JP7077173B2 - Servers and terminals - Google Patents

Description

The present invention relates to a server, a terminal, and the like constituting a communication system that is resistant to man-in-the-middle attacks and the like.

With the development of communication technologies such as the Internet, it has become possible to receive services without actually going to a remote location. For example, Internet banking has become available, and depositors can now use Internet banking to inquire about balances, transfer money, transfer money, and apply for various services from their homes without actually going to a bank branch. rice field.

On the other hand, methods for committing fraud have been developed by being involved in communication via the Internet and the like. For example, man-in-the-browser attacks and man-in-the-midle attacks are known as man-in-the-middle attacks. Man-in-the-middle attack is a method of interrupting in the middle of communication, falsifying data related to communication, and transferring it to a server or terminal. For example, when the user is using Internet banking, the account number specified by the user as the transfer destination is falsified, rewritten to an unauthorized transfer destination, and transferred to the Internet banking server.

For example, Patent Document 1 is known as a technique for detecting the existence of such a man-in-the-middle attack.

U.S. Pat. No. 7,721,333 U.S. Pat. No. 8,370,899

However, even if the existence of a man-in-the-middle attack can be detected as in Patent Document 1, secure communication cannot be performed. Therefore, the present invention provides a technique for more secure communication even in the presence of a man-in-the-middle attack.

As an embodiment of the present invention, a server device having a data receiving unit and a data selecting unit is provided. The data receiving unit receives the genuine data transmitted from the terminal device and input by the user of the terminal device and the fake data generated by the terminal device. The data selection unit selects genuine data from genuine data and false data received by the data receiving unit.

As an embodiment of the present invention, a terminal device having a data receiving unit, a data adding unit, and a data transmitting unit is provided. The data receiving unit receives the data input by the terminal device. The data addition unit adds fake data generated by the terminal device to the genuine data received by the data reception unit. The data transmission unit transmits the data received by the data reception unit and the fake data added by the data addition unit by the data addition unit.

According to the present invention, even if there is a man-in-the-middle attack, communication can be performed more securely.

It is a functional block diagram of the communication system which concerns on one Embodiment of this invention. It is an example diagram of the screen transition in the terminal of the communication system which concerns on one Embodiment of this invention. It is an example diagram of the data sent and received by the communication system which concerns on one Embodiment of this invention. It is a sequence diagram of the processing of the communication system which concerns on one Embodiment of this invention. It is a flowchart of the processing of the terminal of the communication system which concerns on one Embodiment of this invention. It is a flowchart of the process of the server of the communication system which concerns on one Embodiment of this invention. It is a functional block diagram of the communication system which concerns on one Embodiment of this invention.

Hereinafter, embodiments for carrying out the present invention will be described as some embodiments. It should be noted that the present invention can be implemented by variously modifying these embodiments. Therefore, the present invention is not construed as being limited to these embodiments.

(Embodiment 1)
FIG. 1 is a functional block diagram of a communication system according to the first embodiment of the present invention. The communication system 100 includes a terminal 101 and a server 102, and the terminal 101 and the server 102 can communicate with each other via a communication network 10 such as the Internet. Although only one terminal is shown as the terminal 101 in FIG. 1, an arbitrary number of terminals may be able to communicate with the server 102 via the communication network 10 or the like. .. Further, although only one server is shown as the server 102 in FIG. 1, the configuration may be realized by an arbitrary number of servers, such as sharing the functions of the server 102 among a plurality of servers. ..

The terminal 101 has a field data receiving unit 104, a fake field data adding unit 105, and a browser unit 103 including a field data transmitting unit 106. Generally, the terminal 101 is a communication device such as a personal computer or a smart phone, and the user of the terminal 101 operates the browser on the terminal 101 to communicate with the server 102. Therefore, the browser operating on the terminal 101 is used. , The browser unit 103. However, the browser unit 103 is not limited to the browser, and may be a dedicated program for communicating with the server 102.

