JPH10145356A - Information transmitting and receiving control method with user identifying function and recording medium recording method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To dispense with the read/write of a storing medium by the side of a person to be identified and to safely execute user identifying processing by a small program size by initially register the initial values and the identification A of identification data of this time and a time after next and its propriety inspecting data Wn-1 , Wn +1 and Mn , allowing both of a user and a server to calculate through the use of a unidirectional function each time of the identifying request of the user and identifying the user, when these data to increment match. SOLUTION: E is the unidirectional function, and S is a password which the user holds secretly. (+) is exclusive OR. The user initially registers V0 =E(A, S), W0 =E(A, V0 ), V1 =E(A, S(+)1), W1 =E(A, V1 ), M0 =E(W1 , V0 ). The server calculates Vn-1 =E(A, S(+)(n-1)), Vn =E(A, S(+)n), Vn+1 =E(A, S(+)(n+1)), Wn+1 =E(A, Vn+1 ), Mn =E(Wn+1 , Vn ) as an n-th identification value and compares it with a value received from the user.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for performing user authentication using a password with a high-speed and small program in a network such as the Internet which is easily eavesdropped, that is, in which security (security) is not sufficient. The present invention relates to an information transmission / reception control method (protocol) that can safely transmit and receive information.

[0002]

2. Description of the Related Art With the spread of the Internet, it has become indispensable to authenticate the qualifications of a communication partner and a user during communication. There are various technologies for the authentication method, and they can be roughly classified into two types, one using a public key encryption method and one using a common key encryption method.

[0003] Among them, the method using the public key encryption method has an excellent authentication capability due to its nature, and is expected to be applied to electronic transactions and the like. However, it takes time to process and the program size is large, so PD
In the case of embedding into a terminal having a low processing capability such as A (Personal Digital Assistant: portable terminal) or a communication protocol related to the Internet, there is a problem that its application area is limited.

[0004] Therefore, in such an application area, a method applying a common key type encryption method which can perform much higher processing than the public key encryption method, particularly a password authentication method is often used. The basic password authentication procedure is as follows. First, the subject registers a password with the certifier. At the time of authentication, the subject sends a password to the certifier. The certifier compares the received password with the registered password.

This method has the following problems. (a) The password is stolen by prying the password file on the authentication side. (b) During communication, the password is stolen by wiretapping. (c) The subject must publish the password, which is his / her secret information, to the certifier.

As a method for solving the first problem (a), the authenticated person registers data obtained by applying a one-way function to the password on the authenticator side, and stores the data received by the authenticator at the time of authentication. Apply the same one-way function and compare the results (references: A. Evans, W. Kantrowitz and EW
eiss: "A user authentication scheme not requiring
secrecy in the computer, "Commun. ACM, 17, 8, pp.4
37-442 (1974) and R. Morris and K. Thompson: "Password
security: A case history, "UNIX Programmer's Manua
l, Seventh Edition, 2B (1979)).

A one-way function is a function in which there is no efficient means for obtaining an input from an output other than the brute force of an input. Calculating the input data can prevent impersonation. In general, the one-way function is DE
It can be obtained by a common key encryption method such as S or FEAL. The common key encryption method processes a plaintext input using a common secret key and obtains a ciphertext as an output. Even when the plaintext and the ciphertext are given, the common secret key cannot be calculated.
That is, the common secret key is designed so that there is no means to obtain the key more efficiently than brute force. Therefore, a one-way function depending on the strength of the common key encryption method can be realized by inputting a plaintext, an arbitrary parameter, and a common secret key and outputting a ciphertext by this method. Furthermore,
Common key encryption methods such as DES and FEAL have a feature that even if the input of the plaintext or the common secret key changes by one bit, an output that does not leave any trace of the input change can be obtained.

As described above, the first problem of the basic password authentication method can be solved by the method using the one-way function. However, if this is applied to the Internet where wire tapping is easy, problem (b) cannot be solved. Also, as pointed out in Problem (c), this basic password authentication method can be applied to bank customer authentication, but is not suitable for authentication between users at the same level.

As a method for solving such a problem, La
mport method (L. Lamport: "Password authentication
with insecure communication, "Commun. ACM, 24, 11,
pp.770-772 (1981)), and the CINON method (Chained One-w
ay Data Verification Method) (A. Shimizu, "A Dynami
c Password Authentication Method Using a One-way F
unction "Systtems and Computers in Japan, Vol. 22,
No. 7, 1991, pp. 32-40).

[0010] The method of Lamport is a method in which a one-way function is applied to a password a plurality of times, and data before the application is applied to the certifier one after another so that authentication can be performed a plurality of times. is there. In this method, it is necessary to subtract 1 each time authentication is performed from the initially set maximum number of authentications, and reset the password when the number of authentications is exhausted.
If the number of applications of the one-way function is increased in order to increase the maximum number of authentications, the processing amount increases. Further, there is a problem that the processing capacity is smaller than that of the authenticator and the processing load on the authenticated person is larger.

A method for solving these problems CINON
The authenticated person (user) sends the authenticated data to the authenticator (host) to the authenticator (host), the original data of the authenticated data that has been registered previously, the authenticated data to be used for authentication one after another, By transmitting three data of the validity verification data of the data to be authenticated to be used for the next authentication for each authentication, the authentication can be successively performed one after another while updating the authentication information safely.

Hereinafter, the authentication procedure of CINON will be described. First, the notation used in the following description is shown. <Notation> One-way conversion by the common key encryption algorithm E is represented by C = E (P, K), where C is one-way conversion data, P is plaintext, and K is a common key.

Let S be secret information of the person to be authenticated, that is, a password. n is an integer of 0 or more, and indicates the number of times of authentication. Let A be the identifier of the person to be authenticated, that is, a user ID such as a mail account (a part in which information on the person to be authenticated is accumulated). _Let N _{n be} a random number generated corresponding to the number of authentications n.

_Let M _n be an authenticator. (+) Indicates exclusive OR for each bit. V _n = E (A, S (+) N _n ) And W _n
= E (A, V _n ). That, W _n is S (+) is data that has been subjected twice unidirectional converted to N _n, the W _n, S, difficulty of calculated back N _n or V _n, a common key encryption algorithm Depends on the strength.

<CINON Authentication Procedure (See FIG. 1)>-Initial Registration Process--Step S0: The person to be authenticated (user) performs the initial registration process on the authenticator's device (host device). First, n is set to 0, and the user generates random numbers N ₀ and N ₁ at the user terminal, and sets an identifier A and a password S to be authenticated. The user remembers the password S and saves the random numbers N ₀ and N ₁ on a medium such as his IC card.

Next, the following procedure: V ₀ = E (A, S (+) N ₀ ) W ₀ = E (A, V ₀ ) V ₁ = E (A, S (+) N ₁ ) W ₁ = E (A, V ₁ ) M ₀ = E (W ₁ , V ₀ ) n ← n + 1 to calculate W ₀ , W ₁ , M ₀ , and the authentication side device ( Host device). W ₀ is the next authentication data, W ₁ is the next authentication data, and M ₀ is the validity verification data of W ₁ . --Authentication Process and Content Data Exchange-- After the initial registration process (n = 0), the n-th (n = 1, 2,...) Authentication process is as follows. At this point, the certifier side has W _n−1 , W _n , M corresponding to the identifier A of the subject.
_n-1 and n are registered. Upon receiving the service activation request from the person to be authenticated, the registered n is returned.

Step S1: First, the user sends a user identifier A and a service request to the authenticator, and makes a service activation request. Step S2: Next, the host device sends the value of n registered corresponding to the user identifier A to the user. Step S3: The user receives the value of n from the authenticator,
Read random numbers N _{n -1} and N _n from the IC card and
_{n + 1} is generated, the following _{steps: V n-1 = E (} A, S (+) N n-1) V n = E (A, S (+) N n) V n + 1 = E ( A, S (+) N _{n + 1} ) W _{n + 1} = E (A, V _{n + 1} ) M _n = E (W _{n + 1} , V _n ) and V _n−1 , W _{n + 1} , M Calculate _n .

Step S5: The user sends these data to the certifier. V _n-1 is data that is presumed to be the basis of the data W _n-1 used for the current authentication after the authenticator has completed the previous confirmation of the validity. W _{n + 1} is data used for successive authentications. M _n is data for verifying the validity of the data W _{n + 1} used for the next authentication the next time.

Step S6: The user rewrites the random numbers N _n-1 and N _n of the IC card to N _n and N _{n + 1} . Step S7: Next, the host device by _{V n-1, W n +} 1, M n coming sent from the person to be authenticated side performs the following authentication processing. Wn _-1 is compared with E (A, Vn _-1 ), and if they match, the authenticated person is valid. If they do not match, the user is unjustified and the process is terminated.

When the person to be authenticated is justified, M _n-1
E (W _n , V _n−1 ) are compared, and if they match, W _n is valid. If they do not match, the user is unjustified and the process ends. If both of these verifications validate the subject,
W _n-1 , W _n , and M _n-1 are all authenticated, and step S
At step 8, the content data T is sent to the user. Also, in step S9, W _n , W
_{n + 1} and _Mn are newly registered. Also, n is incremented (+1).

