applied the invention made | formed by this inventor was described, this invention is not limited with the description and drawing which make a part of indication of this invention by this embodiment. That is, other embodiments, examples, operational techniques, and the like made by those skilled in the art based on this embodiment are all included in the scope of the present invention.

DESCRIPTION OF SYMBOLS 1 Authentication system 100 Authentication server 111 Public key receiving part 112 Public key management part 113 User authentication part 200 Authentication client 211 Public key registration control part 213 Authentication response control part 221 Pre-authentication response part 222 Individual authentication response part 223 Dynamic individual authentication response Unit 300 authentication key management device 310 authentication response unit 311 public key transmission unit 313 authentication response generation unit 314 key pair generation unit 321 session management unit 322 secret key management unit 323 pre-authentication management unit 330 pre-authentication unit 331 pre-authentication control unit 332 individual Authentication unit 333 Dynamic individual authentication unit 400 Pre-authentication device

Claims (7)

An authentication system in which an authentication client, an authentication server, and an authentication key management device are communicably connected to each other via a communication network,
The authentication client is
A pre-authentication response unit that transmits a request for pre-authentication to authenticate the user to the authentication key management device when the user requests use of the service, and responds to the pre-authentication by the authentication key management device;
A public key registration control unit that transmits a request for use registration of a user authenticated by the pre-authentication to an authentication server;
An authentication response control unit that transmits to the authentication server a request to start use of a registered user who has registered for use of the service in the authentication server,
The authentication server is
A public key receiving unit that requests and acquires the generation of the public key used for key authentication performed using a public key and a secret key when there is a request for use registration of the user;
A public key management unit that stores the user as the registered user in association with the acquired public key;
When there is a request to start using the registered user, a challenge that is encrypted using the secret key in the key authentication is generated, the challenge is transmitted to the authentication key management device, and the challenge is answered. A user authentication unit that authenticates the registered user by verifying, using the public key, a response in which the challenge is encrypted using the private key.
The authentication key management device includes:
A pre-authentication unit that performs the pre-authentication when the pre-authentication is requested;
A key pair generation unit that generates the public key and the secret key when the authentication server requests generation of the public key;
A public key transmission unit that transmits the public key generated by the key pair generation unit to the authentication server;
A secret key management unit that stores the secret key generated by the key pair generation unit in association with the user;
An authentication system comprising: an authentication response generation unit that generates the response to the challenge using the challenge and the secret key when the challenge is received.   The said pre-authentication part contains the dynamic authentication part which performs challenge response authentication using the private key and public key which were produced | generated when communicated with the said authentication client legally, The said authentication part is characterized by the above-mentioned. Authentication system.   The authentication system according to claim 1, wherein the pre-authentication unit authenticates the user by using a SIM card attached to a mobile phone.   The authentication system according to claim 1, wherein the pre-authentication unit authenticates the user using line identification information of a fixed telephone line. A pre-authentication unit that performs pre-authentication to authenticate a user who requests use of the service;
A key pair generation unit for generating the public key and the secret key used for key authentication performed using the public key and the secret key when there is a request for use registration of the user authenticated by the pre-authentication;
A public key transmission unit that transmits the public key generated by the key pair generation unit to an authentication server;
A secret key management unit that stores the secret key generated by the key pair generation unit in association with the user;
An authentication response generation unit that generates a response to the challenge using the challenge and the secret key when a challenge encrypted using the secret key is received in the key authentication;
An authentication key management device comprising: An authentication key management method executed by an authentication key management device,
A pre-authentication step in which a pre-authentication unit performs pre-authentication to authenticate a user who requests use of the service;
The key pair generation unit generates the public key and the secret key used for key authentication performed using the public key and the secret key when there is a request for use registration of the user authenticated by the pre-authentication. A key pair generation process;
A public key transmitting unit that transmits the public key generated in the key pair generating step to the authentication server;
A secret key management step in which a secret key management unit stores the secret key generated in the key pair generation step in association with the user;
An authentication response generation step of generating a response to the challenge using the challenge and the secret key when the authentication response generation unit receives a challenge encrypted using the secret key in the key authentication; ,
Including an authentication key management method. Computer
Pre-authentication means for performing pre-authentication to authenticate a user who requests use of the service;
Key pair generating means for generating the public key and the secret key used for key authentication performed using the public key and the secret key when there is a request for use registration of the user authenticated by the pre-authentication;
Public key transmitting means for transmitting the public key generated by the key pair generating means to an authentication server;
Secret key management means for storing the secret key generated by the key pair generation means in association with the user;
An authentication response generating means for generating a response to the challenge using the challenge and the secret key when a challenge encrypted using the secret key is received in the key authentication;
Authentication key management program to function as

Images