The field data receiving unit 104 receives the data input to the field. Here, the field is an input area displayed on the display by a browser or the like for inputting information. For example, a text area for inputting character string information, a radio button for inputting a selection, and the like are examples of an input area.

More specifically, the field data receiving unit 104 receives, for example, the transfer amount input as a character string in the text area. Further, as another example, selection by a radio button or the like for designating a savings account or a checking account is accepted.

Further, the field data receiving unit 104 may also be able to receive whether or not the link displayed on the display has been selected by a mouse or the like. Further, the button may be regarded as a field, and the fact that the button is pressed or that the mouse cursor is positioned on the button may be input to the field called the button.

Fields such as input areas and links can be displayed in the screen displayed on the display. In this case, the screen is a screen corresponding to a browser or a dedicated program.

The field data receiving unit 104 can receive the data input to the field when, for example, the Submit button on the browser screen is pressed. In addition, when an event indicating that the mouse cursor is positioned on the field or the mouse cursor moves on the field and is clicked occurs due to a script or the like, the field data is accepted by the event processing function corresponding to the event. The unit 104 may operate and be able to accept the data input in the field.

Control of whether or not the field data receiving unit 104 operates may be enabled by, for example, a script embedded in screen information described by HTML transmitted from the transmitting unit of the server 102. Further, such a script may be read and operated by the terminal 101 from another source referenced from the screen information.

The fake field data addition unit 105 generates fake data and adds it to the data received by the field data reception unit 104. The fake data is data that the user of the terminal 101 does not intend to input and transmit. In other words, it is data generated regardless of the user's intention. For example, it can be generated by executing the program transmitted from the transmission unit of the server 102 on the terminal 101. Alternatively, it can be generated by generating a random number at the terminal 101. The above script can also be mentioned as such a program.

When the data received by the field data receiving unit 104 is expressed as genuine data, when the genuine data is expressed as a character string, it is preferable that the false data is also expressed as a character string. Further, in this case, it is preferable that each character of the fake data character string has the same attribute as each character of the genuine data. For example, the characters constituting the character string can be classified into characters having attributes such as numbers, alphabetic characters, and kana characters. Therefore, if the genuine data contains numbers, the fake data also contains numbers, and if the genuine data contains English characters, the fake data also contains English characters, and the genuine data contains pseudonyms. If the characters are included, the pseudonym characters may be included in the fake data. As a result, when the amount data or the account number is genuine data, fake data is also generated as data interpreted as the amount data or the account number, which is the genuine data for a man-in-the-middle attacker. This can make it difficult to determine which is fake data.

Further, the program for generating fake data transmitted from the transmitter of the server 102 is not limited to one, and the server 102 is selected from a plurality of programs providing the same function. It may be transmitted by the transmitting unit. Further, in this case, it is preferable that the selection from the plurality of programs is, for example, a random selection. Further, a program other than the program transmitted to the terminal 101 in the past may be selected. As a result, for a person who performs a man-in-the-middle attack or the like, a different program is executed on the terminal 101 each time, which makes analysis or the like difficult. Further, the program transmitted from the transmission unit of the server 102 may be a program generated by the server 102 each time the transmission is performed.

Further, the number of screens described by HTML or the like transmitted from the transmission unit of the server 102 is not limited to one. For example, when a screen transition occurs and the HTML description of the transition destination screen is transmitted by the transmitter of the server 101, the HTML description of the screen for executing the program that generates fake data However, it may be transmitted from the transmission unit of the server 102 separately from the description by HTML or the like on the screen for inputting genuine data. In this case, it is preferable that the screen described by HTML or the like of the screen for executing the program for generating fake data is not displayed on the display of the terminal 101. For example, it is displayed at a coordinate position outside the range that can be displayed on the display.

Further, the program transmitted from the transmission unit of the server 102 may be executed in the area protected by the sandbox function of the browser.

The field data transmission unit 106 transmits the data received by the field data reception unit 104 and the fake data added by the fake field data addition unit 105 to the server 102 via the communication network 10.