As described above, in CINON, in order for the user to obtain the authentication of the authenticator, the two random numbers N _n−1 ,
N _n must be used. Therefore, when the user obtains the authentication of the certifier from the terminal at the destination, the user carries a storage medium such as an IC card storing the random numbers N _n-1 and N _n and uses the random number at the terminal at the destination. Must. In addition, the terminal needs a function of generating a random number and a function of reading and writing an IC card. On the other hand, in the Internet, products called Internet home appliances that add an Internet connection function to television sets, word processors, and mobile terminals are going to be introduced to the market. , "IEICE Technical Report, OFS96-1, pp.1-6 (199
6.5)).

[0022] With the spread of such Internet home appliances, the demand for transmission and reception of information having an authentication process is expected to increase. , The above-mentioned random number N _n-1 ,
In most cases, there is no mechanism for generating N _n or reading and writing them to a storage medium such as an IC card.
Further, since the storage area of the processing program is also limited, it is desired to realize such authentication processing as simply and with a small program size as possible.

[0023]

SUMMARY OF THE INVENTION It is an object of the present invention to provide a mechanism for reading and writing a storage medium such as an IC card on the side of an authenticated person in transmitting and receiving information between the authenticated person and the authenticated person on a network having insufficient security. It is an object of the present invention to provide a secure information transmission / reception control method and apparatus capable of performing a user authentication process with a small program size without the need for a program, and a recording medium recording the method.

[0024]

According to a first aspect of the present invention, information transmission / reception for performing an authentication process between a user terminal device used by a user on a network and a verifier device of a verifier is provided. The control method includes the following steps: (a) As an initial registration procedure, the user obtains the next authentication data W ₀ , the next and subsequent authentication data W ₁ , based on his / her own identifier A and secretly held password S, Next, three times of the validity verification data M ₀ of the authentication data W ₁ are calculated and registered in the authenticator apparatus together with the initial value n = 1 of the number of authentications n in correspondence with the identifier A, and (b) Assuming that n is a positive integer, in the n-th authentication, the authenticator apparatus receives a service activation request and a notification of the identifier A of the user from the user terminal apparatus, and reads the authentication number n of the user. , Notify the user terminal device In (c) the user terminal device, the user identifier A, using a password S held in the authentication number n and a secret sent, data V _n-1 to be the current authentication, the after next The data W _{n + 1} used for authentication, the data M _n for verifying the validity of the authentication data W _{n + 1 after} the next time are calculated, and if there is content data to be transmitted, the authenticator device together with the data is transmitted. (D) In the authenticator apparatus, the user identifier A
The data W _n-1 calculated from the current data V _n-1 to be authenticated and sent in step (c) above is compared with the registered authentication data W _n-1 and The next authentication data W _n and the validity verification data M _n-1 calculated from the current data to be authenticated V _n-1 are compared with the registered validity verification data M _n-1 , e) As a result of the comparison in the step (d), when they match, the authenticator apparatus validates the user, transmits / receives information of the service requested by the user, and receives the next authentication data W _n received previously.
And the next-time authentication data W _{n +1} sent this time and the validity verification data M _n of the second-time authentication data W _{n + 1} are replaced with the previously registered W _n-1 , W _n , M _n-1 Register, increment the number of authentications n, and (f) As a result of the comparison
If they do not match, the user is unjustified and the subsequent information transmission / reception is refused, and the previously registered W _n−1 , W _n , M _n and n are kept as they are.

According to a second aspect of the present invention, a user terminal device and a relay server are connected to the Internet, respectively, and an authenticator device is connected to an intranet connected to the Internet. An information transmission / reception control method for performing an authentication process between the user and the authenticator in a system for transmitting / receiving information between the user and the authenticator device via the relay server, including the following steps: (A) From the user identifier A and the secretly held password S, the next authentication data W ₀ , the next and next authentication data
W _1, 3 of the validity verification data M ₀ of the after next authentication data W ₁
Is calculated and registered in the authenticator apparatus in association with the identifier A, and the initial value n = 1 of the number of authentications n is held in the authenticator apparatus and the relay server in association with the identifier A, respectively. , (B) When n is a positive integer, in the n-th authentication, when the relay server receives the service request and the identifier A from the user terminal device, the relay server reads the corresponding authentication number n, and (C) The user terminal device uses the identifier A of the user, the number of times of authentication n sent, and the password S held secretly to transmit the data V _n-1 to be authenticated this time. Calculates the validity verification data _Mn of the next authentication data W _{n + 1} and the next authentication data W _{n + 1} , and if there is content data to be transmitted, the authentication is performed via the relay server together with the data. Device Once disconnected from the rear the relay server, (d) In the verifier apparatus, calculated from the authentication data V _n-1 Tokyo this time that has been sent by the identifier A and the step of the user (c) the current authentication data W _n-1, compared with the authentication data W _n-1 which is registered, and the next authentication data W _n being registered above this the authentication data V _n-1
The validity verification data M _n-1 calculated from the above is compared with the registered validity verification data M _n-1.
As a result of the comparison in (d), if they match, the authenticator wants to justify the user and transfer the information of the service requested by the user to the relay server and store or transmit it there. If there is content information, send it with the authenticated user's credentials,
Transmits the confirmation information indicating that it has completed the relay server, (f) the verifier apparatus further next authentication data W _n that received last, after next authentication data W _{n + 1} and that have been sent now that the validity verification data M _n of after next authentication data, registered by replacing W _n-1, W _n the previously registered, and M _n-1, authentication number of times n
Is incremented, and as a result of the comparison in the above step (d),
If they do not match, the user is unjustified and rejects subsequent information transmission and reception, and retains W _n-1 , W _n , M _n and n registered previously, and (g) the relay server sets the service information or the After receiving the transmission confirmation information, the number of authentications n
(H) the user reconnects to the relay server at an arbitrary time after a certain period of time has elapsed after disconnecting the connection with the relay server, and performs the service with the relay server. Performing authentication processing for verifying the validity of the user with respect to the information, receiving the service information, and exchanging information between the user terminal device and the relay server using a high-speed communication protocol; The exchange of information between the authenticator and the authenticator is performed using an e-mail protocol.

According to the third aspect of the present invention, the user terminal device, the service provider, and the authenticator device (charging management center) are connected to the Internet, and the user can provide services from the service provider on the Internet. An information transmission / reception control method for a user to perform an authentication process with a billing management center when receiving the information, including the following steps: (a) As an initial registration procedure, an account A of the user
From the password S, calculate the next authentication data W ₀ , the second authentication data W ₁ , and the validity verification data M ₀ of the next authentication data M _0. (B) The user sends a service request signal for requesting a desired service and the account A to the service provider, and (c) the service provider transfers the received account A to the charging management center. (D) The charging management center reads out the number of authentications n corresponding to the account A and sends it to the service provider. (E) The service provider sends the received number of authentications n together with the Applet program of the authentication procedure to the user terminal device. (F) The user calculates the authentication data V _n−1 , W _{n + 1} , M _n according to the above authentication procedure, and together with the account A, the service provider Feeding the divider, (g) the service provider sends the account A _P of the service provider along with the data _{V n-1, W n +} 1, M n, the amount x with respect to the service to the accounting management center, (h) The charging management center confirms that the service amount x is equal to or less than the remaining amount X registered for the account A, and verifies the received data V _n-1 and the registered next authentication data W _n . If both are correct, an authentication confirmation signal OK is sent to the service provider, and the data W _n , W _{n + 1} ,
Updated to M _n, is incremented authentication count n, the balance X of the account A updated in Xx, updates the balance XP account A _P of the provider X _P + x, (i) the service provider When the confirmation signal OK is received, the specified service is provided to the user.

According to a fourth aspect of the present invention, there is provided an authenticator apparatus for performing information transmission / reception control for authenticating a user on a network, and includes the following: When n is a positive integer, Authentication data W _n-1 , authentication data W _{n one after another} ,
Registration data storage means for registering the validity verification data M _n-1 of the authentication data W _n with the identifier A at the time of the (n-1) -th authentication together with the number of authentications n; Receiving a service activation request from the user's terminal device and the notification of the user's identifier A, reading out the number of authentications n of the user from the registration data storage means, and notifying the user terminal device of the number of authentications; to be authenticated this time sent from the user terminal data V _n-1, authentication data W _{n + 1} of the after next, a receiving means for receiving after next authentication data W _{n + 1} of the validity verification data M _n, the user the identifier a and said received for this time is calculated from the authentication data V _n-1 Metropolitan authentication data W _n-1, compared with the registration data storing unit is registered in the authentication data W _n-1, And the next registered certification date And W _n, the time of the authentication data
V _n-1 and the validity verification data M _n-1 calculated from the authentication means to compare with the registered validity verification data M _n-1 and, as a result of the comparison by the authentication means, if they match, The next authentication data W registered that the user is valid and registered
_n and, as after next authentication data W _{n + 1} received this time, and the validity verification data M _n of the current received after next authentication data _{W n + 1, W n-} 1 registered in the registration data storage means ,
Registration updating means for registering by replacing W _n , M _n-1 and incrementing the number of authentications n.

