JP6584460B2 - Authentication system, authentication method and program - Google Patents

Description

  The present invention relates to an authentication system, an authentication method, and a program for authenticating an information processing apparatus.

  When using a service provided on a network using an information processing device such as a mobile terminal, authentication for confirming whether to connect to the network or authentication for confirming whether or not the service can be used is usually used. It is necessary to authenticate. In such authentication, authentication using ID (identification) that is identification information for identifying a user and a password is generally used.

  Since the ID and password are difficult for some users to remember, the ID and password may be forgotten and the service may not be used regardless of having the right to use the service.

  On the other hand, the connection device described in Patent Document 1 takes a sheet of paper on which a QR code (registered trademark) is recorded with a camera, analyzes the QR code, and stores an ID and a password. Can be used easily.

JP 2012-155754 A

  However, immediately after applying for the network connection service, which is a service for connecting to the network, the user may not recognize that the ID and password have been given. For this reason, even if the ID and password can be stored as in the technique described in Patent Document 1, the user who applied for the network connection service will receive the printed form of the ID and password from the service provider by mail or the like. In some cases, it was misunderstood that the network connection service and the network providing service that is a service on the network cannot be used.

  SUMMARY An advantage of some aspects of the invention is that it provides an authentication system, an authentication method, and a program capable of improving the convenience of authentication.

  An authentication system according to the present invention includes a storage unit that stores an IP address assigned in a predetermined network connection device, a receiving unit that receives an IP address assigned to the information processing device from the information processing device, and the receiving unit An authentication unit that performs an address authentication process for authenticating the information processing apparatus using the IP address received by the server and the IP address stored in the storage unit.

  An authentication method according to the present invention includes a step of storing an IP address assigned in a predetermined network connection device, a step of receiving an IP address assigned to the information processing device from the information processing device, and the received IP Performing an address authentication process for authenticating the information processing apparatus using an address and the stored IP address.

  The program according to the present invention includes a procedure for storing an IP address assigned by a predetermined network connection device in a computer, a procedure for receiving an IP address assigned to the information processing device from the information processing device, and the received program. And a procedure for performing an address authentication process for authenticating the information processing apparatus using the stored IP address and the stored IP address.

  According to the present invention, it is possible to improve the convenience of authentication.

It is a figure which shows the communication system of the 1st Embodiment of this invention. It is a block diagram which shows the structural example of a mobile terminal. It is a figure which shows an example of user information. It is a figure which shows an example of the determination information. It is a figure which shows an example of a connection log. It is a figure which shows an example of session DB. It is a block diagram which shows the structural example of a network connection apparatus. It is a block diagram which shows the structural example of a message transmission apparatus. It is a block diagram which shows the structural example of a 1st authentication server. It is a block diagram which shows the structural example of a 2nd authentication server. It is a block diagram which shows the structural example of a service server. It is a sequence diagram for demonstrating operation | movement of the communication system of the 1st Embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings. In addition, in each drawing, the same code | symbol is attached | subjected to what has the same function, and the description may be abbreviate | omitted.

(First embodiment)
FIG. 1 is a diagram illustrating a communication system according to a first embodiment of this invention. The communication system shown in FIG. 1 includes a mobile terminal 1, a user information storage device 2, a connection information storage device 3, a session information storage device 4, a network connection device 5, a message transmission device 6, and a first authentication server. 7, a second authentication server 8, and a service server 9.

  The mobile terminal 1 can be connected to each device on the provider network 13 via the access network 11, the base station 12 and the provider network 13. In this embodiment, the devices on the provider network 13 include a network connection device 5, a message transmission device 6, a first authentication server 7, and a second authentication server 8. In the present embodiment, the device on the provider network 13 does not include the user information storage device 2, the connection information storage device 3, and the session information storage device 4. The mobile terminal 1 can be connected to a service server 9 that is a device on the Internet 14 via the access network 11, the base station 12, the provider network 13, and the Internet 14. Each of the network connection device 5, the message transmission device 6, the first authentication server 7, and the second authentication server 8 can be connected to the user information storage device 2, the connection information storage device 3, and the session information storage device 4.

  In the example of FIG. 1, the access network 11 is a wireless network such as a 3G network, an LTE (Long Term Evolution) network, and a wireless LAN (Local Area Network). The service server 9 may be provided on the provider network 13. The network connection device 5, the message transmission device 6, the first authentication server 7 and the second authentication server 8 are respectively connected to the user information storage device 2, the connection information storage device 3, the session information storage device 4 and the provider network 13. However, it may be connected via the provider network 13.

  The mobile terminal 1 is an information processing device for receiving a network connection service for connecting to devices on the provider network 13 and the Internet 14 and a network providing service provided by these devices. In this embodiment, the network providing service is provided by the service server 9 on the Internet 14. The network providing service is, for example, a content distribution service for distributing content, a message exchange service for exchanging messages, or a change service for changing member information. The mobile terminal 1 is, for example, a smartphone, a tablet computer, a portable game machine, or a mobile PC (Personal Computer).

  FIG. 2 is a block diagram illustrating a configuration example of the mobile terminal 1. 2 includes a display unit 101, an operation unit 102, a terminal storage unit 103, a terminal communication unit 104, and a terminal control unit 105.

  The display unit 101 displays various information. Various operations are performed on the operation unit 102 by the user. The terminal storage unit 103 stores terminal unique information that is unique information unique to the mobile terminal 1. The terminal specific information is, for example, MSISDN (Mobile Station International Subscriber Directory Number) or a telephone number. In the following, it is assumed that the terminal specific information is a telephone number. The terminal storage unit 103 may be a recording medium built in the mobile terminal 1 such as a hard disk, or may be a recording medium detachable from the mobile terminal 1 such as a SIM (Subscriber Identity Module) card.

  The terminal communication unit 104 communicates with each device on the provider network 13 and the Internet 14. For example, the terminal communication unit 104 receives a connection response indicating an authentication result of a connection authentication process, which is an authentication process for receiving a network connection service, from the network connection apparatus 5 and receives a network providing service from the message transmission apparatus 6. A message indicating that the first service authentication process, which is an authentication process, is executable, and requests the first authentication server 7 and the second authentication server 8 to transmit authentication information used for the first service authentication process. An authentication information request and a first authentication response that is an authentication result of the first service authentication process are received. The connection response includes an IP address assigned to the mobile terminal 1 when indicating a successful connection authentication process. In addition, the first authentication response includes session information for managing communication between the mobile terminal 1 and the service server 9 when the authentication is successful.