The server 102 includes a processing unit 107, and the processing unit 107 includes a field data receiving unit 108 and a genuine field data selection unit 109. The processing unit 107 is a unit that processes the data transmitted by the field data transmission unit 106 of the terminal 101. For example, it can be realized by one module of the program operated by the server 102.

The field data receiving unit 108 receives the data transmitted by the field data transmitting unit 106 of the terminal 101 via the communication network 10. Therefore, the field data receiving unit 108 receives the data received by the field data receiving unit 104 of the terminal 101 and the fake data added by the fake field data adding unit 105 of the terminal 101. For example, the data is read through the I / O interface of the server 102 and written to a predetermined address in the memory of the server 102.

The genuine field data selection unit 109 selects genuine data, which is data excluding false data, from the data received by the field data receiving unit 108. The genuine data is the data received by the field data receiving unit 104 of the terminal 101. In other words, it is the data that the user intended to input or send.

The genuine field data selection unit 109 is, for example, a program transmitted to the terminal 101, and can also select genuine data based on a program for generating fake data. For example, the server 102 is provided with a recording unit (not shown), and the recording unit associates information identifying a program transmitted to the terminal 101 with an identifier of the terminal 101 or an identifier of a session with the terminal 101. And record. Then, the genuine field data selection unit 109 searches for a database or the like that stores information for discriminating fake data generated by the program by using the information for identifying the program recorded in the recording unit, thereby fake data. It is also possible to distinguish between genuine data and genuine data.

Further, when the screen description by a plurality of HTML or the like is transmitted to the terminal 101, the field having the HIDDEN attribute includes information that enables it to be determined whether the fake data is from the generated screen. You may do so.

FIG. 2 shows an example of screen transition of the screen displayed on the display displayed on the terminal 101. For example, assume that the server 102 is a server for providing an Internet banking service of a bank. When the user of the terminal 101 selects a link to the server 102 on the portal site or inputs the URL of the server 102 into a browser or the like,
Data described by HTML or the like is transmitted from the server 102 to the terminal 101, and the screen 201 illustrated in FIG. 2A as a login screen is displayed on the display of the terminal 101.

In FIG. 2A, the screen 201 displays an input area 202 for inputting a customer number and an input area 203 for inputting a password. When the user inputs his / her own customer number and password and performs an operation such as pressing the return key, the customer number and password are transmitted to the server 102 as authentication information, and the server 102 authenticates.

If the authentication is successful, the server 102 transmits the data described by HTML or the like for selecting the service required by the user from the Internet banking services to the terminal 102.

FIG. 2B shows an example in which a screen 211 for selecting a service required by a user is displayed on the display of the terminal 102. On the screen 211, a balance inquiry button 212 for confirming the balance of the account and a transfer button 213 for making a transfer are shown.

When the user presses the transfer button 213 or the like, a screen for inputting data for transfer is displayed on the display of the terminal 102. The screen 221 shown in FIG. 2 (c) is an example of a screen for inputting data for transfer.

The user inputs the bank name of the transfer destination in the input area 222, and inputs the branch name of the bank of the transfer destination in the input area 223. Further, the user inputs the type of the transfer destination account in the input area 224, inputs the transfer destination account number in the input area 225, and inputs the transfer amount in the input area 226. The screen for inputting the data for these transfers may be composed of a plurality of screens.

When the user presses the transfer button 227, the field data receiving unit 104 operates and receives the data input to the input areas 222 to 226. For example, when the browser operating on the terminal 101 displays the screens shown in FIGS. 2A to 2C, the field data receiving unit 104 uses the data input by the browser in the input areas 222 to 226. Read data from the memory area where the data is stored.

For example, in the case of FIG. 2C, "rich" is in the input area 222, "golden" is in the input area 223, "normal" is in the input area 224, and "normal" is in the input area 225. , "1234567" is input, and "100,000" is input to the field data 226. Therefore, in the field data receiving unit 104, the browser is "rich", "golden", "normal", "12344567", "100,000" from the memory area in which the data input to the input areas 222 to 226 is stored. "Read out.

