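WO2015182308A1 - Information processing terminal, information processing system, and information processing method - Google Patents

Information processing terminal, information processing system, and information processing method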

Info

Publication number
WO2015182308A1
WO2015182308A1 PCT/JP2015/062519 JP2015062519W WO2015182308A1 WO 2015182308 A1 WO2015182308 A1 WO 2015182308A1 JP 2015062519 W JP2015062519 W JP 2015062519W WO 2015182308 A1 WO2015182308 A1 WO 2015182308A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
information
unit
terminal
information processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2015/062519
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
正樹 若林
裕紀 山▲崎▼
福島 真一郎
宏行 檜垣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to an information processing terminal, an information processing system, and an information processing method.
  • Patent Document 1 describes two-factor authentication using PIN authentication and a one-time password. Security can be maintained by using two authentications. However, since both authentication methods are required every time, if troublesome input is required for authentication, security is maintained but convenience is not improved.
  • Patent Document 2 discloses an authentication technique using three elements: an information terminal, a personal information storage unit, and a personal information storage terminal. However, input for PIN authentication takes time.
  • The present invention provides a technique for improving convenience while maintaining the current security.
  • This application includes a plurality of means for solving the above problems.
  • One aspect of the present invention includes the following means.
  • a system having an input unit, an output unit, a storage unit, a processing unit, a communication unit that communicates with an information communication terminal, and an authentication device connection unit that connects an authentication device.
  • a terminal including an input unit, an output unit, a storage unit, a processing unit, a communication unit, and an authentication device connection unit can be used.
  • At least one of the storage unit and the processing unit may be disposed outside the terminal and connected to the input unit and the output unit via a wired or wireless network. In this way, since the input/output unit and the storage unit are physically separated, the safety of data is further improved. In other words, the terminal handles only input/output, and information processing and storage are handled by the server.
  • the system sends the first authentication information input to the input unit to the authentication device, and instructs the execution of the first authentication process using the first authentication information.
  • the authentication device is directly connected to the authentication device connection unit or connected wirelessly.
  • The authentication operation is performed in the authentication device or in an external server via the authentication device. Since the first authentication (PIN authentication) cannot be performed without using the authentication device, the authentication device plays the role of a key.
  • When the first authentication process succeeds in the authentication device, the first authentication information is stored in the storage unit. By caching the first authentication information, the user does not need to enter it manually again.
  • The second authentication information input from the input unit is used to instruct execution of the second authentication process by the processing unit.
  • The second authentication process is typically an authentication function (OS login authentication) provided in the OS (operating system) of the system. Double authentication improves safety.
  • the second authentication information is transmitted to the authentication device to instruct storage. By caching the second authentication information, the user does not need to manually input again.
  • the communication unit has communication means for communicating with the portable information terminal.
  • the third authentication information input to the input unit is stored in the storage unit.
  • the presence or absence of cooperation with a portable information terminal is determined using the third authentication information. For example, when it is determined that the authentication key input to the mobile information terminal is the same as the authentication key stored in the information processing terminal, the mobile information terminal is considered to have a function linked to the information processing terminal. With these configurations, it is possible to authenticate a portable information terminal that cooperates with the system.
  • The portable information terminal detects the state of wireless communication between the cooperating portable information terminal and the communication unit. Then, at least part of the operation of the system is restricted according to the state of wireless communication between the portable information terminal and the communication unit. For example, operation is restricted when it is detected that the communication is disconnected, the received signal strength is lower than a predetermined threshold, or the error rate is higher than a predetermined threshold.
  • A portable information terminal is often carried by a user. Therefore, in such a case, there is a high possibility that the cooperating portable information terminal has moved away from the system together with the user, and it is preferable to lock the system in the user's absence.
  • If the OS is equipped with a function for locking the system when there is no input for a predetermined time, safety is further improved.
  • the system safety is improved by using the cooperation function with the portable information terminal.
  • the scope of the present invention includes terminals, systems, methods and servers related to these inventions.
  • the storage and processing functions described above may be arranged in a terminal or in a server connected by a network.
  • the position where the storage unit and the processing unit are arranged does not affect the essence of the present invention.
  • the information processing system removes the restriction of operations for some parts. That is, in such a state, there is a high possibility that the user has returned to a place where the system can be accessed.
  • The first authentication information is acquired from the storage unit and the authentication device is instructed to perform the first authentication; if the first authentication succeeds, the second authentication is performed using the second authentication information acquired from the authentication device, and the system operation restriction is released. In this way, the user is saved the trouble of the authentication operation.
  • The above processing and functions may be arranged inside the information processing terminal, or arranged on a server connected to the information processing terminal via a network so that the information processing terminal handles only input/output.
  • FIG. 3 is a block diagram illustrating a configuration example of the information processing terminal 1.
  • FIG. 3 is a block diagram illustrating a configuration example of a semiconductor element 2.
  • the block diagram which shows the structural example of the portable information terminal 3.
  • FIG. 5 is a flowchart showing an example of a processing flow related to initial authentication information input in the information processing terminal 1; 4 is a flowchart showing an example of a processing flow regarding wireless connection determination in the information processing terminal 1.
  • 5 is a flowchart showing an example of a processing flow regarding an operation state change in the information processing terminal 1;
  • the flowchart which shows an example of the processing flow regarding the cooperation state setting in the portable information terminal.
  • the top view which shows an example of the screen at the time of lock / logoff in the information processing terminal.
  • FIG. 1 is a block diagram showing the overall system configuration of an embodiment of the present invention.
  • the state transition diagram which shows the state of each element of one Example of this invention.
  • the state transition diagram which shows the state of each element of one Example of this invention (continuation).
  • FIG. 12 shows the overall system configuration of this embodiment.
  • An example will be described in which, by establishing a wireless connection 4 between the information processing terminal 1 and the portable information terminal 3, manual input of PIN authentication and OS login authentication in the information processing terminal 1 is unnecessary.
  • the information processing terminal 1 may cooperate with the server 5 connected via the network 6 for various authentication processes or information storage.
  • FIG. 1 is a diagram illustrating a configuration example of an information processing terminal 1 (for example, a server or a personal computer).
  • the hardware of the information processing terminal 1 includes a storage unit 10, a communication unit 11, a control unit 12, an input unit 13, an output unit 14, and a portable storage medium connection unit (authentication device connection unit) 15.
  • The storage unit 10 and the control unit 12 are built in, but part or all of these may be arranged in a server (5 in FIG. 12) connected to the network (6 in FIG. 12) via the input/output unit.
  • the storage unit 10 is an information storage medium composed of a semiconductor memory, an HDD, or the like, and may be a fixed type that cannot be removed from the information processing terminal 1 or a removable type that can be removed. Alternatively, it may be arranged in the server 5 instead of in the information processing terminal 1.
  • This storage unit 10 can store PIN information 1001, OS authentication information 1002, an OS program 1003, a wireless communication setting parameter 1005, a reconnection trial time interval 1006, a reconnection upper limit count 1007, an authentication key 1008, a portable information terminal connection state 1009, an OS operation state 1011, and an encryption key 1012.
  • PIN information 1001 is secret information used for user authentication processing of the portable storage medium 2.
  • the OS authentication information 1002 is secret information such as an ID and a password for logging in to the OS of the information processing terminal 1.
  • the OS program 1003 is a basic program executed by the control unit 12 of the information processing terminal 1.
  • the wireless communication setting parameter 1005 is a communication parameter for wireless connection between the information processing terminal 1 and the portable information terminal 3.
  • the communication port number, communication method selection, encryption mode, and the like are applicable.
  • the reconnection trial time interval 1006 is a time interval for determining whether or not the wireless communication between the information processing terminal 1 and the portable information terminal 3 is disconnected.
  • the reconnection upper limit number 1007 is the maximum number of reconnection attempts when the wireless communication between the information processing terminal 1 and the portable information terminal 3 is disconnected, and connection attempts beyond this number are not performed.
  • the authentication key 1008 is secret information for identifying the portable information terminal 3 with which the information processing terminal 1 cooperates.
  • the portable information terminal connection state 1009 indicates a connection state of wireless communication between the information processing terminal 1 and the portable information terminal 3.
  • the state where the wireless communication setting between the information processing terminal 1 and the portable information terminal 3 is completed is set as the initial state.
  • The state in which the wireless connection has succeeded through pairing authentication from the initial state, and cooperation processing between the information processing terminal 1 and the portable information terminal 3 can be executed or is being executed, is defined as the connected state.
  • a state where wireless communication is disconnected from the connected state and communication is disabled is defined as a disconnected state.
  • the OS operation state 1011 indicates the operation state of the OS by the user of the information processing terminal 1. For example, a state where a normal OS operation is possible is set as an operable state. The operation state is temporarily stored, and the state in which the operation in progress can be returned to the operable state by inputting the ID or password is set as the locked state. The operation state is initialized, and a state that can be changed to an operable state by inputting an ID or password is defined as a logoff state.
  • the encryption key 1012 is an encryption key for protecting the PIN information 1001 to be transmitted and the OS authentication information 1002 to be acquired by encryption when instructing the portable storage medium 2 to perform PIN authentication.
  • the communication unit 11 transmits a connection request or an authentication request to another device.
  • an acceptance response or a rejection response to the connection request is transmitted.
  • a processing result response to the authentication request is transmitted.
  • a communication module compatible with Bluetooth (registered trademark) communication will be described as an example, but the communication method is not limited to this.
  • The control unit 12 includes a CPU and a memory that control the communication unit 11 and the input unit 13 described later, and peripheral devices thereof, and implements various functions by executing programs (described with reference to FIG. 11).
  • the input unit 13 has a function of receiving instructions from the user of the information processing terminal 1. For example, in addition to a keyboard and a mouse, a microphone that can input voice information used for user authentication, a sensor that can input biological information, and the like may be used.
  • the input unit 13 also includes buttons, switches, and the like for turning on / off the power.
  • the output unit 14 has a function of displaying and outputting audio and video to the user of the information processing terminal 1.
  • it includes a liquid crystal display for displaying video, a speaker for outputting sound, a vibrator for generating vibration, and the like.
  • The portable storage medium connection unit (authentication device connection unit) 15 is an interface that can connect an external storage medium or information device, and is configured by, for example, a USB jack. It can be connected to an external device connection unit 20 of a portable storage medium (authentication device) 2 described later. Direct insertion is not required; the information processing terminal 1 and the portable storage medium 2 may be connected wirelessly.
  • FIG. 11 is a diagram showing a functional configuration of software that operates on the information processing terminal 1.
  • The software includes authentication instruction means 100, PIN input means 101, PIN authentication instruction means 102, OS authentication instruction means 103, PIN cache storage means 104, wireless communication setting means 105, wireless communication connection means 106, pairing authentication means 107, the connection device determination unit 108, the wireless connection state monitoring unit 109, the operation state change unit 110, the PIN cache acquisition unit 111, the PIN cache deletion unit 112, and the OS authentication information storage unit 113.
  • the signal strength acquisition unit 114 can be omitted in the first embodiment and will be described in the second embodiment.
  • As the software configuration, a software program is acquired from the storage unit 10 via the input/output device 1203 and executed by the CPU 1201 and the memory 1202, for example. Further, instructions are given to components outside the control unit 12, such as the storage unit 10 and the portable storage medium connection unit 15, via the input/output device 1203 as necessary.
  • the authentication instruction unit 100 controls the PIN authentication instruction unit 101 that performs authentication using PIN information for the user. Further, it controls the OS authentication instruction means 103 that performs login authentication for transitioning the information processing terminal 1 to the operable state.
  • the PIN input unit 101 controls the user of the information processing terminal 1 so that the input unit 13 can input PIN information. While the user is inputting the PIN information, the control unit 12 may detect the user input and update an image displayed on the output unit 14 or output a sound.
  • The PIN authentication instruction unit 102 acquires the PIN information 1001 acquired by the PIN input unit 101 from the storage unit 10 and transmits it to the IC chip 21 via the external device connection unit 20 of the portable storage medium 2, instructing the portable storage medium 2 to authenticate.
  • the OS authentication instruction unit 103 instructs OS authentication when a response indicating that the authentication is successful is received from the portable storage medium 2 as a result of processing by the PIN authentication unit 102. That is, control is performed so that the user of the information processing terminal 1 can input the OS authentication information 1002 by the input unit 13.
  • When the OS authentication information 1002 is input, it is stored in the storage unit 10. Subsequently, the OS authentication information 1002 is passed to the OS running on the information processing terminal 1, and the execution of the OS login authentication process is instructed.
  • the PIN cache storage unit 104 stores the PIN information 1001 in the storage unit 10 when the OS authentication instruction unit 103 succeeds in authentication.
  • the wireless communication setting unit 105 performs basic settings for performing wireless communication between the information processing terminal 1 and a portable information terminal 3 described later. For example, the communication port is specified and the wireless communication parameter 1005 is set.
  • the wireless communication connection unit 106 transmits a connection request from the communication unit 11 of the information processing terminal 1 to the wireless communication unit 32 of the portable information terminal 3 in the wireless communication setting designated by the wireless communication unit 105.
  • the pairing authentication means 107 performs pairing processing for authenticating each other's devices when the information processing terminal 1 and the portable information terminal 3 start communication for the first time. For example, a search is performed from the information processing terminal 1 to surrounding wireless communication devices, the discovered portable information terminal 3 is displayed on the input unit 13, and the user selects a pairing target. Next, in the case where the passwords input via the input unit 13 of the information processing terminal 1 and the input unit 33 of the selected portable information terminal 3 match, control is performed so as to permit future connections.
  • the connected device determining unit 108 determines whether the portable information terminal 3 is selected to cooperate.
  • the wireless connection state monitoring unit 109 monitors the connection state of the communication unit 11 and determines the connection state and the disconnection state in wireless communication with the portable information terminal 3.
  • the operation state changing unit 110 instructs the OS of the information processing terminal 1 to lock or log off the operation state.
  • the PIN cache acquisition unit 111 has a function of reading the PIN information 1001 stored in the storage unit 10 and transmitting it to the portable storage medium 2.
  • the PIN cache erasure unit 112 has a function of erasing the PIN information 1001 stored in the storage unit 10.
  • the OS authentication information storage unit 113 has a function of storing the OS authentication information 1002 in the storage unit 10 when authentication is successful in the OS login authentication process. Further, when the verification is successful and the user can log in to the OS, the input OS authentication information is stored as the OS authentication information 2002 in the storage unit 211 of the portable storage medium 2.
  • FIG. 2 is a diagram illustrating a configuration example of the portable storage medium (authentication device) 2.
  • the portable storage medium 2 includes an external device connection unit 20, an IC chip 21, a control unit 210, a storage unit 211, a PIN authentication unit 220, an OS authentication information output unit 221, and an OS authentication information input unit 222.
  • This portable storage medium (authentication device) has an authentication function.
  • The control unit 210 and the storage unit 211 are built in, but all or part of these may be arranged in a server (5 in FIG. 12) connected to the network (6 in FIG. 12) via the external device connection unit 20.
  • the external device connection unit 20 is an interface through which devices can be connected from the outside.
  • An example is USB (Universal Serial Bus).
  • the external device connection unit 20 is connected to the portable storage medium connection unit 15 of the information processing terminal 1.
  • the IC chip 21 includes a storage unit 211 configured by a read-only memory or a rewritable memory, and a control unit 210 configured by a microprocessor or the like.
  • the microprocessor and the memory have a one-chip configuration, but they may be separate chips.
  • the storage unit 211 configured by the memory of the IC chip 21 can store the PIN information 2001, the OS authentication information 2002, and the number of times PIN can be entered 2003. It is desirable that the IC chip 21 has tamper resistance, and data is protected together with processing using the IC chip 21.
  • the PIN information 2001 is secret information for determining the user of the portable storage medium 2. For example, a PIN number or password is applicable.
  • the OS authentication information 2002 is secret information for the user to log in to the information processing terminal 1, and corresponds to, for example, an ID or a password.
  • The possible PIN input count 2003 is the upper limit on the number of mistakes allowed when the PIN information 2001 is collated with the PIN information input by the user. If collation of the PIN information fails consecutively beyond this count, the person entering the PIN information is not regarded as a legitimate user and the portable storage medium 2 can be locked.
  • the control unit 210 of the IC chip 21 includes a PIN authentication unit 220, an OS authentication information output unit 221, and an OS authentication information input unit 222.
  • these means are constituted by software that operates in the control unit 210 constituted by a microprocessor.
  • a hardware configuration may also be used.
  • the PIN authentication means 220 realizes an authentication function using the PIN information 2001 stored in the storage unit 211.
  • the OS authentication information output unit 221 can acquire the OS authentication information 2002 stored in the storage unit 211 and output it from the external output terminal 20 when the authentication process by the PIN authentication unit 220 is successful.
  • the OS authentication information input unit 222 can store the OS authentication information 2002 input via the external output terminal 20 in the storage unit 211.
  • FIG. 3 is a diagram illustrating a configuration example of the portable information terminal 3.
  • the portable information terminal 3 includes a control unit 30, a storage unit 31, a wireless communication unit 32, an input unit 33, an output unit 34, a cooperation state setting unit 300, a cooperation state display unit 301, and a signal strength acquisition unit 302.
  • the control unit 30 includes a CPU and a memory that control a wireless communication unit 32 and an input unit 33, which will be described later, and peripheral devices thereof, and implements various functions by executing programs.
  • The programs to be executed are a cooperation state setting unit 300, a cooperation state display unit 301, a signal strength acquisition unit 302, and a wireless communication connection unit 303.
  • the signal strength acquisition unit 302 can be omitted in the example of the first embodiment, and details will be described in the second embodiment.
  • the storage unit 31 is a storage medium composed of a semiconductor memory, an HDD, or the like, and may be a fixed type or a removable type.
  • the storage unit 31 can store a wireless communication setting 311, an authentication key 312, a connection state 313, and a signal strength 314.
  • the wireless communication unit 32 is a communication module that can wirelessly communicate with the communication unit 11 of the information processing terminal 1.
  • Bluetooth communication will be described as an example, but the present invention is not limited to this.
  • the input unit 33 is a device that receives an instruction from the user of the portable information terminal 3.
  • In addition to a keyboard, a mouse, and a touch panel, a microphone, a sensor, or the like may be used; the wireless communication setting 311 for the information processing terminal 1 and the authentication key 312 are input through it.
  • the output unit 34 is a device that displays and outputs characters, sounds, videos, and the like to the user of the portable information terminal 3.
  • it is composed of a liquid crystal display, a speaker, a vibrator, and the like, and displays a cooperation state and a connection state with the information processing terminal 1.
  • The cooperation state setting unit 300 acquires the state of wireless communication with the information processing terminal 1 from the wireless communication unit 32 and stores it in the storage unit 31 as the connection state 313.
  • the cooperation state display unit 301 reads the connection state 313 of the storage unit 31 and displays it on the output unit 34.
  • The wireless communication connection unit 303 uses the output unit 34 to prompt the user to enter, through the input unit 33, the wireless communication setting 311 and the authentication key 312 for establishing wireless communication between the communication unit 11 of the information processing terminal 1 and the wireless communication unit 32 of the portable information terminal 3. Thereafter, a connection with the information processing terminal 1 is attempted, and an instruction from the information processing terminal 1 is awaited.
  • FIG. 4 is a diagram showing an example of a processing flow related to initial authentication information input in the information processing terminal 1. The configuration of the information processing terminal 1 will be described with reference to the reference numerals in FIGS.
  • the power source of the information processing terminal 1 is set as a starting point (S401).
  • the user activates the information processing terminal 1 by the input unit 13.
  • The control unit 12 reads and executes the OS program 1003 stored in the storage unit 10 and displays a screen suggesting insertion of the portable storage medium 2 on the output unit 14 (S402).
  • the OS program 1003 will be described by taking Windows (registered trademark) of Microsoft Corporation as an example.
  • The authentication instruction unit 100 detects the insertion and displays a screen suggesting input of the PIN information on the output unit 14 (S403).
  • the PIN information is input by the user using the input unit 13 in accordance with the screen displayed on the output unit 14. While inputting, images and sounds may be output using the output unit 14, but this is not essential.
  • the PIN authentication instructing means 102 transmits the PIN information input using the control unit 12 to the portable storage medium 2 and instructs the comparison and collation.
  • the PIN authentication means 220 of the portable storage medium 2 compares the received PIN information with the PIN information 2001 stored in the storage unit 211, and returns the result to the information processing terminal 1 (S404).
  • The authentication instruction unit 100 controls the output unit 14 to display an error and reduces the number of possible PIN inputs 1004 in the storage unit 10, after which the process returns to S403 (S405). When the number of possible PIN inputs reaches zero, subsequent verification by PIN input is locked and cannot be used thereafter unless the lock is released by the administrator of the portable storage medium 2 or the like.
  • The PIN cache storage unit 104 stores the input PIN information in the storage unit 10 of the information processing terminal 1 (S406). Subsequently, the authentication unit 100 displays a screen suggesting an input for OS login authentication on the output unit 14 (S407).
  • When the OS login authentication information is input by the user via the input unit 13, or the OS authentication instruction unit 103 can acquire the OS authentication information 1002 from the storage unit 10, OS login authentication is instructed to the OS (S408). The OS performs verification processing using the input login information.
  • The OS authentication information storage unit 113 stores the input OS authentication information as the OS authentication information 2002 in the storage unit 211 of the portable storage medium 2, and the process proceeds to S410 (S409).
  • The control unit 12 of the information processing terminal 1 determines whether the information processing terminal 1 and the portable information terminal 3 are set in cooperation (S410). If No, the normal state is maintained (S411). If Yes, it is determined whether or not the cooperation function is activated (S412). If the cooperation function is not activated, it is activated (S413).
  • The wireless connection determination in the cooperation function will be described with reference to FIG. On the other hand, when collation fails as a result of OS login authentication, the process proceeds to S405, and the control unit 12 displays a screen that suggests login failure on the output unit 14.
  • FIG. 5 is a diagram illustrating an example of a processing flow relating to wireless connection determination in the information processing terminal 1.
  • The wireless communication setting unit 105 controls the output unit 14 to display a screen that suggests registration of a communication port or the like included in the wireless communication setting 1005 for communicating with the portable information terminal 3 (S501).
  • In addition to a communication port, the wireless communication setting unit 105 can set a reconnection trial time interval 1006, a reconnection upper limit count 1007, and the like as wireless communication setting parameters 1005.
  • Control is performed so as to display an error via the output unit 14 (S502).
  • The portable information terminal cooperation means 114 changes the portable information terminal connection state 1009 to the initial state (S503).
  • The wireless communication connection means 106 tries to connect to the portable information terminal 3 via the communication port (S504), and determines the trial result (S505).
  • If connection to the portable information terminal 3 fails, then after the time specified by the reconnection trial time interval 1006 of the storage unit 10 has elapsed, the process returns to S501 and tries again.
  • The connected device determination unit 108 receives a connection key input from the input unit 33 of the portable information terminal 3.
  • The storage unit of the information processing terminal 1 stores authentication keys 1008 for one or more portable information terminals. When there are a plurality of portable information terminals 3 linked to the information processing terminal 1, whether or not cooperation with the portable information terminal 3 is possible is determined by which of the stored authentication keys matches the connection key from the portable information terminal (S506).
  • The portable information terminal cooperation means 114 changes the portable information terminal connection state 1009 to the connected state (S507). On the other hand, if the connection key does not match, the process proceeds to S601.
  • After the connection state is established in S507, the wireless communication state monitoring means 109 notifies the OS that the wireless connection with the portable information terminal 3 has been successful, and the OS notifies the user of the connection establishment (S508).
  • The wireless communication state monitoring unit 109 determines whether the wireless connection with the portable information terminal 3 can be continued. At the same time, it determines whether or not the connection key matches the authentication key 1008 (S509).
  • The process returns to S509 to determine the connection state.
  • The connection state is determined by returning to S509 while the reconnection upper limit count 1007 is not exceeded (S510).
  • The portable information terminal cooperation means 114 changes the portable information terminal connection state 1009 between the information processing terminal 1 and the portable information terminal 3 to the unconnected state (S511).
  • The wireless communication state monitoring unit 109 notifies the OS that the wireless connection with the portable information terminal 3 has been disconnected, and proceeds to S601 (S512).
  • FIG. 6 is a diagram illustrating an example of a processing flow relating to an operation state change in the information processing terminal 1.
  • The assumption here is that, for example, after logging on to the information processing terminal 1, the user moves away from the information processing terminal 1 with the portable information terminal 3, so that the connection is broken.
  • The control unit 12 uses the operation state changing unit 110 to instruct that the OS operation state be locked or logged off, based on the portable information terminal connection state 1009 (S601).
  • The control unit 12 causes the output unit 14 to display a screen that suggests insertion of the portable storage medium 2 (S602).
  • When the user connects the portable storage medium 2 to the portable storage medium connection unit 15 of the information processing terminal 1, or the portable storage medium 2 remains connected, the PIN input means 101 controls the output unit 14 to display a screen that suggests input (S603).
  • The PIN input unit 101 maintains the state of S603. It is determined whether the user is inputting a PIN via the input unit 13 (S605).
  • The PIN cache acquisition unit 111 determines whether or not the PIN information 1001 exists in the storage unit 10. If it exists, the process proceeds to S607. If not, the process returns to S603 (S606).
  • The PIN authentication instruction unit 102 instructs the portable storage medium 2 to perform comparison and collation using the PIN information input in S605 or the PIN information 1001 acquired by the PIN cache acquisition unit 111. At this time, the PIN authentication instruction unit 102 selects the application to communicate with in the portable storage medium 2 and exchanges an encryption key for encrypting the communication contents. The PIN authentication instruction unit 102 thereby uses the encryption key to encrypt and protect the PIN information to be compared.
  • The PIN authentication means 220 of the portable storage medium 2 decrypts the PIN information received from the information processing terminal 1, compares it with the PIN information 2001 stored in the storage unit 211, and returns the result to the information processing terminal 1 (S607).
  • The authentication instruction unit 100 controls the output unit 14 to display an error and reduces the number of possible PIN inputs 1004 in the storage unit 10. The process then returns to S603 (S608).
  • The portable storage medium 2 is locked. Unless the administrator of the portable storage medium 2 releases the block, it cannot be used thereafter, which prevents unauthorized access. The block release process is not described here.
  • The OS authentication instruction unit 103 instructs the portable storage medium 2 to acquire OS authentication information.
  • The OS authentication information output unit 221 of the portable storage medium 2 reads and encrypts the OS login information 2002 in the storage unit 211 and transmits it to the information processing terminal 1. After the information processing terminal 1 decrypts the received OS login information 2002, the authentication instruction unit 100 passes the OS login information 2002 to the OS to instruct OS login authentication processing.
  • Based on the portable information terminal connection state 1009, an instruction is given to the operation state changing unit 110 to release the information processing terminal 1 from the locked state or the logoff state and make a transition to the operable state (S609). If the OS login information 2002 does not match, the process returns to S608 to display an error.
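The lock and automatic re-logon sequence of FIG. 6 and FIG. 14, modelled as a small state machine. This is an added example, not code from the patent; the class and method names, the sample PIN and OS secret, the three-attempt counter and the rule that the cached PIN is used only while the wireless link is connected are assumptions, and the encrypted channel to the portable storage medium is modelled as a direct call.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class PortableStorageMedium:
    """Portable storage medium 2: PIN information 2001 and OS login information 2002."""
    pin_2001: str
    os_login_2002: Optional[str] = None

    def verify_pin(self, pin: str) -> bool:
        return _same(pin, self.pin_2001)

    def read_os_login(self, pin: str) -> Optional[str]:
        # OS login information is released only after a successful PIN collation.
        return self.os_login_2002 if self.verify_pin(pin) else None


@dataclass
class Terminal:
    """Information processing terminal 1 (fields carry the page's reference numerals)."""
    os_secret: str                        # what the OS accepts at login (constructed)
    tries_left_1004: int = 3              # number of possible PIN inputs (assumed start)
    pin_cache_1001: Optional[str] = None  # cached PIN information
    link_connected_1009: bool = False     # portable information terminal connection state
    state: str = "logged_off"             # "operable", "locked" or "logged_off"

    def _collate_pin(self, medium: PortableStorageMedium, pin: str) -> bool:
        if self.tries_left_1004 == 0:     # locked until an administrator releases it
            return False
        if medium.verify_pin(pin):
            return True
        self.tries_left_1004 -= 1         # S405 / S608
        return False

    def initial_login(self, medium, pin: str, os_login: str) -> bool:
        """FIG. 4 / FIG. 13: PIN collation, OS login, then caching (1305 to 1308)."""
        if not self._collate_pin(medium, pin) or not _same(os_login, self.os_secret):
            return False
        self.pin_cache_1001 = pin         # 1306
        medium.os_login_2002 = os_login   # 1307, 1308
        self.state = "operable"
        return True

    def try_unlock(self, medium, typed_pin: Optional[str] = None) -> bool:
        """FIG. 6, S603 to S609. Assumption: the cached PIN is used only while linked."""
        if medium is None or self.state == "operable":
            return False
        pin = typed_pin                   # S605: manual input takes precedence
        if pin is None and self.link_connected_1009:
            pin = self.pin_cache_1001     # S606
        if pin is None or not self._collate_pin(medium, pin):   # S607 / S608
            return False
        os_login = medium.read_os_login(pin)
        if os_login is None or not _same(os_login, self.os_secret):
            return False
        self.state = "operable"           # S609
        return True

    def on_link_change(self, connected: bool, medium=None) -> str:
        self.link_connected_1009 = connected
        if not connected and self.state == "operable":
            self.state = "locked"         # S601 / 1401
        elif connected and self.state != "operable":
            self.try_unlock(medium)       # 1402 to 1407
        return self.state

    def log_off(self) -> None:
        self.state = "logged_off"
        self.pin_cache_1001 = None        # FIG. 14 (E): cache erased


def run_scenario():
    medium = PortableStorageMedium(pin_2001="4821")       # constructed values
    other = PortableStorageMedium(pin_2001="9999")        # a different medium
    pc = Terminal(os_secret="constructed-os-secret")
    out = [pc.initial_login(medium, "0000", "constructed-os-secret")]  # wrong PIN
    out.append(pc.initial_login(medium, "4821", "constructed-os-secret"))
    pc.on_link_change(True, medium)
    out.append(pc.on_link_change(False))                  # phone leaves
    out.append(pc.on_link_change(True, medium))           # phone returns
    pc.on_link_change(False)
    out.append(pc.on_link_change(True, other))            # stale cache vs. other medium
    pc.log_off()
    pc.on_link_change(False)
    out.append(pc.on_link_change(True, medium))           # cache erased: no auto logon
    out.append(pc.try_unlock(medium, typed_pin="4821"))   # manual PIN still works
    return out, pc.tries_left_1004


if __name__ == "__main__":
    print(run_scenario())
```

The step with the second medium shows a side effect worth checking in any design of this kind: an automatic attempt with a stale cached PIN consumes one of the remaining PIN attempts without the user typing anything.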
  • FIG. 7 is a diagram illustrating an example of a processing flow related to cooperation state setting in the portable information terminal 3. This will be described with reference to the reference numerals in FIG.
  • The power source of the portable information terminal 3 is OFF (S701).
  • The portable information terminal 3 is activated by pressing the power switch or remotely (S702).
  • The process returns to S703 and waits for an operation to be started via the input unit 33.
  • The cooperation state setting unit 300 determines whether or not the authentication key 312 is stored in the storage unit 31 (S704).
  • The process returns to S707 and waits for an operation to be started via the input unit 33.
  • When the cooperation status display unit 301 is operating, it is similarly determined whether or not the authentication key 312 is stored in the storage unit 31 (S708).
  • A screen that suggests input via the input unit 33 is displayed on the output unit 34, or an error screen indicating that it has not been input is displayed (S709).
  • The output unit 34 displays that it is in a disconnected state (S710).
  • The wireless communication connection unit 303 controls the wireless communication unit 32 and attempts connection with the communication unit 11 of the information processing terminal 1 (S711). At this time, Bluetooth communication requires pairing authentication in advance.
  • The cooperation status display means 301 displays, via the output unit 34, a pictogram icon indicating that communication with the information processing terminal 1 has been connected, and waits for communication from the information processing terminal 1 (S713).
  • When there is communication from the information processing terminal 1, the wireless communication connection unit 303 returns the authentication key 312 and also returns the signal strength 313 acquired by the signal strength acquisition unit 302, in order to cooperate with the information processing terminal 1. Thereafter, the process returns to either S712 or S713, and the determination of the connection state is continued (S714).
  • The cooperation status display unit 301 controls the output unit 34 to display a connection error and disconnection, and proceeds to S710 (S715).
  • FIG. 8 is a diagram showing an example of a screen at the time of lock / logoff in the information processing terminal 1.
  • The screen (a-1) is an example of a screen displayed via the output unit 14 when the portable storage medium (authentication device) 2 is not inserted in the portable storage medium connection unit 15 of the information processing terminal 1 and the information processing terminal 1 and the portable information terminal 3 are not linked.
  • The screen (a-2) is an example of a screen displayed via the output unit 14 when the portable storage medium (authentication device) 2 is not inserted in the portable storage medium connection unit 15 of the information processing terminal 1 and the PIN information 1001 is not stored in the storage unit 10.
  • The screen (a-3) is an example of a screen displayed via the output unit 14 when the portable storage medium (authentication device) 2 is not inserted in the portable storage medium connection unit 15 of the information processing terminal 1 and the PIN information 1001 is stored in the storage unit 10.
  • The screen (b-1) is an example of a screen displayed via the output unit 14 when the portable storage medium (authentication device) 2 is inserted in the portable storage medium connection unit 15 of the information processing terminal 1 but the information processing terminal 1 and the portable information terminal 3 are not linked.
  • FIG. 6 is an example of a screen displayed via the output unit 14 when not.
  • The screen (b-3) is an example of a screen displayed via the output unit 14 when the portable storage medium (authentication device) 2 is inserted in the portable storage medium connection unit 15 of the information processing terminal 1 and the PIN information 1001 is stored in the storage unit 10.
  • “automatic logon is possible” indicates that the user can log on automatically, without any input, in cooperation with the portable information terminal 3.
  • When the wireless connection state monitoring unit 109 detects a successful wireless communication connection with the portable information terminal 3, for example because the portable information terminal 3 is brought closer to the information processing terminal 1, logon is performed.
  • FIG. 9 is a diagram showing an example of a wireless communication setting screen with the portable information terminal 3 in the information processing terminal 1.
  • The input information is stored in the storage unit 10 as a wireless communication setting parameter 1005, an authentication key 1008, and the like as necessary.
  • The screen is configured with a check box for enabling the cooperation function with the portable information terminal 3, a COM port designation as a communication parameter, a text box for inputting an authentication key, a display of the current connection state, and the like.
  • The UI parts are not particularly limited to these.
  • The screen (a) shows a state in which cooperation with the portable information terminal 3 has not been started because the COM port is not specified and the authentication key is not input.
  • Screen (b) shows a state in which the COM port and the authentication key are correctly input and the portable information terminal 3 is normally linked. If the connection state changes, the user may be notified using a notification function such as a balloon provided by the OS instead of the display on the wireless communication setting screen.
  • FIG. 10 is a diagram illustrating an example of a wireless communication cooperation screen with the information processing terminal 1 in the portable information terminal 3.
  • Screen (a) shows a check box for selecting whether or not portable information terminal 3 can cooperate with information processing terminal 1, a text box for inputting an authentication key, and a method for notifying a user when a wireless connection with information processing terminal 1 is established.
  • The UI parts are not particularly limited to these.
  • The screen (b) is an example of an icon displayed via the output unit 34 of the portable information terminal 3 when display of the notification icon on establishment of the wireless connection is selected on the screen (a). Users are notified by displaying icons in the notification area and pictogram area.
  • FIG. 13 is a state transition diagram of the information processing terminal 1 and the like in the present embodiment described above.
  • The horizontal axis is the time axis.
  • (A) shows the operation of the information processing terminal 1.
  • (B) shows the operation of the portable storage medium 2.
  • (C) shows the operation of the portable information terminal 3.
  • When the user turns on the information processing apparatus 1 and connects the portable storage medium 2, the information processing apparatus 1 prompts the user to input the PIN information 1001 (1301).
  • The information processing apparatus 1 transfers the PIN information 1001 input by the user to the portable storage medium 2 and instructs authentication (1302).
  • The portable storage medium 2 performs authentication using the transferred PIN information 1001 (1303), and returns the authentication result to the information processing apparatus 1 (1304).
  • The information processing apparatus 1 prompts the user to input the OS authentication information 1002, and performs an authentication operation based on the input OS authentication information (1305).
  • The information processing apparatus 1 stores the PIN information 1001 in the storage unit 10 (1306).
  • The information processing apparatus 1 sends the OS authentication information 1002 to the portable storage medium 2 (1307).
  • When the portable storage medium 2 receives the OS authentication information 1002, it stores it in the storage unit 211 (1308).
  • (D) indicates whether the information processing terminal 1 is operable (high) or locked (low).
  • In the operable state the information processing terminal 1 can be operated, and in the locked state it is locked.
  • When the OS authentication is successful (1306), the state is changed to an operable state (login).
  • The mobile terminal 3 shifts to the locked state.
  • The information processing terminal 1 can be powered off or logged out according to a user instruction.
  • (E) shows the cache state of the PIN information 1001 in the storage unit 10 of the information processing terminal 1 and the cache state of the OS authentication information 1002 in the portable storage medium 2 (the cache start times differ slightly, but the difference can be ignored from the user's perspective). High means cached; low means not cached. In FIG. 13, the cache state continues after the OS authentication information 1002 is stored in the storage unit 211 of the information processing terminal 1. The cache state is released when the information processing terminal 1 is turned off or when an instruction is given by the user.
  • The cooperation between the information processing terminal 1 and the portable information terminal 3 will be described with reference to FIG. For convenience, it is assumed that the login state of the information processing terminal 1, the cache state of the PIN information, and the OS authentication information are continued. Further, it is assumed that the wireless communication setting parameter 1005 and the authentication key 1008 are already set in the storage unit 10 of the information processing terminal 1.
  • The information processing terminal 1 performs a search for peripheral wireless communication devices. This may be based on a user instruction or may be performed periodically without a user instruction. For example, the information processing terminal 1 transmits a beacon. The portable information terminal 3 that has received the beacon returns a response, so that the information processing terminal 1 and the portable information terminal 3 become physically able to communicate (1309).
  • (F) indicates the communication status: high when communication is possible and low when communication is not possible.
  • The information processing terminal 1 requests a connection key from the portable information terminal 3 (1310).
  • The portable information terminal 3 transmits the connection key input by the user to the information processing terminal 1 (1311). At this time, the connection key stored in the portable information terminal 3 may be transmitted automatically, but this is less secure.
  • The information processing terminal 1 that has received the connection key collates it with the authentication key 1008.
  • The cooperation function is activated (1312).
  • (G) indicates the cooperation state between the information processing terminal 1 and the portable information terminal 3. High is linked; low is not linked. The linked state (assuming that pairing has been completed) is canceled when the information processing terminal 1 or the portable information terminal 3 is turned off or an instruction is given by the user.
  • FIG. 14 is a state transition diagram of the information processing terminal 1, which is a continuation of FIG. (A) to (F) are the same as in FIG.
  • The portable information terminal 3 is separated from the information processing terminal 1, and the information processing terminal 1 and the portable information terminal 3 become physically unable to communicate with each other.
  • When the wireless connection state monitoring unit 109 of the information processing terminal 1 detects this state, the operation state changing unit 110 shifts the information processing terminal 1 to a locked state in which it cannot be operated (1401).
  • The conventional method, in which an OS function of the information processing terminal 1 uses a timer to detect that there has been no input for a predetermined time and then locks, may be used together.
  • The lock can be released by OS authentication using the OS function.
  • The wireless connection state monitoring unit 109 of the information processing terminal 1 detects this state (1402).
  • The PIN cache acquisition unit 111 reads the PIN information 1001 and sends it to the portable storage medium 2 (1403).
  • The portable storage medium 2 that has received the PIN information 1001 performs an authentication operation (1404). If the authentication is successful, the OS authentication information 2002 is transmitted to the information processing apparatus 1 (1405), and the information processing terminal 1 performs OS authentication (1406). If the authentication is successful, the operation state changing unit 110 changes the state to an operable state (1407).
  • When the user's operation is completed and the information processing terminal 1 is turned off, the connection between the information processing terminal 1 and the portable storage medium 2 is disconnected, the user gives an instruction, or a combination of these occurs (1408), the state transitions to logoff (D) and the cache is erased (E). The communication status becomes incapable of communication (F), and the linkage status is canceled (the pairing completion status is maintained) (G).
  • In addition to the two-factor authentication constituted by the combination of physical authentication by the conventional portable storage medium 2 and information authentication by PIN verification, a wireless connection established between the portable information terminal 3 and the information processing terminal 1 is used as the third factor.
  • When the wireless connection is started, it is established only if the authentication keys of the portable information terminal 3 and the information processing terminal 1 are collated and match.
  • The PIN information and OS login authentication information cached in the information processing terminal 1 can be used. Thereby, it is possible to log in to the information processing terminal 1 without having to input PIN information and OS login authentication information. Therefore, convenience can be improved while maintaining the security of the conventional two-factor authentication.
  • A description will be given by taking an example in which the wireless connection between the information processing terminal 1 and the portable information terminal 3 is established and the signal strength is used to adjust the timing at which manual input for PIN authentication and OS login authentication in the information processing terminal 1 is not required.
  • In addition to the configuration described in the first embodiment, the signal strength acquisition means 114 (FIG. 11) is added to the information processing terminal 1, or the signal strength acquisition means 302 (FIG. 3) is added to the portable information terminal 3.
  • The signal strength acquisition unit 114 acquires the signal strength in wireless communication between the information processing terminal 1 and the portable information terminal 3 from the communication unit 11 in order to determine whether the wireless connection is continued.
  • The signal strength acquisition unit 302 of the portable information terminal 3 acquires the signal strength on its behalf and transmits it to the information processing terminal 1.
  • The information processing terminal 1 may determine the distance to and the connection state with the portable information terminal 3.
  • The information processing terminal 1 and the portable information terminal 3 set a low threshold for determining a change from the connected state to the disconnected state in S509 illustrated in FIG. Communication is not disconnected unless the portable information terminal 3 is far from the information processing terminal 1. If this threshold is set high, the connection is judged to be disconnected when the portable information terminal 3 moves only slightly away from the information processing terminal 1 or the communication state becomes slightly unstable. The OS is then frequently put into the locked state and an authentication process is required each time, so convenience is reduced.
  • The threshold value for determining the change from the disconnected state to the connected state is set higher than the above-described threshold value. As a result, communication is not resumed unless the portable information terminal 3 is close to the information processing terminal 1. If this threshold is set low, the operating state of the OS is released from the locked state and becomes operable even when the user with the portable information terminal 3 is far away. Until the user comes close to the information processing terminal 1, the risk of operation by an unauthorized user increases, and security concerns remain.
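The two-threshold (hysteresis) rule described above, run over a signal-strength trace and compared with a single threshold. This is an added example, not part of the patent; the dBm values, the thresholds, the "far" cut-off and the function names are constructed for illustration.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed RSSI trace in dBm: user at the desk with some jitter,
# walks away, then walks back to the terminal.
TRACE = [-55, -62, -71, -68, -73, -69, -72, -80, -88,
         -95, -93, -86, -78, -72, -66, -58, -54]


def simulate(rssi_dbm: Sequence[int], drop_below: int, join_at: int,
             connected: bool = False) -> List[bool]:
    """Return the connected state after each sample.

    drop_below: threshold for connected -> disconnected (terminal is locked).
    join_at:    threshold for disconnected -> connected (automatic logon).
    The page requires join_at to be higher than drop_below; equal values
    are allowed here only to model the single-threshold case.
    """
    if join_at < drop_below:
        raise ValueError("join_at must not be lower than drop_below")
    states = []
    for rssi in rssi_dbm:
        if connected and rssi < drop_below:
            connected = False
        elif not connected and rssi >= join_at:
            connected = True
        states.append(connected)
    return states


def lock_count(states: Sequence[bool]) -> int:
    """Number of connected -> disconnected transitions, i.e. forced locks."""
    return sum(1 for prev, cur in zip(states, states[1:]) if prev and not cur)


def operable_while_far(rssi_dbm: Sequence[int], states: Sequence[bool],
                       far_below: int) -> int:
    """Samples during which the terminal is operable although the phone is far."""
    return sum(1 for r, s in zip(rssi_dbm, states) if s and r < far_below)


def compare(trace: Sequence[int] = TRACE,
            far_below: int = -75) -> Dict[str, Tuple[int, int]]:
    """(locks, operable-while-far samples) for three threshold settings."""
    configs = {
        "single_high": (-70, -70),   # locks on every small dip (convenience loss)
        "single_low": (-85, -85),    # unlocks again while the user is still far
        "hysteresis": (-85, -60),    # low drop threshold, higher join threshold
    }
    result = {}
    for name, (drop_below, join_at) in configs.items():
        states = simulate(trace, drop_below, join_at)
        result[name] = (lock_count(states),
                        operable_while_far(trace, states, far_below))
    return result


if __name__ == "__main__":
    for name, (locks, exposed) in compare().items():
        print(f"{name:12s} locks={locks} operable_while_far={exposed}")
```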
  • The present invention is not limited to the above-described embodiment, and includes various modifications.
  • A part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment.
  • The present invention can be used in technical fields such as an information processing terminal, an information processing system, and an information processing method.
  • Memory unit
  • 220 PIN authentication method
  • 221 OS authentication information output means
  • 3 Mobile information terminal
  • 30 Control unit
  • 31 Memory part
  • 32 Wireless communication part
  • 33 Input section
  • 34 Output section
  • 300 Link status setting method
  • 301 Link status display means
  • 302 Signal strength acquisition means
  • 303 Wireless communication connection means

PCT/JP2015/062519 2014-05-28 2015-04-24 Information processing terminal, information processing system, and information processing method Ceased WO2015182308A1 (ja)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014110468A JP6114716B2 (ja) 2014-05-28 2014-05-28 Information processing terminal, information processing system, and information processing method
JP2014-110468 2014-05-28

Publications (1)

Publication Number Publication Date
WO2015182308A1 true WO2015182308A1 (ja) 2015-12-03

Family

ID=54698649

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/062519 Ceased WO2015182308A1 (ja) 2014-05-28 2015-04-24 Information processing terminal, information processing system, and information processing method

Country Status (2)

Country Link
JP (1) JP6114716B2 (enExample)
WO (1) WO2015182308A1 (enExample)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070918A (zh) * 2017-04-14 2017-08-18 天地融科技股份有限公司 Network application login method and system
CN119853970A (zh) * 2024-12-17 2025-04-18 建信金融科技有限责任公司 Dual security authentication method, apparatus and electronic device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6207651B2 (ja) * 2016-03-30 2017-10-04 キヤノン株式会社 Information processing apparatus, control method therefor, and program
KR102609470B1 (ko) * 2021-11-22 2023-12-04 주식회사 케이티앤지 Method and apparatus for releasing a lock according to user input

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
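JP2006235731A (ja) * 2005-02-22 2006-09-07 Ricoh Co Ltd Authentication system
JP2009510644A (ja) * 2005-10-03 2009-03-12 エンキャップ アー エス Method and arrangement for secure authentication
JP2011128771A (ja) * 2009-12-16 2011-06-30 Konica Minolta Business Technologies Inc Information processing apparatus, information processing method, and information processing program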
US20120272307A1 (en) * 2005-11-16 2012-10-25 Broadcom Corporation Multi-Factor Authentication Using A Smartcard

Also Published As

Publication number Publication date
JP6114716B2 (ja) 2017-04-12
JP2015225539A (ja) 2015-12-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15798784

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15798784

Country of ref document: EP

Kind code of ref document: A1