  The first service authentication process includes an address authentication process that is an authentication process using an IP address and a non-address authentication process that is an authentication process using authentication information different from the IP address. The authentication server 7 performs address authentication processing, and the second authentication server 8 performs non-address authentication processing. In the address authentication process, only the IP address may be used as the authentication information, but in this embodiment, the IP address and the terminal specific information are used. In the present embodiment, the non-address authentication process uses a user ID and a password that are identification information for identifying the user of the mobile terminal 1 as the authentication information. For this reason, the authentication information request from the first authentication server 7 is an address request for requesting transmission of an IP address and terminal-specific information as authentication information, and the authentication information request from the second authentication server 8 is a user ID and password. This is a password request for requesting transmission of.

  Further, the message is specifically information indicating that the address authentication process can be executed, and includes position information indicating the position of the first authentication server 7 performing the address authentication process on the network. The message may include location information indicating the location of the service server 9 on the network. Hereinafter, it is assumed that the position information is a URL (Uniform Resource Locator).

  The terminal control unit 105 transmits a connection authentication request for requesting execution of connection authentication processing to the network connection device 5. The connection authentication request includes terminal specific information stored in the terminal storage unit 103.

  When the terminal communication unit 104 receives a connection response, the terminal control unit 105 executes a connection response process according to the connection response. For example, when the connection response indicates successful authentication, the terminal control unit 105 stores the IP address in the connection response in the terminal storage unit 103.

  When the terminal communication unit 104 receives a message, the terminal control unit 105 displays the message on the display unit 101. Thereafter, when a selection operation for selecting the URL of the first authentication server in the message is performed on the operation unit 102, the terminal control unit 105 requests the execution of the first service authentication process based on the URL. One service authentication request is transmitted to the first authentication server 7.

  Note that, when an operation for instructing the operation unit 102 to transmit the first service authentication request is performed, the terminal control unit 105 may transmit the first service authentication request. In this case, the transmission destination of the first service authentication request may be the first authentication server 7 or the second authentication server 8, and is determined according to, for example, the URL input to the operation unit 102.

  When the terminal communication unit 104 receives the authentication information request, the terminal control unit 105 receives the IP address and the terminal specific information stored in the terminal storage unit 103 as the first authentication server 7 if the authentication information request is an address request. If the authentication request is a password request, the user ID and password are transmitted to the second authentication server 8. The user ID and password may be input by the user using the operation unit 102 or may be stored in advance in the terminal storage unit 103.

  When the terminal communication unit 104 receives the first authentication response, the terminal control unit 105 performs a first response process according to the first authentication response. Specifically, the terminal control unit 105 stores the session information in the first authentication response in the terminal storage unit 103 when the first authentication response indicates successful authentication. Thereafter, the terminal control unit 105 transmits a service request for requesting provision of a network providing service to the service server 9 using a predetermined application program such as a Web browser. The service request includes session information stored in the terminal storage unit 103. When the URL of the service server 9 is included in the above message, the terminal control unit 105 transmits a service request to the service server 9 using the URL. The URL of the service server 9 may be input by the user using the operation unit 102.

  The terminal control unit 105 stores session information in a format corresponding to an application program that receives a network providing service, such as a cookie temporarily stored for a Web browser. Further, the terminal control unit 105 may delete the session information stored in the terminal storage unit 103 at a predetermined deletion timing. The deletion timing is determined when the application program that receives the network providing service is closed, when the application program is not re-executed after the application program is closed, and when a predetermined time elapses, after the session information is stored. This is the timing at which time (for example, 24 hours) has elapsed.

  The user information storage device 2, the connection information storage device 3, the session information storage device 4, the network connection device 5, the message transmission device 6, the first authentication server 7 and the second authentication server 8 constitute an authentication system for authenticating the mobile terminal 1. Constitute.

  The user information storage device 2 stores user information regarding users who use the network connection service and the network providing service. The user information is information in which, for each user ID that is identification information for identifying a user, a password, contract information regarding a network connection service with the user, and terminal-specific information of the mobile terminal 1 used by the user are associated with each other. . Further, the contract information may include contract information regarding a network providing service with the user.

  Specifically, the contract information indicates whether or not the use of the network connection service is permitted. Further, the contract information may indicate whether or not the use of the network connection service is permitted for each type of line for using the network connection service. Examples of the line type include an optical line and a mobile line. In the present embodiment, the mobile terminal 1 uses a network connection service using a mobile line. In addition to the above information or in place of the above information, the contract information includes information indicating whether or not transmission of a message to the mobile terminal 1 is permitted, and whether the mobile terminal 1 uses an IP address. It may indicate whether or not the address authentication process, which is one service authentication process, is permitted, and whether or not the use of the network providing service is permitted. Further, the contract information may further indicate a contract date that permits the use of the network connection service, a use start date when the network connection service is first used, and the like.

  FIG. 3 is a diagram illustrating an example of user information. 3 includes a user ID 201, a password 202, contract information 203, and a telephone number 204. The contract information 203 indicates whether or not the use of the network connection service is permitted for each of the optical line and the mobile line. In the example of FIG. 3, “Yes” indicates that the use of the network connection service is permitted, and “No” indicates that the use of the network connection service is not permitted. The telephone number 204 is terminal-specific information that identifies the mobile terminal 1. “-” Indicates that the telephone number 204 is not registered. In addition, the telephone number that is terminal-specific information may include a telephone number such as an optical line. In this case, it is preferable that the telephone number is associated with each line type and stored.

  The connection information storage device 3 is a storage unit that stores connection information related to the connection of the mobile terminal 1 to the network. The connection information includes determination information indicating whether or not the address authentication process, which is the first service authentication process using the IP address, and a connection log indicating a connection history of the mobile terminal to the network. The determination information corresponds to the terminal-specific information of the mobile terminal 1 used by the user, the IP address assigned to the mobile terminal 1, and the situation information indicating the connection status of the mobile terminal 1 to the network for each user ID. Information.