In order to transmit the read data to the server 102, the field data receiving unit 104, for example, as shown in FIG. 3A, "bank =" rich "& branch =" golden "& account =" normal "& It can be converted into the data of number = "12345667" & amount = "100,000" & Ser = 10. The converted data "Ser = 10" indicates a data number or the like, and is not essential for the present invention.

Next, the fake field data addition unit 105 generates fake data and adds it to the data received by the field data reception unit 104. For example, as shown in FIG. 3 (b), "bank =" poor "& branch =" earth and stone "& account =" ordinary "& number =" 7654321 "& amount =" 40,
Generates fake data such as "000"& Ser = 20 "and" Bank = "Smooth"& Branch = "Full sail"& Account = "Current"& Number = "5671234"& Amount = "120,000"& Ser = 30 " Then, add it to the data "Bank =" Rich "& Branch =" Golden "& Account =" Normal "& Number =" 1234567 "& Amount =" 100,000 "& Ser = 10".

Here, "bank =" poor "& branch =" earth and stone "& account =" normal "& number =" 7654321 "& amount =" 40,000 "& Ser = 20" and "bank =" smooth "& branch =" The fake data of "full sail" & account = "current" & number = "5671234" & amount = "120,000" & Ser = 30 "is different from the data entered by the user on the screen 221 and is used. It is generated regardless of the person's intention. In this way, the fake field data addition unit 105 generates fake data that is different from a part or all of the data received by the field data reception unit 104.

In the example shown in FIG. 3B, the order of the names of the data items such as "bank" and "branch" is the same for the genuine data and the fake data, but the order of the names of the data items is the authentic data and It may be different for each of the fake data. However, the order of the names of the data items is the same for the genuine data and the fake data, and the value of the data item (for example, "rich", "poor", "smooth" for the data item "bank") is a character string. It is preferable that the attributes of are the same in the genuine data and the false data as described above. In this case, "rich", "poor", and "smooth" are character strings having the attribute of Chinese characters.

Next, the field data transmission unit 106 transmits the data received by the field data reception unit 104 and the fake data added by the fake field data addition unit 105 to the server 102 via the communication network 10.

The field data transmission unit 106 may transmit the data shown in FIG. 3B in series to the server 102 using one session. Alternatively, the data shown as each row in FIG. 3B may be transmitted in parallel to different sessions by enabling communication with the server 102 by a plurality of sessions.

In FIG. 3B, the data received and converted by the field data receiving unit 104 is arranged and shown in the first line. However, the present invention is not limited to this, and the data received and converted by the field data receiving unit 104 may be arranged at an arbitrary position.

For example, the hash values of the data received and converted by the field data receiving unit 104 and the data added by the fake field data adding unit 105 are calculated, the hash values are interpreted as numerical values, and the fields are sorted in ascending or descending order. The data transmission unit 106 can also transmit data.

The data transmitted by the field data transmission unit 106 is received by the field data reception unit 108 of the server 102 and stored in the memory area of the server 102.

Next, the genuine field data selection unit 109 selects genuine data that is data excluding the data added by the false field data addition unit 105 from the data stored in the memory area. The selected data is transferred to a unit (module) that performs subsequent processing of the processing unit 107. In this case, the data is transferred as "bank =" rich "& branch =" golden "& account =" normal "& number =" 1234567 "& amount =" 100,000 "& Ser = 10".

There are several conceivable methods for the authentic field data selection unit 109 to determine whether or not the data is authentic. For example, the fake field data addition unit is generated by storing the genuine data transmitted by the user using the terminal 101 in the previous session in the storage unit of the terminal 101 and reading the stored data in the next session. Then, it is added to the data received by the field data receiving unit 104. The authenticity field data selection unit 109 determines that the data received in the previous session is not authentic, and determines that the data not received in the previous session is authentic.

In the transfer process, the same user may transfer the same amount to the same transfer destination at different dates and times, and in this case, the data that should be genuine has been sent even in the previous session. It may be judged as fake data. Therefore, as shown in FIG. 3, the field data receiving unit 104 may add data for distinguishing from the data transmitted to the previous session, for example, "Ser = 10", to the received data. ..

