JP6398308B2 - Information processing system, information processing method, and program - Google Patents

Description

  The present invention relates to an information processing system, an information processing method, and a program.

  Single sign-on is known in which a plurality of servers can be used by a single authentication. The basic mechanism of single sign-on is as follows.

  The server A executes an authentication process in response to an authentication request from the client. If the authentication is successful, the server A generates a token that can be verified by itself and returns the token to the client.

  The client transmits the token to the server B and requests service provision. Server B requests server A to verify the token. If the validity of the token is verified by the server A, the server B provides the requested service to the client.

  However, in the mechanism as described above, when communication between the server A and the server B becomes impossible, there is a high possibility that single sign-on will not function normally.

  The present invention has been made in view of the above points, and an object of the present invention is to reduce the dependence on communication with respect to single sign-on.

  Therefore, in order to solve the above problem, an information processing system including a first information processing device and a second information processing device performs authentication on information transmitted from the client device by the first information processing device. An authentication unit, a first generation unit that generates a hash value of predetermined information when authentication by the authentication unit is successful, and a cipher that generates encrypted data by encrypting the hash value with a first encryption key And a reply unit that returns the encrypted data and the predetermined information to the client device, wherein the second information processing device transmits the encrypted data transmitted from the client device and the predetermined information. A receiving unit that receives a request including information, and the encrypted data included in the request received by the receiving unit is a second encryption key that is the same as the first encryption key or the first encryption key. A decryption unit that decrypts with a second encryption key that is paired with, a second generation unit that generates a hash value of the predetermined information received by the reception unit, a decryption result by the decryption unit, and the second A comparison unit that compares the hash value generated by the generation unit, and executes processing according to the request according to a comparison result by the comparison unit.

  The dependence on communication with respect to single sign-on can be reduced.

It is a figure which shows the structural example of the information processing system in embodiment of this invention. It is a figure which shows the hardware structural example of the server apparatus in embodiment of this invention. It is a figure which shows the function structural example of the information processing system in embodiment of this invention. It is a figure which shows an example of the relationship of the data which comprise a subject. FIG. 11 is a sequence diagram for explaining an example of a single sign-on processing procedure in the information processing system. It is a flowchart for demonstrating an example of an authentication process. It is a figure which shows the structural example of a user information storage part. It is a flowchart for demonstrating an example of the process performed according to the request | requirement accompanied by a subject.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating a configuration example of an information processing system according to an embodiment of the present invention. The information processing system 1 illustrated in FIG. 1 includes a server device 10A, a server device 10B, and one or more client devices 20 and the like. When the server apparatus 10A and the server apparatus 10B are not distinguished, they are referred to as “server apparatus 10”. Each client device 20 and each server device 10 are communicably connected via a network such as a LAN (Local Area Network) or the Internet.

  The server device 10 is a computer that provides a predetermined service to an authenticated user, or a set of one or more computers. Alternatively, the server device 10 may be a device such as an image forming apparatus.

  The client device 20 is a terminal that functions as a user interface when a user uses a service provided by the server device 10. For example, a PC (Personal Computer), a smartphone, a tablet terminal, a mobile phone, or the like may be used as the client device 20. Alternatively, the client device 20 may be a device such as an image forming apparatus.

  In the present embodiment, an example will be described in which a user authenticated by the server device 10A can use not only the service provided by the server device 10A but also the service provided by the server device 10B. That is, an example in which single sign-on is realized regarding the use of the server device 10A and the server device 10B will be described. Note that network communication may not be possible between the server apparatus 10A and the server apparatus 10B. Also, three or more server devices 10 may be included in the information processing system 1.

  FIG. 2 is a diagram illustrating a hardware configuration example of the server device according to the embodiment of the present invention. The server device 10 in FIG. 2 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, and the like that are mutually connected by a bus B.

  A program for realizing processing in the server device 10 is provided by a recording medium 101 such as a CD-ROM. When the recording medium 101 storing the program is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 executes functions related to the server device 10 in accordance with a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network.

  FIG. 3 is a diagram illustrating a functional configuration example of the information processing system according to the embodiment of the present invention.

  In FIG. 3, the client device 20 includes a client unit 21. The client unit 21 provides a user interface for using the server device 10, transmits a request to the server device 10, and receives and displays information returned from the server device 10 in response to the request. The client unit 21 is realized, for example, by processing that a dedicated application program, a Web browser program, or the like causes the CPU of the client device 20 to execute.

  The server device 10A includes a request reception unit 111, an authentication unit 112, a hash value generation unit 113, a token generation unit 114, a response unit 115, and the like. Each of these units is realized by processing that a program installed in the server device 10A causes the CPU 104 of the server device 10A to execute. The server device 10A also uses the user information storage unit 116. The user information storage unit 116 can be realized by using the auxiliary storage device 102 of the server device 10A or a storage device connected to the server device 10A via a network.