  FIG. 4A is a diagram illustrating an example of determination information. The determination information 300 illustrated in FIG. 4 includes a user ID 301, a telephone number 302, IP address information 303, and a situation 304. The telephone number 302 is terminal-specific information that identifies the mobile terminal 1. The IP address information 303 indicates an IP address assigned to the mobile terminal 1 or that an IP address is not assigned to the mobile terminal 1. In the example of FIG. 4A, “-” indicates that no IP address is assigned. The status 304 is status information. In the example of FIG. 4A, when the mobile terminal 1 is connected to the Internet 14, it indicates “connected”, and when the mobile terminal 1 is not connected to the Internet 14, “disconnect”. Indicates. Here, the user ID 301 stored as the determination information may be determined based on the contract information in the user information stored in the user information storage device 2. For example, the first service authentication process using an IP address such as when the contract information permits the use of a mobile line and the use of a network-provided service or the address authentication process is permitted. When it is shown that the address authentication process can be used, the user ID corresponding to the contract information is stored as determination information.

  The connection log includes a record in which the user ID, the IP address assigned to the mobile terminal 1 used by the user, and start date information indicating the connection start date and time when the mobile terminal 1 is connected to the network are associated with each other. Is the information accumulated every time it connects to the network. Note that the connection log record may include information indicating a date and time different from the connection start date and time, such as the date and time when the mobile terminal 1 disconnected from the network. The connection log also includes a log when an information processing apparatus installed in a home such as a desktop PC other than the mobile terminal 1 uses a network connection service using a fixed line such as an optical line. There is. For this reason, the connection log record may include connection line information indicating the type of the network line connected to the mobile terminal 1 or the information processing apparatus using the network connection service.

  FIG. 4B is a diagram illustrating an example of a connection log. The connection log 310 illustrated in FIG. 4B includes a user ID 311, an IP address 312, a start date and time 313, and a connection line 314. The start date / time 313 is start date / time information. The connection line 314 is connection line information.

  The session information storage device 4 is a session information storage unit that stores a session DB (database) related to session information of the mobile terminal 1. The session DB is information in which session information of the mobile terminal 1 used by the user is associated with generation date / time information indicating the generation date / time when the session information is generated for each user ID. In the session DB, validity determination information indicating whether or not the session information is valid may be associated with the session information. Hereinafter, session information associated with validity determination information indicating validity may be referred to as valid session information.

  FIG. 5 is a diagram illustrating an example of the session DB. The session DB 400 illustrated in FIG. 5 includes a user ID 401, session information 402, and a generation date / time 403. The generation date / time 403 is generation date / time information.

  The network connection device 5 is a device that provides a network connection service to the mobile terminal 1. The network connection device 5 includes, for example, at least one of a network access server, a gateway server, and a RADIUS (Remote Authentication Dial-in User Service) server. FIG. 6 is a block diagram illustrating a configuration example of the network connection device 5. The network connection device 5 illustrated in FIG. 6 includes a connection communication unit 501, a connection storage unit 502, and a connection control unit 503.

  The connection communication unit 501 communicates with a device such as the mobile terminal 1. For example, the connection communication unit 501 receives a connection authentication request from the mobile terminal 1. The connection storage unit 502 stores, for each IP address that can be assigned to the mobile terminal 1, pool information indicating whether or not the IP address has been assigned.

  When the connection communication unit 501 receives the connection authentication request, the connection control unit 503 uses the terminal specific information in the connection authentication request and the user information stored in the user information storage device 2 to request a connection authentication request. Connection authentication processing is performed for the mobile terminal 1 that is the transmission source. For example, the connection control unit 503 checks whether or not the contract information corresponding to the terminal specific information in the connection authentication request permits the use of the network connection service in the user information stored in the user information storage device 2. . The connection control unit 503 determines that the authentication is successful if the contract information permits the use of the network connection service, and determines that the authentication fails if the contract information does not permit the use of the network connection service. Further, the connection control unit 503 may determine whether or not the user information stored in the user information storage device 2 includes terminal-specific information in the connection authentication request. In this case, the connection control unit 503 determines that the authentication is successful if the terminal specific information is included, and determines that the authentication fails if the terminal specific information is not included.

  When performing the connection authentication process, the connection control unit 503 transmits a connection response that is an authentication result of the connection authentication process to the mobile terminal 1. At this time, if the authentication is successful, the connection control unit 503 assigns one of the IP addresses not yet assigned to the mobile terminal 1 based on the pool information stored in the connection storage unit 502, and assigns the assigned IP address. The IP address is included in the connection response. Then, the connection control unit 503 updates the pool information so that the IP address assigned to the mobile terminal 1 is already assigned.

  Furthermore, the connection control unit 503 updates the connection information stored in the connection information storage device 3 based on the IP address assigned to the mobile terminal 1. Specifically, the connection control unit 503 obtains a user ID corresponding to the terminal specific information in the connection authentication request from the user information storage device 2, and the contract information corresponding to the user ID uses the IP address as the first information. When the address authentication process, which is a service authentication process, indicates that it can be used, the user ID and terminal specific information, the assigned IP address, and the status information indicating the connection are associated with each other in the connection information storage device 3 as determination information. Remember. As a result, the connection information storage device 3 stores the IP address assigned by the network connection device 5 that is a predetermined network connection device. In addition, the connection control unit 503 stores the acquired user ID, the assigned IP address, and start date / time information indicating the current date / time as the connection start date / time in the connection information storage device 3 as a connection log.

  The message transmission device 6 is a device that transmits a message to the mobile terminal 1. FIG. 7 is a diagram illustrating a configuration example of the message transmission device 6. The message transmission device 6 illustrated in FIG. 7 includes a message communication unit 601, a message storage unit 602, and a message control unit 603. The message communication unit 601 is connected to the mobile terminal 1 or the like. The message storage unit 602 stores the URL of the first authentication server 7 as position information indicating the position of the first authentication server 7 on the network. The message storage unit 602 may store the URL of the service server 9 as position information indicating the position of the service server 9 on the network.

  The message control unit 603 performs transmission processing for transmitting a message. Specifically, the message control unit 603 monitors the connection information stored in the connection information storage device 3 and determines whether or not the network connection device 5 has newly assigned an IP address to the mobile terminal 1. . For example, the message control unit 603 monitors the determination information or the connection log in the connection information, and when the user ID is newly added to the determination information or the connection log, the network connection device 5 assigns the IP address to the mobile terminal 1. It is determined that a new assignment has been made.