According to a fifth aspect of the present invention, there is provided a recording medium recording an authentication procedure of an authenticator for authenticating a user on a network, wherein the authentication procedure includes the following: The following one-way function V ₀ = E (A, S) W ₀ = E (A, V ₀ ) V ₁ = E (A, S (+) 1) W ₁ = E (A, V ₁ ) M ₀ = Calculate and register the data initial values W ₀ , W ₁ , M ₀ by E (W ₁ , V ₀ ), and (b)
Assuming that n is a positive integer, in the n-th authentication, upon receiving a service activation request and a notification of the identifier A of the user from the terminal device of the user, the number of authentications n of the user is read from the registration data storage means. However, it is transmitted to the user terminal device, and (c) the validity of the current authentication data V _n−1 , the next authentication data W _{n + 1} , and the next authentication data W _{n + 1} transmitted from the user terminal device. Sexuality verification data M _n
(d) one-way function from the identifier A and said received time of the authentication data V _n-1 Metropolitan of the user _{W n-1 = E (A} , V n-1) of the current by the authentication data W _n-1 Is calculated and compared with the authentication data W _n-1 registered in the registration data storage means, and the next authentication data W _n registered and the current authentication data W _n-1 are registered.
V _n−1 and the one _- way function M _n−1 = E (W _n , V _{n− 1} ) to calculate the validity verification data M _n−1 , and the registered validity verification data M _n−1 (E) If the two comparison results are the same at the same time, the user is justified and the next authentication data W _n registered and the next received authentication data W _{n + 1} received this time
And the validity verification data _Mn of the second-time authentication data received this time are registered in the registration data storage unit.
The registration is performed by replacing with W _n−1 , W _n , and M _n−1, and the authentication count n is incremented.

According to a sixth aspect of the present invention, there is provided a recording medium recording a user-side procedure for obtaining an authentication of a user from an authenticator on a network, the procedure including: (a) service request and When the identifier A of the user is transmitted to the authenticator apparatus, and (b) n is a positive integer, the number of authentications n is received from the authenticator apparatus, and (c) the identifier A of the user,
Using the received number of times of authentication n and the password S kept secret, the validity verification data of the current authentication data V _n−1 , the next authentication data W _{n + 1} , and the next authentication data W _{n + 1 Let} M _n be the following one _- way function: V _n-1 = E (A, S (+) (n-1)) V _n = E (A, S (+) n) V _{n + 1} = E (A, S (+) (n + 1)) W _{n + 1} = E (A, V _{n + 1} ) M _n = E (W _{n + 1} , V _n ) and sends it to the authenticator apparatus.

The most important feature of the present invention is that, in the authentication procedure, the number of times of authentication is used in place of the random number used when generating the data to be authenticated in the prior art. In the present invention, a common key encryption method such as DES or FEAL is used for one-way conversion used for generating data to be authenticated. As described above, these cryptographic methods can provide an output that does not leave any trace of the input even if the input of the plaintext or the common secret key changes by one bit. Focusing on this feature of the one-way conversion, the conventional technology generates the data to be authenticated using two keys, a random number and a secretly held password, whereas one of the two is a constant which is a constant. By setting the number of times, it is possible to have an authentication function having the same strength as that of the related art, and to provide an IC card for storing a random number, which is the object of the present invention, a simple read / write mechanism for the IC card, and a simple random number generating mechanism. Information transmission and reception can be realized. In other words, in the present invention, the number of authentications is used instead of the conventional random number.
That is, it depends on the strength of the common encryption method, and there is no effect of changing the number of times of authentication.

[0031]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 FIG. 2 is a diagram for explaining the outline of a first embodiment of the present invention. With the spread of the Internet, e-mail has come to be widely used as a means of communication via the Internet, especially in the business field. Along with this, demands for sending and receiving e-mail messages from outside the office have been increasing, mainly for business users.

In the case of the personal computer communication, a common center is accessed using a telephone network to read and write a message. To send and receive messages. On the Internet, on the other hand, the mail server can be considered as a center and accessed via the telephone network in the same way as personal computer communication in the telephone network. Often, they call back a number or restrict access through a modem. In general, it is often difficult to access from a place where the location is not determined, such as the number of telephone lines prepared for modem access is small and the line is often busy.

Further, the IP which is an inherent feature of the Internet
In consideration of connection at the address level (connection at layer 3), a connection request from an undetermined destination, that is, an unspecified IP address, is provided at the entrance to the internal network 12 where the mail server 13 is located. Rejected by 12F. In other words, the protocol used for e-mail (Layer 7) (that is, SMTP: Simple Mail Transfer P)
rotocol) is designed to be able to pass through firewalls. In this embodiment, a user of a mail server in a public e-mail transfer service capable of safely retrieving and sending a mail message addressed to the user via the Internet without using a telephone network from a destination and bypassing a firewall. A case in which the present invention is applied to authentication for a password will be described.

The general requirements and security requirements of the public electronic mail transfer service are described.
First, the general requirements of the public e-mail transfer service described in this specification are as follows. (1) A user (user) of this service has a mail account unique to a certain mail server on the Internet.

(2) The user can use an application of this service resident in an environment where a user-specific mail account exists, and an application program of this service in an environment where he / she is away. (3) The user can use a temporary account on the go and receive an e-mail that has arrived at the original account. Similarly, use a temporary account,
You can send emails from your original account. here,
The temporary account is, for example, a terminal connected to the Internet, an account of another user, or the like, which is provided for use by the public.

In the example of FIG. 2, an internal network 12 such as a corporate LAN is connected to the Internet 11, and a host device (server device: authenticator device) 13 having a mail account of the user U1 is connected to the internal network 12.
Is connected, and the user U1 can receive the e-mail arriving at the mail account of the host device 13 via the internal network 12 connected to the host device 13.

In a state where the user U1 moves and moves to the outside of the internal network 12, the user U1 moves to the destination, for example, the personal computer 14 subscribed to the Internet 11.
1 and sends the identifier A of the user U1 as an e-mail to the host device (authenticatee device) 13 having the mail account of the user U1 via the Internet 11 and the internal network 12, If the authentication procedure according to the present invention is performed with the device 13, it is possible to receive an e-mail that has reached the mail account of the user U1. In other words, the personal computer 14 can temporarily borrow an account subscribed to the Internet 11 and receive an electronic mail addressed to the original account A.

Further, the user U1 inputs his / her own identifier A and password S to a terminal 16 accommodated in another internal network 15 connected to the Internet 11, and uses the identifier A as an electronic mail as the internal network 15-Internet 11-. Host device 1 via internal network 12
By inputting to 3 and performing the authentication procedure according to the present invention, the e-mail that has arrived at its own e-mail account can be retrieved.

However, even if another user U2 impersonates the user U1 through the terminal 17, and tries to retrieve the information delivered to the mail account,
Even if the user accesses the host device 13 using the identifier A of No. 1, the user cannot know the password S of the user U1, and therefore cannot execute the authentication procedure correctly.
You cannot retrieve the information that arrives at your email account.

Although reading (receiving) of an e-mail has been described above, writing (sending) of an e-mail can be similarly performed. According to the general requirements that the public e-mail transfer service should have, it is possible to receive and send e-mails as described above. The security requirements that the public e-mail transfer service should have are as follows.

(1) By authenticating the stored password and the like, the user can bypass the firewall set in the environment where the mail server is located, and can safely receive the mail transmission / reception service on the go. it can. On the other hand, sending and receiving e-mail of unqualified persons is prevented. (2) The password of the user cannot be stolen from the database on the line or in the mail server.

(3) The processing load for authentication is small in both the environment where the user's mail account is located and the environment where the user is going. In particular, data flowing over the Internet
Since the eavesdropping is easily performed, a procedure in which the password flows directly on the line is not used. The first embodiment is a case where the present invention is applied to an authentication procedure in an electronic mail transfer service satisfying the conditions (1), (2) and (3).
Therefore, communication between the user and the mail server is performed using the e-mail protocol. The notation used in the following description is the same as that used in the description of the related art. <Initial Registration Process (FIG. 3)> Step S0: As an initial registration process, the user directly sets an identifier (mail account) A and an initial number of authentications n = 0 in the mail server 13.

Next, the user performs the following procedure on the mail server 13: V ₀ = E (A, S) (1a) W ₀ = E (A, V ₀ ) (1b) V ₁ = E (A, S ( +) 1) (1c) W 1 = E (a, V 1) (1d) M 0 = E (W 1, V 0) (1e) in calculating the _{W 0, W 1, M 0} , the user's e-mail It is registered in the mail server (authenticator device) in association with account A. Further, n is incremented to 1 and registered corresponding to the identifier A. W ₀ represents the next authentication data, W ₁ represents the next authentication data, and M ₀ represents the validity verification data of W ₁ . <Authentication Process and Exchange of Mail Message> FIG. 3 shows the n-th (n = 1, 2,...) Authentication procedure after the end of the initial registration process.

Step S1: A user who is out of the office first sends an e-mail having a specific header (SMTP) to a mail server having his or her mail account by using the outgoing terminal (terminal 14 in FIG. 2). It sends out a service request (hereinafter, referred to as a mail request) and notifies the mail account A. The mail request specifies one of mail transmission, mail reception, file transfer transmission, and file transfer reception.