  The request receiving unit 111 receives a request transmitted from the client unit 21. When the request from the client unit 21 is a login request, the authentication unit 112 performs an authentication process on the authentication information included in the login request. The authentication process is performed, for example, by collating the authentication information with information stored in the user information storage unit 116. The authentication information is, for example, a user name and a password. However, when an IC card or the like is used, the card information may be authentication information. When biometric authentication is performed, the biometric information may be authentication information.

  The user information storage unit 116 stores authentication information, attribute information, and the like of each user who is permitted to use the information processing system 1. Hereinafter, information including the authentication information and attribute information is referred to as user information.

  The hash value generation unit 113 generates a hash value of a part or all of the user information of the user regarding the user who has been successfully authenticated by the authentication unit 112. Part or all of the user information used to generate the hash value is hereinafter referred to as “hash source information”.

  The token generation unit 114 encrypts the hash value generated by the hash value generation unit 113 and information indicating the expiration date using an encryption key. The data generated by the encryption is hereinafter referred to as “token”. The information indicating the expiration date is date / time information indicating the expiration date of the token. The encryption key is stored in, for example, the auxiliary storage device 102 of the server device 10A. Alternatively, a security chip or the like may be used for storing the encryption key.

  The response unit 115 returns a response to the request received by the request reception unit 111 to the client unit 21 that has transmitted the request. For example, when the request is a login request and authentication by the authentication unit 112 is successful, the response unit 115 returns a token generated by the token generation unit 114 and hash source information regarding the token to the client unit 21 To do. Hereinafter, the combination of the token and the hash source information is referred to as “subject”.

  FIG. 4 is a diagram illustrating an example of a relationship between data constituting a subject. As shown in FIG. 4, the subject includes a token and hash source information. The token is obtained by encrypting the hash value of the hash source information and the date / time information indicating the expiration date.

  The server device 10B includes a request reception unit 121, a decryption unit 122, a validity determination unit 123, a hash value generation unit 124, a verification unit 125, a process execution unit 126, and the like. Each of these units is realized by processing that the program installed in the server device 10B causes the CPU 104 of the server device 10B to execute.

  The request receiving unit 121 receives a request transmitted from the client unit 21 to which a subject has been issued by the server device 10A. The request includes a subject.

  The decryption unit 122 decrypts the token constituting the subject included in the request received by the request reception unit 121 with the encryption key. The encryption key is stored in, for example, the auxiliary storage device 102 of the server device 10B. Alternatively, a security chip or the like may be used for storing the encryption key. The encryption key used by the decryption unit 122 is a common encryption key with the encryption key used by the token generation unit 114. Alternatively, the encryption key used by the decryption unit 122 and the encryption key used by the token generation unit 114 may be asymmetric. That is, the encryption key used by the token generation unit 114 may be a secret key, and the encryption key used by the decryption unit 122 may be a public key that is paired with the secret key.

  The validity determination unit 123 determines whether or not the token is within the expiration date based on information indicating the expiration date obtained by decrypting the token.

  The hash value generation unit 124 generates a hash value of hash source information that constitutes a subject included in the request received by the request reception unit 121. For the generation of the hash value, the same hash function as the hash function used by the hash value generation unit 113 is used.

  The verification unit 125 verifies the validity of the subject by comparing the hash value included in the decryption result of the token by the decryption unit 122 with the hash value generated by the hash value generation unit 124. That is, if the compared hash values match, it is verified that the token is generated by the server device 10A, and the hash source information is verified not to be falsified. However, it is assumed that such an encryption key in the server device 10A is not leaked to the outside.

  The process execution unit 126 executes a process according to the request received by the request reception unit 121 according to the comparison result by the verification unit 125.

  The server apparatus 10A may further have a functional configuration that the server apparatus 10B has. The server device 10B may further have a functional configuration that the server device 10A has.

  Hereinafter, a processing procedure executed in the information processing system 1 will be described. FIG. 5 is a sequence diagram for explaining an example of a single sign-on processing procedure in the information processing system.

  In step S101, the client unit 21 of the client device 20 transmits, for example, a login request including authentication information input via the login screen to the server device 10A. The login request includes item names of one or more items to be acquired among items constituting the user information of the user related to the authentication information. For example, “user name”, “name”, “mail address”, and the like may be items to be acquired. In the present embodiment, for convenience, an example in which a user name and a password are used as authentication information will be described.