  When the network connection device 5 newly assigns an IP address to the mobile terminal 1, the message control unit 603 gives the URL of the first authentication server 7 stored in the message storage unit 602 to the mobile terminal 1. Send a message containing. The message is preferably an SMS (short message service) message addressed to a telephone number, which is terminal-specific information corresponding to the newly added user ID, in the user information stored in the user information storage device 2. Other messages may be used. Further, the message includes not only the URL of the first authentication server but also the URL of the service server 9 or information indicating that it is recommended to connect to the first authentication server in order to receive the network providing service by the service server 9. May be included.

  When the network connection device 5 newly assigns an IP address to the mobile terminal 1, the message control unit 603 determines whether or not the address authentication process can be performed for the mobile terminal 1, and the address authentication process is possible. A message may be sent. In this case, the message control unit 603 determines whether or not the address authentication process for the mobile terminal 1 is possible based on the contract information corresponding to the added user ID in the user information stored in the user information storage device 2. For example, when the contract information indicates that the use of the network connection service is permitted, the message control unit 603 determines that the address authentication process for the mobile terminal 1 is possible. Further, in addition to permitting the use of the network connection service in the contract information, the use of the network providing service is permitted, the transmission of a message to the mobile terminal 1 is permitted, or the mobile terminal Used for address authentication processing, which is the first service authentication processing using IP address as the contract information, such as permitting address authentication processing for 1, or if two or all of them are permitted When it is possible, it may be determined that the address authentication process for the mobile terminal 1 is possible.

  In addition, the message control unit 603 transmits a message when the network connection device 5 newly assigns an IP address to a new mobile terminal that is a mobile terminal 1 that has not been subjected to address authentication processing so far. Also good. In this case, for example, the message control unit 603 searches the connection log for the user ID newly added to the determination information or the connection log, and determines whether an IP address has been assigned to the new mobile terminal. Further, the message control unit 603 determines whether or not a connection flag indicating that address authentication has been performed is associated with the user ID (or terminal specific information) in the user information stored in the user information storage device 2. It may be determined whether or not an IP address has been assigned to a new mobile terminal. At this time, if the connection flag is not associated, the message control unit 603 determines that an IP address has been assigned to the new mobile terminal, transmits a message, and in the user information, the user ID (or terminal-specific information) ) Is associated with the connection flag. If the connection flag is associated, the message control unit 603 determines that an IP address has been assigned to a non-new mobile terminal, and ends the process.

Note that when the message control unit 603 determines that an IP address has been assigned to a new mobile terminal, the newly added user in the user information stored in the user information storage device 2 with the current date and time as the use start date You may add to the contract information corresponding to ID. When the message control unit 603 determines that an IP address has been assigned to the new mobile terminal, the message control unit 603 includes the URL of the first authentication device in the message,
If it is determined that an IP address is assigned to a non-new mobile terminal, the URL of the first authentication device may not be included in the message.

  The first authentication server 7 performs a first service authentication process and a second service authentication process, which are authentication processes for receiving a network providing service for the mobile terminal 1. The first service authentication process performed by the first authentication server 7 is an address authentication process as described above. FIG. 8 is a block diagram illustrating a configuration example of the first authentication server 7. The first authentication server 7 illustrated in FIG. 8 includes a first authentication communication unit 701 and a first authentication unit 702.

  The first authentication communication unit 701 is a receiving unit that receives a first service authentication request, an IP address, and terminal specific information from the mobile terminal 1. Further, the first authentication communication unit 701 receives a second service authentication request for requesting execution of the second service authentication process for the mobile terminal 1 from the service server 9. The second service authentication request includes session information for managing communication between the mobile terminal 1 to be subjected to the second service authentication process and the service server 9. The second service authentication process may be referred to as a session authentication process.

  When the first authentication communication unit 701 receives the first service authentication request, the first authentication unit 702 transmits an authentication information request to the mobile terminal 1 that has transmitted the first service authentication request. When the first authentication communication unit receives the IP address and the terminal unique information, the first authentication unit 702 determines that the same combination of the received terminal unique information and the IP address is the determination information in the connection information storage device 3 ( Alternatively, the address authentication process for the mobile terminal 1 is performed by confirming whether or not it is stored as connection information). At this time, the first authentication unit 702 determines that the authentication is successful if the same set is stored, and determines that the authentication fails if the same set is not stored. When the first authentication communication unit receives only the IP address, the first authentication unit 702 stores the same IP address as the received IP address as determination information (or connection information) in the connection information storage device 3. The address authentication process for the mobile terminal 1 may be performed by confirming whether or not At this time, the first authentication unit 702 determines that the authentication is successful if the same IP address is stored, and determines that the authentication fails if the same IP address is not stored.

  When the first authentication unit 702 performs the first service authentication process, the first authentication unit 702 transmits a first authentication response that is an authentication result of the first service authentication process to the mobile terminal 1. At this time, if the authentication is successful, the first authentication unit 702 generates unique session information for managing communication between the mobile terminal 1 and the service server 9 using a predetermined method, and the session information is generated. It is included in the first authentication response. Then, the first authentication unit 702 acquires a user ID corresponding to the received terminal specific information from the user information storage device 2, and generates the session information by using the acquired user ID, the generated session information, and the current date and time. The generation date / time information indicated as the date / time is associated with the session DB stored in the session information storage device 4 and added. Since the session information stored in the mobile terminal 1 is deleted at a predetermined deletion timing, the first authentication unit 702 also deletes or invalidates the session information stored in the session information storage device 4 at a predetermined invalid timing. May be used. For example, the first authentication unit 702 deletes the session information at a timing when a predetermined time (for example, 24 hours) has elapsed since the session information is stored, or when the session information is transmitted to the same mobile terminal 1. Or disable it.

  When the first authentication communication unit 701 receives the second service authentication request, the first authentication unit 702 uses the session information in the second service authentication request received by the first authentication communication unit 701 to A second service authentication process is performed. Specifically, the first authentication unit 702 checks whether or not the same session information as the session information in the second service authentication request is stored in the session information storage device 4, so that the second authentication for the mobile terminal 1 is performed. Perform service authentication processing. At this time, the first authentication unit 702 determines that the second service authentication process is successful when the same session information is stored, and determines that the second service authentication process is unsuccessful when the same session information is not stored. To do. When the validity determination information is associated with the session information, the first authentication unit 702 stores the same session information, and if the validity determination information associated with the session information indicates validity, It is determined that the two-service authentication process is successful.