Step S2: When the mail server receives the service activation request mail from the user who is on the go, the number of authentications n registered for mail account A
Replies by e-mail. At this point, the host side, _{already, W n-1, W n} , M n-1 is registered. Step S3: The user sends an e-mail from the mail server,
And the following procedure: V _n-1 = E (A, S (+) (n-1)) (2a) V _n = E (A, S (+) n) (2b) V _{n + 1 = E (A, S (} +) (n + 1)) (2c) W n + 1 = E (A, V n + 1) (2d) M n = E (W n + 1, V n) ( In step 2e), V _n−1 , W _{n + 1} , and M _n are calculated. Further, in step S4, these data and, if there is an e-mail to be transmitted, are sent to the mail server by e-mail. I do. V _n-1 is the source of the data (called one-way conversion data) W _n-1 obtained by the conversion of the one-way function used for the current authentication, which has been previously verified on the mail server side. It is data that is presumed to have been lost. W _{n + 1} is one-way conversion data used for successive authentications. _Mn is authentication data for confirming the validity of the one-way conversion data Wn _{+ 1} to be used for the next authentication next time.

Step S5: The mail server performs the following authentication processing based on V _n−1 , W _{n + 1} , and M _n received from the user side. The registered W _n-1 is compared with E (A, V _n-1 ) calculated by the one-way function E using the received V _n-1, and if they match, the user is valid. . If they do not match, the user is unjustified and the process ends.

If the user is justified, M _n-1 and E
(W _n , V _n−1 ) are compared, and if they match, W _n is valid. If they do not match, the process is terminated as unfair the W _n.
This justified W _n is the data in the next (n + 1) authentication.
W _n−1 is used to determine the validity of the received V _n−1 (user validity). If these authentication process user and W _n is determined as valid, if there is new mail addressed to the user at step S6, it sends email it to the user. If there is a mail to be sent from the user, the mail is sent using the user's original account.

[0048] Further, instead of the data W _n-1, W _n that are currently registered in step S7, the _{M n-1, W n,} W n + 1, newly registers the M _n. Also, n is incremented. FIG. 4 shows a functional block diagram of the user terminal used in the first embodiment described above. The user terminal includes an input unit 21, a control unit 22, a reception unit 23, a transmission unit 24, an authentication data generation unit 30
, A memory 25, and an output unit 26.
The user inputs information such as an identifier A, a password S, a connection destination address (mail server address), a mail request, and the like to the input unit 21. The control unit 22 transmits the mail request and the identifier A to the mail server from the transmission unit 24, and sets the identifier A and the password S in the authentication data generation unit 30. The number of authentications n from the mail server received by the receiving unit 23 is subtracted by 1 in the subtractor 31a, and the output n−
1 is exclusive-ORed with the password S in the exclusive-OR unit 32a. The output of the exclusive OR unit 32a is the identifier A
Is given to the one-way function unit 33a, and the data V _{n -1} is calculated by the equation (2a). Number of authentications n from receiving unit 23
Is also given to the addition unit 31c, 1 is added, and the addition result n + 1 is XORed with the password S by the exclusive OR unit 32c. The output of the exclusive OR unit 32c is provided to the one-way function unit 33c together with the identifier A, and the expression (2c)
Calculates data Vn _{+ 1} . Data V _{n + 1} is the identifier A
Is supplied to the one-way function part 34d, and the data W _{n + 1} is calculated by the equation (2d). The number of authentications n is also given to the exclusive OR unit 32b, and the exclusive OR with the password S is obtained. Its output is given together with the identifier A one-way function unit 33b, is calculated data V _n by the formula (2b), furthermore, the output W of the data V _n way function unit 34d
_{n + 1} is given to the one-way function part 34e, and the data _Mn is calculated by the equation (2e). The authentication data V _n−1 , W _{n + 1} , and M _n calculated in this manner are temporarily stored in the register 35 and sent from the transmission unit 24 to the mail server.

After the authentication by the mail server 13, the mail message received from the mail server 13 is temporarily stored in the memory 25 and output to an output unit 26 such as a printer or a display as needed. The control unit 22, the memory 25, and the authentication data generation unit 30 in the functional configuration of the user terminal shown in FIG. 4 are actually realized as software of a computer. That is, the terminal computer has a recording medium on which a program for executing the user-side processing procedure in FIG. 3 is recorded, and executes the user-side authentication processing procedure according to the program.

FIG. 5 shows a functional block diagram of the mail server 13 in the embodiment of FIGS. Mail server 1
Reference numeral 3 denotes an input unit 41, an initial registration unit 50, an authentication unit 60, a control unit 44, an authentication count increment unit 45, and a memory 43. The initial registration unit 50 performs the initial registration (step S0).
From the identifier (mail account) A and the password S input by the user from the input unit 41, V
₀ way function unit 51 for calculating a one-way function unit 52 for calculating the W ₀ by the formula (1b) from the V ₀ and identifier A
And an exclusive-OR unit 53 for calculating the exclusive-OR of the password S and 1 in the equation (1c), and calculating V ₁ from the exclusive-OR output and the identifier A by the equation (1c). a one-way function unit 54, the one-way to calculate a one-way function unit 55 for calculating the W ₁ by V ₁ and a Tocharian formula (1d), W ₁ and V ₀ Tokara formula M0 by (1e) And a sex function section 56.

The control unit 44 calculates the calculated initial values W ₀ ,
W ₁ and M ₀ are registered in the memory 43 in association with the identifier A.
Also, the number of authentications n is incremented by one by the stepping unit 45 and stored in the memory 43 in association with the identifier A. In the n-th authentication of the user, the number of authentications n read from the memory 43 is incremented by
Step result n + 1 and the authentication data received from the user
W _{n + 1} and M _n and the data W _n read from the memory 43 are temporarily stored. The authentication unit 60 uses the identifier A received from the user having the identifier A and the data V _n−1.
The one-way function unit 61 for calculating E (A, V _n-1 ) is compared with the calculated data W _n-1 and the data W _n read from the memory 43 in correspondence with the identifier A, and a match is obtained. (OK), a comparison unit 62 that outputs a comparison result OK / NG of mismatch (NG), and a data M _n-1 calculated from the received data V _n-1 and the data W _n read from the memory 43. Directional function unit 63 and its data M
_n-1 is compared with the data M _n-1 read from the memory 43,
A comparison unit 64 that outputs a comparison result of matching or mismatching. If the outputs of the comparison units 62 and 64 are both OK, the control unit 44 reads the mail message addressed to the user stored in the memory 43 corresponding to the identifier A, and sends the mail message to the user from the transmission / reception unit 42. At the same time, the data n, W _n , W _{n + 1} , and M _n−1 held in the register 46 are
Data W _n−1 , W _n ,
Rewrite M _n-1 .

The memory 43, control unit 44, stepping unit 45, register 46, initial registration unit 50, and authentication unit 60 in the functional configuration of the mail server device shown in FIG. 5 are realized as software of a computer. That is, the mail server computer has a recording medium in which a program for executing the mail server-side processing procedure in FIG. 3 is recorded, and executes the server-side authentication processing according to the program.

In the above-described first embodiment, when the one-way conversion is realized by the FEAL encryption method, the authentication processing on the side of the person to be authenticated can be described by a program of about 0.6 KByte (of which FEAL is 0.4 KByte). it can. As described above, in the present invention, the user does not transmit his / her password S to the mail server in the authentication process as in the case of CINON shown in FIG.
Authentication processing via the Internet can be performed safely. Moreover, since the random numbers required by CINON are not used, a recording medium such as an IC card for storing the random numbers is not required, and a random number generation function and a read / write function for the IC card are not required. . Further, since a random number is not used, the data size of the authentication processing may be correspondingly small. Therefore, the authentication processing time is short in the host device. This indicates that the present invention can be used with a host device having a low processing capability. Embodiment 2 In the above-described first embodiment, the case where the authentication method of the present invention is applied to the authentication procedure between the user and the mail server by e-mail using SMTP communication has been described. The present invention may be applied to an authentication procedure between a user and a host when receiving various services using HTTP communication. An embodiment in that case will be described next. Here, a case where an authentication procedure (program) on the user side is received as an applet from the host side and is used will be further described.

In response to the sophistication and diversification of the use of the Internet, the terminal does not have various programs built in.
Each time, the terminal is sent from a partner (server) via communication, and a method of executing the sent processing procedure by the terminal is spreading. This is because, when there is an information transmission / reception request from the user on the Internet, the server side performs a requested processing procedure in a predetermined language, for example, a specific communication unit described in Java, for example,
This is a revolutionary method that changes the concept of the conventional operating system (OS) by sending the embedded data to the Applet to the user and executing the processing based on the processing procedure (program) on the user side. It is. In the future, with the spread of information transmission / reception using such a method, a user authentication function becomes more and more important. In the second embodiment, the authentication method of the present invention is applied to such a method environment.

The notation used in the following description is the same as that used in the above description. In the following description of the operation, communication is performed by HTTP. <Initial Registration Process (FIG. 6)> Step S1: The user (authenticatee) sends an initial registration request together with an identifier (account) A to the server (authenticator device).