Further, as described above, when the genuine field data selection unit 109 sorts and transmits data based on the hash value of data and fake data, it is specific in the order in which the data and fake data are received. The data arranged at the position may be used as genuine data. The user may determine which position to use by inputting a number generated by, for example, a token card given to the user.

FIG. 4 shows a sequence diagram of transmission and reception in the system 100. In step S401, the screen information request is transmitted from the terminal 101 to the server 102. This screen information request is for requesting screen information which is a description by HTML or the like of the authentication screen shown in FIG. 2 (a).

In step S402, the server 102 transmits the screen information to the terminal 101 in response to the screen information request. When the screen information is received at the terminal 101, for example, the screen 201 is displayed on the display of the terminal 101.

When the user inputs necessary information (authentication information in this case) on the screen 201 displayed on the display of the terminal 101, the authentication information is transmitted from the terminal 101 to the server 102 in step S403.

If the authentication is successful in the server 102, the next screen information is transmitted from the server 102 to the terminal 101 in step S404. The next screen information is, for example, a description by HTML for displaying the screen 211 on the display of the terminal 101.

The screen 211 is displayed on the display of the terminal 101, and when the user selects a transfer by, for example, pressing the transfer button 213, selection information indicating the content of the selection is transmitted from the terminal 101 to the server 102 in step S405. ..

When the server 102 receives the selection information, the next screen information is transmitted in step 406 according to the received selection information, and the terminal 102 receives the selection information. The next screen information is described by, for example, HTML for displaying the screen 221 on the display of the terminal 101.

When the screen 221 is displayed on the display of the terminal 101, the user inputs the information necessary for the transfer, and the transfer button 227 is pressed, the field data reception unit 104, the fake field data addition unit 105, and the field are as described above. The data transmission unit 106 operates, and the data as shown in FIG. 3B is transmitted from the terminal 101 to the server 102 in step S407.

After that, in the server 102, the field data receiving unit 108 and the genuine field data selection unit 109 operate, the selected transfer process is performed, and when the process is completed, the process is completed from the server 102 to the terminal 101 in step S408. The completion screen information for displaying the result on the display of the terminal 101 is transmitted from the server 102 to the terminal 101.

FIG. 5 is a flowchart illustrating processing in the terminal 101. In step S501, wait until, for example, the transfer button 227 is pressed. In step S502, the data input to the input area is read by the field data receiving unit 104. In step S503, the fake field data addition unit 105 adds fake data. In step S504, data is transmitted by the field data transmission unit 106.

FIG. 6 is a flowchart illustrating processing in the server 102. In step S601, wait until the data is received by the field data receiving unit 108. When the data is received by the field data receiving unit 108, the received data is stored in the memory of the server 102. In step S603, the authenticity field data selection unit 109 selects authentic data. In step S604, processing is performed using the genuine data selected by the genuine field data selection unit 109.

As described above, in the present embodiment, false data that is not genuine is added to the data input by the user to the terminal and transmitted to the server. For this reason, even if a man-in-the-middle attack is performed, it becomes difficult to determine which is genuine data, and damage due to falsification or the like is reduced. Therefore, more secure communication is realized.

Further, when a man-in-the-middle attack is performed, the content of the communication is rewritten by the man-in-the-middle, but the rewriting is fluctuated in the time when the data and the fake data are received by the field data receiving unit 108 of the server 102. It is also possible to detect by. Further, if it is clear that a long period of time has passed, the transaction or transaction generated by the communication may be canceled. An average of the time from when a certain screen is displayed on the terminal to when the data transmitted from the terminal is received is calculated from the communication history so far, and for example, three times or more time has elapsed from the average. In some cases, it is clear that a long time has passed. It is preferable to calculate the average of such time for each user.

(Embodiment 2)
In the first embodiment, fake data is added to the genuine data input by the user and transmitted. In the second embodiment of the present invention, in addition to adding fake data to the data input by the user, a fake workflow is generated in addition to the genuine workflow operated by the user, making it difficult for a man-in-the-middle attack. Explain what to do.