  When the first authentication unit 702 performs the second service authentication process, the first authentication unit 702 transmits a second authentication response, which is an authentication result of the second service authentication process, to the service server 9.

  The second authentication server 8 performs a first service authentication process for the mobile terminal 1. The first service authentication process performed by the second authentication server 8 is a non-address authentication process as described above. FIG. 9 is a block diagram illustrating a configuration example of the second authentication server 8. The second authentication server 8 illustrated in FIG. 9 includes a second authentication communication unit 801 and a second authentication unit 802. The second authentication communication unit 801 receives the first service authentication request, the user ID, and the password from the mobile terminal 1.

  The second authentication unit 802 is a non-address authentication unit that performs non-address authentication processing as the first service authentication processing. Specifically, when the second authentication communication unit 801 receives the first service authentication request, the second authentication unit 802 transmits an authentication information request to the mobile terminal 1 that has transmitted the first service authentication request. When the first authentication communication unit receives the user ID and password, the second authentication unit 802 confirms whether the same set as the received user ID and password set is stored in the user information storage device 2. Thus, the non-address authentication process for the mobile terminal 1 is performed. At this time, the second authentication unit 802 determines that the authentication is successful if the same set is stored, and determines that the authentication fails if the same set is not stored.

  When performing the first service authentication process, the second authentication unit 802 transmits a first authentication response, which is an authentication result of the first service authentication process, to the mobile terminal 1. At this time, if the authentication is successful, the second authentication unit 802 generates unique session information for managing communication between the mobile terminal 1 and the service server 9 using a predetermined method, and the session information is It is included in the first authentication response. Then, the second authentication unit 802 associates the received user ID, the generated session information, and the generation date / time information indicating the current date / time as the generation date / time of the session information, and stores the session stored in the session information storage device 4 Add to DB.

  The service server 9 is a service providing device that provides a network providing service to the mobile terminal 1. FIG. 10 is a block diagram illustrating a configuration example of the service server 9. The service server 9 illustrated in FIG. 10 includes a server communication unit 901 and a service providing unit 902. The server communication unit 901 receives a service request from the mobile terminal 1 and receives a second authentication response from the first authentication server 7.

  When the server communication unit 901 receives a service request, the service providing unit 902 transmits a second service authentication request including session information in the service request to the first authentication server 7.

  When the server communication unit 901 receives the second authentication response, the service providing unit 902 performs a second response process according to the second authentication response. Specifically, when the second authentication response indicates successful authentication, the service providing unit 902 provides the network providing service to the mobile terminal 1. When the second authentication response indicates a failure of authentication, the service providing unit 902 transmits error information indicating that the authentication by the second service authentication process has failed to the mobile terminal 1. When the second authentication response indicates that the authentication has failed, the service providing unit 902 may switch the connection destination of the mobile terminal 1 to the second authentication server 8 that performs non-address authentication. A password authentication request for requesting execution of the first service authentication using the user ID and password may be transmitted. Further, the service providing unit 902 may include the URL of the second authentication server 8 in the password authentication request.

  Next, the operation will be described.

  FIG. 11 is a sequence diagram for explaining the operation of the communication system of the present embodiment. In the following operation, for simplification of description, description of processing related to connection to the access network 11 and the base station 12 by the mobile terminal 1 and authentication for the connection is omitted.

  First, the terminal control unit 105 of the mobile terminal 1 acquires terminal specific information from the terminal storage unit 103, and sends a connection authentication request including the terminal specific information to the terminal communication unit 104, the access network 11, the base station 12, and the provider network. 13 to the network connection device 5 (step S111).

  The timing for transmitting the connection authentication request is not particularly limited. For example, the connection authentication request is transmitted at the following timing. First, when a SIM card is inserted into the mobile terminal 1 and the mobile terminal 1 is powered on, the terminal control unit 105 transmits a connection request for requesting connection to the Internet to the network connection device 5. When the connection communication unit 501 of the network connection device 5 receives the connection request, the connection control unit 503 transmits an identification information request for requesting terminal specific information to the mobile terminal 1. When the terminal communication unit 104 of the mobile terminal 1 receives the identification information request, the terminal control unit 105 transmits a connection authentication request.

  When receiving the connection authentication request, the connection communication unit 501 of the network connection apparatus 5 transmits the connection authentication request to the connection control unit 503. Upon receiving the connection authentication request, the connection control unit 503 connects to the user information storage device 2 via the connection communication unit 501. The connection control unit 503 performs connection authentication processing for the mobile terminal 1 based on the terminal specific information in the connection authentication request and the user information stored in the user information storage device 2 (step 112).

  The connection control unit 503 generates an authentication result of the connection authentication process as a connection response, and transmits the connection response to the mobile terminal 1 via the connection communication unit 501, the provider network 13, the base station 12, and the access network 11 ( Step S113).

  At this time, if the connection authentication process is successful, the connection control unit 503 allocates one of the unused IP addresses to the mobile terminal 1 based on the pool information stored in the connection storage unit 502, and the allocation The pool information is updated so that the IP address assigned to the mobile terminal 1 is already assigned. Further, the connection control unit 503 obtains a user ID corresponding to the terminal specific information in the connection authentication request from the user information storage device 2, and the first service authentication process in which the contract information corresponding to the user ID uses the IP address. If the address authentication process is available, the user ID and terminal specific information, the assigned IP address, and the status information indicating the connection are associated with each other and stored in the connection information storage device 3 as determination information. Further, the connection control unit 503 stores the acquired user ID, the assigned IP address, and start date / time information indicating the current date / time as the connection start date / time in the connection information storage device 3 as a connection log.

  The terminal communication unit 104 of the mobile terminal 1 receives the connection response and transmits the connection response to the terminal control unit 105. When receiving the connection response, the terminal control unit 105 performs connection response processing according to the connection response (step S114). For example, when the connection response indicates that the connection authentication process has failed, the terminal control unit 105 displays error information indicating that the connection to the Internet 14 could not be made on the display unit 101. When the connection response indicates that the connection authentication process is successful, the terminal control unit 105 stores the IP address included in the connection response in the terminal storage unit 103.