Step S2: The server registers the user identifier A in response to the request. Step S3: The server further sends a communication unit (Applet) describing the initial registration process to the user. Step S4: The user who has received the communication unit program sets the user identifier A and the password S using the applet program in the user terminal.

[0057] Step S5: The user further uses the applet program, the following _{steps: V 0 = E (A,} S) W 0 = E (A, V 0) V 1 = E (A, S (+) 1 ) W ₁ = E (A, V ₁ ) M ₀ = E (W ₁ , V ₀ ) n ← n + 1, and the initial data W ₀ , W ₁ , M ₀ are calculated.

Step S6: The user sends the service together with the identifier A.
To the server side. W₀Is the next authentication data, W₁Is next
Authentication data of each time, M₀Is W₁Data for validity verification
is there. Step S7: On the server side, correspond to the received identifier A
Then, the initial value n = 1 of the number of authentications n and the received data
W₀, W₁, M₀Register <Authentication processing and information exchange (FIG. 7)> Initial registration processing
N-th time after the process (step S7 in FIG. 6) is completed.
The authentication procedure of (n = 1, 2,...) Is as follows. In addition, this
At the time, the host already has n, W _n-1, W_n, M_n-1But
It is registered. Step S1: The user first sends a service to the server.
Sends a request to start the service and notifies the user identifier A.
You.

Step S2: When the server receives the service activation request and the user identifier A from the user who is away, the server returns an authentication process Applet and the number of authentications n registered corresponding to the identifier A to the user. . Step S3: User performs authentication process Applet from server side
And the value of n, according to the applet program: V _n-1 = E (A, S (+) (n-1)) V _n = E (A, S (+) n) V _{n + 1} = E (A, S (+ ) (n + 1)) W n + 1 = E (A, V n + 1) M n = E authentication data _{(W n + 1, V n} ) V n-1 , W _{n + 1} and M _n are calculated.

Step S4: The user further sends these data V _n−1 , W _{n + 1} , M _{n and} , if any, information to be transmitted to the server. Step S5: The server the user data V _n-1 has been sent from the _{side, W n + 1, M n} , performs the following authentication processing. The data W _n−1 registered corresponding to the identifier A is compared with E (A, V _n−1 ) calculated from the received data V _n−1 , and if they match, the user is valid. . If they do not match, the user is unjustified and the process ends.

If the user is justified, the registered M _n-1 is compared with E (W _n , V _n-1 ).
_n is justified. If they do not match, the process is terminated as unfair the W _n. Step S6: The server when it is determined that the legitimate both user and W _n, starts providing the requested information transceiver service.

Step S7: The server further replaces the currently registered data W _n−1 , W _n , M _n−1 with new W _n , W _{n + 1} , M _n corresponding to the identifier A. Register with. Also, n is incremented. In this embodiment, as in the case of the first embodiment, when the one-way function E is realized by the FEAL encryption method, the authentication processing is about 0.6 KByte (of which, FEAL is 0.4 KByte).
Program. This size is
When writing a program in Applet, the scale will hardly cause a load on communication.

In the first embodiment, the present invention is applied to an e-mail, and the e-mail temporarily borrows the environment of the e-mail subscriber at the destination terminal and receives a message to itself without being affected by the firewall. In the second embodiment, the communication protocol (HTTP) is used.
Indicates that this authentication process is performed. Further, a form such as a third embodiment described below in which these two embodiments are combined is also possible. Embodiment 3 In general, the Internet is congested and information cannot be transmitted and received smoothly in many cases. As described in the first embodiment, when exchanging authentication information by an e-mail protocol to avoid a firewall, it takes several minutes depending on conditions. During this time, if it is considered that it is not preferable for the service to force the user to wait, a relay server 18 is provided between the user terminal 14 and the mail server 13 as shown in FIG. While the mail server 13 is inside the firewall 12F, that is, on the internal network of the intranet 12, the relay server 18 is on the Internet 11 and is open to the outside.
It is assumed that the relay server 18 has an authentication function for a user. The authentication function may be any of those conventionally proposed, but in the following description, it is assumed that an authentication process to which the present invention is applied is performed. The user initially registers data n = 1, W ₀ , W ₁ , and M ₀ in the mail server 13 in advance in the same manner as in the first or second embodiment described above, in correspondence with the identifier A. Also, the number of authentications between the user and the relay server is n ′
The data n ′ = 1, W ₀ , W ₁ , and M ₀ are initially registered in the relay server in association with the user identifier A.

In the third embodiment, communication between the terminal 14 connected to the Internet and the mail server 13 connected to the intranet 12 is performed via the relay server 18, and the terminal 14 connected to the Internet 11 Between the relay server 18 and the relay server 18 using a high-speed transfer protocol such as HTTP.
It communicates with e-mail using an e-mail protocol such as SMTP.

FIG. 9 shows the procedure in such a system in which the user goes to the mail server 13 and retrieves an electronic mail from the Internet terminal 14 to the mail server 13 for the nth time. However, at this point, the data n, W _n−1 , W _n , and M _n−1 are registered in the mail server 13 corresponding to the identifier A, and the data n corresponding to the identifier A is registered in the relay server 18. ', W _n'-1 , W _n' , M _n'-1 are registered.

Step S1: The user is connected to the Internet 11
Sends a mail request and its own identifier A from the terminal 14 connected to the relay server 18. Step S2: The relay server 18 sends the received mail request and the identifier A to the mail server 13 by e-mail. Step S3: The mail server 13 sends the number of authentications n corresponding to the received identifier A to the relay server 18 by e-mail, and Step S4: The relay server 18 transfers the number of authentications n to the user.

Step S5: The user calculates the authentication data V _n−1 , W _{n + 1} , M _n using the received number of authentications n in the same procedure as in step S3 of FIG. 3 or 7, and further proceeds to step S6. : The user identifies the authentication data with identifier A
And a mail request to the relay server. If the e-mail request is e-mail transmission, the e-mail message to be transmitted is also transmitted. Here, the user temporarily disconnects the connection with the relay server 18 and executes another task as needed.

Step S7: The relay server 18 receives the identifier A, the mail request (and the message to be transmitted),
The authentication data V _n−1 , W _{n + 1} , and M _n are transferred to the mail server 13 by electronic mail. Step S8: The mail server 13 reads out the registered data W _n−1 , W _n , M _n−1 corresponding to the received identifier A, and receives the data in the same procedure as in step S5 of FIG. 3 or FIG. The authenticity of V _{n−1 and} the validity of W _n to be used for the next n + 1 authentication are authenticated. If these two are determined to be valid, step S9: the mail server forwards the mail message addressed to the user corresponding to the identifier A to the relay server, or transmits a message to be transmitted, and relays the transmission confirmation information. Send to server. Step S10: The mail server registers the registered data.
W _n−1 , W _n , M _n−1 are rewritten to W _n , W _{n + 1} , M _n and n
Is incremented.

Step S11: The relay server stores the received e-mail message addressed to the identifier A and / or the transmission confirmation information corresponding to the identifier A. Step S12: After disconnecting the connection with the relay server for several minutes, the user sets the identifier A to the relay server at an arbitrary time.
And send an email request. Step S13: The relay server reads out the number of authentications n ′ registered corresponding to the identifier A and sends it to the user.

Step S14: The user calculates the authentication data V _n′−1 , W _{n ′ + 1} , M _{n ′} using the received n ′ in the same procedure as in step S3 of FIG. 3 or FIG. S15: The user sends them to the relay server. Step S16: The relay server receives the data V _n′−1 , W
_{From n '+ 1} , M _n', the validity of V _n'-1 and W _{n '} is authenticated in the same procedure as in step S5 of FIG. Step S17: The relay server forwards the stored e-mail message corresponding to the identifier A to the user. Step S18: The relay server registers the registered data W
_n'-1, W _{n ',} the M _n'-1 W _n', rewritten to _{W n '+ 1, M n} ', n '
Is incremented.