  The login request is received by the request receiving unit 111 of the server device 10A. When the login request is received, the server device 10A executes an authentication process (S102). Details of the authentication process will be described later. Subsequently, the response unit 115 of the server device 10A returns a response to the login request to the client unit 21 (S103). When the authentication is successful, the response includes a subject. When authentication fails, the response includes, for example, information indicating that authentication has failed.

  If the authentication is successful, the client unit 21 transmits a service provision request to the server device 10B (S104). FIG. 5 shows an example in which an API (Application Program Interface) “getXX” is called as a service provision request. In the service provision request, for example, the subject returned in step S103 and an argument specific to “getXX” are specified.

  The service provision request is received by the request receiving unit 121 of the server apparatus 10B. When the service provision request is received, the server apparatus 10B executes a process corresponding to the request (S105).

  Next, details of step S102 will be described. FIG. 6 is a flowchart for explaining an example of the authentication process.

  In step S <b> 201, the authentication unit 112 authenticates the authentication information included in the login request by checking with the authentication information stored in the user information storage unit 116.

  FIG. 7 is a diagram illustrating a configuration example of the user information storage unit. In FIG. 7, the user information storage unit 116 stores a user name, password, name, address, telephone number, mail address, and the like for each user.

  The user name is information for identifying each user by a computer or the like constituting the information processing system 1. The password is a password of the user related to the user name. In addition, when information other than a password (card information, biometric information, etc.) is used for authentication, the password may not be stored. The name, address, telephone number, and mail address are the name, address, telephone number, and mail address of the user associated with the user name, respectively.

  In step S201, the authentication unit 112 determines that the authentication is successful if a record including the user name and password included in the login request is stored in the user information storage unit 116, and the corresponding record is determined to be a user. If it is not stored in the information storage unit 116, it is determined that the authentication has failed.

  If the authentication fails (No in S202), steps S203 and after are not executed. In this case, the response unit 115 returns, for example, information indicating a failure of authentication to the client unit 21 in step S103 of FIG.

  On the other hand, when the authentication is successful (Yes in S202), the authentication unit 112 acquires the information specified as the acquisition target in the login request from the user information storage unit 116 (S203). For example, the values of “user name”, “name”, and “mail address” of the user who has been successfully authenticated are acquired.

  Subsequently, the hash value generation unit 113 generates the hash value of the hash source information using the acquired information as hash source information (S204). The hash source information is information including the item name and the value of the acquired information, such as “user name: XXX, name: YYY, mail address: ZZZ”.

  Subsequently, the token generation unit 114 encrypts the hash value generated by the hash value generation unit 113 and the date / time information indicating the expiration date by using the encryption key stored in the server device 10A. A token is generated (S205). Note that the information indicating the expiration date may be information indicating a certain period after the current date and time, for example.

  When step S205 is executed, the response unit 115 returns the subject including the generated token and the hash source information to the client unit 21 in step S103 of FIG.

  Next, details of step S105 in FIG. 5 will be described. FIG. 8 is a flowchart for explaining an example of processing executed in response to a request with a subject.

  In step S301, the decryption unit 122 decrypts the token included in the received subject using the encryption key stored in the server device 10B. When decryption fails (No in S302), the process execution unit 126 rejects execution of the process according to the request (S307). This is because there is a high possibility that the token is not generated by the server device 10A. In other words, successful decryption means that there is a high possibility that the token is generated by the server device 10A.

  When the decryption is successful (Yes in S302), the validity determination unit 123 determines whether the token is within the expiration date based on the information indicating the expiration date obtained by decoding the token (S303). . For example, if the information indicating the expiration date has not passed the current date and time, it is determined that the token is within the expiration date.

  If the token is out of validity (No in S303), the process execution unit 126 rejects execution of the requested process (S307).

  If the token is within the validity period (Yes in S303), the hash value generation unit 124 generates a hash value of the hash source information included in the received subject (S304). Subsequently, the verification unit 125 determines whether or not the hash value obtained by decoding the token matches the hash value generated by the hash value generation unit 124 (S305). If the compared values do not match (No in S305), the process execution unit 126 rejects execution of the requested process (S307). In this case, it is highly likely that the hash source information has been tampered with, and there is a high possibility that it is an unauthorized request. In the present embodiment, the hash source information includes user identification information such as a user name. Therefore, for example, it is conceivable that the hash source information is falsified for the purpose of impersonation.

  On the other hand, when the compared values match (S305), the process execution unit 126 executes the requested process (S306). Note that the process execution unit 126 may change the execution content of the requested process in accordance with the user name included in the hash source information. For example, an executable process may be limited based on authority information managed in association with a user name.