  On the other hand, the message control unit 603 of the message transmission device 6 monitors the determination information or connection log stored in the connection information storage device 3 via the message communication unit 601, and the user ID is newly added to the determination information or connection log. If so, it is determined that the network connection device 5 has newly assigned an IP address to the mobile terminal 1. Then, the message control unit 603 connects to the user information storage device 2 via the message communication unit 601, and acquires a telephone number that is terminal specific information corresponding to the newly added user ID from the user information storage device 2. . Thereafter, the message control unit 603 acquires the URL of the first authentication server 7 from the message storage unit 602, and sends a message including the acquired URL to the mobile terminal 1 having the acquired telephone number, the message communication unit 601, the provider Transmission is performed via the network 13, the base station 12, and the access network 11 (step S115).

  Note that the timing at which the message control unit 603 transmits a message is not particularly limited, but the timing at which a new user ID is added is desirable. In this case, for example, if the connection authentication request is transmitted when the mobile terminal 1 is powered on as described above, the message is also transmitted at the timing when the mobile terminal 1 is powered on.

  When the terminal communication unit 104 of the mobile terminal 1 receives the message, the terminal communication unit 104 transmits the message to the terminal control unit 105. When the terminal control unit 105 receives the message, the terminal control unit 105 displays the message on the display unit 101. Thereafter, when a selection operation for selecting the URL of the first authentication server in the message is performed on the operation unit 102, a terminal storage unit sends a first service authentication request to the first authentication server 7 indicated by the URL. 103 is transmitted through the terminal communication unit 104, the access network 11, the base station 12, and the provider network 13 in the terminal 103 (step S116).

  When receiving the first service authentication request, the first authentication communication unit 701 of the first authentication server 7 transmits the first service authentication request to the first authentication unit 702. When the first authentication unit 702 receives the first service authentication request, the first authentication communication unit 701, the provider network 13, the base station 12, and the access network request an authentication information request for requesting the IP address and terminal-specific information as authentication information. 11 to the mobile terminal 1 (step S117).

  When receiving the authentication information request, the terminal communication unit 104 of the mobile terminal 1 transmits the authentication information request to the terminal control unit 105. Upon receiving the authentication information request, the terminal control unit 105 acquires an IP address and terminal specific information from the terminal storage unit 103, and uses the IP address and terminal specific information as the terminal communication unit 104, the access network 11, the base station 12, and It transmits to the 1st authentication server 7 via the provider network 13 (step S118).

  When receiving the IP address and terminal specific information, the first authentication communication unit 701 of the first authentication server 7 transmits the IP address and terminal specific information to the first authentication unit 702. When receiving the IP address and the terminal specific information, the first authentication unit 702 connects to the connection information storage device 3 via the first authentication communication unit 701. Then, the first authentication unit 702 confirms whether or not the same set as the received set of the IP address and the terminal specific information is stored as the determination information (or connection log) in the connection information storage device 3, and the mobile A first service authentication process for the terminal 1 is performed (step S119). Here, when the first authentication unit 702 receives the IP address and the terminal specific information, the first authentication unit 702 further connects to the user information storage device 2 via the first authentication communication unit 701, and the contract information of the user information storage device 2. The mobile terminal 1 confirms whether the contract information of the user ID corresponding to the received IP address and terminal specific information indicates that the address authentication process, which is the first service authentication process using the IP address, is available. The first service authentication process may be performed on

  The first authentication unit 702 transmits a first authentication response, which is an authentication result of the first service authentication process, to the mobile terminal 1 via the first authentication communication unit 701, the provider network 13, the base station 12, and the access network 11. (Step S120). At this time, if the first service authentication process is successful, the first authentication unit 702 generates unique session information by a predetermined method and includes the session information in the first authentication response. Also, the first authentication unit 702 connects to the user information storage device 2 via the first authentication communication unit 701, and obtains a user ID corresponding to the terminal specific information in the first service authentication request from the user information storage device 2. To do. Then, the first authentication unit 702 connects to the session information storage device 4 via the first authentication communication unit 701, and indicates the acquired user ID, the generated session information, and the current date and time as the generation date and time of the session information. The generation date and time information is associated with each other and stored in the session information storage device 4.

  When receiving the first authentication response, the terminal communication unit 104 of the mobile terminal 1 transmits the first authentication response to the terminal control unit 105. Upon receiving the first authentication response, the terminal control unit 105 performs a first response process corresponding to the first authentication response (step S121). For example, when the first authentication response indicates an authentication failure, the terminal control unit 105 displays error information indicating that the authentication has failed on the display unit 101. When the first authentication response indicates successful authentication, the terminal control unit 105 stores the session information in the first authentication response in the terminal storage unit 103.

  Thereafter, the terminal control unit 105 sends a service request including session information stored in the terminal storage unit 103 using a predetermined application program via the terminal communication unit 104, the access network 11, the base station 12, and the provider network 13. And transmitted to the service server 9 (step S122). The service request may not include session information. In this case, when the server communication unit 901 of the service server 9 receives the service request, the service providing unit 902 transmits a session information request for requesting session information to the mobile terminal 1. When the terminal communication unit 104 of the mobile terminal 1 receives the session information request, the service providing unit 902 transmits the session information to the service server 9.

  When receiving the service request, the server communication unit 901 of the service server 9 transmits the service request to the service providing unit 902. Upon receiving the service request, the service providing unit 902 transmits a second service authentication request including session information in the service request to the first authentication server 7 via the server communication unit 901, the Internet 14, and the provider network 13. (Step S123)

  When receiving the second service authentication request, the first authentication communication unit 701 of the first authentication server 7 transmits the second service authentication request to the first authentication unit 702. When receiving the second service request, the first authentication unit 702 connects to the session information storage device 4 via the first authentication communication unit 701. Then, the first authentication unit 702 confirms whether or not the same session information as the session information in the second service request is stored in the session information storage device 4 as valid session information, and the second authentication for the mobile terminal 1 Service authentication processing is performed (step S124).

  The first authentication unit 702 transmits a second authentication response, which is an authentication result of the first service authentication process, to the service server 9 via the first authentication communication unit 701, the provider network 13, and the Internet 14 (step S125).