FIG. 7 shows a functional block diagram of the system 700 according to the present embodiment. The system 700 includes a terminal 701 and a server 702, and the terminal 701 and the server 702 can communicate with each other via a communication network 70 such as the Internet. Similar to the first embodiment, the number of terminals and the number of servers are not limited to one, and the system 700 may be configured with any number of terminals.

The terminal 701 has a browser unit 703, and the browser unit 703 has a user workflow unit 704 and a fake workflow unit 705. The server 702 has a user workflow processing unit 706 and a fake workflow processing unit 707.

The user workflow unit 704 is a unit that executes a workflow by screen transition by the user on the terminal 701. For example, the screen is displayed according to the screen information transmitted from the server 702 like a normal browser, a request or the like is transmitted to the server 702 according to the user's operation, and the screen information transmitted accordingly is displayed next. do.

The user workflow processing unit 706 processes the request generated by the user workflow unit 704 and transmits the screen information to be displayed next on the display of the terminal 701 to the terminal 701.

The fake workflow unit 706 executes a fake workflow that is not intended by the user on the terminal 701. For example, data indicating the state transition of the screen transition is stored in the memory of the terminal 701, and a request for moving to the next state is transmitted to the server 702 according to the data indicating the state transition, and is transmitted accordingly. Repeatedly receiving screen information. For example, when there is a branch in the state transition, the branch destination is randomly selected and the workflow is executed.

The fake workflow unit 707 processes the request generated by the fake workflow unit 706 and transmits the next screen information to the terminal 701.

Whether it is a workflow by the user workflow unit 704 or a workflow by the fake workflow unit 705 is determined by, for example, when the user is authenticated in each workflow, the workflow that succeeds in the authentication is the workflow by the user workflow unit 704. Therefore, the workflow for which authentication has failed can be a workflow by the fake workflow unit 705.

In the present embodiment, as in the first embodiment, the user workflow unit 704 adds fake data and sends it to the server, and the user workflow processing unit 706 selects genuine data and performs processing. You can also do it.

In this embodiment, a plurality of workflows are generated, including a fake workflow. For this reason, even if a man-in-the-middle attack is performed, it becomes difficult to determine which is the genuine workflow, and damage due to falsification or the like is less likely to occur. Therefore, more secure communication is realized.

(Embodiment 3)
In the second embodiment, the true workflow and the fake workflow are mainly described as different workflows. However, the present invention is not limited to this, and when a screen transition occurs in a genuine workflow, a fake workflow can be branched from the genuine workflow.

In this case, when the user workflow processing unit 706 processes the screen transition or the like, information indicating that the screen transition or the like has been processed is transmitted to the fake workflow processing unit 707, and the fake workflow processing unit 707 changes from a genuine workflow to a fake. The screen information for branching the workflow is transmitted to the fake workflow unit 705 of the terminal 701. In this case, it is preferable that the screen information for branching the fake workflow is not displayed on the display of the terminal 701. For example, by setting the coordinate position where the screen information for branching the fake workflow is displayed outside the display range of the display of the terminal 701, the screen information for branching the fake workflow is removed from the rendering target.

Further, when the fake workflow branches from the genuine workflow, the number of fake workflows is not limited to 1, and can be any number.

100 system, 101 terminal, 102 server, 103 browser unit, 104 field data reception unit, 105 false field data addition unit, 106 field data transmission unit, 107 processing unit, 108 field data reception unit, 109 genuine field data selection unit 109

Claims (1)

Authentic data transmitted from the terminal device and input by the user of the terminal device, fake data generated by the terminal device and having the same data items as the genuine data, and genuine data transmitted and previously. A data receiver that receives control information to distinguish it from the data sent to the session in
A data selection unit that selects genuine data from genuine data and false data received by the data receiving unit, and a data selection unit.
Have,
The data selection unit is a server device that uses the same data as fake data including the data previously transmitted from the terminal device and the control information.

Images