  Note that the client unit 21 may transmit a service provision request to the server device 10A between step S103 and step S104 in FIG. In this case, a subject may be specified in the request. The server apparatus 10A may execute a process similar to the process described in FIG. 8 in response to the request. Further, the client unit 21 may transmit a request in which a subject is designated to a server device 10 different from the server device 10A and the server device 10B. In response to the request, the server device 10 may execute a process similar to the process described in FIG.

  The token may not include an expiration date. In this case, an encrypted hash value of the hash source information may be used as a token.

  The hash source information may not be user information. For example, it may be bibliographic information of a document or information that does not have a special meaning.

  As described above, according to the present embodiment, single sign-on can be realized without communication between server device 10A and server device 10B. In other words, single sign-on can be realized even when communication between the server device 10A and the server device 10B becomes impossible. Therefore, the dependence on communication with respect to single sign-on can be reduced.

  In the present embodiment, the server apparatus 10A is an example of a first information processing apparatus. The server device 10B is an example of a second information processing device. The hash value generation unit 113 is an example of a first generation unit. The token generation unit 114 is an example of an encryption unit. A token is an example of encrypted data. The response unit 115 is an example of a reply unit. The request receiving unit 121 is an example of a receiving unit. The hash value generation unit 124 is an example of a second generation unit. The verification unit 125 is an example of a comparison unit.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

DESCRIPTION OF SYMBOLS 1 Information processing system 10A Server apparatus 10B Server apparatus 20 Client apparatus 21 Client part 100 Drive apparatus 101 Recording medium 102 Auxiliary storage apparatus 103 Memory apparatus 104 CPU
105 interface device 111 request reception unit 112 authentication unit 113 hash value generation unit 114 token generation unit 115 response unit 116 user information storage unit 121 request reception unit 122 decoding unit 123 validity determination unit 124 hash value generation unit 125 verification unit 126 process execution Part B Bus

JP 2002-335239 A

Claims (4)

An information processing system including a first information processing device and a second information processing device,
The first information processing apparatus includes:
An authentication unit that performs authentication on user identification information transmitted from the client device;
One or more pieces of data indicated by information transmitted from the client device together with the user identification information, out of a data group associated with the user identification information and stored in the storage unit when the authentication unit is successfully authenticated. A first generator for generating a hash value of
An encryption unit that encrypts the hash value with a first encryption key to generate encrypted data;
A reply unit that returns the encrypted data and the one or more data to the client device;
The second information processing apparatus
A receiving unit for receiving a request including the encrypted data and the one or more data transmitted from the client device;
Decryption for decrypting the encrypted data included in the request received by the receiving unit with a second encryption key identical to the first encryption key or a second encryption key paired with the first encryption key And
A second generator that generates a hash value of the one or more data received by the receiver;
A comparison unit that compares the decryption result by the decryption unit and the hash value generated by the second generation unit;
Depending on the comparison result by the comparison unit, processing according to the request is performed.
An information processing system characterized by this. The encryption unit encrypts the hash value generated by the first generation unit and information indicating the date and time to generate encrypted data,
The second information processing apparatus executes processing according to the request according to information indicating a date and time included in a decoding result by the decoding unit.
The information processing system according to claim 1. An information processing method executed by a first information processing apparatus and a second information processing apparatus,
The first information processing apparatus is
An authentication procedure for authenticating user identification information transmitted from the client device;
One or more pieces of data indicated by information transmitted from the client device together with the user identification information out of a data group associated with the user identification information and stored in a storage unit when the authentication in the authentication procedure is successful A first generation procedure for generating a hash value of
An encryption procedure for generating encrypted data by encrypting the hash value with a first encryption key;
A reply procedure for returning the encrypted data and the one or more data to the client device;
The second information processing apparatus is
A reception procedure for receiving a request including the encrypted data and the one or more data transmitted from the client device;
Decryption for decrypting the encrypted data included in the request received in the reception procedure with a second encryption key identical to the first encryption key or a second encryption key paired with the first encryption key Procedure and
A second generation procedure for generating a hash value of the one or more data received in the reception procedure;
Performing a comparison procedure for comparing the decryption result in the decryption procedure with the hash value generated in the second generation procedure;
Depending on the comparison result in the comparison procedure, processing according to the request is performed.
An information processing method characterized by the above. On the computer,
An authentication procedure for authenticating user identification information transmitted from the client device;
One or more pieces of data indicated by information transmitted from the client device together with the user identification information out of a data group associated with the user identification information and stored in a storage unit when the authentication in the authentication procedure is successful A first generation procedure for generating a hash value of
An encryption procedure for generating encrypted data by encrypting the hash value with an encryption key;
A program for executing a reply procedure for returning the encrypted data and the one or more data to the client device.

Images