  When the server communication unit 901 of the service server 9 receives the second authentication response, the server communication unit 901 transmits the second authentication response to the service providing unit 902. When the service providing unit 902 receives the second authentication response, the service providing unit 902 confirms the second authentication response and performs second response processing according to the confirmation result (step S126). For example, when the second service authentication process is successful, the service providing unit 902 provides a service to the mobile terminal 1 (step S127). On the other hand, when the second service authentication process fails, the service providing unit 902 transmits error information indicating that the authentication has failed to the mobile terminal 1.

  In the above operation, when the user transmits a service request from the mobile terminal 1 to the service server 9 without performing the first service authentication process, the session information storage device 4 stores the session information corresponding to the mobile terminal 1. Since it is not stored, the second service authentication process fails. For this reason, the user cannot receive the network providing service provided by the service server 9. Therefore, the error information may include the URL of the second authentication server that performs the first service authentication process using the user ID and password. Further, the service providing unit 902 may switch the connection destination of the mobile terminal 1 to the second authentication server 8.

  According to the present embodiment described above, the connection information storage device 3 stores the IP address assigned by the network connection device 5. The first authentication communication unit 701 receives an IP address assigned to the mobile terminal from the mobile terminal 1. The first authentication unit 702 performs an address authentication process for authenticating the mobile terminal using the IP address received by the first authentication communication unit 701 and the IP address stored in the connection information storage device 3. For this reason, since authentication using an IP address assigned at the time of network connection is possible, even if the user does not recognize that an ID and a password have been assigned, authentication is performed and the network providing service is used. It becomes possible. Therefore, the convenience of authentication can be improved.

(Second Embodiment)
In the present embodiment, the first authentication unit 702 of the first authentication server 7 invalidates the address authentication process using the IP address at a predetermined invalid timing, and thereafter, as the first service authentication process, the second authentication server 8 Only the non-address authentication process performed by the second authentication unit 802 is valid.

  The invalid timing is a timing at which a predetermined period (for example, 30 days) has elapsed from a predetermined time point such as a contract date or a use start date. In this case, for example, in the first authentication server 7, when the first authentication communication unit 701 receives the first service authentication request, the first authentication unit 702 determines whether or not the address authentication process is invalid as follows. That is, the first authentication unit 702 confirms the contract date or the use start date indicated by the contract information corresponding to the terminal-specific information received from the mobile terminal 1 in the user information stored in the user information storage device 2, and from that date It is determined whether or not a predetermined period has elapsed. The first authentication server 7 validates the address authentication process when the predetermined period has not elapsed, and invalidates the address authentication process when the predetermined period has elapsed.

  The contract information may further indicate whether or not the address authentication process is valid. In this case, when the first authentication communication unit 701 receives the first service authentication request, the first authentication unit 702 checks whether or not the contract information indicates that the address authentication process is valid, and the address authentication process is valid. As described above, the contract date or the start date of use indicated by the contract information is checked to determine whether the address authentication process is valid. If it is determined that the address authentication process is invalid, the contract information is invalidated. Update to show. In addition, in the user information stored in the user information storage device 2, information indicating whether or not the address authentication process is valid may be associated with the user ID separately from the contract information.

  The invalid timing is not limited to the above example. For example, the invalid timing may be a timing when an administrator of the first authentication server 7 or the service server 9 sets invalidity of the address authentication process. The timing at which the administrator or the like sets invalidity of the address authentication processing includes the timing at which the administrator receives notification of the loss of the mobile terminal 1 from the user, the timing at which the membership card is mailed to the user, and the contract regarding the address authentication processing is canceled For example, the timing of completion.

  When the address authentication process is invalidated, the first authentication unit 702 transmits, for example, a password authentication request for requesting execution of the first service authentication process using a user ID and a password to the mobile terminal 1. The password authentication request may include the URL of the second authentication server that performs the first service authentication process using the user ID and password. The first authentication unit 702 may switch the connection destination of the mobile terminal 1 to the second authentication server 8.

  According to the present embodiment, it is possible to perform the address authentication process only for a necessary period, so that the convenience of authentication can be further improved.

  In each embodiment described above, the illustrated configuration is merely an example, and the present invention is not limited to the configuration.

  For example, the function of each device in the communication system described in each embodiment is to record a program for realizing the function on a computer-readable recording medium, and store the program recorded on the recording medium. It may be realized by being read and executed by a computer.

  In addition, an information processing apparatus installed in a home such as a desktop PC may be used instead of the mobile terminal 1, or an ADSL (Asymmetric Digital Subscriber Line) is used instead of the access network 11 and the base station 12. A wired network such as a network or an optical line network may be used.

  Also, a part of each of the user information storage device 2, connection information storage device 3, session information storage device 4, network connection device 5, message transmission device 6, first authentication server 7, second authentication server 8 and service server 9. Or all may be integrated. For example, the network connection device 5 and the message transmission device 6 may be integrated, the first authentication server 7 and the second authentication server 7 may be integrated, the connection information storage device 3 and the session information storage device. 4 may be integrated. At this time, the determination information and the session DB may be configured by the same data table.

DESCRIPTION OF SYMBOLS 1 Mobile terminal 2 User information storage device 3 Connection information storage device 4 Session information storage device 5 Network connection device 6 Message transmission device 7 First authentication server 8 Second authentication server 9 Service server 11 Access network 12 Base station 13 Provider network 14 Internet 101 display unit 102 operation unit 103 terminal storage unit 104 terminal communication unit 105 terminal control unit 601 message communication unit 602 message storage unit 603 message control unit 701 first authentication communication unit 702 first authentication unit 801 second authentication communication unit 802 second Authentication unit 901 Server communication unit 902 Service providing unit

Claims (9)