In this example, for simplicity, step S14
Shows the case where the same identifier A and password S used in the authentication processing between the mail server and the same are used for calculating the authentication data in the above. Good. In that case,
The data W ₀ , W ₁ , and M ₀ registered in advance in the relay server are also obtained using S ′. Alternatively, the user may use the same password S and identifier A as the authentication processing with the mail server for the authentication processing with the relay server, and perform the following processing. Advance the mail server and the respective A _M and A _R published an identifier of the relay server, in the authentication process between the user and the mail server, for initial registration of the aforementioned formula (1a) ~ (1e) and verification In the equations (2a) to (2e), the following equation is used: V ₀ = E (A (+) _AM , S) (1a ′) W ₀ = E (A (+) _AM , V ₀ ) (1b ′) _{) V 1 = E (A (} +) A M, S (+) 1) (1c ') W 1 = E (A (+) A M, V 1) (1d') M 0 = E (W 1, V ₀ ) (1e ′) and V _n−1 = E (A (+) A _M , S (+) (n−1)) (2a ′) V _n = E (A (+) A _M , S ( +) n) (2b ') Vn _{+ 1} = E (A (+) _AM , S (+) (n + 1)) (2c') Wn _{+ 1} = E (A (+) _AM , as in the _{V n + 1) (2d '} ) M n = E (W n + 1, V n) (2e'), use the a (+) a _M in place of the identifier a, authentication step S8 of the mail server Where W _n-1 = E (A (+) A _M , V _n-1 )
And M _n-1 = E (W _n , V _n-1 ) are verified. Similarly, in the authentication process between the user and the relay server, the above-described equations (1a) to (1e) for the initial registration and the equation (2) for the authentication are used.
(instead of the identifier A in 2e), the following equation _{V 0 = E (A (+} ) a) ~ A R, S) (1a ") W 0 = E (A (+) A R, V 0) ( _{1b ") V 1 = E (} A (+) A R, S (+) 1) (1c") W 1 = E (A (+) A R, V 1) (1d ") M 0 = E (W _{1, V 0) (1e "} ) and _{V n'-1 = E (A} (+) A R, S (+) (n'-1)) (2a") V n '= E (A (+) A _R , S (+) n ') (2b ") V _{n' + 1} = E (A (+) A _R , S (+) (n '+ 1)) (2c") W _{n' + 1} = _{E (a (+) a R} , V n '+ 1) (2d ") M n' = E (W n '+ 1, V n') (2e") to use the a (+) a _R as in the authentication step S16 by the relay server _{W n'-1 = E (a} (+) a R, V n'-1) match and M _n'-1 = E
Verify that (W _{n ′} , V _n′−1 ) matches. According to this method, the user has the same password S and identifier A without losing security.
Can be used for both the authentication processing with the mail server and the authentication processing with the relay server.

As described above, in the embodiment of FIG. 9, after the user sends a mail request to the mail server 13 in step S6, the connection with the relay server 18 can be cut off and the task can be switched to another task. The requested mail can be picked up at the relay server at any time after a lapse of several minutes after the connection with the relay server is disconnected. Therefore, after the mail request is authenticated by the mail server from the mail request in step S6 (step S8), there is no need to wait with the communication connected until the mail is transferred to the relay server.

In the embodiment shown in FIG. 9, as in the first and second embodiments, the case where the number of authentications n between the user and the mail server 13 is given from the mail server 13 is shown. However, if the relay server has both the number of authentications n and n ′ in correspondence with the identifier A in FIG. 9, steps S2 and S3 can be omitted. FIG. 10 shows the n-th authentication process in that case.

In the example shown in FIG. 10, the mail server sends an authentication count initial value n = 1 out of the initially registered data to the relay server in advance. In the relay server, n ′, W _n′−1 , W _{n ′} , and M _n′−1 are registered in _association with the identifier A as in the case of FIG. The authentication number n is also registered in the relay server in association with the identifier A.

When the relay A receives the identifier A and the mail request from the user in step S1, the relay server does not transfer the mail request and the identifier A to the mail server, and immediately returns the number of authentications n corresponding to the identifier A to the user in step S2. I do. Therefore, the user calculates the authentication data V _n−1 , W _{n + 1} , M _n in step S3 using _n , and in step S4, transmits the authentication data together with the identifier A and the mail request via the relay server. It can be sent to the mail server, and then disconnect from the relay server and switch the terminal to another task. Steps S4 to S15 are exactly the same as steps S6 to S17 in FIG. Relay server authentication data W _n'-1 in step S16, W _{n ',} the M _{n'- 1} W _n',
Rewrite to W _{n ′ + 1} , M _{n ′} and increment the relay server authentication count n ′ and the mail server authentication count n, respectively. The increment of the number of authentications n may be performed any time after receiving the information indicating that the authentication has been performed from the mail server in step S7.

In the embodiment shown in FIG. 10, the authentication process between the user and the mail server is performed in the same manner as described with reference to FIG.
Instead of the identifier A use A (+) A _M, the authentication between the user and the relay server, it is preferable to use instead A (+) A _R of A. As described above, in the embodiment of FIGS. 9 and 10, the user activates the authentication procedure by transmitting the service request and the user identifier A to the relay server 18 using the relay server 18, and then temporarily establishes a connection with the relay server. Disconnect. Using the authentication data sent from the user, the relay server 18 sends the data to the mail server, which is the authenticator device, performs authentication processing, and receives an e-mail if OK. After a while, the user performs the authentication process again with the relay server, and can obtain necessary information transfer.

By adopting such a configuration, a high-speed transfer protocol such as HTTP can be used between the user and the relay server because the relay server is open to the public. In addition, although the communication between the relay server and the mail server inside the intranet uses the e-mail protocol to avoid the firewall, the transfer speed can be increased because the number of hosts that pass through is small.

Further, in order to realize further high-speed processing, the number of times of authentication n used for authentication is shared between the mail server and the relay server, and is updated synchronously every time authentication is performed. The authentication procedure can be reduced by one round trip. Embodiment 4 Next, an embodiment in which the authentication method of the present invention is applied to a billing system for services on the Internet is shown in FIG.
This will be described with reference to FIGS. In recent years, it is expected that shopping on the Internet will be realized. In conventional Internet shopping, a user generally accesses a homepage of a service provider on the Internet and pays for a desired product or service by a credit card. However, payment by credit card has a relatively large minimum amount that can be used at one time, and is inconvenient for daily use. Moreover, since the user needs to transmit the credit card number to the provider, there is a security problem.

An unspecified number of users collectively pay the determined amount $ X to the charging management center 21 provided on the Internet using a credit card, for example, by using a telephone. Alternatively, a different set of the password S and the account A is given by a message, for example, by mail or directly from the telephone by a method such as paying by a dial Q2 (toll collection service). Step S0: The charging management center stores the amount X paid for each account A and the initial registration data n = 1, W ₀ , W ₁ , M ₀ used in the authentication procedure according to the present invention in a memory (not shown). ).

Step S1: The user obtains a service catalog from the homepage of the service provider 22 on the Internet or the like, and sends a service request signal designating a desired service and an account A to the service provider. Step S2: The service provider sends the user's account A to the charging management center, and requests the corresponding authentication number n.

Step S3: The center reads the number of authentications n corresponding to account A from the memory and sends it to the service provider. Step S4: The provider sends the number of authentications n to the user together with the user-side authentication procedure program described in Java Applet. Step S5: The user has password S, account A,
Equations (2a) to (2e) are calculated according to the authentication procedure using the number of authentications n, and authentication data V _n−1 , W _{n + 1} , M _n are obtained.
Send to service provider at 6.

[0082] Step S7: The provider transfers the amount x of the service designated by the user, with the provider of the account A _P, the authentication data _{V n-1, W n +} 1, M n and user account A to the billing management center I do. Step S8: center determines whether payment amount x is less than the balance X corresponding to the user account A, as in step S5 in FIG. 3, if less, validity and registration data V _n-1 received Verify the validity of the data W _n
If these are correct, a confirmation signal OK is transmitted to the provider in step S9.

Step S10: The center further updates the registration data to W _n , W _{n + 1} , M _n , increments the number of authentications _n, and updates the user's balance X to Xx. Also, to update the balance X _P of the provider of the account A _P to X _P + x. Step S11: Upon receiving the confirmation signal OK from the center, the service provider provides the service specified by the user.

As described above, by applying the authentication procedure of the present invention to authentication in Internet shopping,
Small payments are possible, and payments can be made securely.

[0085]

As described above, in the information transmission / reception control method of the present invention, in the authentication procedure, I
It does not require a mechanism for reading and writing to a storage medium such as a C card or a random number generating mechanism, and enables processing with a small program size. It is possible to provide a secure information storage and retrieval service.

[Brief description of the drawings]

FIG. 1 is a diagram showing a conventional CISON authentication procedure.

FIG. 2 is a diagram showing an outline of a public electronic mail transfer service system according to the first embodiment of the present invention;

FIG. 3 is a diagram showing details of a public electronic mail transfer protocol according to the first embodiment.

FIG. 4 is a functional block diagram of a user terminal according to the first embodiment.

FIG. 5 is a functional block diagram of a mail server according to the first embodiment.

FIG. 6 is a flowchart showing an initial registration procedure when the present invention is applied to a case where an authentication procedure is executed using an authentication procedure provided from a server using a Java Applet.

FIG. 7 is a flowchart showing an n-th authentication procedure in the second embodiment.

FIG. 8 is a system diagram of a third embodiment to which the present invention is applied when a mail server is accessed via a relay server on the Internet.

FIG. 9 is a flowchart showing an authentication procedure according to a third embodiment in the system of FIG. 8;

FIG. 10 is a flowchart showing a modification of the third embodiment.

FIG. 11 shows systems when the authentication method according to the present invention is applied to Internet shopping.

FIG. 12 is a flowchart showing a procedure of Internet shopping to which the authentication method of the present invention is applied.

