WO2016039309A1 - Authentication system, reminder terminal, and information recording medium - Google Patents
- Publication number: WO2016039309A1 (PCT application PCT/JP2015/075391)
- Authority: WO, WIPO (PCT)
- Prior art keywords: user, resource server, password, character string, terminal
Classifications
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/36—User authentication by graphic or iconic representation
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/12—Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
Definitions
- The present invention relates to an authentication system suitable for managing, at a reminder terminal, the password used to decide whether a request to use a resource of a resource server is acceptable; to the reminder terminal; and to a program that causes a computer to function as the reminder terminal.
- The present invention also relates to a non-transitory computer-readable information recording medium on which such a program is recorded.
- A system in which the user enters a password is used to decide whether a resource provided by a resource server may be used.
- The resources provided can take many forms, such as sending and receiving files, mail, news, viewing still images, moving images and music, and using various applications.
- To make this decision, the resource server stores either the password itself or a string obtained by randomizing the password with a one-way hash function.
- A method is also used in which a per-user string called a salt is added to the password before the hash function is applied.
- In that case the server confirms that the password matches, and authenticates the user, by comparing the hash of the password the user entered with the hash stored on the resource server, rather than comparing the password strings themselves.
- Resource servers differ in configuration and settings, and their security differs accordingly. A resource server may therefore be attacked, security information may leak from employees, information may leak through the user's carelessness, and passwords may be leaked.
- In the prior art, a password for each resource server is obtained when the user enters a single master password or key on a reminder device that manages passwords.
- An object of the present invention is to solve the problem described above by providing an authentication system suitable for managing, at the reminder terminal, the password that determines whether a request to use a resource of a resource server is acceptable, together with the reminder terminal itself.
- Another object of the present invention is to provide a non-transitory computer-readable information recording medium that records a program that causes a computer to function as the reminder terminal.
- An authentication system includes a reminder terminal, a resource server, a management server, and an access terminal, where (A)
- the reminder terminal includes a table generation unit that generates a table storing a randomly generated character string in each element and lets the user view the generated table; (1) the user extracts elements from the viewed table in the selection order assigned to the user in advance and arranges the character strings stored in the extracted elements to obtain a registration string; (2) a password registration unit prompts the resource server to register the obtained registration string, as an update or as a new registration, as the password for the user's user name;
- a storage unit stores the viewed table in association with the combination of a resource server name and the user's user name on that resource server; when the combination is selected according to an instruction from the user, the table stored in association with the combination is presented to the user, (a) the user extracts elements from the presented table in the selection order assigned in advance and arranges the character strings stored in the extracted elements to obtain an authentication string, and (b) a presentation unit prompts the user to adopt the obtained authentication
- The reminder terminal of the present invention is one that satisfies requirement (A) of the authentication system. Because this reminder terminal sends to other devices a report indicating the combination of resource server name and user name associated with the table presented on the user's selection, that combination can be referred to at the time of authentication.
- This reminder terminal can be used as a security token, for example.
- According to the present invention, an authentication system suitable for managing at a reminder terminal the password for a request to use a resource of a resource server, the reminder terminal, and a non-transitory computer-readable information recording medium recording a program that causes a computer to function as the reminder terminal can be provided.
- FIG. 1 is an explanatory diagram showing an overview of an authentication system according to an embodiment of the present invention. The following description refers to FIG. 1.
- the authentication system 101 includes a reminder terminal 121, an access terminal 141, a resource server 161, and a management server 181.
- a management server 181 is prepared for a plurality of resource servers 161.
- Each resource server 161 may also be configured to perform the function of the management server 181 itself, in which case the separate management server 181 may be omitted.
- These devices can communicate with one another via a computer communication network 191 such as the Internet, a mobile phone network, or a wireless LAN (Local Area Network) such as Wi-Fi (Wireless Fidelity).
- A dedicated line can also be used between the resource server 161 and the management server 181, and the communication can be encrypted in various ways.
- The reminder terminal 121 presents to the user the password for using the resources of each resource server 161 in a form that only the user can read, that is, a form in which a third party who merely sees the display does not immediately obtain the password.
- As the reminder terminal 121, various mobile terminals such as a mobile phone, a smartphone, a tablet, a PDA (Personal Data Assistant), or a wearable terminal can be used.
- The access terminal 141 is the terminal with which the user uses the resources of the resource server 161.
- To use a resource of the resource server 161, the user accesses the resource server 161 from a browser running on the access terminal 141.
- As the access terminal 141, various stationary computers and terminal emulators such as an X terminal can be used.
- The same device as the reminder terminal 121 may also serve as the access terminal 141.
- The resource server 161 provides the user with a service for using resources.
- The resource server 161 receives from the access terminal 141 the password the user entered there, authenticates whether the user is authorized, and on that basis decides whether the user may use the resource.
- For this authentication the user name entered at the access terminal 141 can be used, but identification information of the access terminal 141 itself (for example, its MAC (Media Access Control) address used for communication, its CPU (Central Processing Unit), or the session ID in a cookie stored in advance on the access terminal 141) can be used instead of the user name.
- the resource server 161 is assigned a resource server name.
- The resource server name is expressed by a server ID (IDentifier) of the computer functioning as the resource server 161, for example a host name, an IP (Internet Protocol) address, a domain name, or the URL (Universal Resource Locator) that serves as the entry point for providing the resource.
- The management server 181 makes the usage status of the reminder terminal 121 available for reference in the authentication performed by the resource server 161.
- The reminder terminal 121 generates a table with a random character string in each element and stores it in association with the combination of each resource server 161's server name and the user name the user uses on that resource server 161.
- The table is generated by the reminder terminal 121 when the user registers a new account on a resource server 161 or updates the password of an existing account there, and the reminder terminal 121 displays the generated table for the user to view. When the user later tries to use a resource of that resource server 161 (tries to log in or sign in), the reminder terminal 121 presents the stored table that corresponds to the combination of resource server name and user name selected by the user.
- In the basic mode the table is managed only on the reminder terminal 121, and its contents are not disclosed to any resource server 161 or to the management server 181. The table may be backed up to a resource server 161 or to the management server 181; in that case it is desirable to encrypt the table appropriately before backing it up.
- The user decides on one selection order for himself or herself. This single selection order is used for all combinations managed by the reminder terminal 121.
- In the basic mode, the selection order itself is likewise not disclosed to the resource server 161 or the management server 181.
- When the user intends to register with a certain resource server 161 under a certain user name, the combination of that resource server 161's server name and the user name is entered into the reminder terminal 121. The reminder terminal 121 then generates a table and displays it for the user to view.
- The user extracts elements from the viewed table in the selection order he or she decided on and arranges the character strings stored in the extracted elements in that order.
- The resulting character string becomes the registration password entered when registering with the resource server.
- The user accesses the resource server 161 from the access terminal 141, enters the user name and the registration password obtained by viewing the reminder terminal 121, and registers a new account.
- When the user later selects the combination of resource server name and user name, the reminder terminal 121 presents the table stored in association with that combination.
- The user extracts the elements from the presented table in his or her selection order and arranges the stored character strings in that order, obtaining the authentication string.
- The user accesses the login form of the resource server 161 via the access terminal 141, enters the user name and the authentication string as the password, and requests the resource server 161 to log in.
- The resource server 161 determines whether the combination of user name and password in the request is valid. Ordinary password authentication techniques can be used for this determination.
- The reminder terminal 121 has the feature that, when the table associated with a combination is presented to the user, it reports that fact to an external device.
- The external device thus learns that the owner of the reminder terminal 121 is attempting to log in to the resource server 161 named in the combination, with the user name in the combination.
- the reminder terminal 121 can be used as a security token.
- On receiving a report, the management server 181 sets a validity period, including the time the report was received, for the combination of resource server name and user name in the report.
- This validity period is very short, for example from the moment the report is received until 5 minutes later.
- When the resource server 161 that received the login request from the access terminal 141 determines that the user name and password in the request are valid, it sends the management server 181 a query specifying its own resource server name and the user name attempting to log in.
- The management server 181 then determines whether the permission condition is satisfied.
- The permission condition is “the query was received by the management server 181 within the validity period set for the combination of resource server name and user name specified in the query”.
- The permission condition being satisfied means that, when the user issued the request to the resource server 161, the table for that resource server 161 was being viewed on the reminder terminal 121. The management server 181 sends the resource server 161 a response stating whether the permission condition is satisfied.
- The resource server 161 decides whether the resource requested at login may be used based on the response received from the management server 181. That is, the resource server 161 permits use of the resource only when the user name and password are valid and the table in which the password is embedded in scattered form was displayed on the reminder terminal 121. In this aspect, therefore, the reminder terminal 121 can be used as a security token.
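As an added illustration (not code from the patent), the following Python sketch models the validity window the management server opens on a report and the resource server's two-step decision. The server name, user name and password are the page's example values; the timestamps, the user "alice" and her password are constructed; the PBKDF2 salted hash is this example's choice of one-way hash.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# "a period from when the report is received to 5 minutes after" (the patent)
VALIDITY = timedelta(minutes=5)


class ManagementServer:
    """Keeps, per (resource server name, user name), the end of the validity
    period opened by the reminder terminal's report. `now` may be any type
    that supports + validity and <= (datetime here, plain seconds in tests)."""

    def __init__(self, validity=VALIDITY):
        self.validity = validity
        self._valid_until = {}

    def receive_report(self, server_name, user_name, now):
        # Called when the reminder terminal presents the table for this combination.
        self._valid_until[(server_name, user_name)] = now + self.validity

    def query(self, server_name, user_name, now):
        # Permission condition: the query arrives within the validity period
        # (the end instant itself still counts).
        until = self._valid_until.get((server_name, user_name))
        return until is not None and now <= until


class ResourceServer:
    """Stores salted one-way password hashes (PBKDF2-HMAC-SHA256 is this
    example's choice; the page only says 'hash with a salt') and, once the
    password checks out, asks the management server about the reminder terminal."""

    def __init__(self, name, management):
        self.name = name
        self.management = management
        self._accounts = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user_name, password):
        salt = os.urandom(16)
        self._accounts[user_name] = (salt, self._digest(salt, password))

    def _password_valid(self, user_name, password):
        record = self._accounts.get(user_name)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(salt, password))

    def login(self, user_name, password, now):
        # Step 1: ordinary password authentication.
        if not self._password_valid(user_name, password):
            return "denied: bad credentials"
        # Step 2: query the management server with our own server name and the
        # user name; a correct password alone is not enough.
        if not self.management.query(self.name, user_name, now):
            return "denied: table not presented on reminder terminal"
        return "allowed"


def scenario():
    """Walk the flow with the page's example values and constructed timestamps:
    a login shortly after the report, a wrong password, a login after the
    window has closed, and a correct password for which no report was made
    (the situation of a password leaked from the resource server)."""
    mgmt = ManagementServer()
    server = ResourceServer("xxx.yyy.com", mgmt)
    server.register("john2014", "titagowa#X5")
    server.register("alice", "constructed-example-password")
    t0 = datetime(2015, 9, 1, 12, 0, 0)
    # The reminder terminal showed john2014's table for xxx.yyy.com and reported it.
    mgmt.receive_report("xxx.yyy.com", "john2014", t0)
    return {
        "within_window": server.login("john2014", "titagowa#X5", t0 + timedelta(minutes=2)),
        "wrong_password": server.login("john2014", "titagowa", t0 + timedelta(minutes=2)),
        "after_window": server.login("john2014", "titagowa#X5", t0 + timedelta(minutes=6)),
        "no_report": server.login("alice", "constructed-example-password", t0),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

Note that, as the page describes it, the window is a time period rather than a single-use ticket: every query for the same combination within the 5 minutes succeeds.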
- It is desirable to register in advance in the management server 181 the device information of the reminder terminal 121 and the personal information of the user who uses it. If it is ensured that the personal information of the user associated with the reminder terminal 121 is managed by the management server 181, there is no need to hand the user's personal information to the resource server 161 when registering a new account there. In other words, the system can be operated such that personal information is managed by the management server 181 and is not disclosed by the management server 181 to the resource server 161 unless some kind of incident occurs at the resource server 161. This operation helps protect privacy and makes users more likely to register.
- The user can thus use random, non-duplicated passwords across the plurality of resource servers 161.
- It is also possible to adopt a mode in which a plug-in program running in the browser of the access terminal 141 receives the report from a reminder terminal 121 that is judged, from the state of wireless or wired communication, to be in the vicinity of the access terminal 141. This mode can also be applied to a configuration in which the management server 181 is omitted, that is, in which the resource server 161 decides whether to accept a request based only on the user name and password. That form is described later.
- FIG. 2 is an explanatory diagram showing an outline of the reminder terminal according to the embodiment of the present invention. The following description refers to FIG. 2.
- The reminder terminal 121 includes a storage unit 201 and a presentation unit 202. As optional elements it may further include a transmission unit 203, a table generation unit 204, a password registration unit 205, a table registration unit 206, a reception unit 207, a rule generation unit 208, and an all-update unit 209. The function of an omitted element can be taken over by the management server 181 if the restrictions on sharing the table are relaxed.
- The storage unit 201 stores a table in association with the combination of the resource server name of a resource server 161 and the user name used to access that resource server 161.
- Each element of each table stores randomly generated information (characters, numbers, symbols, figures, sequences of these, and so on).
- Each table can be provided with an additional element in its margin.
- The additional element may store randomly generated information, may be set by the user at first registration, or may be omitted.
- The presentation unit 202 displays the table stored in the storage unit 201 on the screen of the reminder terminal 121 according to the user's selection.
- For the highest security, the table is preferably stored only on the reminder terminal 121 and not shared with the resource server 161 or the management server 181 at all. If the table stored on the reminder terminal 121 is nevertheless to be backed up to the resource server 161 or the management server 181, it is encrypted appropriately, so that the resource server 161 or the management server 181 cannot obtain the table from the backup unless the user explicitly grants permission and provides the encryption key or the like needed for restoration.
- Alternatively, the reminder terminal 121 and the management server 181 may cooperate to perform operations such as updating.
- FIG. 3A is an explanatory diagram showing a state in which a table is displayed on the reminder terminal according to the embodiment of the present invention.
- FIG. 3B is an explanatory diagram showing a state in which a table is displayed on the reminder terminal according to the embodiment of the present invention.
- The table 301, stored in the storage unit 201 in association with the combination of each resource server 161's server name and the user name used there, consists of elements arranged in a predetermined number of rows and columns, and as described above each element stores a character string randomly generated by the reminder terminal 121.
- In these figures, a server ID 303 representing the resource server 161 (“xxx.yyy.com”, standing for the IP address or URL of the resource server 161, is illustrated), a user name 304 used when the user accesses the resource server 161 (“john2014” is illustrated), and an optional additional element 305 appear on the screen together with the table 301.
- These pieces of information are stored in the storage unit 201 in association with one another.
- In the following, a combination of resource server name and user name is represented, where appropriate, by the resource server name or server ID alone.
- In these figures, the table 301 has 5 rows and 5 columns.
- In one of the figures, each element of the table 301 stores two randomly generated lowercase letters.
- In the other, each element of the table 301 stores one randomly generated hiragana character together with its Roman spelling in lowercase letters; the display of the Roman spelling can be omitted.
- a selection order for selecting each element in the table 301 is used instead of the master password in the prior art.
- FIG. 4 is an explanatory diagram illustrating an example of the selection order according to the embodiment of the present invention. The following description refers to FIG. 4.
- A selection order that picks four elements so as to trace a check mark is shown by the thick black arrow at the lower right of the table 301.
- Specifically, four elements are extracted in order: the element at row 4, column 2; row 5, column 3; row 4, column 4; and row 3, column 5.
- How many elements are extracted, and in what order, can be changed as appropriate according to the required security level, the user's proficiency, and so on.
- Each element of the table 301 in this example stores a lowercase string.
- Some resource servers 161, however, prohibit passwords consisting only of lowercase letters.
- The additional element 305 deals with such restrictions on the character types usable in a password. For example, a resource server 161 whose policy requires uppercase letters, lowercase letters, numbers and symbols can be accommodated by placing uppercase letters, numbers and symbols in the additional element 305. As noted above, the additional element 305 may also be left unused.
- When the elements are extracted in this selection order from the table whose elements hold hiragana characters, the password becomes “ちたごわ”.
- This character string can be entered as the password as it is.
- Alternatively, the password “titagowa” is obtained by arranging the Roman spellings shown alongside each element.
- When the additional element 305 (here “#X5”) is appended, the password is “titagowa#X5”.
- each element of the table 301 is not limited to a lowercase character string, and arbitrary information such as uppercase letters, lowercase letters, numbers, symbols, and the like can be used.
- guide characters are assigned to the positions of the respective elements so as to be common to all the tables 301 managed by the reminder terminal 121.
- the guide character can be omitted.
- the guide character is displayed in small capital letters in the upper right corner of each element.
- the guide character may be displayed whenever the table 301 is displayed, or may be displayed based on a user instruction. For example, when the user gives an instruction by shaking the reminder terminal 121 or the like, the guide character is displayed for several seconds to several tens of seconds.
- The guide string formed by arranging the guide characters of the positions in the user's selection order is a string that is reasonably easy to memorize.
- In another aspect, the reminder terminal 121 presents a blank table to the user and has the user select elements in his or her chosen selection order. The reminder terminal 121 then selects from a dictionary, or lets the user choose, a word whose length equals the number of selected elements, and assigns the characters of that word in order to the elements extracted in the selection order. All other elements may be assigned other characters randomly and without duplication.
- It is desirable that the password differ for each resource server and be a string not found in any dictionary, but it is difficult for a user to remember many such passwords. Therefore, as described above, in this aspect the user memorizes only his or her selection order.
- The user views the table, extracts the elements in the selection order assigned to him or her, arranges the contents of the extracted elements, and appends the additional element 305 as appropriate to obtain the password. Because every element of the table 301 is random, the resulting password is a random string, which is preferable for security.
- In other words, the password for each resource server 161 is split and stored in the elements of the table 301 that the user's selection order picks out and, where necessary, in the additional element 305.
- The reminder terminal 121 thus stores random secret information mixed in with other random dummy information, so the password cannot be stolen merely by copying the table 301 displayed on the screen of the reminder terminal 121. Random passwords can therefore be managed safely.
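The table mechanics described above, as an added Python example that is not part of the patent: random table generation, extraction of the password along the FIG. 4 check-mark order with the optional additional element, and the memorable-word variant in which only the selected elements spell a word and all other elements are filled without duplicates. The guide-character labelling ('a'..'y' in row-major order) and the candidate count are assumptions of this example.

```python
import random
import string

# Selection order of FIG. 4: four elements traced as a check mark, as 1-based
# (row, column) pairs. It is the only secret the user has to memorize.
CHECK_MARK_ORDER = [(4, 2), (5, 3), (4, 4), (3, 5)]


def generate_table(rows=5, cols=5, element_len=2,
                   alphabet=string.ascii_lowercase, rng=None):
    """Table as in the two-lowercase-letters figure: every element holds a
    random string. `rng` may be a seeded random.Random for reproducible runs;
    by default the OS entropy source (random.SystemRandom) is used."""
    rng = rng or random.SystemRandom()
    return [[''.join(rng.choice(alphabet) for _ in range(element_len))
             for _ in range(cols)] for _ in range(rows)]


def extract_password(table, order, additional=""):
    """Pick the elements in selection order, concatenate their strings and
    append the optional additional element 305 (e.g. "#X5")."""
    return ''.join(table[r - 1][c - 1] for r, c in order) + additional


def generate_table_for_word(word, order, rows=5, cols=5,
                            alphabet=string.ascii_lowercase, rng=None):
    """Memorable variant: the selected elements spell `word` in selection
    order; every other element gets a different character, assigned randomly
    and without duplication, so the word is invisible without the order."""
    if len(word) != len(order):
        raise ValueError("word length must equal the number of selected elements")
    if len(set(order)) != len(order):
        raise ValueError("selection order must not revisit an element")
    rng = rng or random.SystemRandom()
    fillers = [ch for ch in alphabet if ch not in word]
    remaining = rows * cols - len(order)
    if len(fillers) < remaining:
        raise ValueError("alphabet too small to fill the table without duplicates")
    rng.shuffle(fillers)
    table = [[None] * cols for _ in range(rows)]
    for (r, c), ch in zip(order, word):
        table[r - 1][c - 1] = ch
    pool = iter(fillers)
    for r in range(rows):
        for c in range(cols):
            if table[r][c] is None:
                table[r][c] = next(pool)
    return table


def guide_string(order, rows=5, cols=5):
    """Guide characters (an assumption of this example): every position carries
    a fixed label shared by all tables, here 'a'..'y' in row-major order, so the
    user can memorize the selection order as a short string."""
    labels = string.ascii_lowercase[:rows * cols]
    return ''.join(labels[(r - 1) * cols + (c - 1)] for r, c in order)


def candidate_count(n_elements, path_len):
    """Defender's view of a captured screen: the number of ordered selections of
    `path_len` distinct elements an attacker who does not know the selection
    order would still have to try (25 elements, 4 picks: 303600)."""
    count = 1
    for i in range(path_len):
        count *= n_elements - i
    return count


if __name__ == "__main__":
    table = generate_table_for_word("talk", CHECK_MARK_ORDER)
    for row in table:
        print(' '.join(row))
    print("password:", extract_password(table, CHECK_MARK_ORDER, "#X5"))
    print("guide string:", guide_string(CHECK_MARK_ORDER))
```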
- Also displayed are a navigation 311 for selecting the server name of the resource server 161, a navigation 312 for browsing the table history, and a navigation 313 for switching the user name. If the user operates the navigation 311 or 312, the combination of resource server name and user name is switched and the display changes to the information for another resource server 161, or the history of tables previously used for the resource server 161 can be browsed.
- the navigations 311 and 313 are list boxes for display fields of the server ID 303 and the user name 304.
- the server ID registered in the reminder terminal 121 and the user in the resource server are displayed.
- a list of names is displayed.
- the navigation 311 for opening the list box is displayed as a black triangle when there are other candidates (server ID 303), and displayed as a white triangle when there are no other candidates (user name 304). ).
- the user selects a desired one from them.
- a bar indicating the period during which a table was used is displayed. When the bar is tapped or clicked, the table used in that period is shown or hidden.
- a cross mark is displayed at the top of an expanded bar, and a white square at the top of a collapsed bar.
- the transmission unit 203, which is an optional element, transmits a report that the table 301 has been presented to the user to an external device.
- presentation of the table 301 for the resource server 161 to the user at the reminder terminal 121 is thereby made a necessary condition for the user to access the resource server 161.
- the reminder terminal 121 thus serves not only to manage passwords but also to function as an authentication token.
- the password for each resource server 161 and the selection order assigned to the user are updated at an appropriate time or at the user's discretion. These aspects will be described later.
- FIG. 5 is an explanatory diagram showing how information is exchanged in the authentication system according to the embodiment of the present invention. Hereinafter, a description will be given with reference to FIG.
- the resource server 161 that has received the access request transmits a login form to the access terminal 141 as a response to the access request (352).
- the login form received by the access terminal 141 is displayed on the browser or the like of the access terminal 141 (353).
- FIG. 6 is an explanatory diagram showing a state of the browser displaying the login form according to the embodiment of the present invention.
- the URL of the resource server 161 is displayed in the URL column 502.
- the login form 511 is displayed in the content column 503.
- a user name column 512, a password column 513, and a login button 514 are arranged in the login form 511.
- a plug-in icon 521 for executing processing by the plug-in installed in the browser 501 is also displayed.
- the user activates the reminder application on the portable terminal or the like. Then, the portable terminal or the like starts to function as the reminder terminal 121.
- the reminder terminal 121 presents the table 301 and the like assigned to the combination of the server name and user name of the resource server 161 on its screen, based on the user's selection (354) (355).
- the reminder terminal 121 transmits a report indicating that the table 301 and the like have been presented to the user to the management server 181 (356).
- the management server 181 determines a valid period, which includes the time at which the report was received, for the combination of resource server name and user name related to the report.
- the valid period may be, for example, “within 5 minutes after the report is received”.
- the user inputs his / her user name in the user name field 512 of the login form 511, and obtains an authentication character string based on his / her selection order by visually checking the table 301 displayed on the reminder terminal 121. The user then inputs the obtained authentication character string into the password field 513 of the login form 511, and clicks or taps the login button 514 (357).
- a login request with the user name and password is transmitted from the access terminal 141 to the resource server 161 (358).
- the resource server 161 that has received the login request performs the main authentication with the user name and password, and if the main authentication succeeds, inquires of the management server 181 whether the permission condition is satisfied for the user and the resource server 161 at the current date and time (359).
- it can thereby be determined whether the user possesses the reminder terminal 121 that functions as a token.
- the management server 181 returns an answer to the inquiry to the resource server 161 (360).
- if the permission condition is satisfied, it is determined that the user has the authority to use the resources of the resource server 161 under that user name, and the resource server 161 transmits an authentication success to the access terminal 141 (361). The user then uses the resources of the resource server 161 via the access terminal 141 (362).
- if the permission condition is not satisfied, the resource server 161 transmits a message indicating that the login is outside the valid period to the access terminal 141.
- the user is prompted to activate the reminder terminal 121.
- the user tries to log in again from the login form 511 displayed on the access terminal 141 (not shown).
- if the main authentication with the user name and password fails, the resource server 161 transmits an authentication failure message to the access terminal 141. The user must re-enter the user name or password on the login form 511 displayed on the access terminal 141 and try to log in again (not shown).
- the permission condition inquiry / answer may also be made by the resource server 161 prior to the main authentication using the user name and password.
- if satisfaction of the permission condition is adopted as pre-authentication, the access terminal 141 can be prevented from accepting password input unless the pre-authentication succeeds, as described later.
- instead of the resource server 161 inquiring of the management server 181 whether the permission condition “the current date and time is included in the validity period determined for the user and the resource server 161” is satisfied, it may inquire about the validity period itself. In this case, the management server 181 replies with the latest valid period, or that no valid period has ever been set. Further, the resource server 161 may inquire of the management server 181 about the reception date and time of the report; in this case, the management server 181 replies with the reception date and time of the most recent report, or that no recent report has been received, and the resource server 161 itself determines the validity period for the user.
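The exchange of FIG. 5 between the resource server 161 and the management server 181, as an added example that is not part of the patent: the management server records each report (356) and answers the permission-condition inquiry (359/360) or, in the variants just described, the valid period or the last report time itself. The server name, credential store, timestamps and the 5-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple
import hmac

# Added example, not the patent's own code. The "within 5 minutes after the
# report is received" window is the one the text gives as an example.
VALID_WINDOW = timedelta(minutes=5)
Key = Tuple[str, str]   # (resource server name, user name)


class ManagementServer:
    """Management server 181: records reports (356) and answers inquiries (359/360)."""

    def __init__(self, valid_window: timedelta = VALID_WINDOW) -> None:
        self.valid_window = valid_window
        self._last_report: Dict[Key, datetime] = {}

    def receive_report(self, server_name: str, user_name: str, received_at: datetime) -> None:
        # (356): the reminder terminal reports that table 301 was presented for this combination
        self._last_report[(server_name, user_name)] = received_at

    def last_report_time(self, server_name: str, user_name: str) -> Optional[datetime]:
        # variant: answer the reception time of the most recent report, or None if none
        return self._last_report.get((server_name, user_name))

    def valid_period(self, server_name: str, user_name: str) -> Optional[Tuple[datetime, datetime]]:
        # variant: answer the latest valid period itself, or None if none was ever set
        t = self.last_report_time(server_name, user_name)
        return None if t is None else (t, t + self.valid_window)

    def permission_condition(self, server_name: str, user_name: str, now: datetime) -> bool:
        # (359/360): is the current date and time within the valid period?
        period = self.valid_period(server_name, user_name)
        return period is not None and period[0] <= now <= period[1]


class ResourceServer:
    """Resource server 161 with a constructed credential store (plain strings for
    brevity; a real server would verify against salted password hashes)."""

    def __init__(self, name: str, mgmt: ManagementServer, credentials: Dict[str, str],
                 pre_authentication: bool = False) -> None:
        self.name = name
        self.mgmt = mgmt
        self._credentials = credentials
        # True: check the permission condition before the password (pre-authentication)
        self.pre_authentication = pre_authentication

    def _check_password(self, user_name: str, password: str, now: datetime) -> Optional[str]:
        expected = self._credentials.get(user_name)
        if expected is None or not hmac.compare_digest(expected, password):
            return "authentication failure"      # user re-enters name or password
        return None

    def _check_period(self, user_name: str, password: str, now: datetime) -> Optional[str]:
        if not self.mgmt.permission_condition(self.name, user_name, now):
            return "outside valid period"        # user is prompted to activate reminder terminal 121
        return None

    def login(self, user_name: str, password: str, now: datetime) -> str:
        """Handle a login request (358); returns the message sent to access terminal 141."""
        steps = (self._check_period, self._check_password) if self.pre_authentication \
            else (self._check_password, self._check_period)
        for step in steps:
            msg = step(user_name, password, now)
            if msg is not None:
                return msg
        return "success"                         # (361)


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through of FIG. 5; returns the outcome of each login attempt."""
    mgmt = ManagementServer()
    server = ResourceServer("www.zzz.com", mgmt, {"paul": "6441"})
    t0 = datetime(2015, 9, 8, 12, 0, 0)          # constructed report time
    out: Dict[str, str] = {}
    out["no_report"] = server.login("paul", "6441", t0)            # password right, no token seen
    mgmt.receive_report("www.zzz.com", "paul", t0)                  # (356)
    out["in_period"] = server.login("paul", "6441", t0 + timedelta(minutes=2))
    out["wrong_password"] = server.login("paul", "0000", t0 + timedelta(minutes=2))
    out["expired"] = server.login("paul", "6441", t0 + timedelta(minutes=6))
    return out
```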
- the reminder terminal 121 is used as a security token, but this function can be omitted.
- in that case the validity period is neither determined nor checked, and only the main authentication using the user name and password is performed by the resource server 161.
- the login form 511 displayed on the browser 501 or the like of the access terminal 141 may be configured as follows using a script based on AJAX or the like, an asynchronous XML communication technique using JavaScript (registered trademark).
- the access terminal 141 sends the user name consisting of the character string already entered in the user name field 512 to the resource server 161 or the management server 181, and inquires whether the current date and time is within the validity period determined for the user with that user name.
- the inquiry destination answers the inquiry from the access terminal 141. If the inquiry destination is the resource server 161, the resource server 161 inquires of the management server 181 regarding the validity period as appropriate, and replies to the access terminal 141 based on the result. (3a) If within the valid period, the script sets the password field 513 to editable and visible.
- otherwise, the script sets the password field 513 to uneditable or invisible.
- the script sets the login button 514 to an inoperable or invisible state until a character string is input in the password field 513, and sets the login button 514 to an operable and visible state after the character string is input.
- the plug-in of the browser 501 monitors whether the content at the displayed URL includes a field for masked character input.
- if so, the plug-in executes a process for sending a notification to the mobile terminal that implements the reminder terminal 121, either automatically or triggered by the user clicking the plug-in icon 521 or the like. Typically, the following processing is performed.
- the plug-in transmits a request specifying the destination user, the destination application, and the notification content to a notification server provided by the vendor of the OS (Operating System) of the mobile terminal or the like.
- the plug-in may take a form in which a request is sent to the management server 181 and the management server 181 that receives the request accesses the notification server.
- the information on the destination user linked to the mobile terminal or the like is set by the user when the plug-in is installed.
- the notification server that has received the request identifies the mobile terminal of the destination user specified in the request, and delivers the specified notification content to the application on the mobile terminal or the like.
- the mobile terminal or the like that has received the notification displays the notification contents in a pop-up display or a notification center.
- an application related to the notification is activated, and processing corresponding to the notification content is started.
- the notification content includes the URL of the content displayed in the browser. Therefore, if a table 301 associated with a server ID that matches the URL is registered, the reminder terminal 121 presents it to the user. Most simply, the URL is determined to match if the domain name in the URL matches the domain name used as the server ID, but the match may also be determined by comparing the entire URL, or by comparing the URL with its optional parameters removed.
- if no matching table is registered, the reminder terminal 121 may display a warning that the site is not registered, or may ask the user to register the table 301 for the resource server 161. The process for requesting registration will be described later.
- in this way, the table 301 for the resource server 161 is displayed on the reminder terminal 121 automatically or manually. If the reminder terminal 121 cannot display the table 301 because the resource server 161 is not registered, the user becomes aware of this, and input to the password field 513 and operation of the login button 514 become impossible. For this reason, for example, logging in to a spoofed site can be effectively suppressed.
- the user may then register the table 301 including the current password for the resource server 161 at the reminder terminal 121, or update the password at the resource server 161 and start managing it at the reminder terminal 121.
- once this is done, a report to that effect is made from the reminder terminal 121, and input to the password field 513 and operation of the login button 514 become possible.
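The URL-to-server-ID matching described above, as an added example that is not part of the patent: the three match modes (domain name, entire URL, URL with parameters removed) and the lookup that decides whether a table 301 is presented or a "not registered" warning is shown. The registry contents, function names and sample URLs are constructed assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not the patent's own code. The registry maps a server ID 303
# to whatever the reminder terminal 121 stores for it (constructed here).
REGISTRY: Dict[str, dict] = {
    "www.zzz.com": {"user_name": "paul", "table": "<table 301 for www.zzz.com>"},
}


def _strip_parameters(url: str) -> str:
    """Keep scheme, host and path only, dropping query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def url_matches_server_id(url: str, server_id: str, mode: str = "domain") -> bool:
    """mode 'domain': the host name in the URL equals the server ID (the simplest rule);
    'full': the entire URL equals the server ID;
    'no_params': the URL with optional parameters removed equals the server ID."""
    if mode == "domain":
        # hostname discards user-info, port and case, so "www.zzz.com@other.example"
        # resolves to "other.example" and does not match "www.zzz.com"
        host = urlsplit(url).hostname
        return host is not None and host == server_id.lower()
    if mode == "full":
        return url == server_id
    if mode == "no_params":
        return _strip_parameters(url) == _strip_parameters(server_id)
    raise ValueError(f"unknown match mode {mode!r}")


def find_registered_table(registry: Dict[str, dict], url: str, mode: str = "domain") -> Optional[dict]:
    """Return the registered entry whose server ID matches the notified URL, or None.
    None is the case where the terminal warns that the site is not registered instead
    of presenting a table, so the password field stays unusable."""
    for server_id, entry in registry.items():
        if url_matches_server_id(url, server_id, mode):
            return entry
    return None
```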
- the proximity communication described below may be used for the notification to the mobile terminal without using the notification server.
- the plug-in of the browser 501 that operates on the access terminal 141 communicates with the mobile terminal or the like in the vicinity, gives it a chance to start its program as needed, and the mobile terminal or the like then functions as the reminder terminal 121.
- the plug-in is operating on the access terminal 141.
- This plug-in is a program that provides an extended function to the browser or a resident program that monitors the operation of the browser.
- the plug-in monitors whether there is a reminder terminal 121 capable of near-field communication in the vicinity of the access terminal 141 at all times, intermittently, or based on a user instruction operation such as clicking on the plug-in icon 521.
- the proximity communication can employ a wired connection or a wireless connection established within a predetermined distance. For example, near field communication is regarded as established when the access terminal 141 and the reminder terminal 121 are wirelessly connected to the same WIFI access point, when they are capable of wireless communication by Bluetooth (registered trademark) or NFC, or when they are directly connected by a USB cable or the like.
- when the reminder terminal 121 presents the table to the user, it transmits a report to that effect to the access terminal 141 with which near field communication has been established.
- the plug-in of the access terminal 141 that received the report determines whether the URL of the login form 511 displayed on the browser of the access terminal 141 matches the resource server name in the report, and sends the result to the reminder terminal 121. Furthermore, if there is a match, the plug-in of the access terminal 141 enters the user name in the report into the user name column 512 of the login form 511.
- based on the result received from the access terminal 141, the reminder terminal 121 recognizes that the table presented to the user is the one for the login form 511 displayed on the browser of the access terminal 141. Each time an operation selecting an element or the additional element 305 is performed (for example, tapping or clicking an element in the table), the character string stored in the selected element is sent to the access terminal 141.
- the plug-in of the access terminal 141 inputs the character string sent from the reminder terminal 121 into the password field 513 of the login form 511. Therefore, the reminder terminal 121 functions as a special keyboard for the access terminal 141.
- after completing the element selection according to his / her selection order, the user operates the login button 514 on the login form 511 of the access terminal 141.
- the user therefore does not need to visually check the table and extract a random character string, nor to input the authentication character string directly into the password field 513 of the login form 511. Consequently, while the proximity communication between the reminder terminal 121 and the access terminal 141 is established, it is sufficient to display buttons or labels for selecting and operating each element of the table 301 and the additional element 305; the stored strings need not be displayed.
- guide characters may be displayed to make the position of each element's cell in the table 301 easy to confirm, or the display of the guide characters may be omitted.
- before the table is displayed on the reminder terminal 121, auxiliary authentication prepared separately on the reminder terminal 121 may be required, for example authentication using a personal identification number, or fingerprint authentication implemented by the OS of the mobile phone or the like constituting the reminder terminal 121.
- the reminder terminal 121 displays the table 301 while the proximity communication with the plug-in of the access terminal 141 is established. If the proximity communication is disconnected, the table 301 may be hidden unless the auxiliary authentication succeeds at the reminder terminal 121.
- the reminder terminal 121 functions as a special keyboard using the proximity communication between the access terminal 141 and the reminder terminal 121.
- the elements related to the management server 181 can be omitted from the authentication system 101.
- brute-force attacks on the password can be effectively suppressed.
- the user can confirm that the reminder terminal 121 functions as an authentication token.
- an access request is sent from the access terminal 141 to the resource server 161.
- a login form 511 is sent from the resource server 161 to the access terminal 141.
- the user inputs a password at the access terminal 141.
- the authentication terminal may be the same device as the reminder terminal 121 or a different device.
- the resource server 161 identifies an authentication terminal, such as a smartphone, assigned in advance to the user name specified in the access request, and sends a notification to the application running on that authentication terminal. Further, the browser of the access terminal 141 displays a screen waiting for authentication.
- the application is activated at the authentication terminal and the login form 511 is displayed.
- these pieces of information are sent to the resource server 161, and login authentication is performed.
- the browser of the access terminal 141 switches from the authentication-waiting screen to the display of the accessed screen. Then, the user can use the resources of the resource server 161 via the access terminal 141.
- the authentication terminal and the reminder terminal 121 can be realized on the same terminal. That is, when a notification about an access request is sent to the reminder terminal 121, the user name registered for the resource server 161, the table 301 associated with the resource server 161, and an input field for entering the password are displayed on its screen.
- the user enters the password in the input field while looking at the table 301 on the reminder terminal 121.
- the user name and password are sent from the reminder terminal 121 to the resource server 161. If the authentication with the resource server 161 is successful, the user can use the resource of the resource server 161 via the access terminal 141.
- the following modes are also possible. That is, when the plug-in is activated at the stage where the login form 511 is displayed on the access terminal 141, a notification is sent to the reminder terminal 121.
- the user name registered for the resource server 161, the table 301 associated with the resource server 161, and the input field for entering the password are displayed on the screen of the reminder terminal 121.
- the user enters the password in the input field while looking at the table 301.
- the user name and password are sent to the browser plug-in of the access terminal 141.
- the browser plug-in inputs the received user name and password into the login form 511 and operates the login button 514 (the user may operate it). Then, a login request is transmitted from the access terminal 141 to the resource server 161. The same applies to the following.
- in this mode, password management with the reminder terminal 121 is possible simply by installing a browser plug-in on the access terminal 141.
- authentication of the user name and password may be delegated by the resource server 161 to the management server 181.
- the user name and password are transmitted to the management server 181 as appropriate, and the resource server 161 inquires of the management server 181 whether or not the authentication is successful.
- the reminder terminal 121 presents an empty (plain) table to the user.
- the user divides the password of the existing resource server 161 by himself and manually writes it in the plain table according to his / her selection order.
- the reminder terminal 121 embeds a randomly generated character string in the other elements.
- the completed table is stored in the storage unit 201 of the reminder terminal 121 in association with the server ID of the existing resource server 161.
- the reminder terminal 121 may inspect whether the completed table is sufficiently random. If the randomness is low, it is desirable to have the user change the password. In addition, when the user finishes writing the divided password, it is checked whether a written element duplicates the element at the same location in another table already registered in the reminder terminal 121; if so, it is desirable to prompt the user to change the password rather than reuse the existing password as it is.
- the reminder terminal 121 helps to register and update the password.
- the table generation unit 204 of the reminder terminal 121 generates a new table for each combination of resource server name and user name when the update period has elapsed since the table was registered or updated and stored in the storage unit 201.
- the update period is, for example, a certain period counted from the generation of the previous table.
- the update period may be set according to the presentation frequency of the table.
- the information stored in each element is randomly generated.
- the additional element may be designated by the user, randomly generated with the same character types as those of the currently used table, or inherited as it is from the current additional element.
- the password registration unit 205 presents the generated table; in the case of an update registration, it presents both the current table for the resource server 161 and the new table, prompting the user to newly register or update the password at the resource server 161.
- FIG. 7 is an explanatory diagram showing a state of a table displayed for password update according to the embodiment of the present invention.
- a description will be given with reference to FIG.
- it is desirable that the reminder terminal 121 be configured so that the history of the tables used for each resource server 161 can be browsed.
- the user can save time if the old and new tables can be viewed simultaneously.
- This figure shows a display example on the reminder terminal for updating the password based on the table shown in FIG. 3A.
- for each element and the additional element 305 in the table 301, the current content is displayed at the top and the new content at the bottom.
- clicking or tapping the completion button 321 causes the table registration unit 206 to associate the new table with the resource server 161 and store it in the storage unit 201.
- on update registration, the previous table is stored as history information. At this time, the information of the tables managed by the reminder terminal 121 may be encrypted and backed up to the management server 181. Clicking or tapping the cancel button 322 cancels the update.
- the user manually updates the password.
- alternatively, since the old and new tables are stored in the reminder terminal 121 or the management server 181 and can be referred to as necessary, the reminder terminal 121 or the management server 181 may access the resource server 161 and update the password periodically and automatically.
- for example, the reminder terminal 121 may obtain both the old and new passwords by having the user tap the table 301 displayed in FIG. 7 in the user's selection order, and then use the acquired old and new passwords to access the resource server 161 and update the password automatically.
- in this case, it is desirable to erase the area in which the passwords were temporarily stored once the password has been updated.
- a random character string that is not listed in the dictionary can be used as the password for the resource server 161, and the password can be easily updated periodically.
- when the user tries to update the selection order, the reminder terminal 121 generates a new guide character string for the user.
- the table 301 is composed of 5 rows and 5 columns, and one uppercase guide character is assigned to each element.
- a selection order in which four elements are sequentially selected from the table 301 is adopted. Therefore, a new guide character string for the user is generated, composed of four uppercase letters that do not overlap each other.
- the guide character string can be randomly generated. It is also possible to use a spelling that is easy to memorize, drawn from a dictionary or the like. For example, a four-letter word (for example, “SNOW”, “MAZE”) may be adopted, or the prefix of a word of five or more letters (for example, the prefix “TABL” of “TABLE”, or the prefix “SCHO” of “SCHOOL”) may be adopted.
- the user may also be allowed to select one of several such easy-to-memorize spelling candidates presented at random.
- here, it is assumed that “SCHO” is generated as the new guide character string.
- FIG. 8A is an explanatory diagram showing how the selection order used so far is selected by the user.
- a description will be given with reference to FIG.
- the trial table 551 is composed of 5 rows and 5 columns, and each of its elements displays the same information as the corresponding element of the table for the resource server 161 used last, as a reference for the user.
- the accepting unit 207 of the reminder terminal 121 requests the user to select the elements of the trial table 551 by tapping or clicking in the selection order assigned to the user.
- it is assumed that the user is currently using the selection order (row 4 column 2, row 5 column 3, row 4 column 4, row 3 column 5) shown in FIG.
- FIG. 8B is an explanatory diagram showing how the selection order used so far is selected by the user. As shown in this figure, when the user selects the first element (row 4 column 2) in the trial table 551, the first character “S” of the new guide character string is added to that element as its guide character.
- FIG. 8C is an explanatory diagram showing how the selection order used so far is selected by the user. As shown in this figure, when the user selects the second element (row 5 column 3) in the trial table 551, the second character “C” of the new guide character string is added to that element as its guide character.
- FIG. 8D is an explanatory diagram showing how the selection order used so far is selected by the user. As shown in this figure, when the user selects the third element (row 4 column 4) in the trial table 551, the third character “H” of the new guide character string is added to that element as its guide character.
- FIG. 8E is an explanatory diagram showing how the selection order used so far is selected by the user.
- when the fourth element (row 3 column 5) is selected in the trial table 551, the fourth character “O” of the new guide character string is added to that element as its guide character.
- FIG. 9A is an explanatory diagram showing how a new selection order is selected by the user. As shown in the figure, the accepting unit 207 displays the migration table 561 on the screen of the reminder terminal 121.
- the migration table 561 is a plain table with 5 rows and 5 columns, and the reminder terminal 121 asks the user to select elements in the migration table 561, by tapping or clicking, in the selection order the user intends to use from now on.
- FIG. 9B is an explanatory diagram showing a state where the first new selection order is selected by the user.
- FIG. 9C is an explanatory diagram showing how the second selection order is selected by the user.
- FIG. 9D is an explanatory diagram showing a state in which the user selects the third new selection order.
- FIG. 9E is an explanatory diagram showing a state where the user selects the fourth new selection order.
- in this example, the location of the fourth element of the selection order has not changed, but the locations of the first to third elements have changed.
- when the selection order is updated, only part of it or all of it may be changed.
- the characters of the last referenced password are displayed one by one in the migration table 561, together with the new guide character string. Therefore, the user can check whether there is an error in the selection order entered so far, and can confirm the new guide character string that helps memorize the new selection order.
- the reminder terminal 121 inquires of the user whether the selection order may be updated.
- if the user desires to update the selection order, the user selects the update button 562.
- the rule generation unit 208 of the reminder terminal 121 then generates one table conversion rule. This conversion rule satisfies the following: (s) the contents of the elements extracted by the selection order used so far in the trial table are moved to the elements extracted by the newly adopted selection order in the plain (migration) table; (t) the contents of the elements other than those extracted by the previously assigned selection order are moved to the elements other than those extracted by the newly assigned selection order.
- Rule (s) is based on a user instruction.
- the rule (t) is to move the remaining elements (elements other than the elements included in the user's selection order so far) at random.
- the all updating unit 209 of the reminder terminal 121 updates the table stored in association with each resource server according to the generated conversion rule.
- the tables for all combinations of server name and user name of the registered resource servers, including those in the past history, are updated in a batch according to the common conversion rule.
- the updated information is backed up in the management server 181.
- the user's selection order can be easily updated.
- the guide characters in the corners may gradually become less visible depending on the number of times the table has been displayed and the time elapsed since the selection order was updated.
- at first, the password may be obtained by relying on the characters in the corners, and as the user becomes accustomed, the password may be extracted from the table in the selection order without relying on the corner characters.
- the corner characters may be arranged so that the words are easy to memorize.
- the reminder terminal 121 selects, from a dictionary or the like, a word whose number of characters equals the length of the new selection order and whose characters are all different; the characters of the word are placed in order at the corners of the elements according to the new selection order, and characters not appearing in the selected word are randomly arranged, without duplication, in the other elements.
- FIG. 10 is an explanatory diagram showing the state of the table updated according to the new selection order. This figure is an update of the selection order for the table shown in FIG. 3A by the above procedure.
- FIG. 11 is an explanatory diagram showing a state before and after another table is updated according to a new selection order. This figure shows how the selection order is updated for the tables stored for other combinations of resource server names and user names stored in the same reminder terminal 121 in the above procedure.
- the table shown in this figure manages a 4-digit password.
- the position of each element in the table is changed by a conversion rule common to each other before and after the update.
- the guide characters change before and after the update independently of the replacement by the conversion rule.
- the layout of the guide characters is the same for all tables before the update, and likewise the same for all tables after the update. That is, which guide character is displayed at which position in the table is common to all resource servers 161.
- for the table shown in FIG. 3A before the selection order is updated, the password “bpppjsld # X5” is obtained based on the guide characters “DICE”, and for the table shown in FIG. 10 after the selection order is updated, the same password “bpppjsld # X5” is obtained based on the guide characters “SCHO”.
- for the combination of the server name “www.zzz.com” and the user name “paul” of the resource server 161 shown in FIG. 11, there are no additional elements; before the update the 4-digit password “6441” is obtained, and after the update the same password “6441” is obtained based on the guide characters “SCHO”.
- the guide character string for the selection order is stored in the reminder terminal 121 only temporarily while the selection order is being updated and is then deleted from memory, so that even if the reminder terminal 121 is stolen, the selection order will not leak immediately.
- initially, the user can rely on the characters in the corners of the grid to obtain the password. When it is determined that the user has sufficiently learned the new selection order, based on a certain period having passed since the update or on the guide characters not having been shown when the table 301 was displayed, the guide characters may be erased completely. In this case, the guide characters used so far are not displayed at the next update of the selection order. In this aspect, security can be further improved.
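The conversion rule (s)/(t), the batch update by a common rule, and the corner guide characters described above, as an added example that is not part of the patent. It uses a constructed 5x5 table of single-character elements managing a 4-digit password with no additional element, like the “6441” case; the old and new selection orders, the table contents, the helper names and the seeded random source are assumptions.

```python
import random
import string
from typing import Dict, List, Sequence, Tuple

# Added example, not the patent's own code.
ROWS = COLS = 5
Cell = Tuple[int, int]          # (row, column), 0-indexed
Table = List[List[str]]


def extract_password(table: Table, order: Sequence[Cell], additional: str = "") -> str:
    """Arrange the contents of the elements in selection order, then append additional element 305."""
    return "".join(table[r][c] for r, c in order) + additional


def make_conversion_rule(old_order: Sequence[Cell], new_order: Sequence[Cell],
                         rng: random.Random) -> Dict[Cell, Cell]:
    """Rule (s): the i-th cell of the old order moves to the i-th cell of the new order.
    Rule (t): every other cell moves to a randomly chosen cell outside the new order."""
    if len(old_order) != len(new_order):
        raise ValueError("old and new selection orders must have the same length")
    all_cells = [(r, c) for r in range(ROWS) for c in range(COLS)]
    rule = dict(zip(old_order, new_order))                        # (s)
    old_rest = [p for p in all_cells if p not in old_order]
    new_rest = [p for p in all_cells if p not in new_order]
    rng.shuffle(new_rest)
    rule.update(zip(old_rest, new_rest))                          # (t)
    return rule                                                   # a permutation of all cells


def apply_rule(table: Table, rule: Dict[Cell, Cell]) -> Table:
    """Build the updated table; since the rule is a permutation every cell is filled once."""
    new = [["" for _ in range(COLS)] for _ in range(ROWS)]
    for (r, c), (nr, nc) in rule.items():
        new[nr][nc] = table[r][c]
    return new


def make_guide_characters(new_order: Sequence[Cell], word: str, rng: random.Random) -> Table:
    """Place the letters of an easy-to-memorize word (all different) at the corners of the
    new-order cells, and fill the other cells with distinct letters not in the word."""
    if len(word) != len(new_order) or len(set(word)) != len(word):
        raise ValueError("word must have one distinct letter per selection step")
    unused = [ch for ch in string.ascii_uppercase if ch not in word]
    rng.shuffle(unused)
    guide = [["" for _ in range(COLS)] for _ in range(ROWS)]
    for (r, c), ch in zip(new_order, word):
        guide[r][c] = ch
    filler = iter(unused)
    for r in range(ROWS):
        for c in range(COLS):
            if guide[r][c] == "":
                guide[r][c] = next(filler)
    return guide


# Constructed table: the cells of the old order (row 4 col 2, row 5 col 3, row 4 col 4,
# row 3 col 5 in the text's 1-indexed notation) hold "6","4","4","1"; the rest is dummy.
OLD_TABLE: Table = [list(row) for row in ("83a7f", "p2Z9q", "kM1c1", "G6r4w", "t54eJ")]
OLD_ORDER: List[Cell] = [(3, 1), (4, 2), (3, 3), (2, 4)]
NEW_ORDER: List[Cell] = [(0, 0), (1, 2), (4, 4), (2, 4)]   # constructed; only the 4th step unchanged


def update_selection_order(tables: Dict[str, Table], old_order: Sequence[Cell],
                           new_order: Sequence[Cell], word: str, seed: int = 7):
    """Batch-update every registered table with ONE common rule (as the all updating
    unit 209 does) and return (updated tables, shared guide characters)."""
    rng = random.Random(seed)   # seeded for a reproducible demo; use random.SystemRandom() in practice
    rule = make_conversion_rule(old_order, new_order, rng)
    updated = {name: apply_rule(t, rule) for name, t in tables.items()}
    return updated, make_guide_characters(new_order, word, rng)
```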
- In the above aspect, the resource server 161 inquires of the management server 181 whether or not the pre-authentication succeeded.
- A variant is also possible in which, prior to the main authentication at the resource server 161, the resource server 161 inquires of the management server 181 about the success or failure of the pre-authentication, the management server 181 answers the resource server 161 that the pre-authentication succeeded, and the resource server 161 later informs the management server 181 whether or not the main authentication succeeded.
- Pre-authentication for a resource server X may then use, in addition to or in combination with the condition “the user has viewed the table for resource server X at the reminder terminal 121”, the condition “at a resource server Y on which resource server X depends, the main authentication succeeded, and the present time is within the dependency period determined from the date and time of that success”.
- The dependency period can be determined as appropriate.
- The main authentication is typically performed with the password for resource server X, but it can be omitted. For example, if the main authentication succeeded at resource server Y within a predetermined short period, the main authentication at resource server X is omitted.
- A level may also be set for the pre-authentication. For example, if the main authentication succeeded at resource server Y within a predetermined short period, the user only has to view the table for resource server X at the reminder terminal 121. In this mode, once a considerable period has passed since the main authentication succeeded, the main authentication is requested by entering the password for resource server X.
- For example, resource server Y is an on-campus system through which students view announcements from the university and submit reports, and resource server X is a bulletin board system provided to the university's students by an off-campus company.
- The dependency period for resource server X then runs from “the time the student succeeds in the main authentication at resource server Y” to “the last day of the year that includes the time of that success”.
- An encryption method for time synchronization can be shared between the reminder terminal 121 and the resource server 161 in order to increase security.
- A different seed may be given to each user name managed by a resource server 161, with time synchronization performed by a different encryption method per user, or all users of the resource server 161 may share an encryption method in which time synchronization is based on a single seed.
- In the following, the reminder terminal 121 and the resource server 161 are assumed to share an encryption method for time synchronization.
- The table 301 is presented to the user. At this time, the character string stored in each element may be either displayed or hidden.
- The reminder terminal 121 reads the character strings stored in the selected elements and the additional element, and concatenates them to obtain a character string.
- The concatenated character string is encrypted by the above-mentioned time-synchronized encryption method and sent to the access terminal 141 as the authentication character string.
- The password field 513 is not filled in every time an element is selected; only when the cell of the additional element 305 is selected are the character strings of the elements of the table 301 selected so far and the additional element concatenated and encrypted.
- This user interface can be changed.
- For example, the reminder terminal 121 prepares an object indicating completion of input, such as a “Send” button.
- When the user selects a cell for each element in the table 301 and then selects the “Send” button or the like, the character strings of the selected elements of the table 301 and the additional element are concatenated and encrypted,
- and the access terminal 141 enters the result into the password field 513.
- The subsequent processing may be the same as in the above example, or the login form may be sent to the resource server 161 immediately after the input.
- When the resource server 161 accepts the request from the access terminal 141, it decrypts the authentication character string specified in the request based on the time-synchronized encryption method.
- The decrypted character string is treated as the password and authentication is performed.
- Alternatively, the reminder terminal 121 may encrypt each element or additional element of the table 301 and send it to the access terminal 141 every time the user selects it,
- and the access terminal 141 may fill the password field 513 with the converted character strings.
- In this case, the authentication character string specified in the request sent from the access terminal 141 is divided into the individual encrypted character strings, decryption is attempted for each of them, and the decryption results are treated as the password.
- For example, encryption is performed so that the encrypted character strings do not contain a specific delimiter (for example, a blank), the authentication character string is split at that delimiter, and each part of the split is then decrypted.
- The reminder terminal 121 and the resource server 161 share a random number seed for time synchronization.
- This seed is updated at regular intervals, such as every few minutes, based on a predetermined seed update algorithm.
- The reminder terminal 121 acquires the latest seed v at the time the table is presented.
- The resource server 161 obtains the N most recent seeds u[1], u[2], ..., u[N] at the time the login request arrives.
- The size of N may be determined by experiment, taking into account the update interval of the shared seed, the distribution of the time users take to input, the clock errors of the various devices, and the like.
- The reminder terminal 121 and the resource server 161 also share a random number sequence generation algorithm.
- The random number sequence generation algorithm may be the same as or different from the seed update algorithm. Given a seed p, the random number sequence g(p,1), g(p,2), ... is calculated from it.
- For the k-th character s[k] of the concatenated character string, the reminder terminal 121 uses the character e(g(v,k), s[k]).
- The operation e(x,y) satisfies the following relationship with the operation c(x,z) described later:
- y = c(x, e(x,y))
- If e(x,y) and c(x,z) are bitwise exclusive ORs of their arguments, the above holds.
- Alternatively, encryption may be performed in which the character code is cycled within the character set that the resource server 161 can accept as a password.
- From the received authentication character string E = [E[1], E[2], ..., E[M]] the resource server 161 computes the N candidate strings
- r[1] = [c(g(u[1],1),E[1]), c(g(u[1],2),E[2]), ..., c(g(u[1],M),E[M])];
- r[2] = [c(g(u[2],1),E[1]), c(g(u[2],2),E[2]), ..., c(g(u[2],M),E[M])]; ...;
- r[N] = [c(g(u[N],1),E[1]), c(g(u[N],2),E[2]), ..., c(g(u[N],M),E[M])].
- The N character strings r[1], r[2], ..., r[N] and the authentication character string E itself are adopted as password candidates for password authentication. If password authentication succeeds with any of the character strings r[q], the main authentication by user name and password is regarded as successful. If password authentication fails for all of the N character strings r[1], r[2], ..., r[N] and for the authentication character string E, the main authentication is regarded as failed.
- When the resource server 161 determines that the user entered the password manually, it may enhance security by performing two-step authentication as appropriate, for example by sending an e-mail or a short message to the mobile phone registered in advance for the user and prompting for confirmation.
- The encryption is performed each time one of the characters s[1], s[2], ... is obtained, and when the encryption has been completed to the end (the end is determined by selection of the additional element, or may be determined by selection of the “Send” button or the like),
- the value of k is reset to 1 and the encryption method is initialized.
- This configuration is also suitable for a configuration of the authentication system 101 in which the management server 181 is omitted.
- In the above aspect, by having the reminder terminal 121 report to an external device that the table 301 associated with the combination of the server name of the resource server 161 to be accessed and the user name used for the access has been presented to the user, the reminder terminal 121 can function as a security token or a special keyboard.
- Alternatively, the reminder terminal 121 may be used only as a device for managing random passwords that the user cannot memorize.
- Because the table 301 displayed by the reminder terminal 121 does not itself represent the password for logging in to the resource server 161, the password does not leak immediately even if a third party sees the table 301.
- A function for printing the table 301 on paper from the reminder terminal 121 on the user's instruction may be added. With the paper on which the table 301 is printed, it is possible to log in to the resource server 161 even while the reminder terminal 121 is turned off. In addition, after logging in to the resource server 161 using the printed table 301, even if the paper is left on a desk or the like and a third party sees the table 301, the password does not leak immediately.
- The reminder terminal 121, the access terminal 141, the resource server 161, and the management server 181 of each of the above embodiments can be realized by executing various programs on various computer hardware.
- A computer reads a program recorded on a non-transitory information recording medium into a RAM (Random Access Memory), which is a temporary storage device, and then a CPU (Central Processing Unit)
- or processor executes the commands included in the read program.
- Alternatively, the CPU directly reads and executes the commands included in a program stored in ROM.
- The CPU or processor controls devices such as a NIC (Network Interface Card), a display, a microphone, and a speaker provided in the hardware, in cooperation with the RAM or the like.
- Each program can be recorded on a computer-readable non-transitory information recording medium such as a compact disk, flexible disk, hard disk, magneto-optical disk, digital video disk, magnetic tape, ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable ROM), flash memory, or semiconductor memory. This information recording medium can be distributed and sold independently of the hardware.
- The above program can also be distributed to each piece of hardware from a distribution device or the like via a transitory transmission medium such as a computer communication network, independently of the computer on which the program is executed.
- The above program can be described in a programming language for describing the behavioural level of an electronic circuit.
- In that case, various design drawings such as wiring diagrams and timing charts of the electronic circuit are generated from the program, and the electronic circuit constituting the image processing apparatus can be created based on those design drawings.
- For example, the above image processing apparatus can be configured from the above program on hardware that can be reprogrammed by FPGA (Field Programmable Gate Array) technology, or a dedicated electronic circuit can be configured by ASIC (Application Specific Integrated Circuit) technology.
- Each part of the reminder terminal 121, the access terminal 141, the resource server 161, and the management server 181 is configured to execute the processing assigned to it.
- As described above, the authentication system includes a reminder terminal, a resource server, a management server, and an access terminal.
- The reminder terminal comprises: a table generation unit that generates a table storing a randomly generated character string in each element; a password registration unit that causes the user to view the generated table and prompts the user to (1) obtain a registration character string by extracting elements from the viewed table in the selection order assigned to the user in advance and arranging the character strings stored in the extracted elements, and (2) register the obtained registration character string at the resource server, as an update or as a new registration, as the password for the user name of the user;
- a storage unit that stores the viewed table in association with the combination of the resource server name and the user name of the resource server; a presentation unit that, when the combination is selected according to an instruction from the user, presents the stored table associated with the combination to the user and prompts the user to (a) obtain an authentication character string by extracting elements from the presented table in the selection order pre-assigned to the user and arranging the character strings stored in the extracted elements, and (b) adopt the obtained authentication character string as the password for the request to use the resources of the resource server under the user name; and a transmission unit that transmits a report that the table stored in association with the combination has been presented to the user.
- If the access terminal and the reminder terminal are communicably connected by a wired connection or a wireless connection established within a predetermined distance, the report is transmitted via the wired connection or the wireless connection.
- If a login form for entering the user name and password related to a request to use the resources of the resource server from the access terminal is displayed on the screen of the access terminal, and the combination selected at the reminder terminal relates to that resource server, then
- the access terminal enters the user name related to the selected combination into the user name field of the login form,
- the reminder terminal causes the user to select elements from the presented table,
- the reminder terminal obtains a transmission character string by arranging the character strings stored in the selected elements,
- the reminder terminal transmits the obtained transmission character string to the access terminal via the wired connection or the wireless connection, and
- the access terminal can be configured to enter the transmission character string transmitted from the reminder terminal into the password field of the login form.
- The reminder terminal may present the table with the character string stored in each element hidden, encrypt the character strings stored in the selected elements by an encryption method time-synchronized with the resource server, and form the transmission character string from them. The resource server can then be configured so that, if the decrypted character string obtained by decrypting the authentication character string of the request by that encryption method matches the password registered for the user name, the password of the request is regarded as matching the password registered for the user name.
- In this reminder terminal, each time the user selects an element from the presented table, the character string stored in the selected element may be encrypted by the encryption method and then transmitted to the access terminal, and the access terminal can be configured to additionally enter the transmitted encrypted character string into the password field of the login form each time an encrypted character string is transmitted from the reminder terminal.
- This reminder terminal may generate, along with the table, an additional element that is a randomly generated character string of a character type different from the character strings stored in the elements of the table, and make the generated table visible and present it to the user together with the generated additional element;
- the registration character string and the authentication character string can then be configured to be obtained by arranging the character strings stored in the extracted elements and the additional element.
- This reminder terminal can further be provided with: a table generation unit that, after the table has been stored in association with the combination, generates a new table when the update period associated with the resource server name of the combination has elapsed; a password registration unit that causes the user to view the generated new table and prompts the user to (1) obtain a new registration character string by extracting elements from the viewed new table in the selection order assigned to the user in advance and arranging the character strings stored in the extracted elements, and (2) register the obtained new registration character string at the resource server as the updated password for the user name of the combination; and a table registration unit that stores the new table in the storage unit in association with the combination.
- This reminder terminal can further be provided with: a reception unit that accepts from the user an input of the selection order pre-assigned to the user and of a selection order to be newly assigned to the user; a rule generation unit that, when the input is accepted, generates a conversion rule that (s) moves the contents of the elements extracted by the pre-assigned selection order to the elements extracted by the newly assigned selection order, and (t) randomly moves the contents of the elements other than those extracted by the pre-assigned selection order to the elements other than those extracted by the newly assigned selection order;
- and an all-update unit that updates all tables stored in the storage unit by converting each stored table according to the generated conversion rule.
- This reminder terminal may, prior to reception by the reception unit, generate a guide character string that has the same length as the selection order and contains no duplicate characters.
- The reception unit (u) accepts the input of the selection order pre-assigned to the user by having the user select elements from the table, displaying each time an element is selected the character of the generated guide character string associated with the order of that selection, and (v) accepts the input of the selection order to be newly assigned to the user by having the user select elements from the table, displaying each time an element is selected the character of the generated guide character string associated with the order of that selection.
- The all-update unit assigns a guide character to each position in the table by (x) assigning, to the positions selected in the selection order to be newly assigned to the user, the characters associated with that order in the guide character string, and (y) randomly assigning characters without duplication to the positions other than those selected in the selection order to be newly assigned to the user.
- The presentation unit can be configured to present the table by displaying the guide character assigned to each position together with the element at that position.
- The authentication system includes a reminder terminal, an access terminal, and a resource server.
- The access terminal transmits to the resource server a request from a user who intends to use the resources of the resource server.
- The reminder terminal presents to the user the table stored in association with the resource server, and sends a report that the table has been presented to the user to the management server or to the resource server.
- The access terminal accepts from the user, in the input field included in the presented login form, a password obtained by extracting and arranging the elements of the presented table in the selection order pre-assigned to the user, and sends the accepted password to the resource server.
- When the report is received, the management server or the resource server defines a validity period that includes the time at which the report was received, and (g) the resource server, if the time point at which the password is received is included in the defined validity period,
- If the reminder terminal transmits the report to the management server,
- the resource server may be configured to inquire of the management server about the validity period, or to inquire whether the time point at which the password was received is included in the defined validity period.
- If the reminder terminal transmits the report to the management server,
- the access terminal inquires of the management server about the validity period, or inquires whether the current time is within the defined validity period; (i) if the current time is within the defined validity period, the input field is set so that the password can be accepted from the user, and (j) if no validity period is defined, or if the current time is outside the defined validity period, the input field can be configured so that the password cannot be accepted from the user.
- When the access terminal accepts a reminder display instruction regarding the resource server from the user to whom the login form is presented, it causes the management server to send a notification to the reminder terminal,
- and the reminder terminal can be configured to present the table stored in association with the resource server to the user when the notification is received.
- The reminder terminal presenting the table to the user may receive an input of the password from the user and transmit the input password to the access terminal,
- and the access terminal can be configured to enter the transmitted password into the login form.
- The reminder terminal can be configured so that, after the table has been stored in association with the resource server, it randomly generates a new table when the update period associated with the resource server has elapsed, urges the user to update the password for the resource server to a new password obtained by extracting and arranging the elements of the generated table in the selection order pre-assigned to the user, and, when the password for the resource server has been updated to the new password, stores the new table in association with the resource server.
- The presented table may include an additional element in its margin,
- and the password can then be obtained by extracting the elements of the presented table in the selection order previously assigned to the user and arranging them together with the additional element included outside the columns of the presented table.
- The authentication system may include another resource server; when the other resource server receives from the access terminal another request from the user who intends to use the resources of the other resource server, it can determine whether or not that other request is acceptable based on whether a determination was made for the request to the resource server and on the timing of that determination.
- This reminder terminal comprises: a storage unit that stores a table associated with each of a plurality of resource servers; and a presentation unit that, according to an instruction from the user selecting one of the plurality of resource servers, presents to the user the table stored in the storage unit in association with the selected resource server. Each element of the table associated with each resource server stores randomly generated information, and from the table associated with each resource server a password for determining whether the user may use the resources of that resource server is obtained by extracting and arranging the elements in the selection order previously assigned to the user.
- The information processing apparatus may further include a transmission unit that transmits a report that the table has been presented to the user to the management server or to the resource server associated with the presented table.
- This reminder terminal can be configured to further include: a table generation unit that, after the table associated with each of the plurality of resource servers has been stored in association with that resource server, generates a new table when the update period associated with that resource server has elapsed;
- a password update unit that prompts the user, or instructs the management server, to update the password for determining whether the user may use the resources of the resource server
- to a new password obtained by extracting and arranging the elements of the generated table in the selection order assigned to the user in advance;
- and a table registration unit that stores the new table in association with the resource server when the password for determining whether the user may use the resources of the resource server has been updated to the new password.
- This reminder terminal can be configured to further include: a reception unit that accepts from the user an input of the selection order pre-assigned to the user and of a selection order to be newly assigned to the user; a rule generation unit that, when the input is accepted, generates a conversion rule that (s) moves the contents of the elements extracted by the pre-assigned selection order to the elements extracted by the newly assigned selection order, and (t) moves the contents of the elements other than those extracted by the pre-assigned selection order to the elements other than those extracted by the newly assigned selection order; and an all-update unit that updates all tables stored in the storage unit by converting the table stored in association with each of the plurality of resource servers according to the generated conversion rule.
- The stored table may include an additional element outside its fields,
- and the password can be configured to be obtained by extracting the elements of the presented table in the selection order previously assigned to the user and arranging them together with the additional element included outside the stored table.
- This reminder terminal may, prior to reception by the reception unit, generate a guide character string that has the same length as the selection order and contains no duplicate characters.
- The reception unit (u) accepts the input of the selection order pre-assigned to the user by having the user select elements from the table, displaying each time an element is selected the character of the generated guide character string associated with the order of that selection, and (v) accepts the input of the selection order to be newly assigned to the user by having the user select elements from the table, displaying each time an element is selected the character of the generated guide character string associated with the order of that selection.
- A guide character can be assigned to each position in the table by randomly assigning characters without duplication to the positions other than those selected in the selection order to be newly assigned to the user.
- The presentation unit can be configured so that, when presenting any of the tables associated with the plurality of resource servers to the user, it displays the guide character assigned to each position in the table together with the element at that position.
- A reminder terminal used when requesting use of the resources of a resource server, and a program that causes a computer to function as that reminder terminal, can be provided,
- as can a non-transitory computer-readable information recording medium on which the program is recorded.
Description
(A) The reminder terminal comprises:
a table generation unit that generates a table in which a randomly generated character string is stored in each element;
a password registration unit that causes the user to view the generated table and prompts the user to
(1) obtain a registration character string by extracting elements from the viewed table in a selection order assigned to the user in advance and arranging the character strings stored in the extracted elements, and
(2) register the obtained registration character string at the resource server, as an update or as a new registration, as the password for the user name held by the user;
a storage unit in which the viewed table is stored in association with the combination of the resource server name of the resource server and the user name;
a presentation unit that, when the combination is selected by an instruction from the user, presents the stored table associated with the combination to the user and prompts the user to
(a) obtain an authentication character string by extracting elements from the presented table in the selection order assigned to the user in advance and arranging the character strings stored in the extracted elements, and
(b) adopt the obtained authentication character string as the password for a request to use the resources of the resource server under the user name; and
a transmission unit that transmits a report that the table stored in association with the combination has been presented to the user.
(B) When the report transmitted from the reminder terminal is received by the management server, the management server defines a validity period for the combination related to the report, the validity period including the time at which the report was received by the management server.
(C) When a request to use the resources of the resource server under the user name is transmitted from the access terminal to the resource server, and the password related to the request matches the password registered for the user name at the resource server, the resource server transmits an inquiry related to the user name to the management server.
(D) When the inquiry is received by the management server, the management server determines whether the permission condition “the inquiry was received by the management server within the validity period defined for the combination of the server name of the resource server that sent the inquiry and the user name related to the inquiry” holds, and transmits to the resource server an answer specifying the determined result.
(E) When the answer is received by the resource server, and the received answer specifies that the permission condition holds, the resource server transmits to the access terminal a response for allowing use of the resources of the resource server.
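The report / validity period / inquiry exchange of steps (B) through (E) above, and the dependency-period variant described for resource servers X and Y (where X accepts a user whose main authentication at Y succeeded earlier in the same year), as an added example that is not code from the patent. The three parties are modelled as plain Python classes exchanging method calls instead of network messages; the 120-second validity period, the server name “www.zzz.com”, the user name “paul” and the 4-digit password “6441” are taken from or constructed around the page's own examples.

```python
import datetime as dt
import hmac

VALIDITY_SECONDS = 120   # constructed: length of the validity period opened by a report


class ManagementServer:
    """Holds one validity period per (resource server name, user name) combination."""

    def __init__(self):
        self.windows = {}

    def on_report(self, server_name: str, user_name: str, received_at: dt.datetime) -> None:
        # (B): define a validity period that includes the time the report was received
        self.windows[(server_name, user_name)] = (
            received_at, received_at + dt.timedelta(seconds=VALIDITY_SECONDS))

    def on_inquiry(self, server_name: str, user_name: str, received_at: dt.datetime) -> bool:
        # (D): permission condition "inquiry received within the validity period of the
        # combination (sending server's name, user name)"
        window = self.windows.get((server_name, user_name))
        return window is not None and window[0] <= received_at <= window[1]


class ReminderTerminal:
    """Stores one table per combination; presenting a table also sends the report."""

    def __init__(self, mgmt: ManagementServer):
        self.mgmt = mgmt
        self.tables = {}

    def present(self, server_name: str, user_name: str, now: dt.datetime) -> list:
        table = self.tables[(server_name, user_name)]
        self.mgmt.on_report(server_name, user_name, now)      # transmission unit
        return table


class ResourceServer:
    """Checks the password first, then asks the management server about the pre-authentication."""

    def __init__(self, name: str, mgmt: ManagementServer, registered: dict):
        self.name, self.mgmt, self.registered = name, mgmt, registered

    def login(self, user_name: str, password: str, now: dt.datetime) -> str:
        stored = self.registered.get(user_name)
        # (C): only a matching password triggers the inquiry (constant-time comparison)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return "denied: password mismatch"
        if not self.mgmt.on_inquiry(self.name, user_name, now):
            return "denied: no valid reminder report"
        return "allowed"                                       # (E)


def dependency_period_ok(y_success: dt.datetime, now: dt.datetime) -> bool:
    """Dependency variant from the description: resource server X accepts the user if the
    main authentication at resource server Y succeeded and `now` lies between that success
    and the last day of the same year."""
    end_of_year = dt.datetime(y_success.year, 12, 31, 23, 59, 59)
    return y_success <= now <= end_of_year
```

The ordering in `login` matters: a request whose password is wrong never reaches the management server, so the validity window cannot be probed by a client that does not already hold the password, and a correct password entered without the table having been presented is still refused.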
An outline of a typical aspect of the present invention is described below. The reminder terminal 121 generates and stores a table in which a random character string is stored in each element, in association with the combination of the server name of each resource server 161 and the user name that the user uses at that resource server 161.
Also, when the user intends to use the resources of a resource server 161 (that is, to log in or sign in), the reminder terminal 121 presents to the user the table stored in the reminder terminal 121 according to the combination of resource server name and user name selected by the user.
FIG. 2 is an explanatory diagram showing an outline of the reminder terminal according to the embodiment of the present invention. The following description refers to this figure.
FIG. 3A is an explanatory diagram showing how a table is displayed on the reminder terminal according to the embodiment of the present invention. FIG. 3B is an explanatory diagram showing how a table is displayed on the reminder terminal according to the embodiment of the present invention. The following description refers to these figures.
FIG. 4 is an explanatory diagram showing an example of a selection order according to the embodiment of the present invention. The following description refers to this figure.
FIG. 5 is an explanatory diagram showing how information is exchanged in the authentication system according to the embodiment of the present invention. The following description refers to this figure.
Note that the login form 511 displayed in the browser 501 or the like of the access terminal 141 may be configured as follows, using a script based on AJAX or the like, an asynchronous XML communication technique using JavaScript (registered trademark).
(1) Each time a character is entered in the user name field 512, the script causes the access terminal 141 to inquire of the resource server 161 or the management server 181 whether the current date and time is within the validity period defined for the user whose user name is the character string entered so far in the user name field 512.
(2) The inquired party answers the inquiry from the access terminal 141. If the inquired party is the resource server 161, the resource server 161 makes an inquiry about the validity period to the management server 181 as appropriate, and answers the access terminal 141 based on its content.
(3a) If within the validity period, the script sets the password field 513 to editable and visible.
(3b) If outside the validity period, the script sets the password field 513 to non-editable or invisible.
(4) The script sets the login button 514 to inoperable or invisible until a character string has been entered in the password field 513, and sets it to operable and visible after a character string has been entered.
In the above description, the user intending to access the resource server 161 started the reminder terminal 121 voluntarily; by using a plug-in for the browser 501 running on the access terminal 141 together with the notification reception function of a mobile terminal or the like, the reminder terminal 121 can be started easily.
By exploiting the fact that the reminder terminal 121 and the access terminal 141 are nearby and able to communicate, it is also possible to configure the system so that, instead of the user entering the authentication character string manually, the authentication character string is entered in the user name field 512 and the password field 513 of the login form 511 displayed on the access terminal 141 simply by selecting elements in order from the table presented on the reminder terminal 121.
In the above aspect, the access request is sent from the access terminal 141 to the resource server 161, the login form 511 is sent from the resource server 161 to the access terminal 141, and the user enters the password at the access terminal 141; however, the password may instead be entered from an authentication terminal other than the access terminal 141. The authentication terminal may be the same device as the reminder terminal 121 or a different device.
In the above description it was assumed that each element of the table 301 registered in the reminder terminal 121 is randomly generated; when registering an existing resource server 161 in the reminder terminal 121 without changing its password, the following procedure may be used, for example.
(1) The reminder terminal 121 presents a blank table to the user.
(2) The user divides the existing password for the resource server 161 by themselves and writes the pieces manually into the blank table following their own selection order.
(3) When the divided password has been written, the reminder terminal 121 fills the remaining elements with randomly generated character strings.
(4) The completed table is stored in the storage unit 201 of the reminder terminal 121 in association with the server ID of the existing resource server 161.
When management of the password for a resource server 161 is started at the reminder terminal 121 from the outset, a new table for the combination of the resource server name and user name of the resource server 161 must be generated, and the registration character string obtained from that table must be registered at the resource server 161 as the password.
Also, once management of the password for the resource server 161 has started at the reminder terminal 121, it is desirable to change the password periodically. Conventionally, a countermeasure has been taken of warning the user, when logging in to a server, to change the password if a certain period (for example 90 days) has elapsed since it was last updated; changing the password, however, involves the effort of thinking up a new one.
According to this embodiment, not only can the password for each resource server be updated individually, but the selection order assigned to the user can also be updated. This corresponds to updating the master password in the conventional art.
(s) the contents of the elements extracted by the selection order the user adopted in the sample table are moved to the elements extracted by the selection order the user adopted in the blank table, and
(t) the contents of elements other than those extracted by the previously assigned selection order are moved to elements other than those extracted by the selection order to be newly assigned.
For example, elements are moved as follows:
row 4, column 2 -> row 1, column 1;
row 5, column 3 -> row 2, column 2;
row 4, column 4 -> row 5, column 5;
row 3, column 5 -> row 2, column 5.
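The table handling described on this page, as an added example that is not code from the patent: generating a table of random strings, extracting the registration or authentication string in a selection order (with the additional element appended), building the conversion rule of steps (s) and (t) from an old and a new selection order, applying the same rule to every stored table (the all-update unit of the claims), and the procedure above for importing an existing password into a blank table. The 5x5 grid, the 0-based `(row, column)` positions and the alphabet of letters and digits are my assumptions; the move list uses the page's example (row 4, column 2 to row 1, column 1, and so on).

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits   # constructed: character type of table elements


def generate_table(rows: int, cols: int, length: int, rng: random.Random) -> list:
    """Table generation unit: rows x cols elements, each a random string of `length` characters."""
    return [["".join(rng.choice(ALPHABET) for _ in range(length)) for _ in range(cols)]
            for _ in range(rows)]


def extract(table: list, order: list, additional: str = "") -> str:
    """Registration/authentication string: element strings in selection order,
    followed by the additional element (kept outside the grid, different character type)."""
    return "".join(table[r][c] for r, c in order) + additional


def conversion_rule(old_order: list, new_order: list, rows: int, cols: int,
                    rng: random.Random) -> dict:
    """Rule generation unit: a bijection old position -> new position such that
    (s) old_order[i] moves to new_order[i] and (t) every other position moves randomly
    onto a position not used by new_order. Positions are 0-based (row, col) tuples."""
    if len(old_order) != len(new_order):
        raise ValueError("old and new selection orders must have the same length")
    if len(set(old_order)) != len(old_order) or len(set(new_order)) != len(new_order):
        raise ValueError("a selection order must not visit a position twice")
    all_pos = [(r, c) for r in range(rows) for c in range(cols)]
    rule = dict(zip(old_order, new_order))                        # (s)
    src_rest = [p for p in all_pos if p not in set(old_order)]
    dst_rest = [p for p in all_pos if p not in set(new_order)]
    rng.shuffle(dst_rest)
    rule.update(zip(src_rest, dst_rest))                          # (t)
    return rule


def apply_rule(table: list, rule: dict) -> list:
    """Move each element's content to the position the rule assigns to it."""
    rows, cols = len(table), len(table[0])
    new = [[None] * cols for _ in range(rows)]
    for (r, c), (nr, nc) in rule.items():
        new[nr][nc] = table[r][c]
    return new


def update_all(tables: dict, rule: dict) -> dict:
    """All-update unit: one rule is applied to every stored table (keyed by
    (server name, user name)), so every registered password stays unchanged."""
    return {key: apply_rule(t, rule) for key, t in tables.items()}


def import_existing_password(pieces: list, order: list, rows: int, cols: int,
                             rng: random.Random) -> list:
    """Registering an existing server without changing its password: the user's password
    pieces go into a blank table along the selection order, the terminal fills the rest
    with random strings of the same length so the pieces are not distinguishable."""
    if len(pieces) != len(order):
        raise ValueError("one piece per selected position")
    table = [[None] * cols for _ in range(rows)]
    for piece, (r, c) in zip(pieces, order):
        table[r][c] = piece
    length = max(len(p) for p in pieces)
    for r in range(rows):
        for c in range(cols):
            if table[r][c] is None:
                table[r][c] = "".join(rng.choice(ALPHABET) for _ in range(length))
    return table
```

`conversion_rule` deliberately refuses orders of unequal length or with repeated positions, since the rule must be a permutation of the grid for the old-order password of every table to reappear under the new order.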
The aspects described above include one in which, as pre-authentication for using the resources of the resource server 161, the display of the table for that resource server 161 on the reminder terminal 121 is used and, on condition that the pre-authentication succeeded in cooperation with the management server 181, the process proceeds to the main authentication by user name and password at the resource server 161; that is, the main authentication is performed after confirming that the permission condition holds. In this aspect, the resource server 161 inquired of the management server 181 whether the pre-authentication succeeded.
In the aspect in which the reminder terminal 121 serves as a special keyboard, the reminder terminal 121 and the resource server 161 can also share a time-synchronized encryption method to increase security. A different seed may be given to each user name managed by a resource server 161, with time synchronization performed by a different encryption method per user, or all users of the resource server 161 may share an encryption method that is time-synchronized based on a single seed.
e(g(v,k), s[k])
is computed. Here the operation e(x,y) satisfies the following relation with the operation c(x,z) described later:
y = c(x, e(x,y))
Suppose that
S = [s[1], s[2], …, s[M]].
Then the encrypted string E can be expressed as follows:
E = [E[1], E[2], …, E[M]] = [e(g(v,1),s[1]), e(g(v,2),s[2]), …, e(g(v,M),s[M])]
r[1] = [c(g(u[1],1),E[1]), c(g(u[1],2),E[2]), …, c(g(u[1],M),E[M])];
r[2] = [c(g(u[2],1),E[1]), c(g(u[2],2),E[2]), …, c(g(u[2],M),E[M])];
…;
r[N] = [c(g(u[N],1),E[1]), c(g(u[N],2),E[2]), …, c(g(u[N],M),E[M])];
In the mode above, the reminder terminal 121 reports to an external device that the table 301 associated with the combination of the server name of the resource server 161 about to be accessed and the user name to be used for the access has been presented to the user; this is what allows the reminder terminal 121 to function as a security token or as a special keyboard.
The reminder terminal 121, access terminal 141, resource server 161 and management server 181 of each of the embodiments above can be realized by executing the corresponding programs on the hardware of ordinary computers.
As described above, this authentication system comprises a reminder terminal, a resource server, a management server and an access terminal, and is configured so that
(A) the reminder terminal comprises
a table generation unit that generates a table in which a randomly generated character string is stored in each element;
a password registration unit that lets the user view the generated table and prompts the user to
(1) extract elements from the viewed table in the selection order assigned in advance to the user and obtain a registration string by arranging the strings stored in the extracted elements, and
(2) register the obtained registration string with the resource server, as an updated or new registration, as the password for the user name the user holds;
a storage unit in which the viewed table is stored in association with the combination of the resource server name of the resource server and the user name;
a presentation unit that, when the combination is selected by an instruction from the user, presents the table stored in association with the combination to the user and prompts the user to
(a) extract elements from the presented table in the selection order assigned in advance to the user and obtain an authentication string by arranging the strings stored in the extracted elements, and
(b) adopt the obtained authentication string as the password of a request to use the resources of the resource server under the user name; and
a transmission unit that transmits a report that the table stored in association with the combination has been presented to the user;
(B) the management server,
when the report transmitted from the reminder terminal is received by the management server, sets a validity period for the combination to which the report relates, the validity period including the time at which the report was received by the management server;
(C) the resource server,
when a request to use the resources of the resource server under the user name is transmitted from the access terminal to the resource server and the password of the request matches the password registered for the user name at the resource server, transmits to the management server an inquiry concerning the user name;
(D) the management server,
when the inquiry is received by the management server, judges whether the permit condition "the inquiry was received by the management server within the validity period set for the combination of the server name of the resource server that sent the inquiry and the user name to which the inquiry relates" holds, and transmits to the resource server an answer in which the result of that judgment is specified; and
(E) the resource server,
when the answer is received by the resource server and the received answer specifies that the permit condition holds, transmits to the access terminal a response for allowing use of the resources of the resource server.
The system can be configured so that, if the access terminal and the reminder terminal are communicably connected by a wired or wireless connection established within a predetermined distance, the report is transmitted to the access terminal via the wired or wireless connection, and,
if a login form for entering the user name and password of a request from the access terminal to use the resources of the resource server is displayed on the screen of the access terminal and the server name of the combination selected on the reminder terminal is the server name of the resource server,
the access terminal enters the user name of the selected combination into the user name field of the login form,
the reminder terminal lets the user select elements from the presented table,
the reminder terminal obtains a transfer string by arranging the strings stored in the selected elements,
the reminder terminal transfers the obtained transfer string to the access terminal via the wired or wireless connection, and
the access terminal enters the transfer string transferred from the reminder terminal into the password field of the login form.
The system can be configured so that the reminder terminal presents the table with the string stored in each element hidden,
the reminder terminal encrypts the strings stored in the selected elements with an encryption scheme time-synchronized with the resource server to produce the transfer string, and
the resource server regards the password of the request as matching the password registered for the user name if the decrypted string obtained by decrypting the authentication string of the request with that encryption scheme matches the password registered for the user name.
The system can be configured so that, each time the user selects an element from the presented table, the string stored in the selected element is encrypted with the encryption scheme before being transferred to the access terminal, and
the access terminal, each time an encrypted string is transferred from the reminder terminal, appends the transferred encrypted string to the password field of the login form.
The system can be configured so that, together with the table, an additional element is generated that is a randomly generated string of a character class different from that of the strings stored in the elements of the table,
the generated table is shown and presented to the user together with the generated additional element, and
the registration string and the authentication string are obtained by arranging the strings stored in the extracted elements together with the additional element.
The reminder terminal can be configured so that, when an update period associated with the resource server name of the combination has elapsed after the table was stored in association with the combination,
the table generation unit generates a new table,
the password registration unit lets the user view the generated new table and prompts the user to
(1) extract elements from the viewed new table in the selection order assigned in advance to the user and obtain a new registration string by arranging the strings stored in the extracted elements, and
(2) register the obtained new registration string with the resource server, as an updated registration, as the password for the user name of the combination,
and the reminder terminal further comprises a table registration unit that stores the new table in the storage unit in association with the combination.
The reminder terminal can be configured to further comprise
a reception unit that receives from the user input of the selection order assigned in advance to the user and of the selection order to be newly assigned to the user,
a rule generation unit that, when the input is received, generates a transformation rule that
(s) moves the contents of the elements extracted by the previously assigned selection order to the elements extracted by the selection order to be newly assigned, and
(t) moves the contents of the elements other than those extracted by the previously assigned selection order at random to elements other than those extracted by the selection order to be newly assigned, and
a full update unit that updates every table stored in the storage unit by transforming each table stored in the storage unit with the generated transformation rule.
The system can be configured so that, prior to reception by the reception unit, a guide string is generated that has the same length as the selection order and contains no duplicate characters,
the reception unit
(u) receives input of the selection order assigned in advance to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order of that selection, and
(v) receives input of the selection order to be newly assigned to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order in which it was selected,
the full update unit assigns a guide character to each position in the table by
(x) assigning, to the positions selected in the selection order to be newly assigned, the character of the guide string corresponding to that order, and
(y) assigning characters at random, without duplicates, to the positions other than those selected in the selection order to be newly assigned, and
the presentation unit, whenever it presents to the user any of the tables associated with the plurality of resource servers, presents the guide character assigned to each position in that table together with the element at that position.
(a) the access terminal
transmits to the resource server a request from a user who wishes to use the resources of the resource server;
(b) the resource server, on receiving the transmitted request,
transmits a login form to the access terminal;
(c) the access terminal, on receiving the transmitted login form,
presents the received login form to the user;
(d) the reminder terminal
presents to the user the table stored in association with the resource server, and
transmits a report that the table has been presented to the user to the management server or to the resource server;
(e) the access terminal
receives from the user, in an input field included in the presented login form, the password obtained by extracting and arranging elements of the presented table in the selection order assigned in advance to the user, and
transmits the received password to the resource server;
(f) the management server or the resource server,
on receiving the report, sets a validity period that contains the time at which the report was received; and
(g) the resource server,
if the time at which the password was received falls within the set validity period, decides whether to permit the request from the user on the basis of the received password.
The system can be configured so that the reminder terminal transmits the report to the management server, and
the resource server queries the management server for the validity period, or queries whether the time at which the password was received falls within the set validity period.
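As an added example that is not part of the patent, the following Python simulation models steps (B) to (E) of the system described earlier and steps (d) to (g) of the method above, with the resource server querying the management server as in the preceding paragraph. The 60-second validity period, the integer clock, the PBKDF2 password storage and the constructed 2x2 table are assumptions.

```python
import hashlib
import hmac
import secrets

# Length of the validity period (seconds on a simple integer clock) is an assumption.
VALIDITY_SECONDS = 60


class ManagementServer:
    def __init__(self):
        self.periods, self.inquiries = {}, 0    # (server, user) -> (start, end); (D) count

    def receive_report(self, server_name, user_name, now):
        # (B): the validity period for the combination contains the time of receipt.
        self.periods[(server_name, user_name)] = (now, now + VALIDITY_SECONDS)

    def answer_inquiry(self, server_name, user_name, now):
        # (D): permit condition -- the inquiry arrives within the period set for the
        # combination. Both end points are treated as inside the period (assumption).
        self.inquiries += 1
        period = self.periods.get((server_name, user_name))
        return period is not None and period[0] <= now <= period[1]


class ResourceServer:
    def __init__(self, name, management):
        self.name, self.management, self.users = name, management, {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_password(self, user_name, password):
        salt = secrets.token_bytes(16)
        self.users[user_name] = (salt, self._digest(password, salt))

    def _password_matches(self, user_name, password):
        record = self.users.get(user_name)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))

    def handle_request(self, user_name, password, now):
        # (C): only a matching password leads to an inquiry; a wrong password is
        # refused without consulting the management server.
        if not self._password_matches(user_name, password):
            return "denied"
        # (E): the resource is released only if the answer says the condition holds.
        if not self.management.answer_inquiry(self.name, user_name, now):
            return "denied"
        return "granted"


class ReminderTerminal:
    def __init__(self, management):
        self.management, self.tables = management, {}

    def present(self, server_name, user_name, now):
        table = self.tables[(server_name, user_name)]
        self.management.receive_report(server_name, user_name, now)   # transmission unit
        return table


def run_scenario():
    """Constructed walk-through; returns the outcome of each request."""
    mgmt = ManagementServer()
    server = ResourceServer("srv.example", mgmt)
    reminder = ReminderTerminal(mgmt)
    # Constructed 2x2 table and selection order; the password is the concatenation.
    reminder.tables[("srv.example", "alice")] = [["q7", "Zp"], ["m2", "Kx"]]
    order = [(1, 0), (0, 1), (1, 1)]
    server.register_password("alice", "m2ZpKx")
    out = {"no_report": server.handle_request("alice", "m2ZpKx", now=100)}
    table = reminder.present("srv.example", "alice", now=200)
    typed = "".join(table[r][c] for r, c in order)
    out["in_period"] = server.handle_request("alice", typed, now=230)
    out["after_period"] = server.handle_request("alice", typed, now=261)
    before = mgmt.inquiries
    out["wrong_password"] = server.handle_request("alice", "wrong", now=230)
    out["inquiry_on_wrong"] = mgmt.inquiries != before
    return out
```

A correct password alone is refused: the resource server releases the resource only when the reminder terminal has reported the presentation within the validity period, which is what turns the table display into a second factor.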
The system can be configured so that the reminder terminal transmits the report to the management server, and
the access terminal queries the management server for the validity period, or queries whether the present time is within the set validity period, and
(i) if the present time is within the set validity period, sets the input field so that the password can be accepted from the user, and
(j) if no validity period has been set, or the present time is outside the set validity period, sets the input field so that the password cannot be accepted from the user.
The system can be configured so that, when the access terminal receives from the user to whom the login form was presented an instruction to display a reminder for the resource server, it causes the management server to transmit a notification to the reminder terminal, and
the reminder terminal, triggered by receipt of the notification, presents to the user the table stored in association with the resource server.
The system can be configured so that the reminder terminal that presented the table to the user receives the password input from the user and transfers the entered password to the access terminal, and
the access terminal enters the transferred password into the login form.
The system can be configured so that the reminder terminal,
when an update period associated with the resource server has elapsed after the table was stored in association with the resource server, randomly generates a new table,
prompts the user to update the password for the resource server to a new password obtained by extracting and arranging elements of the generated table in the selection order assigned in advance to the user, and,
once the password for the resource server has been updated to the new password, stores the new table in association with the resource server.
The system can be configured so that the presented table includes an additional element outside the grid, and
the password is obtained by extracting elements of the presented table in the selection order assigned in advance to the user and arranging them together with the additional element included outside the grid of the presented table.
The system can be configured so that the authentication system includes another resource server, and
the other resource server, on receiving from the access terminal another request from the user who wishes to use the resources of the other resource server, decides whether to permit that other request from the user on the basis of the decision made on the request to the resource server and the time of that decision.
The reminder terminal comprises
a storage unit in which a table associated with each of a plurality of resource servers is stored, and
a presentation unit that, on an instruction from the user selecting one of the plurality of resource servers, presents to the user the table stored in the storage unit in association with the selected resource server,
where randomly generated information is stored in each element of the table associated with each resource server, and
the password used to decide whether use of the resources of each resource server is permitted is obtained by extracting and arranging elements of the table associated with that resource server in the selection order assigned in advance to the user.
The reminder terminal can be configured to further comprise a transmission unit that transmits a report that the table has been presented to the user to the management server or to the resource server associated with the presented table.
The reminder terminal can be configured to further comprise
a table generation unit that generates a new table when an update period associated with each resource server has elapsed after the table associated with that resource server was stored,
a password update unit that prompts the user, or instructs the management server, to update the password used to decide whether the user's use of the resources of the resource server is permitted to a new password obtained by extracting and arranging elements of the generated table in the selection order assigned in advance to the user, and
a table registration unit that, once the password used to decide whether the user's use of the resources of the resource server is permitted has been updated to the new password, stores the new table in association with the resource server.
The reminder terminal can be configured to further comprise
a reception unit that receives from the user input of the selection order assigned in advance to the user and of the selection order to be newly assigned to the user,
a rule generation unit that, when the input is received, generates a transformation rule that
(s) moves the contents of the elements extracted by the previously assigned selection order to the elements extracted by the selection order to be newly assigned, and
(t) moves the contents of the elements other than those extracted by the previously assigned selection order to elements other than those extracted by the selection order to be newly assigned, and
a full update unit that updates every table stored in the storage unit by transforming each table stored in the storage unit in association with each of the plurality of resource servers with the generated transformation rule.
The reminder terminal can be configured so that the stored table includes an additional element outside the grid, and
the password is obtained by extracting elements of the presented table in the selection order assigned in advance to the user and arranging them together with the additional element included outside the grid of the stored table.
The reminder terminal can be configured so that, prior to reception by the reception unit, a guide string is generated that has the same length as the selection order and contains no duplicate characters,
the reception unit
(u) receives input of the selection order assigned in advance to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order of that selection, and
(v) receives input of the selection order to be newly assigned to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order in which it was selected, and
the full update unit assigns a guide character to each position in the table by
(x) assigning, to the positions selected in the selection order to be newly assigned, the character of the guide string corresponding to that order, and
(y) assigning characters at random, without duplicates, to the positions other than those selected in the selection order to be newly assigned.
The reminder terminal can be configured so that the presentation unit, whenever it presents to the user any of the tables associated with the plurality of resource servers, presents the guide character assigned to each position in that table together with the element at that position.
This application claims priority based on International Application PCT/JP2014/073704, filed with the World Intellectual Property Organization on Monday, September 8, 2014 (Heisei 26), and the content of that basic application is incorporated into this application to the extent permitted by the laws of the designated states.
121 reminder terminal
141 access terminal
161 resource server
181 management server
191 computer communication network
201 storage unit
202 presentation unit
203 transmission unit
204 table generation unit
205 password registration unit
206 table registration unit
207 reception unit
208 rule generation unit
209 full update unit
301 table
303 server ID
304 user name
305 additional element
311 navigation
312 navigation
313 navigation
321 done button
322 cancel button
501 browser
502 URL field
503 content area
511 login form
512 user name field
513 password field
514 login button
521 plug-in icon
551 trial table
552 forward button
561 transition table
562 update button
Claims (10)
- An authentication system comprising a reminder terminal, a resource server, a management server and an access terminal, characterized in that
(A) the reminder terminal comprises
a table generation unit that generates a table in which a randomly generated character string is stored in each element;
a password registration unit that lets the user view the generated table and prompts the user to
(1) extract elements from the viewed table in the selection order assigned in advance to the user and obtain a registration string by arranging the strings stored in the extracted elements, and
(2) register the obtained registration string with the resource server, as an updated or new registration, as the password for the user name the user holds;
a storage unit in which the viewed table is stored in association with the combination of the resource server name of the resource server and the user name;
a presentation unit that, when the combination is selected by an instruction from the user, presents the table stored in association with the combination to the user and prompts the user to
(a) extract elements from the presented table in the selection order assigned in advance to the user and obtain an authentication string by arranging the strings stored in the extracted elements, and
(b) adopt the obtained authentication string as the password of a request to use the resources of the resource server under the user name; and
a transmission unit that transmits a report that the table stored in association with the combination has been presented to the user;
(B) the management server,
when the report transmitted from the reminder terminal is received by the management server, sets a validity period for the combination to which the report relates, the validity period including the time at which the report was received by the management server;
(C) the resource server,
when a request to use the resources of the resource server under the user name is transmitted from the access terminal to the resource server and the password of the request matches the password registered for the user name at the resource server, transmits to the management server an inquiry concerning the user name;
(D) the management server,
when the inquiry is received by the management server, judges whether the permit condition "the inquiry was received by the management server within the validity period set for the combination of the server name of the resource server that sent the inquiry and the user name to which the inquiry relates" holds, and transmits to the resource server an answer in which the result of that judgment is specified; and
(E) the resource server,
when the answer is received by the resource server and the received answer specifies that the permit condition holds, transmits to the access terminal a response for allowing use of the resources of the resource server.
- The authentication system according to claim 1, characterized in that, if the access terminal and the reminder terminal are communicably connected by a wired or wireless connection established within a predetermined distance, the report is transmitted to the access terminal via the wired or wireless connection, and,
if a login form for entering the user name and password of a request from the access terminal to use the resources of the resource server is displayed on the screen of the access terminal and the server name of the combination selected on the reminder terminal is the server name of the resource server,
the access terminal enters the user name of the selected combination into the user name field of the login form,
the reminder terminal lets the user select elements from the presented table,
the reminder terminal obtains a transfer string by arranging the strings stored in the selected elements,
the reminder terminal transfers the obtained transfer string to the access terminal via the wired or wireless connection, and
the access terminal enters the transfer string transferred from the reminder terminal into the password field of the login form.
- The authentication system according to claim 2, characterized in that
the reminder terminal presents the table with the string stored in each element of the table hidden,
the reminder terminal encrypts the strings stored in the selected elements with an encryption scheme time-synchronized with the resource server to produce the transfer string, and
the resource server regards the password of the request as matching the password registered for the user name if the decrypted string obtained by decrypting the authentication string of the request with that encryption scheme matches the password registered for the user name.
- A reminder terminal in the authentication system according to claim 3, characterized in that
each time the user selects an element from the presented table, the string stored in the selected element is encrypted with the encryption scheme before being transferred to the access terminal, and
the access terminal, each time the encrypted string is transferred from the reminder terminal, appends the transferred encrypted string to the password field of the login form.
- The reminder terminal according to claim 4, characterized in that the reminder terminal
generates, together with the table, an additional element that is a randomly generated string of a character class different from that of the strings stored in the elements of the table,
shows and presents the generated table to the user together with the generated additional element, and
the registration string and the authentication string are obtained by arranging the strings stored in the extracted elements together with the additional element.
- The reminder terminal according to claim 4, characterized in that, when an update period associated with the resource server name of the combination has elapsed after the table was stored in association with the combination,
the table generation unit generates a new table,
the password registration unit lets the user view the generated new table and prompts the user to
(1) extract elements from the viewed new table in the selection order assigned in advance to the user and obtain a new registration string by arranging the strings stored in the extracted elements, and
(2) register the obtained new registration string with the resource server, as an updated registration, as the password for the user name of the combination,
and the reminder terminal further comprises a table registration unit that stores the new table in the storage unit in association with the combination.
- The reminder terminal according to claim 4, characterized by further comprising
a reception unit that receives from the user input of the selection order assigned in advance to the user and of the selection order to be newly assigned to the user,
a rule generation unit that, when the input is received, generates a transformation rule that
(s) moves the contents of the elements extracted by the previously assigned selection order to the elements extracted by the selection order to be newly assigned, and
(t) moves the contents of the elements other than those extracted by the previously assigned selection order at random to elements other than those extracted by the selection order to be newly assigned, and
a full update unit that updates every table stored in the storage unit by transforming each table stored in the storage unit with the generated transformation rule.
- The reminder terminal according to claim 7, characterized in that the reminder terminal
generates, prior to reception by the reception unit, a guide string that has the same length as the selection order and contains no duplicate characters,
the reception unit
(u) receives input of the selection order assigned in advance to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order of that selection, and
(v) receives input of the selection order to be newly assigned to the user by the user selecting elements from a table and, each time an element is selected, displays on that element the character of the generated guide string corresponding to the order in which it was selected,
the full update unit assigns a guide character to each position in the table by
(x) assigning, to the positions selected in the selection order to be newly assigned, the character of the guide string corresponding to that order, and
(y) assigning characters at random, without duplicates, to the positions other than those selected in the selection order to be newly assigned, and
the presentation unit, whenever it presents to the user any of the tables associated with the plurality of resource servers, presents the guide character assigned to each position in that table together with the element at that position.
- A non-transitory computer-readable information recording medium on which a program is recorded, the program being characterized by causing a computer to function as each unit of the reminder terminal according to claim 4.
- The authentication system according to claim 1, characterized in that the resource server and the management server are realized by a single server computer.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201580056707.7A CN107077559B (zh) | 2014-09-08 | 2015-09-08 | 认证系统、提醒终端、以及信息记录介质 |
JP2015560117A JP5906363B1 (ja) | 2014-09-08 | 2015-09-08 | 認証システム、リマインダ端末、ならびに、情報記録媒体 |
EP15840293.3A EP3193273B1 (en) | 2014-09-08 | 2015-09-08 | Authentication system, reminder terminal, and information recording medium |
US15/509,459 US10425404B2 (en) | 2014-09-08 | 2015-09-08 | Authentication system, reminder terminal, and information recording medium |
US16/562,039 US11277400B2 (en) | 2014-09-08 | 2019-09-05 | Reminder terminal apparatus and authentication method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2014/073704 WO2016038665A1 (ja) | 2014-09-08 | 2014-09-08 | 認証システム、ならびに、リマインダ端末 |
JPPCT/JP2014/073704 | 2014-09-08 |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/073704 Continuation-In-Part WO2016038665A1 (ja) | 2014-09-08 | 2014-09-08 | 認証システム、ならびに、リマインダ端末 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/509,459 A-371-Of-International US10425404B2 (en) | 2014-09-08 | 2015-09-08 | Authentication system, reminder terminal, and information recording medium |
US16/562,039 Division US11277400B2 (en) | 2014-09-08 | 2019-09-05 | Reminder terminal apparatus and authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016039309A1 true WO2016039309A1 (ja) | 2016-03-17 |
Family
ID=55458458
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/073704 WO2016038665A1 (ja) | 2014-09-08 | 2014-09-08 | 認証システム、ならびに、リマインダ端末 |
PCT/JP2015/075391 WO2016039309A1 (ja) | 2014-09-08 | 2015-09-08 | 認証システム、リマインダ端末、ならびに、情報記録媒体 |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/073704 WO2016038665A1 (ja) | 2014-09-08 | 2014-09-08 | 認証システム、ならびに、リマインダ端末 |
Country Status (5)
Country | Link |
---|---|
US (2) | US10425404B2 (ja) |
EP (1) | EP3193273B1 (ja) |
JP (3) | JP5906363B1 (ja) |
CN (1) | CN107077559B (ja) |
WO (2) | WO2016038665A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230164112A1 (en) * | 2019-07-24 | 2023-05-25 | Lookout, Inc. | Service protecting privacy while monitoring password and username usage |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10395065B2 (en) * | 2015-12-28 | 2019-08-27 | International Business Machines Corporation | Password protection under close input observation based on dynamic multi-value keyboard mapping |
US10341448B2 (en) | 2016-06-12 | 2019-07-02 | Apple Inc. | Notification extensions for applications |
JP6093102B1 (ja) | 2016-08-22 | 2017-03-08 | パスロジ株式会社 | 認証システム、ならびに、プログラム |
US10628567B2 (en) * | 2016-09-05 | 2020-04-21 | International Business Machines Corporation | User authentication using prompted text |
US10171465B2 (en) * | 2016-09-29 | 2019-01-01 | Helene E. Schmidt | Network authorization system and method using rapidly changing network keys |
KR102489487B1 (ko) * | 2017-12-19 | 2023-01-18 | 삼성전자주식회사 | 전자 장치, 그 제어 방법 및 컴퓨터 판독가능 기록 매체 |
JP6635495B1 (ja) | 2018-12-25 | 2020-01-29 | パスロジ株式会社 | リモコンシステム、リモコン方法、ならびに、プログラム |
CN109714365B (zh) * | 2019-02-25 | 2019-08-16 | 南京金信通信息服务有限公司 | 基于多重散列计算的密码管理方法和系统 |
US11546334B2 (en) * | 2019-07-29 | 2023-01-03 | Citrix Systems, Inc. | Client device configuration for remote digital workspace access |
CN111612475A (zh) * | 2020-04-03 | 2020-09-01 | 佛山市一鼎医疗器械有限公司 | 一种医疗器械防伪认证方法 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008027222A (ja) * | 2006-07-21 | 2008-02-07 | Nomura Research Institute Ltd | 認証システム、認証方法および認証プログラム |
WO2013070124A1 (en) * | 2011-11-08 | 2013-05-16 | Telefonaktiebolaget L M Ericsson (Publ) | Apparatus and methods for obtaining a password hint |
US20130312088A1 (en) * | 2012-05-18 | 2013-11-21 | Hon Hai Precision Industry Co., Ltd. | Electronic device and method for managing accounts and passwords of application systems |
Family Cites Families (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6052785A (en) * | 1997-11-21 | 2000-04-18 | International Business Machines Corporation | Multiple remote data access security mechanism for multitiered internet computer networks |
US6571336B1 (en) * | 1998-02-12 | 2003-05-27 | A. James Smith, Jr. | Method and apparatus for securing a list of passwords and personal identification numbers |
US6981028B1 (en) | 2000-04-28 | 2005-12-27 | Obongo, Inc. | Method and system of implementing recorded data for automating internet interactions |
JP3696804B2 (ja) * | 2001-06-04 | 2005-09-21 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | サービス提供方法、サービス提供システム、処理センタ装置及びプログラム |
JP3809441B2 (ja) | 2002-02-13 | 2006-08-16 | 秀治 小川 | ユーザ認証方法およびユーザ認証システム |
JP4294987B2 (ja) * | 2003-01-09 | 2009-07-15 | 株式会社山武 | パスワード入力用テーブル作成方法、パスワード入力用テーブル作成装置及びパスワード入力用テーブル作成プログラム |
JP2006311529A (ja) | 2005-03-30 | 2006-11-09 | Seiko Epson Corp | 認証システムおよびその認証方法、認証サーバおよびその認証方法、記録媒体、プログラム |
US7743256B2 (en) | 2005-05-02 | 2010-06-22 | Vince Yang | Method for verifying authorized access |
JP2007102777A (ja) * | 2005-10-04 | 2007-04-19 | Forval Technology Inc | ユーザ認証システムおよびその方法 |
JP2007108833A (ja) | 2005-10-11 | 2007-04-26 | Nec Corp | 複数パスワード記憶装置及びパスワード管理方法 |
CA2524971A1 (en) * | 2005-10-14 | 2006-09-22 | Timur Medjitov | Personal passwords management system |
JP2008234440A (ja) | 2007-03-22 | 2008-10-02 | Sharp Corp | パスワード入力システム及び方法 |
US8255696B2 (en) * | 2007-05-01 | 2012-08-28 | Microsoft Corporation | One-time password access to password-protected accounts |
JP2009301446A (ja) * | 2008-06-17 | 2009-12-24 | Kddi Corp | 複数の端末を用いた利用者の認証方法、認証サーバ及びプログラム |
US8949955B2 (en) * | 2008-10-29 | 2015-02-03 | Symantec Corporation | Method and apparatus for mobile time-based UI for VIP |
WO2010079617A1 (ja) * | 2009-01-09 | 2010-07-15 | Ogawa Hideharu | 認証システム |
US9608988B2 (en) * | 2009-02-03 | 2017-03-28 | Inbay Technologies Inc. | Method and system for authorizing secure electronic transactions using a security device having a quick response code scanner |
CA2689853C (en) * | 2010-01-29 | 2011-05-17 | Norman F. Goertzen | Secure access by a user to a resource |
SG183313A1 (en) | 2010-02-15 | 2012-09-27 | Cse Co Ltd | Content presentation-type authentication system |
JP2011215753A (ja) * | 2010-03-31 | 2011-10-27 | Nomura Research Institute Ltd | 認証システムおよび認証方法 |
US9705874B2 (en) * | 2010-08-31 | 2017-07-11 | Hideharu Ogawa | Communication apparatus, reminder apparatus, and information recording medium |
JP5843261B2 (ja) * | 2011-12-16 | 2016-01-13 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | 文字列がオートマトンに受理されるか否かを認証するシステム |
2014
- 2014-09-08 WO PCT/JP2014/073704 patent/WO2016038665A1/ja active Application Filing
2015
- 2015-09-08 CN CN201580056707.7A patent/CN107077559B/zh active Active
- 2015-09-08 WO PCT/JP2015/075391 patent/WO2016039309A1/ja active Application Filing
- 2015-09-08 US US15/509,459 patent/US10425404B2/en active Active
- 2015-09-08 EP EP15840293.3A patent/EP3193273B1/en active Active
- 2015-09-08 JP JP2015560117A patent/JP5906363B1/ja active Active
2016
- 2016-03-18 JP JP2016055206A patent/JP6549058B2/ja active Active
2019
- 2019-06-26 JP JP2019118776A patent/JP6721924B2/ja active Active
- 2019-09-05 US US16/562,039 patent/US11277400B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3193273A4 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230164112A1 (en) * | 2019-07-24 | 2023-05-25 | Lookout, Inc. | Service protecting privacy while monitoring password and username usage |
US11792158B2 (en) * | 2019-07-24 | 2023-10-17 | Lookout, Inc. | Service protecting privacy while monitoring password and username usage |
Also Published As
Publication number | Publication date |
---|---|
JP6721924B2 (ja) | 2020-07-15 |
CN107077559A (zh) | 2017-08-18 |
EP3193273A1 (en) | 2017-07-19 |
US20170279790A1 (en) | 2017-09-28 |
JP2019194897A (ja) | 2019-11-07 |
WO2016038665A1 (ja) | 2016-03-17 |
JP6549058B2 (ja) | 2019-07-24 |
US20190394185A1 (en) | 2019-12-26 |
JP5906363B1 (ja) | 2016-04-20 |
EP3193273B1 (en) | 2019-10-30 |
EP3193273A4 (en) | 2018-04-11 |
US10425404B2 (en) | 2019-09-24 |
JP2016146197A (ja) | 2016-08-12 |
CN107077559B (zh) | 2019-09-03 |
JPWO2016039309A1 (ja) | 2017-04-27 |
US11277400B2 (en) | 2022-03-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 2015560117 Country of ref document: JP Kind code of ref document: A |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15840293 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 15509459 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REEP | Request for entry into the european phase | Ref document number: 2015840293 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2015840293 Country of ref document: EP |