A storage unit for storing an IP address assigned to the information processing apparatus in a predetermined network connection apparatus;
A receiving unit that receives an IP address assigned to the information processing apparatus from the information processing apparatus;
A first authentication unit that performs an address authentication process for authenticating the information processing apparatus using the IP address received by the reception unit and the IP address stored in the storage unit;
A second authentication unit that performs an identification information authentication process for authenticating the information processing apparatus using authentication information different from the IP address ;
The storage unit further stores availability information indicating whether or not the address authentication process can be used in correspondence with the information processing apparatus,
In addition to the address authentication process, the first authentication unit performs a process of confirming whether or not the use information indicates that the address authentication process is available to the information processing apparatus. To authenticate the information processing device ,
The authentication system, wherein the first authentication unit invalidates the address authentication process at a predetermined invalid timing and requests the information processing apparatus to execute the identification information authentication process by the second authentication unit . A storage unit for storing an IP address assigned to the information processing apparatus in a predetermined network connection apparatus;
A receiving unit that receives an IP address assigned to the information processing apparatus from the information processing apparatus;
A first authentication unit that performs an address authentication process for authenticating the information processing apparatus using the IP address received by the reception unit and the IP address stored in the storage unit;
And a second authentication unit that performs identity authentication process for authenticating the information processing apparatus by using a different authentication information from the IP address,
The storage unit further stores availability information indicating whether or not the address authentication process can be used in correspondence with the information processing apparatus,
In addition to the address authentication process, the first authentication unit performs a process of confirming whether or not the use information indicates that the address authentication process is available to the information processing apparatus. To authenticate the information processing device ,
The first authentication unit invalidates the address authentication process when the predetermined period has elapsed from the predetermined date information indicated by the availability information at the timing of performing the address authentication process, and causes the information processing apparatus to An authentication system that requests execution of the identification information authentication process by the second authentication unit . A storage unit for storing an IP address assigned to the information processing apparatus in a predetermined network connection apparatus;
A receiving unit that receives an IP address assigned to the information processing apparatus from the information processing apparatus;
A first authentication unit that performs an address authentication process for authenticating the information processing apparatus using the IP address received by the reception unit and the IP address stored in the storage unit;
A second authentication unit that performs an identification information authentication process for authenticating the information processing apparatus using authentication information different from the IP address ;
The storage unit further stores availability information indicating whether or not the address authentication process can be used in correspondence with the information processing apparatus,
In addition to the address authentication process, the first authentication unit performs a process of confirming whether or not the use information indicates that the address authentication process is available to the information processing apparatus. To authenticate the information processing device ,
When the first authentication unit succeeds in authenticating the information processing apparatus, the first authentication unit generates session information for managing communication with the information processing apparatus, and transmits the session information to the information processing apparatus.
A session information storage unit for storing session information generated by the first authentication unit;
The receiving unit receives session information for managing communication with the information processing apparatus from a service providing apparatus that provides a service to the information processing apparatus;
The first authentication unit performs session authentication processing for authenticating the information processing apparatus by confirming whether the same session information as the session information received by the reception unit is stored in the session information storage unit. ,
It said service providing apparatus, when the session authentication processing fails, requests the execution of the identification information authentication process by the second authentication unit to the information processing apparatus, the authentication system. The storage unit stores the assigned IP address and unique information unique to the information processing apparatus to which the IP address is assigned in association with each other,
The receiving unit further receives unique information unique to the information processing apparatus from the information processing apparatus;
In the address authentication process, the first authentication unit confirms whether or not the same set as the set of the IP address and unique information received by the receiving unit is stored in the storage unit. authenticate, the authentication system according to any one of claims 1 to 3. When the network connection apparatus newly assigns an IP address to the information processing apparatus, if the address authentication processing indicates that the address authentication process can be used in the availability information corresponding to the information processing apparatus, the IP address is stored in the storage unit. authentication system according to the connection with the control unit, any one of claims 1 to 4 for storing the. An authentication method performed by an authentication system having a storage unit that stores availability information indicating whether or not address authentication processing for authenticating using an IP address corresponding to an information processing device is available,
Storing the IP address assigned to the information processing device by the authentication system in a predetermined network connection device in the storage unit;
The authentication system receiving an IP address assigned to the information processing apparatus from the information processing apparatus;
The authentication system performing an address authentication process for authenticating the information processing apparatus using the received IP address and the IP address stored in the storage unit;
The authentication system performing identification information authentication processing for authenticating the information processing apparatus using authentication information different from the IP address;
The authentication system confirms whether or not the address authentication process is available to the information processing apparatus by the use permission / prohibition information, thereby performing a process of authenticating the information processing apparatus. Steps to do,
An authentication method comprising: invalidating the address authentication process at a predetermined invalid timing and requesting the information processing apparatus to execute the identification information authentication process . An authentication method performed by an authentication system having a storage unit that stores availability information indicating whether or not address authentication processing for authenticating using an IP address corresponding to an information processing device is available,
Storing the IP address assigned to the information processing device by the authentication system in a predetermined network connection device in the storage unit;
The authentication system receiving an IP address assigned to the information processing apparatus from the information processing apparatus;
The authentication system performing an address authentication process for authenticating the information processing apparatus using the received IP address and the IP address stored in the storage unit;
The authentication system performing identification information authentication processing for authenticating the information processing apparatus using authentication information different from the IP address;
The authentication system confirms whether or not the address authentication process is available to the information processing apparatus by the use permission / prohibition information, thereby performing a process of authenticating the information processing apparatus. Steps to do,
When the authentication system performs the address authentication process, if a predetermined period has elapsed from the predetermined date information indicated by the availability information, the address authentication process is invalidated and the information processing apparatus Requesting execution of the identification information authentication process . An authentication method performed by an authentication system having a storage unit that stores availability information indicating whether or not address authentication processing for authenticating using an IP address corresponding to an information processing device is available,
Storing the IP address assigned to the information processing device by the authentication system in a predetermined network connection device in the storage unit;
The authentication system receiving an IP address assigned to the information processing apparatus from the information processing apparatus;
The authentication system performing an address authentication process for authenticating the information processing apparatus using the received IP address and the IP address stored in the storage unit;
The authentication system performing identification information authentication processing for authenticating the information processing apparatus using authentication information different from the IP address;
The authentication system confirms whether or not the address authentication process is available to the information processing apparatus by the use permission / prohibition information, thereby performing a process of authenticating the information processing apparatus. Steps to do,
When the authentication system succeeds in authenticating the information processing apparatus, generating session information for managing communication with the information processing apparatus and transmitting the session information to the information processing apparatus;
The authentication system storing the generated session information in a session information storage unit;
The authentication system receiving session information for managing communication with the information processing apparatus from a service providing apparatus that provides a service to the information processing apparatus;
The authentication system performs a session authentication process for authenticating the information processing apparatus by confirming whether the same session information as the received session information is stored in the session information storage unit;
An authentication method comprising: requesting the information processing apparatus to execute the identification information authentication process when the service authentication apparatus fails in the session authentication process .   The program for making a computer perform each step of the authentication method of Claim 6 or 7.

Images