Claims (20)

[Claims] 1. An information transmission / reception control method for performing an authentication process between a user terminal device used by a user on a network and a verifier of a verifier, the method including the following steps: As a registration procedure, the user obtains the next authentication data W ₀ , the next and the next authentication data W ₁ , and the next and the second authentication data from the identifier A and the secretly held password S.
W ₁ of calculating the three validity verification data M _0, and registered with an initial value n = 1 of the authentication number n corresponds to the above identifier A to the verifier device, (b) Next, the n positive In the n-th authentication, the authenticator apparatus receives a service activation request and a notification of the user identifier A from the user terminal apparatus,
Read out the number of authentications n of the user and notify the user terminal device; (c) In the user terminal device, the identifier A of the user;
Using the number of times of authentication n and the password S kept secret, the authenticated data V _n−1 , the next authentication data W _{n + 1} , and the next authentication data W _{n + 1} are transmitted. The verification data _Mn is calculated, and if there is content data to be transmitted, the data is notified to the authenticator apparatus together with the data, and (d) the authenticator apparatus transmits the identifier A of the user and the step (c). This authentication data V _n-1
The authentication data W _n-1 the current calculated from the, compared to the authentication data W _n-1 which is registered, and the next authentication data W _n being registered above this the authentication data V _n-1 The validity verification data M _n-1 calculated from the above is compared with the registered validity verification data M _n-1 . (E) If the result of the comparison in step (d) above matches, the authenticator in device to justify its user, performs transmission and reception of the service information which the user has requested, next the authentication data W _n that received last, after next authentication data W _{n + 1} that has been sent now and after next legitimate authentication data Sex verification data
When the M _n, W _n-1 the previously registered, W _n, to register is replaced with M _n-1, and increments the authentication count n, (f) the result of the comparison in step (d), which do not coincide,
The user is unjustified and rejects subsequent information transmission and reception, and retains the previously registered data W _n−1 , W _n , M _n and n as they are. 2. The method of claim 1, wherein the user performs the initial registration procedure of step (a) on the authenticator device. 3. The method according to claim 1, wherein an e-mail protocol is used for data transmission and reception between the user terminal device and the authenticator device, and the content data of the communication process is converted into an e-mail addressed to the user. The electronic mail information of the user is transferred to the user terminal device at a remote place, or the electronic mail is transmitted from the remote place with the mail address of the user. 4. The method of claim 1, wherein the user is configured to store the data W ₀ , W ₁ , M _{0 at the} user terminal.
Is generated and transmitted to the authenticator apparatus together with the authentication count initial value n = 1, thereby executing the initial registration procedure of step (a). 5. The method according to claim 4, wherein the authenticator device executes the program in which the user-side authentication procedure of the step (c) is described in the step (b) by a predetermined method for a specific communication unit. The communication unit is sent to the user terminal device, and in the step (c), the user terminal device executes the sent communication unit program to execute an authentication procedure. 6. The method according to claim 4, wherein the authenticator apparatus sets the initial registration procedure of the step (a) to a specific communication unit in advance of the step (a) in response to a user request. The communication unit of the program described in the above method is sent to the user terminal device, and in the step (a), the user terminal device executes the initial registration procedure by executing the communication unit program. 7. In the method according to claim 1, wherein (+) is an exclusive-OR and E is a one-way function, the step (a) is performed by the following procedure: V ₀ = E (A, S) _{W 0 = E (A, V} 0) V 1 = E (A, S (+) 1) W 1 = E (A, V 1) M 0 = E (W 1, V 0) in the data initial value W _0, W _1, to calculate the M _0, the above-mentioned step
(c) The following procedure _{V n-1 = E (A} , S (+) (n-1)) V n = E (A, S (+) n) V n + 1 = E (A, S ( +) (n + 1)) W _{n + 1} = E (A, V _{n + 1} ) M _n = E (W _{n + 1} , V _n ) and the authentication data V _n−1 , W _{n + 1} , calculates M _n, the step (d) of the data V _n-1 received from the user, data a that is registered, E and a _{W n (a, V n-} 1) and E (W _n, V _n-1 )
Are calculated, and it is determined whether or not they match the registered data W _n−1 and M _n−1 respectively. 8. The method according to claim 1, wherein said network includes an Internet to which said user terminal device is connected, and an intranet connected to said Internet, and said authenticator device is provided connected to said intranet. A relay server opened on the Internet is connected to the relay server, and transmission and reception are performed between the user and the relay server using a high-speed communication protocol. The transmission and reception are performed using an e-mail protocol between the terminals, whereby the exchange of authentication information between the user terminal device and the authentication device is performed via the relay server. 9. The method according to claim 8, wherein the user once disconnects the connection with the relay server after transmitting the data V _n−1 , W _{n + 1} , M _n in the step (c), When the authentication is completed in the step (e), the authenticator device transfers the information of the service requested by the user to the relay server and stores it therein, and the user establishes a connection with the relay server. Connect to the relay server again at an arbitrary time after a lapse of a predetermined time from the disconnection, perform authentication processing for verifying the validity of the user with respect to the service information with the relay server, and perform the service information To receive. 10. A user terminal device and a relay server are connected to the Internet, respectively, and an authenticator device is connected to an intranet connected to the Internet, and a connection between the user terminal device and the authenticator device is provided. In the case where information transmission / reception is performed via the relay server, in the system where the user terminal device and the relay server are performed using a high-speed communication protocol, and the relay server and the authenticator device are performed using an e-mail protocol. An information transmission / reception control method for performing an authentication process between the user and the authenticator, the method including the following steps: (a) From the identifier A of the user and the password S held secretly, Authentication data W ₀ , authentication data one after another
W ₁ , 3 of the validity verification data M ₀ of the above-mentioned successive authentication data W ₁
Is calculated and registered in the authenticator apparatus in association with the identifier A, and the initial value n = 1 of the number of authentications n is held in the authenticator apparatus and the relay server in association with the identifier A, respectively. , (B) If n is a positive integer, in the n-th authentication,
Upon receiving the service request and the identifier A from the user terminal device, the relay server reads the corresponding authentication count n and sends it to the user terminal device. (C) In the user terminal device, the user identifier A,
Using the transmitted authentication count n and the secretly held password S, the current authentication data V _n−1 , the next authentication data W _{n + 1} , and the next authentication data W _{n + 1} are valid. Calculate the sex verification data _Mn , if there is content data to be transmitted, send it to the authenticator device via the relay server together with the data, and then disconnect the connection with the relay server once, (d) In the authenticator apparatus, the user identifier A and the current authentication data V _n-1 transmitted in step (c) are sent.
The authentication data W _n-1 the current calculated from the, compared to the authentication data W _n-1 which is registered, and the next authentication data W _n being registered above this the authentication data V _n-1 The validity verification data M _n-1 calculated from the above is compared with the registered validity verification data M _n-1 . (E) If the result of the comparison in step (d) above matches, the authenticator In the device, the user is authorized, and the information of the service requested by the user is transferred to the relay server and stored there, or if there is content information to be transmitted, the device is authenticated by the authenticated user. The information is transmitted, and confirmation information indicating the completion of the transmission is transmitted to the relay server. (F) The authenticator further transmits the next authentication data received last time.
And W _n, registered this time the sent to have after next authentication data W _{n + 1,} and the validity verification data M _n of after next authentication data, data were last registered W _n-1, W _n, replace the M _n-1 And the number of authentications n
Is incremented, and as a result of the comparison in the above step (d),
If they do not match, the user is unjustified and rejects subsequent information transmission and reception, and keeps the previously registered W _n-1 , W _n , M _n and n as they are, and (g) the relay server sets the service information or the After receiving the transmission confirmation information, the number of authentications n is incremented. (H) The user reconnects to the relay server at an arbitrary time after a certain time has elapsed since the connection with the relay server was disconnected. Connect, perform authentication processing for verifying the validity of the user for the service information with the relay server, and receive the service information. 11. The method according to claim 9 or claim 10, wherein
_Assuming that (+) is an exclusive OR, E is a one-way function, and the identifier of the authenticator apparatus is A _M , in the step (a), the three data W ₀ , W ₁ , M ₀ in the following procedure V ₀ = E (A (+) A _M , S) W ₀ = E (A (+) A _M , V ₀ ) V ₁ = E (A (+) A _M , S (+ ) 1) W ₁ = E (A (+) _AM , V ₁ ) M ₀ = E (W ₁ , V ₀ ), and the user obtains the data V _n−1 , W in the _n-th authentication. _{n + 1,} M _n: a _{V n-1 = E (a} (+) a M, S (+) (n-1)) V n = E (a (+) a M, S (+) n) Vn _{+ 1} = E (A (+) _AM , S (+) (n + 1)) Wn _{+ 1} = E (A (+) _AM , Vn _{+ 1} ) _Mn = E ( W _{n + 1} , V _n ), and the authenticator apparatus performs the comparison processing by W
It carried out by verifying the coincidence of the _{n-1 = E (A (} +) A M, V n-1), the coincidence of _{M n-1 = E (W} n, V n-1). In the method of 12. The method of claim 11, authentication between said user and said relay server, and the authentication number and n ', the identifier of the relay server if the A _R, comprising the steps of: (a ') As an initial registration procedure, the user uses the one-way function E to obtain the next authentication data W ₀ , the next authentication data
W _1, and calculates the three after next authentication data W ₁ of the validity verification data M _0, to register with = 1 'the initial value n of the' authentication count n corresponding with the identifier A to the relay server, (b ') Next, assuming that n' is a positive integer, in the n'th authentication, the relay server receives a service request and a notification of the user identifier A from the user terminal device, and authenticates the user. (C ') In the user terminal device, the user identifier A, the transmitted authentication number n' and the password S held secretly are read out. By using this authentication data V
_n'-1 , the next authentication data W _{n '+ 1} , the next authentication data W
_{n '+ 1} for validity verification data M _n' calculates, (d ') above the relay server, the identifier A and the step of the user (c' current of the authentication data V which have been sent by)
_The current authentication data W _n′-1 calculated from _n′−1 is compared with the registered authentication data W _n′−1 , and the registered next authentication data W _{n ′} and the current authentication data W _{n ′} Authentication data V
_n'-1 Metropolitan validity verification data M _n'1 calculated from comparison with the validity verification data M _n'-1 that are registered, the result of the comparison of (e ') in step (d') , If matched,
Justifying the user, transmitting and receiving information of the service requested by the user, the next authentication data Wn _' received last time, and the next and next authentication data Wn _{' + 1} sent this time,
Then, the validity verification data _{Mn '} of the authentication data is replaced with the previously registered _Wn'-1 , _{Wn '} , _Mn'-1 and registered, and the number of authentications n 'is incremented. 13. The method according to claim 12, wherein said step (a ′) is performed after said next authentication data W ₀ ,
W _1, after next authentication data W ₁ of the validity verification data M ₀ the following equation _{V 0 = E (A (+} ) A R, S) W 0 = E (A (+) A R, V 0) V 1 = _{E (A (+) A R} , S (+) 1) W 1 = E (A (+) A R, V 1) calculated by _{M 0 = E (W 1,} V 0), the step (b ' ) _{Represents the} current authentication data V _n′−1 , the next authentication data W _{n ′ + 1} , and the validity verification data M _{n ′} of the next authentication data W _{n ′ + 1 in} the following equation: V _n′−1 = E _{(A (+) A R,} S (+) (n'-1)) V n '= E (A (+) A R, S (+) n') V n '+ 1 = E (A (+ ) A _R , S (+) (n '+ 1)) W _{n' + 1} = E (A (+) A _R , V _{n '+ 1} ) M _n' = E (W _{n '+ 1} , V _{n '} ), And the above step (d') is performed in this authentication data W
_n'-1 = E (A (+) A _R , V _n'-1 ) with the registered authentication data W
Next authentication data W _{n '} that is compared with and registered with _n'-1
When, the validity was calculated from the authentication data V _n'-1 Metropolitan of this verification data _{M n'- 1 = E (W n} ', V n'-1) the validity is registered verification data M Compare with _n'-1 . 14. A user terminal device, a service provider, and an authenticator device are connected to the Internet,
An information transmission / reception control method for a user to perform an authentication process with a verifier device when the user receives a service from a service provider over the Internet, and includes the following steps: (a) As an initial registration procedure, Account A of the above user
When, next time authentication data W from password S _0, after next authentication data W _1, the validity verification of the above after next authentication data W ₁ data M ₀
Is calculated and registered in correspondence with the account A together with the initial number of authentications n = 1 and the amount of money X. (b) The user inputs a service request signal for requesting a desired service from the service provider and the account A (C) the service provider transfers the received account A to the charging management center, and (d) the charging management center reads out the number of authentications n corresponding to the account A and sends it to the service provider. (e) The service provider sends the received authentication count n to the user terminal together with the Applet program for the authentication procedure. (f) The user sends the authentication data V according to the authentication procedure.
_n-1 , W _{n + 1} , M _n are calculated and sent to the service provider together with the account A, and (g) the service provider transmits the data V _n-1 , W _{n + 1} , M _n together with the data of the service provider. The account _AP and the amount x for the service are sent to the charging management center. (H) The authenticator confirms that the service amount x is equal to or less than the remaining amount X registered for the account A. Then, the received data V _n-1 and the registered next authentication data W _n are verified, and if both are correct, an authentication confirmation signal
OK is sent to the service provider, and the data W _n ,
Updated to W _{n + 1,} M _n, is incremented authentication count n, the balance X of the account A updated in Xx, updates the balance XP account A _P of the provider X _P + x, (i The service provider, upon receiving the confirmation signal OK, provides the specified service to the user. 15. An authenticator device for controlling information transmission / reception for authenticating a user on a network,
Including: If n is a positive integer, the next authentication data W
_n-1, after next authentication data W _n, the after next authentication data W validity verification data _n M _n-1 the identifier A together with the authentication number n
Registration data storage means registered at the time of the (n-1) th authentication in response to the service start request and notification of the user identifier A from the terminal device of the user in the nth authentication; Authentication number sending means for reading out the number of authentications n from the registered data storage means and notifying the user terminal apparatus; and the current authentication data V _n-1 sent from the user terminal apparatus, and the next and subsequent authentication data. W _{n + 1} , receiving means for receiving the validity verification data M _n of the second-time authentication data W _{n + 1} , and the current time calculated from the user identifier A and the received current data to be authenticated V _n-1 authentication data W _n-1, compared with the registration data storing unit is registered in the authentication data W _n-1, and the next authentication data W _n that is registered, the time of the authentication data V _n- Validity verification data calculated from ₁
The authentication means for comparing M _n-1 with the registered validity verification data M _n-1 , and as a result of the comparison by the authentication means, if they match, the user is justified and the next authentication registered The data W _n and the next received authentication data W _{n + 1} received this time
If, and the validity verification data M _n for after next authentication data received this time, the registration data is registered in the storage means data W _n-1, W _n, to register is replaced with M _n-1, the number of authentication times n
Means for updating the registration. The apparatus of claim 16 according to claim 15, the authentication means, the data V _n-1 received from the user, data A that is registered, one-way function and a W _n E (A, V _{n -1} ) and
E (W _n , V _n-1 ) is calculated and the data W
Means for determining whether each of the _values matches _n-1 and M _n-1 is included. 17. A user terminal device for performing information transmission / reception control for obtaining authentication from a certifier to a user on a network, including: an authentication count receiving means for receiving an authentication count n from the certifier device; Of the current authentication data V _n−1 , the next authentication data W _{n + 1} , the next authentication data W _{n + 1} Authentication data calculation means for calculating each of the validity verification data _Mn as authentication data, and authentication data transmission means for transmitting the authentication data to the authenticator apparatus. 18. The apparatus according to claim 17, wherein (+) is an exclusive-OR, said authentication data calculating means performs the following one _- way function V _n-1 = E (A, S (+) _{(n-1)) V n} = E (A, S (+) n) V n + 1 = E (A, S (+) (n + 1)) W n + 1 = E (A, V n + ₁ ) A means for calculating the authentication data V _n−1 , W _{n + 1} , M _n from M _n = E (W _{n + 1} , V _n ). 19. A recording medium which records an authentication procedure of a certifier for authenticating a user on a network,
The above authentication procedure includes the following: (a) If (+) is exclusive-ORed, the following one-way function V ₀ = E (A, S) W ₀ = using the user identifier A and the password S _{E (A, V 0) V} 1 = E (A, S (+) 1) W 1 = E (A, V 1) M 0 = E (W 1, V 0) by the data initial value W _0, W ₁ , M ₀ is calculated and registered. (B) When n is a positive integer, in the n-th authentication,
Upon receiving a service activation request and a notification of the identifier A of the user from the terminal device of the user, the number of authentications n of the user
Is read from the registration data storage means, and transmitted to the user terminal device. (C) The current authentication data V _n-1 transmitted from the user terminal device, the authentication data W _{n + 1} successively, and the like. after next authentication data W _{n + 1} of the received validity verification data M _n, (d) one-way function from the identifier a and said received time of the authentication data V _n-1 Metropolitan of the user W _n-1 = The current authentication data W _n-1 is calculated by E (A, V _n-1 ), compared with the authentication data W _n-1 registered in the registration data storage means, and the next authentication data registered W _n and the above data to be authenticated
V _n−1 and the one _- way function M _n−1 = E (W _n , V _{n− 1} ) to calculate the validity verification data M _n−1 , and the registered validity verification data M _n−1 compared, if (e) 2 one comparison result is matched simultaneously, the user as a legitimate, and next authentication data W _n being registered,
And after next authentication data W _{n + 1} received this time, and the data W _n-1 for the validity verification data M _n for after next authentication data W _{n + 1} received this time, are registered in the registration data storage means,
The registration is performed by replacing with W _n and M _n−1, and the number of authentications n is incremented. 20. A recording medium for recording a user-side procedure for obtaining authentication of a user from an authenticator on a network, the procedure including the following: (a) A service request and a user identifier A are stored in the authenticator. (B) When n is a positive integer, the number of authentications n is received from the authenticator, and (c) When (+) is an exclusive OR, the user identifier A is received. Using the number of authentications n and the password S held secretly, the current authentication data V _n−1 , the next authentication data W _{n + 1} , and the validity verification data M of the second authentication data W _{n + 1 Let n} be the following one _- way function: V _n-1 = E (A, S (+) (n-1)) V _n = E (A, S (+) n) V _{n + 1} = E (A, S (+) (n + 1)) W _{n + 1} = E (A, V _{n + 1} ) M _n = E (W _{n + 1} , V _n ), and transmits to the authenticator apparatus.