WO2017006905A1 - Authentication system, authentication method, and program recording medium - Google Patents


Info

Publication number
WO2017006905A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
key
authentication key
communication terminal
unit
Prior art date
Application number
PCT/JP2016/069772
Other languages
French (fr)
Japanese (ja)
Inventor
杉浦 隆幸
Original Assignee
ネットエージェント株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ネットエージェント株式会社
Publication of WO2017006905A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • the present invention relates to an authentication technique for authenticating a communication terminal connected to a communication network such as the Internet, and more particularly to a technique for rejecting an unauthorized authentication request using a mechanical login program.
  • a method called a list-type attack is known as one of methods for illegally logging in to an Internet website or the like.
  • A list-type attack is an unauthorized login method in which a fraudster illegally obtains a large number of user IDs and passwords used for login authentication on one website and tries to use them to obtain login authentication on other websites. If a legitimate user uses the same user ID and password for several websites, there is a risk of unauthorized login by this list-type attack.
  • Such a list-type attack is generally performed by causing a computer to execute a mechanical login program.
  • This mechanical login program mechanically executes login authentication requests for a large number of user IDs and passwords on various websites at high speed.
  • a fraudster can automatically attempt a large number of unauthorized accesses in a short time.
  • Patent Document 1 discloses an authentication technique called CAPTCHA.
  • In this authentication technique, an arbitrary character string is displayed on the authentication web page of the communication terminal that requested authentication, and the user of the communication terminal is prompted to enter the character string manually.
  • In Patent Document 2, a jigsaw puzzle is displayed on the login authentication page and the user of the communication terminal is made to solve it, thereby rejecting mechanical authentication requests by a mechanical login program (see paragraph [0077], FIG. 8(c), etc. of Patent Document 2).
  • The authentication technique of Patent Document 1 (that is, CAPTCHA) has the drawback that it is hard for legitimate users to use, because the character string to be entered may be difficult even for humans to read.
  • The authentication technique of Patent Document 2 has the drawback that it is inconvenient for legitimate users, because the jigsaw puzzle must be solved every time.
  • An object of the present invention is to provide an authentication system, an authentication method, and a program storage medium capable of rejecting a mechanical authentication request by a mechanical login program without increasing a user's operation burden.
  • An authentication system includes: a key storage unit that stores a second authentication key obtained by applying a character string processing process to a first authentication key; a transmission processing unit that transmits to a communication terminal a display program to be executed by the browser of that terminal, the display program causing the browser to perform a display process that displays an authentication page on the display unit of the terminal, a calculation process that generates a third authentication key from the first authentication key by automatically executing the character string processing process, and a return process that returns the third authentication key; and a comparison processing unit that authenticates the communication terminal when the third authentication key received from the terminal matches the second authentication key stored in the key storage unit.
  • the first authentication key is transmitted to the communication terminal in a state of being embedded in the display program or in data transmitted accompanying the display program.
  • It is desirable that the authentication page includes input fields for a user ID and a password, and that the return process of the display program returns the third authentication key together with the user ID and password entered in those fields.
  • It is desirable that the key storage unit stores, in association with the second authentication key, time information that sets an expiration date for authentication using the second and third authentication keys, and that the comparison processing unit rejects the authentication, even when the second and third authentication keys match, if the time at which the authentication is performed is past the expiration date.
  • It is desirable to further include a key generation unit that obtains the first authentication key using a random number, applies the character string processing process to the first authentication key to generate the second authentication key, and provides the second authentication key to the key storage unit.
  • It is desirable that, each time a display program transmission request is received from any communication terminal, the key generation unit generates a new first authentication key and generates the second authentication key from it for storage in the key storage unit, and that the transmission processing unit transmits the newly generated first authentication key to the communication terminal that made the request.
  • It is desirable that the comparison processing unit searches the one or more second authentication keys stored in the key storage unit for one that matches the third authentication key received from the communication terminal, and authenticates the communication terminal when such a second authentication key exists.
  • When the comparison processing unit authenticates the communication terminal, it is preferable that the second authentication key corresponding to that authentication is deleted from the key storage unit.
  • An authentication method includes a key storage step of storing a second authentication key obtained by applying a character string processing process to the first authentication key, and displaying an authentication page on the display unit of the communication terminal.
  • A program storage medium stores a display program transmitted from an authentication system that comprises a key storage unit storing a second authentication key obtained by applying character string processing to a first authentication key, and a comparison processing unit that authenticates a communication terminal by comparing the second authentication key stored in the key storage unit with a third authentication key received from the communication terminal; the display program causes the browser of the communication terminal to execute a return process that returns the third authentication key to the authentication system.
  • The authentication process compares the second authentication key stored in the key storage unit with the third authentication key that the browser of the communication terminal calculates automatically by executing the display program. A communication terminal that does not execute the display program therefore cannot be authenticated by this authentication system.
  • the mechanical login program does not execute the display program. Therefore, according to the present invention, an unauthorized authentication request (for example, an authentication request for a list-type attack) by many mechanical login programs can be rejected.
  • The development cost of the mechanical login program is increased and its processing speed (that is, the number of authentication requests it can make per unit time) is reduced, which makes fraud more difficult.
  • Because the third authentication key is calculated automatically by the communication terminal executing the display program, the operation burden on the authorized user does not increase.
  • Because the first authentication key is transmitted embedded in the display program, an unauthorized mechanical login program has to search for the first authentication key in the display program. According to the present invention, the development cost of the mechanical login program can therefore be increased and its processing speed decreased, making fraud more difficult. On the other hand, the authorized user never has to enter the first authentication key into the communication terminal, so the operation burden does not increase.
  • Because the authentication system receives the third authentication key together with the user ID and password entered on the authentication page, authentication can be rejected even when the user ID and password used in a mechanical authentication request by an unauthorized mechanical login program are legitimate ones obtained illegally.
  • By searching the one or more second authentication keys stored in the key storage unit for one that matches the third authentication key received from the communication terminal, and authenticating the communication terminal when a matching second authentication key exists, the processing burden of authentication on the authentication system is kept small even when a large number of communication terminals request authentication at the same time.
  • When the comparison processing unit authenticates the communication terminal, deleting the second authentication key corresponding to that authentication from the key storage unit makes the authentication more reliable.
  • FIG. 4 is a schematic flowchart for explaining the operation of the authentication system according to the first embodiment.
  • Embodiment 1 of the present invention will be described below with reference to FIGS.
  • FIG. 1 is a conceptual diagram showing the network configuration of the first embodiment.
  • the web server 200 and the communication terminal 300 are communicatively connected via the Internet 400.
  • the web server 200 corresponds to the “authentication system” of the present invention, and includes a web authentication unit 210 and a web page distribution unit 220.
  • the web authentication unit 210 includes a key generation unit 211, a database 212, and a comparison processing unit 213.
  • the key generation unit 211 generates a first authentication key using, for example, a pseudo random number or a random number generator.
  • the first authentication key is, for example, a character string (may include numbers and symbols).
  • the key generation unit 211 generates a second authentication key by applying a character string processing process prepared in advance to the first authentication key.
  • The content of the character string processing process is not particularly limited; any process may be used that always generates the same second authentication key from the first authentication key, regardless of whether the process is performed by the web authentication unit 210 or by the browser of the communication terminal 300.
  • The character string processing may be, for example, an arithmetic process using a cryptographic hash function such as SHA-1 (Secure Hash Algorithm 1), or a process that performs an exclusive OR operation between the first authentication key and a specific character string.
  • The content of the character string processing can be changed as appropriate. Making the process changeable makes it harder for an unauthorized person to develop a mechanical login program that reproduces the character string processing process. Furthermore, the content of the character string processing process may be changed for each authentication process.
  • the generated first authentication key is sent to the web page distribution unit 220.
  • the second authentication key obtained by the above-described character string processing is sent to the database 212.
  • the database 212 corresponds to the “key storage unit” of the present invention, and temporarily stores the second authentication key received from the key generation unit 211. In addition, the database 212 receives the third authentication key from the comparison processing unit 213, and searches for a second authentication key that matches the third authentication key (described later).
  • the comparison processing unit 213 receives a third authentication key (described later) generated from the communication terminal 300 from the web page distribution unit 220. Subsequently, the database 212 is requested to search for a second authentication key that matches the third authentication key. When the second authentication key that matches the third authentication key is found from the database 212, the comparison processing unit 213 determines that the authentication is successful, and obtains the second authentication key from the database 212. At the same time, the authentication is notified to the web page distribution unit 220 (described later).
  • the web page distribution unit 220 corresponds to the “transmission processing unit” of the present invention, and distributes a web display program to the communication terminal 300.
  • the web display program is a program for displaying a web page on the screen of the communication terminal 300 and is executed by the web browser 310 of the communication terminal 300. This web display program can be described using, for example, HTML (HyperText Markup Language).
  • the web page distributed by the web page distribution unit 220 includes a login authentication page.
  • The web display program for the login authentication page displays, on the display screen of the communication terminal 300, an input field 320 for the user of the communication terminal 300 to enter a user ID, an input field 330 for the user to enter a password, and a login button 340 for transmitting the character strings entered in input fields 320 and 330.
  • the web display program for the login authentication page includes a program code for causing the communication terminal 300 to execute a character string processing process and generating a third authentication key from the first authentication key.
  • the contents of the character string processing process are the same as the character string processing process of the key generation unit 211 described above. Therefore, when the web display program is normally executed, the third authentication key is the same character string as the second authentication key generated by the character string processing of the key generation unit 211.
  • the position where the program code is embedded may be anywhere in the web display program as long as it is a position executed when the web browser 310 of the communication terminal 300 displays the authentication page.
  • the web page distribution unit 220 embeds the first authentication key to be subjected to the character string processing in the web display program for the login authentication page or the data distributed along with the web display program.
  • the position for embedding the first authentication key may be anywhere as long as the script in the web display program can be accessed.
  • the first authentication key can be embedded in a description part that defines a document structure or a description part that defines a style.
  • the web display program for the login authentication page includes a program code for transmitting the third authentication key to the web page distribution unit 220 of the web server 200.
  • The third authentication key is stored as hidden data (an input whose type is "hidden") in the form tag that transmits the user ID and password entered in input fields 320 and 330 to the web server 200.
  • the communication terminal 300 may be any communication device that can access the web server 200 via the Internet 400, such as a personal computer, a mobile phone, a smartphone, or a tablet terminal.
  • a web browser 310 is installed in the communication terminal 300 of the authorized user as application software.
  • the web browser 310 may be anything as long as it can execute the web display program as described above, and a conventional one can be used as it is.
  • The user of the communication terminal 300 operates the web browser 310 to access the web server 200. A page request signal requesting distribution of the desired web page (that is, transmission of the web display program corresponding to that web page) is then transmitted to the web page distribution unit 220 of the web server 200 (see step S201 in FIG. 2).
  • Upon receiving this page request signal, the web page distribution unit 220 transmits an authentication key request signal to the web authentication unit 210 (see step S202 in FIG. 2).
  • When the key generation unit 211 of the web authentication unit 210 receives the authentication key request signal, it performs the following processing (see FIG. 3).
  • On receiving the authentication key request signal (see step S301 in FIG. 3), the key generation unit 211 generates a first authentication key (see step S302 in FIG. 3).
  • the first authentication key can be randomly generated using, for example, a pseudo-random number, but other methods may be used.
  • the key generation unit 211 generates a second authentication key by performing a character string processing process using the first authentication key (see step S303 in FIG. 3).
  • the key generation unit 211 determines a timeout time for authentication using the second authentication key, and stores the second authentication key and the timeout time in the database 212 (see step S304 in FIG. 3). Note that the generation time of the second authentication key may be stored in the database 212 instead of the timeout time.
  • the key generation unit 211 transmits the first authentication key to the web page distribution unit 220 (see step S305 in FIG. 3 and step S203 in FIG. 2).
  • Upon receiving the first authentication key from the web authentication unit 210, the web page distribution unit 220 embeds the first authentication key in the web display program for the login authentication page (described above) prepared in advance, and transmits the web display program to the communication terminal 300 (see step S204 in FIG. 2).
  • the communication terminal 300 causes the web browser 310 to execute this web display program. Thereby, the web browser 310 displays a login authentication page on the display screen of the communication terminal. As described above, this login authentication page includes the input field 320 for user ID, the input field 330 for password, and the login button 340 (see FIG. 1).
  • The third authentication key is generated as described above.
  • The program that generates the third authentication key may be executed when the login authentication page is displayed (that is, when input fields 320 and 330 and login button 340 are displayed), or at the time (described later) when the user operates the login button 340.
  • The authentication information including the user ID, the password, and the third authentication key is transmitted to the web server 200 (see step S205 in FIG. 2).
  • the password input in the input field 330 may be transmitted after being encrypted using a cryptographic hash function or the like.
  • Upon receiving this authentication information, the web server 200 performs the following processing (see FIGS. 4 and 5). FIG. 4 shows the operation of the web page distribution unit 220, and FIG. 5 shows the operation of the comparison processing unit 213 provided in the web authentication unit 210.
  • The web page distribution unit 220 checks whether the user ID and password contained in the authentication information are correct (see step S402 in FIG. 4).
  • If they are not correct, the web page distribution unit 220 determines that the authentication has failed and performs processing to reject the login of the communication terminal 300 (see step S403 in FIG. 4). Through this processing, the communication terminal 300 is notified that the login has been refused (see step S208 in FIG. 2).
  • If the user ID and password are found to be correct in step S402, the web page distribution unit 220 places the third authentication key in an authentication confirmation request and transmits it to the web authentication unit 210 (see step S404 in FIG. 4 and step S206 in FIG. 2).
  • When the comparison processing unit 213 receives this authentication confirmation request (see step S501 in FIG. 5), it extracts the third authentication key from the request. It then asks the database 212 to search for a second authentication key that matches the third authentication key (see step S502 in FIG. 5).
  • If no matching second authentication key is found, the comparison processing unit 213 notifies the web page distribution unit 220 that the authentication has failed (see step S504 in FIG. 5 and step S207 in FIG. 2). Even when a second authentication key matching the third authentication key is found, if the search time is past the timeout time (described above), the authentication is judged to have failed and the second authentication key and its timeout time are deleted from the database 212. If the generation time of the second authentication key is stored in the database 212 instead of the timeout time, the authentication may be judged to have failed when the time elapsed from generation to search exceeds a predetermined time.
  • When a second authentication key matching the third authentication key is confirmed and the time elapsed since its generation is within the predetermined time, the comparison processing unit 213 deletes the second authentication key and its timeout time (or generation time) from the database 212 (see step S505 in FIG. 5) and notifies the web page distribution unit 220 that the authentication has succeeded (see step S506 in FIG. 5 and step S207 in FIG. 2).
  • The web page distribution unit 220 determines from this notification whether the authentication succeeded or failed (see step S405 in FIG. 4). If it determines that the authentication has failed, it performs processing to reject the login of the communication terminal 300 (see step S406 in FIG. 4). Through this processing, the communication terminal 300 is notified that the login has been refused (see step S208 in FIG. 2).
  • If it is determined in step S405 that the authentication has succeeded, the web page distribution unit 220 generates a session key for the communication terminal 300 (see step S407 in FIG. 4) and transmits it to the communication terminal 300 (see step S408 in FIG. 4 and step S208 in FIG. 2). With this session key, login of the communication terminal 300 is permitted and session management after login is performed.
  • Login authentication is thus performed by comparing the second authentication key with the third authentication key automatically calculated by the browser executing the web display program. For this reason, a communication terminal 300 that does not execute the web display program cannot be authenticated.
  • the mechanical login program does not execute the web display program. Therefore, according to this embodiment, an unauthorized authentication request (for example, an authentication request for a list-type attack) by many mechanical login programs can be rejected.
  • Because the third authentication key is calculated automatically by the communication terminal 300 executing the web display program, the operation burden on the user of the communication terminal 300 does not increase.
  • Because the first authentication key is transmitted to the communication terminal 300 embedded in the web display program, a mechanical login program on the communication terminal 300 must search the web display program for the first authentication key. For this reason, according to the first embodiment, the development cost of the mechanical login program can be increased and its processing speed lowered, making illegal acts more difficult.
  • Because the web server 200 receives the third authentication key together with the user ID and password entered on the authentication page, authentication can be rejected even when the user ID and password used in a mechanical authentication request by a mechanical login program are legitimate ones obtained illegally.
  • authentication is performed by searching for one that matches the third authentication key received from the communication terminal 300 from one or more second authentication keys stored in the database 212.
  • the authentication process is very simple. Therefore, even when a large number of communication terminals 300 request authentication simultaneously, the processing load is small.
  • Other authentication methods may also be used. For example, identification information such as the IP address of the communication terminal 300 may be stored in the database 212 in association with the second authentication key, so that the second and third authentication keys are compared individually for each communication terminal 300.
  • The authentication technique of the present invention (authentication by comparing the second and third authentication keys) may be used in combination with other authentication techniques, or may be used alone.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

[Problem] To provide a web authentication system capable of rejecting an authentication request by a machine-based login program without increasing an operation burden on a user. [Solution] A key storage part of this authentication system stores a second authentication key generated by applying character string processing to a first authentication key. A transmission processing unit transmits a display program in response to a request from a communication terminal. This display program causes a browser of the communication terminal to display an authentication page, to automatically execute the character string processing in order to generate a third authentication key from the first authentication key, and to return the third authentication key. When the third authentication key received from the communication terminal matches the second authentication key stored in the key storage part, a comparison processing part of the authentication system authenticates the communication terminal.

Description

認証システム、認証方法及びプログラム記憶媒体Authentication system, authentication method, and program storage medium
 本発明は、例えばインターネット等の通信網に接続された通信端末の認証を行う認証技術に関し、より詳細には、機械的ログインプログラムを用いた不正な認証要求を拒否する技術に関する。 The present invention relates to an authentication technique for authenticating a communication terminal connected to a communication network such as the Internet, and more particularly to a technique for rejecting an unauthorized authentication request using a mechanical login program.
 従来より、インターネットのウェブサイト等に対して不正にログインする方法の一つとして、リスト型攻撃と称されるものが知られている。 Conventionally, a method called a list-type attack is known as one of methods for illegally logging in to an Internet website or the like.
A list-type attack is an unauthorized login method in which a fraudster illegally obtains a large number of user IDs and passwords used for login authentication on one website, and then uses those user IDs and passwords to attempt login authentication on other websites. If a legitimate user uses the same user ID and password on multiple websites, this list-type attack may result in unauthorized logins.
Such a list-type attack is generally carried out by having a computer execute a mechanical login program. The mechanical login program mechanically and rapidly issues login authentication requests for a large number of user IDs and passwords against various websites. By using a mechanical login program, a fraudster can automatically attempt a large number of unauthorized accesses in a short time.
Known techniques for rejecting authentication requests made by a mechanical login program include those described in Patent Documents 1 and 2 below.
Patent Document 1 discloses an authentication technique called CAPTCHA. In this technique, an arbitrary character string is displayed on the authentication web page of the communication terminal that requested authentication, and the user of that terminal is prompted to type the string in by hand. By displaying the string in a form that a human can read but a computer's character recognition program cannot, mechanical authentication requests by a mechanical login program can be rejected (see FIG. 1 of Patent Document 1 and elsewhere).
Patent Document 2 displays a jigsaw puzzle on the login authentication page and has the user of the communication terminal solve it, thereby rejecting mechanical authentication requests by a mechanical login program (see paragraph [0077], FIG. 8(c) and elsewhere of Patent Document 2).
Patent Document 1: Japanese Published Translation of PCT Application No. 2014-515516 (特表2014-515516号公報)
Patent Document 2: Japanese Unexamined Patent Application Publication No. 2015-109097 (特開2015-109097号公報)
However, the authentication technique of Patent Document 1 (that is, CAPTCHA) has the drawback of being inconvenient for legitimate users, because the string to be entered is sometimes hard even for a human to read.
Similarly, the authentication technique of Patent Document 2 has the drawback of being inconvenient for legitimate users, because a jigsaw puzzle must be solved each time.
An object of the present invention is to provide an authentication system, an authentication method and a program storage medium capable of rejecting mechanical authentication requests by a mechanical login program without increasing the user's operation burden.
The authentication system of the present invention comprises: a key storage unit that stores a second authentication key obtained by applying a character string processing operation to a first authentication key; a transmission processing unit that transmits to a communication terminal a display program which causes the browser of that terminal to execute a display process that displays an authentication page on the terminal's display unit, a calculation process that generates a third authentication key from the first authentication key by automatically executing the character string processing operation, and a return process that returns the third authentication key; and a comparison processing unit that authenticates the communication terminal when the third authentication key received from the terminal matches the second authentication key stored in the key storage unit.
In the present invention, the first authentication key is preferably transmitted to the communication terminal embedded in the display program or in data transmitted together with the display program.
In the present invention, the authentication page preferably includes input fields for a user ID and a password, and the return process of the display program preferably returns the third authentication key together with the user ID and password entered in those fields.
In the present invention, the key storage unit preferably stores, in association with the second authentication key, time information for setting an expiry of authentication using the second and third authentication keys, and the comparison processing unit preferably rejects authentication when the time at which authentication is performed is past that expiry, even if the second and third authentication keys match.
The present invention preferably further comprises a key generation unit that obtains the first authentication key using a random number, applies the character string processing operation to the first authentication key to generate the second authentication key, and provides the generated second authentication key to the key storage unit.
In the present invention, preferably, each time a request for transmission of the display program is received from any communication terminal, the key generation unit generates a new first authentication key, the key storage unit generates and stores a second authentication key from that newly generated first authentication key, and the transmission processing unit transmits the newly generated first authentication key to the communication terminal that made the request.
In the present invention, the comparison processing unit preferably searches the one or more second authentication keys stored in the key storage unit for one that matches the third authentication key received from the communication terminal, and authenticates the communication terminal when a matching second authentication key exists.
In the present invention, when the comparison processing unit authenticates the communication terminal, it preferably deletes the second authentication key corresponding to that authentication from the key storage unit.
The authentication method according to the present invention comprises: a key storage step of storing a second authentication key obtained by applying a character string processing operation to a first authentication key; a transmission step of transmitting to the communication terminal a display program which causes the browser of the communication terminal to execute a display process that displays an authentication page on the terminal's display unit, a calculation process that generates the third authentication key from the first authentication key by automatically executing the character string processing operation, and a return process that returns the third authentication key to the authentication system; and a comparison processing step of performing authentication processing of the communication terminal by comparing the third authentication key received from the communication terminal with the second authentication key stored in the key storage step.
The program storage medium according to the present invention stores a display program that is transmitted from an authentication system and received by a communication terminal, the authentication system comprising a key storage unit that stores a second authentication key obtained by applying a character string processing operation to a first authentication key, and a comparison processing unit that performs authentication processing of the communication terminal by comparing a third authentication key received from the communication terminal with the second authentication key stored in the key storage unit; the display program causes the browser of the communication terminal to execute a display process that displays an authentication page on the display unit of the communication terminal, a calculation process that generates the third authentication key from the first authentication key by automatically executing the character string processing operation, and a return process that returns the third authentication key to the authentication system.
According to the present invention, authentication processing is performed by comparing the second authentication key stored in the key storage unit with the third authentication key calculated automatically when the browser of the communication terminal executes the display program. A communication terminal that does not execute the display program therefore cannot be authenticated by this authentication system. Mechanical login programs ordinarily do not execute display programs. Consequently, the present invention can reject unauthorized authentication requests (for example, the authentication requests of a list-type attack) from many mechanical login programs.
A fraudster might also develop and use a mechanical login program capable of executing the display program. Even in that case, the present invention raises the development cost of the mechanical login program and lowers its processing speed (that is, the number of authentication requests it can make per unit time), making fraud harder to carry out.
Furthermore, according to the present invention, the third authentication key is calculated automatically when the communication terminal executes the display program, so the operation burden on legitimate users is not increased.
In the present invention, if the first authentication key is transmitted to the communication terminal embedded in the display program or in data transmitted together with it, an unauthorized mechanical login program has to locate the first authentication key within the display program. The present invention thus raises the development cost and lowers the processing speed of the mechanical login program, making fraud harder to carry out. For legitimate users, on the other hand, no operation to enter the first authentication key into the communication terminal is needed, so the operation burden does not increase.
In the present invention, if the authentication system receives the third authentication key together with the user ID and password entered on the authentication page, it can reject a mechanical authentication request from an unauthorized mechanical login program even when the user ID and password used in that request are legitimate ones that were obtained illegally.
In the present invention, setting an expiry for authentication makes more reliable authentication possible.
In the present invention, generating the authentication key randomly with the key generation unit makes more reliable authentication possible.
In the present invention, generating and using a new first authentication key each time a request for transmission of the display program is received from a communication terminal makes more reliable authentication possible.
In the present invention, by searching the one or more second authentication keys stored in the key storage unit for one matching the third authentication key received from the communication terminal and authenticating the terminal when a matching second authentication key exists, the load of authentication processing on the authentication system can be kept small even when many communication terminals request authentication at the same time.
In the present invention, having the comparison processing unit delete the second authentication key corresponding to an authentication from the key storage unit once the communication terminal has been authenticated makes more reliable authentication possible.
FIG. 1 is a conceptual diagram showing a network configuration according to Embodiment 1 of the present invention.
FIG. 2 is a conceptual diagram for explaining the operation of the authentication system according to Embodiment 1.
FIG. 3 is a schematic flowchart for explaining the operation of the authentication system according to Embodiment 1.
FIG. 4 is a schematic flowchart for explaining the operation of the authentication system according to Embodiment 1.
FIG. 5 is a schematic flowchart for explaining the operation of the authentication system according to Embodiment 1.
[Embodiment 1 of the Invention]
Embodiment 1 of the present invention will be described below with reference to FIGS. 1 to 5.
FIG. 1 is a conceptual diagram showing the network configuration of Embodiment 1.
As shown in FIG. 1, in the network 100 according to Embodiment 1, a web server 200 and a communication terminal 300 are communicatively connected via the Internet 400.
The web server 200 corresponds to the "authentication system" of the present invention and comprises a web authentication unit 210 and a web page distribution unit 220.
The web authentication unit 210 comprises a key generation unit 211, a database 212 and a comparison processing unit 213.
The key generation unit 211 generates a first authentication key using, for example, pseudo-random numbers or a random number generator. The first authentication key is, for example, a character string (which may include digits, symbols and the like).
The key generation unit 211 then generates a second authentication key by applying a character string processing operation prepared in advance to the first authentication key.
The content of the character string processing operation is not particularly limited; any operation will do as long as it always generates the same second authentication key from the same first authentication key, regardless of whether it is performed by the web authentication unit 210 or by the browser of the communication terminal 300. For example, the operation may be a calculation using a cryptographic hash function such as SHA-1 (Secure Hash Algorithm 1), or an exclusive-OR of the first authentication key with a specific character string.
The content of the character string processing operation can be changed as appropriate. Making it changeable makes it harder for a fraudster to develop a mechanical login program that handles this processing. The content of the operation may even be changed for every authentication.
The generated first authentication key is sent to the web page distribution unit 220, while the second authentication key obtained by the character string processing described above is sent to the database 212.
The database 212 corresponds to the "key storage unit" of the present invention and temporarily stores the second authentication key received from the key generation unit 211. In addition, the database 212 receives a third authentication key from the comparison processing unit 213 and searches for a second authentication key that matches it (described later).
The comparison processing unit 213 receives, from the web page distribution unit 220, the third authentication key (described later) generated at the communication terminal 300. It then asks the database 212 to search for a second authentication key matching this third authentication key. If a matching second authentication key is found in the database 212, the comparison processing unit 213 judges the authentication successful, has that second authentication key deleted from the database 212, and notifies the web page distribution unit 220 of the successful authentication (described later).
The web page distribution unit 220 corresponds to the "transmission processing unit" of the present invention and distributes web display programs to the communication terminal 300. A web display program is a program for displaying a web page on the screen of the communication terminal 300 and is executed by the web browser 310 of that terminal. It can be written using, for example, HTML (HyperText Markup Language). The web pages distributed by the web page distribution unit 220 include a login authentication page.
The web display program for the login authentication page displays, on the screen of the communication terminal 300, an input field 320 for the user of the terminal to enter a user ID, an input field 330 for entering a password, and a login button 340 for transmitting the strings entered in input fields 320 and 330.
The web display program for the login authentication page further includes program code that causes the communication terminal 300 to execute the character string processing operation and generate a third authentication key from the first authentication key. This character string processing operation is identical to that of the key generation unit 211 described above. Therefore, when the web display program executes normally, the third authentication key is the same string as the second authentication key generated by the character string processing of the key generation unit 211. The program code may be embedded anywhere in the web display program, as long as it is at a position that is executed when the web browser 310 of the communication terminal 300 displays the authentication page.
In addition, the web page distribution unit 220 embeds the first authentication key, the input to this character string processing, in the web display program for the login authentication page or in data distributed together with it. The first authentication key may be embedded anywhere that a script in the web display program can access it, for example in the part that defines the document structure or in the part that defines styles.
In addition, the web display program for the login authentication page includes program code for transmitting the third authentication key to the web page distribution unit 220 of the web server 200. In Embodiment 1, the third authentication key is stored as hidden data (an input whose type is "hidden") inside the form tag that transmits the user ID and password entered in input fields 320 and 330 to the web server 200. An example of this form tag is shown below.
 <form action="/login" method="post" name="loginForm">
  <input type="hidden" name="_token" value="fF7eg6CSD3d636d" />
  <input type="text" name="user_id" />
  <input type="password" name="password" />
  <input id="submit" type="image" src="img/img/login.gif" value="ログイン" />
 </form>
The web page distribution unit 220 also receives the user ID, password and third authentication key from the communication terminal 300 and performs authentication processing as described below.
 通信端末300は、インターネット400を介してウェブサーバ200にアクセスできる通信装置であれば何でもよく、例えば、パーソナルコンピュータ、携帯電話機、スマートフォン、タブレット端末等である。正規ユーザの通信端末300には、例えばアプリケーションソフトウエアとして、ウェブブラウザ310がインストールされている。このウェブブラウザ310は、上述のようなウェブ表示プログラムを実行できるものであれば何でもよく、従来のものをそのまま使用できる。 The communication terminal 300 may be any communication device that can access the web server 200 via the Internet 400, such as a personal computer, a mobile phone, a smartphone, or a tablet terminal. For example, a web browser 310 is installed in the communication terminal 300 of the authorized user as application software. The web browser 310 may be anything as long as it can execute the web display program as described above, and a conventional one can be used as it is.
 次に、この実施の形態1に係るネットワークの全体動作について、図2乃至図5を用いて説明する。 Next, the overall operation of the network according to the first embodiment will be described with reference to FIGS.
 まず、通信端末300の使用者が、ウェブブラウザ310を操作して、ウェブサーバ200にアクセスする。そして、このウェブサーバ200のウェブページ配信部220に、所望のウェブページの配信(すなわち、そのウェブページに対応するウェブ表示プログラムの送信)を要求するページ要求信号を送信する(図2のステップS201参照)。 First, the user of the communication terminal 300 operates the web browser 310 to access the web server 200. Then, a page request signal for requesting distribution of a desired web page (that is, transmission of a web display program corresponding to the web page) is transmitted to the web page distribution unit 220 of the web server 200 (step S201 in FIG. 2). reference).
 ウェブページ配信部220は、このページ要求信号を受信すると、ウェブ認証部210に、認証キー要求信号を送信する(図2のステップS202参照)。 Upon receiving this page request signal, the web page distribution unit 220 transmits an authentication key request signal to the web authentication unit 210 (see step S202 in FIG. 2).
 ウェブ認証部210のキー生成部211は、この認証キー要求信号を受信すると、以下のような処理を行う(図3参照)。 When receiving the authentication key request signal, the key generation unit 211 of the web authentication unit 210 performs the following processing (see FIG. 3).
 まず、キー生成部211は、この認証キー要求信号を受信すると(図3のステップS301参照)、第1の認証キーを生成する(図3のステップS302参照)。上述のように、第1の認証キーは、例えば疑似乱数を用いてランダムに生成できるが、他の方法であっても良い。 First, when receiving the authentication key request signal (see step S301 in FIG. 3), the key generation unit 211 generates a first authentication key (see step S302 in FIG. 3). As described above, the first authentication key can be randomly generated using, for example, a pseudo-random number, but other methods may be used.
 続いて、キー生成部211は、この第1の認証キーを用いた文字列加工処理を行うことで、第2の認証キーを生成する(図3のステップS303参照)。 Subsequently, the key generation unit 211 generates a second authentication key by performing a character string processing process using the first authentication key (see step S303 in FIG. 3).
 更に、キー生成部211は、この第2の認証キーを用いた認証のタイムアウト時刻を決定し、これら第2の認証キー及びタイムアウト時刻をデータベース212に保存する(図3のステップS304参照)。なお、タイムアウト時刻に代えて、第2の認証キーの生成時刻を、データベース212に保存してもよい。 Furthermore, the key generation unit 211 determines a timeout time for authentication using the second authentication key, and stores the second authentication key and the timeout time in the database 212 (see step S304 in FIG. 3). Note that the generation time of the second authentication key may be stored in the database 212 instead of the timeout time.
 その後、キー生成部211は、第1の認証キーを、ウェブページ配信部220へ送信する(図3のステップS305及び図2のステップS203参照)。 After that, the key generation unit 211 transmits the first authentication key to the web page distribution unit 220 (see step S305 in FIG. 3 and step S203 in FIG. 2).
 ウェブページ配信部220は、ウェブ認証部210から第1の認証キーを受け取ると、その第1の認証キーを、予め用意されたログイン認証ページ用ウェブ表示プログラム(上述)に埋め込む。そして、ウェブページ配信部220は、そのウェブ表示プログラムを、通信端末300へ送信する(図2のステップS204参照)。 Upon receiving the first authentication key from the web authentication unit 210, the web page distribution unit 220 embeds the first authentication key in a login authentication page web display program (described above) prepared in advance. And the web page delivery part 220 transmits the web display program to the communication terminal 300 (refer step S204 of FIG. 2).
 通信端末300は、このウェブ表示プログラムを、ウェブブラウザ310に実行させる。これにより、ウェブブラウザ310は、通信端末の表示画面に、ログイン認証ページを表示する。上述のように、このログイン認証ページは、ユーザID用の入力フィールド320と、パスワード用の入力フィールド330と、ログインボタン340とを含んでいる(図1参照)。 The communication terminal 300 causes the web browser 310 to execute this web display program. Thereby, the web browser 310 displays a login authentication page on the display screen of the communication terminal. As described above, this login authentication page includes the input field 320 for user ID, the input field 330 for password, and the login button 340 (see FIG. 1).
 加えて、ウェブブラウザ310がウェブ表示プログラムを実行することで、上述のようにして、第3の認証キーが生成される(上述)。なお、第3の認証キーを生成するプログラムは、ログイン認証ページの画面表示を行う際(すなわち、入力フィールド320,330及びログインボタン340を表示する際)に実行してもよいが、通信端末のユーザがログインボタン340を操作したタイミング(後述)で実行してもよい。 In addition, when the web browser 310 executes the web display program, the third authentication key is generated as described above (described above). The program for generating the third authentication key may be executed when the login authentication page is displayed (that is, when the input fields 320 and 330 and the login button 340 are displayed). You may perform at the timing (after-mentioned) that the user operated the login button 340. FIG.
 その後、通信端末300のユーザが、入力フィールド320,330にユーザID及びパスワードを入力した後で、ログインボタン340を操作すると、これらユーザID、パスワードおよび第3の認証キーを含む認証情報が、ウェブサーバ200に送信される(図2のステップS205参照)。なお、入力フィールド330に入力されたパスワードは、暗号的ハッシュ関数等を用いて暗号化して、送信してもよい。 Thereafter, when the user of the communication terminal 300 operates the login button 340 after inputting the user ID and password in the input fields 320 and 330, the authentication information including the user ID, the password, and the third authentication key is displayed on the web. It is transmitted to the server 200 (see step S205 in FIG. 2). Note that the password input in the input field 330 may be transmitted after being encrypted using a cryptographic hash function or the like.
 ウェブサーバ200は、この認証情報を受信すると、以下のような処理を行う(図4及び図5参照)。なお、図4はウェブページ配信部220の動作を示しており、図5はウェブ認証部210に設けられた比較処理部213の動作を示している。 Upon receiving this authentication information, the web server 200 performs the following processing (see FIGS. 4 and 5). 4 shows the operation of the web page distribution unit 220, and FIG. 5 shows the operation of the comparison processing unit 213 provided in the web authentication unit 210.
 ウェブページ配信部220は、認証情報を受信すると(図4のステップS401参照)、その認証情報に格納されたユーザID及びパスワードの正誤をチェックする(図4のステップS402参照)。 When receiving the authentication information (see step S401 in FIG. 4), the web page distribution unit 220 checks whether the user ID and password stored in the authentication information are correct (see step S402 in FIG. 4).
 そして、ユーザID及びパスワードが誤りである場合、ウェブページ配信部220は、認証失敗と判断して、通信端末300のログインを拒否するための処理を行う(図4のステップS403参照)。この処理により、通信端末300には、ログインを拒否したことが通知される(図2のステップS208参照)。 If the user ID and password are incorrect, the web page distribution unit 220 determines that the authentication has failed and performs a process for rejecting login of the communication terminal 300 (see step S403 in FIG. 4). Through this process, the communication terminal 300 is notified that login has been refused (see step S208 in FIG. 2).
 一方、ステップS402においてユーザID及びパスワードが正しかった場合、ウェブページ配信部220は、認証確認要求に第3の認証キーを格納して、ウェブ認証部210へ送信する(図4のステップS404、図2のステップS206参照)。 On the other hand, if the user ID and password are correct in step S402, the web page distribution unit 220 stores the third authentication key in the authentication confirmation request and transmits it to the web authentication unit 210 (step S404 in FIG. 4, FIG. 4). 2 step S206).
 比較処理部213は、この認証確認要求を受信すると(図5のステップS501参照)、その認容確認要求から第3の認証キーを取り出す。続いて、比較処理部213は、データベース212に、その第3の認証キーと一致する第2の認証キーを探すように要求する(図5のステップS502参照)。 When the comparison processing unit 213 receives this authentication confirmation request (see step S501 in FIG. 5), the comparison processing unit 213 extracts a third authentication key from the acceptance confirmation request. Subsequently, the comparison processing unit 213 requests the database 212 to search for a second authentication key that matches the third authentication key (see step S502 in FIG. 5).
 ここで、第3の認証キーと一致する第2の認証キーが存在しなかった場合(図5のステップS503参照)、比較処理部213は、ウェブページ配信部220に、認証に失敗した旨を通知する(図5のステップS504、図2のステップS207参照)。また、第3の認証キーと一致する第2の認証キーが検索された場合であっても、その検索の時刻がタイムアウト時刻(上述)を超えている場合には、認証失敗と判断すると共に、それら第2の認証キー及びタイムアウト時刻がデータベース212から削除される。なお、タイムアウト時刻に代えて第2の認証キーの生成時刻をデータベース212に保存する場合には、その生成から検索までの経過時間が所定時間を超えている場合に、認証失敗と判断すればよい。 If the second authentication key that matches the third authentication key does not exist (see step S503 in FIG. 5), the comparison processing unit 213 informs the web page distribution unit 220 that the authentication has failed. Notification is made (see step S504 in FIG. 5 and step S207 in FIG. 2). Further, even when the second authentication key that matches the third authentication key is searched, if the search time exceeds the timeout time (described above), it is determined that the authentication has failed, The second authentication key and timeout time are deleted from the database 212. If the generation time of the second authentication key is stored in the database 212 instead of the timeout time, it may be determined that the authentication has failed when the elapsed time from the generation to the search exceeds a predetermined time. .
On the other hand, if a second authentication key matching the third authentication key is confirmed and the time elapsed since that second authentication key was generated is within the predetermined time, the comparison processing unit 213 deletes that second authentication key and its timeout time (or generation time) from the database 212 (see step S505 in FIG. 5) and notifies the web page distribution unit 220 that authentication has succeeded (see step S506 in FIG. 5 and step S207 in FIG. 2).
On receiving the notification from the web authentication unit 210, the web page distribution unit 220 determines from it whether authentication succeeded or failed (see step S405 in FIG. 4). If it determines that authentication failed, the web page distribution unit 220 performs processing to refuse the login of the communication terminal 300 (see step S406 in FIG. 4). Through this processing, the communication terminal 300 is notified that login has been refused (see step S208 in FIG. 2).
On the other hand, if it determines in step S405 that authentication succeeded, the web page distribution unit 220 generates a session key for the communication terminal 300 (see step S407 in FIG. 4) and transmits that session key to the communication terminal 300 (see step S408 in FIG. 4 and step S208 in FIG. 2). With this session key, the communication terminal 300 is permitted to log in, and the session after login is managed.
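The following Python is an added worked example, not code from the patent or from the applicant, modelling the flow of steps S402 to S408 (web page distribution unit 220) and S501 to S506 (comparison processing unit 213) described above, including the timeout check and the deletion of the matched second authentication key. The patent does not fix the "character string processing" or the timeout length, so a SHA-256 hex digest and a 120-second timeout are assumptions of this example; the user table is a constructed sample, and every name in the block (WebAuthenticationUnit, handle_login, build_display_program and so on) is hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values: the patent leaves the timeout length and the concrete
# character string processing open, so both are assumptions of this example.
TIMEOUT_SECONDS = 120
USERS = {"alice": "correct horse battery staple"}  # sample account; store hashes in practice


def string_processing(first_key: str) -> str:
    """Character string processing applied to the first key (assumed: SHA-256 hex).

    The display program ships the same function to the browser, so it is public:
    the check relies on the client executing it, not on keeping it secret."""
    return hashlib.sha256(first_key.encode("utf-8")).hexdigest()


class WebAuthenticationUnit:
    """Models key generation unit 211, database 212 and comparison processing unit 213."""

    def __init__(self, timeout_seconds: float = TIMEOUT_SECONDS, clock=time.time):
        self._db = {}                 # database 212: second key -> timeout time
        self._timeout = timeout_seconds
        self._clock = clock           # injectable so expiry can be tested offline

    def issue_first_key(self) -> str:
        """Run on every request for the display program: a fresh random first key,
        whose second key and timeout time are stored (claims 5 and 6)."""
        first_key = secrets.token_hex(16)
        self._db[string_processing(first_key)] = self._clock() + self._timeout
        return first_key

    def confirm(self, third_key: str) -> bool:
        """Steps S501-S506: look up a second key equal to the third key, enforce the
        timeout, and remove the entry so each key authenticates at most once."""
        timeout_at = self._db.pop(third_key, None)
        if timeout_at is None:
            return False              # S503/S504: no matching second key
        if self._clock() > timeout_at:
            return False              # past the timeout: fail, entry already deleted
        return True                   # S505/S506: success, entry consumed


def build_display_program(auth_unit: WebAuthenticationUnit) -> dict:
    """Web page distribution unit 220 preparing the page: the first key travels
    embedded in the program sent to the terminal (claim 2)."""
    return {"first_key": auth_unit.issue_first_key(), "script": "compute and return third key"}


def browser_compute_third_key(display_program: dict) -> str:
    """What web browser 310 does when it executes the display program: reproduce
    the processing on the embedded first key."""
    return string_processing(display_program["first_key"])


def handle_login(auth_unit: WebAuthenticationUnit, user_id: str, password: str, third_key: str):
    """Web page distribution unit 220, steps S402-S408: credentials first, then the
    key confirmation; returns a session key on success and None on refusal."""
    expected = USERS.get(user_id, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):   # S402/S403
        return None
    if not auth_unit.confirm(third_key):                                  # S404-S406
        return None
    return secrets.token_urlsafe(32)                                      # S407/S408


def demo() -> dict:
    """Constructed walk-through; each value records whether login was granted."""
    now = [1000.0]
    auth = WebAuthenticationUnit(timeout_seconds=60, clock=lambda: now[0])
    pw = "correct horse battery staple"

    program = build_display_program(auth)
    third = browser_compute_third_key(program)
    genuine = handle_login(auth, "alice", pw, third) is not None
    replay = handle_login(auth, "alice", pw, third) is not None          # same key again

    program = build_display_program(auth)
    no_script = handle_login(auth, "alice", pw, program["first_key"]) is not None  # skipped the processing

    program = build_display_program(auth)
    now[0] += 61                                                          # past the 60 s timeout
    expired = handle_login(auth, "alice", pw, browser_compute_third_key(program)) is not None

    program = build_display_program(auth)
    bad_password = handle_login(auth, "alice", "wrong", browser_compute_third_key(program)) is not None
    return {"genuine": genuine, "replay": replay, "no_script": no_script,
            "expired": expired, "bad_password": bad_password}


if __name__ == "__main__":
    print(demo())
```

Because the database is keyed on the second authentication key, the "search for any matching key" approach of this embodiment is a single dictionary lookup regardless of how many terminals are waiting. Popping the entry on every match, whether the key is still valid or already past its timeout, is what makes a third authentication key single-use, so a captured one cannot be replayed later; a client that returns the first key unchanged (one that did not execute the page script) never matches. As the description itself notes, a mechanical login program that does execute the script is slowed rather than stopped, so this check complements, and does not replace, rate limiting on the login endpoint.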
As described above, in this first embodiment, login authentication is performed by comparing the second authentication key stored in the key generation unit 211 with the third authentication key that the web browser 310 of the communication terminal 300 computed automatically by executing the web display program. A communication terminal 300 that does not execute the web display program therefore cannot be authenticated. Mechanical login programs normally do not execute the web display program. Accordingly, this embodiment can reject unauthorized authentication requests from many mechanical login programs (for example, the authentication requests of a list-type attack).
It is also conceivable that a fraudster develops and uses a mechanical login program that can execute the web display program. Even in that case, however, the development cost of the mechanical login program can be driven up and its processing speed (that is, the number of authentication requests it can make per unit time) reduced, which makes the fraud harder to carry out.
Furthermore, according to this first embodiment, the third authentication key is computed automatically when the communication terminal 300 executes the web display program, so the operating burden on the user of the communication terminal 300 is not increased.
Also, according to this first embodiment, the first authentication key is transmitted to the communication terminal 300 embedded in the web display program, so a mechanical login program on that communication terminal 300 must locate the first authentication key within the web display program. For this reason too, the first embodiment can drive up the development cost and lower the processing speed of mechanical login programs, making fraud harder to carry out.
For a legitimate user, on the other hand, no operation such as entering the first authentication key into the communication terminal is required, so the operating burden does not increase.
In addition, according to this first embodiment, the web server 200 receives the third authentication key together with the user ID and password entered on the authentication page, so even when the user ID and password used in a mechanical authentication request by a mechanical login program are genuine credentials that were obtained illicitly, that authentication can be refused.
Also, in this first embodiment, authentication is performed by searching the one or more second authentication keys stored in the database 212 for one that matches the third authentication key received from the communication terminal 300, so the authentication processing is very simple and the processing load is small even when many communication terminals 300 request authentication at the same time. However, other authentication methods may be used; for example, identification information such as the IP address of the communication terminal 300 may be stored in the database 212 in association with the second authentication key, and the second and third authentication keys compared individually for each communication terminal 300.
In this first embodiment, the authentication technique of the present invention (authentication by comparing the second and third authentication keys) has been described by way of example as used together with authentication by user ID and password, but the authentication technique of the present invention may be used together with other authentication techniques, or on its own.
DESCRIPTION OF SYMBOLS
100 Network
200 Web server
210 Web authentication unit
211 Key generation unit
212 Database
213 Comparison processing unit
220 Web page distribution unit
300 Communication terminal
310 Web browser
320, 330 Input fields
340 Login button
400 Internet

Claims (10)

  1.  An authentication system comprising:
     a key storage unit that stores a second authentication key generated by applying character string processing to a first authentication key;
     a transmission processing unit that transmits to a communication terminal a display program that causes a browser of the communication terminal to execute display processing for displaying an authentication page on a display unit of the communication terminal, computation processing for generating a third authentication key from the first authentication key by automatically executing the character string processing, and return processing for returning the third authentication key; and
     a comparison processing unit that authenticates the communication terminal when the third authentication key received from the communication terminal matches the second authentication key stored in the key storage unit.
  2.  The authentication system according to claim 1, wherein the first authentication key is transmitted to the communication terminal embedded in the display program or in data transmitted together with the display program.
  3.  The authentication system according to claim 1 or 2, wherein
     the authentication page includes input fields for a user ID and a password, and
     the return processing of the display program is processing that returns the third authentication key together with the user ID and the password entered in those input fields.
  4.  The authentication system according to any one of claims 1 to 3, wherein
     the key storage unit stores, in association with the second authentication key, time information for setting an expiry of authentication using the second and third authentication keys, and
     the comparison processing unit refuses authentication when the time at which authentication is performed is past that expiry, even if the second and third authentication keys match.
  5.  The authentication system according to any one of claims 1 to 4, further comprising a key generation unit that
     obtains the first authentication key using a random number,
     applies the character string processing to the first authentication key to generate the second authentication key, and
     provides the generated second authentication key to the key storage unit.
  6.  The authentication system according to claim 5, wherein
     each time a transmission request for the display program is received from any of the communication terminals, the key generation unit generates the first authentication key and the key storage unit generates and stores the second authentication key from the newly generated first authentication key, and
     the transmission processing unit transmits the newly generated first authentication key to the communication terminal in response to that transmission request.
  7.  The authentication system according to claim 5 or 6, wherein the comparison processing unit searches the one or more second authentication keys stored in the key storage unit for one that matches the third authentication key received from the communication terminal, and authenticates the communication terminal when such a matching second authentication key exists.
  8.  The authentication system according to claim 7, wherein, when the comparison processing unit authenticates the communication terminal, it deletes the second authentication key corresponding to that authentication from the key storage unit.
  9.  An authentication method comprising:
     a key storage step of storing a second authentication key obtained by applying character string processing to a first authentication key;
     a transmission step of transmitting to a communication terminal a display program that causes a browser of the communication terminal to execute display processing for displaying an authentication page on a display unit of the communication terminal, computation processing for generating a third authentication key from the first authentication key by automatically executing the character string processing, and return processing for returning the third authentication key to the authentication system; and
     a comparison processing step of performing authentication processing of the communication terminal by comparing the third authentication key received from the communication terminal with the second authentication key stored in the key storage step.
  10.  A program storage medium storing a computer-executable display program,
     the display program being transmitted from an authentication system comprising a key storage unit that stores a second authentication key obtained by applying character string processing to a first authentication key, and a comparison processing unit that performs authentication processing of a communication terminal by comparing a third authentication key received from the communication terminal with the second authentication key stored in the key storage unit, and being received by the communication terminal, and
     the display program causing a browser of the communication terminal to execute:
     display processing for displaying an authentication page on a display unit of the communication terminal;
     computation processing for generating the third authentication key from the first authentication key by automatically executing the character string processing; and
     return processing for returning the third authentication key to the authentication system.
PCT/JP2016/069772 2015-07-07 2016-07-04 Authentication system, authentication method, and program recording medium WO2017006905A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-135893 2015-07-07
JP2015135893A JP6084258B2 (en) 2015-07-07 2015-07-07 Authentication system and display program

Publications (1)

Publication Number Publication Date
WO2017006905A1 true WO2017006905A1 (en) 2017-01-12

Family

ID=57685165

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/069772 WO2017006905A1 (en) 2015-07-07 2016-07-04 Authentication system, authentication method, and program recording medium

Country Status (2)

Country Link
JP (1) JP6084258B2 (en)
WO (1) WO2017006905A1 (en)

Also Published As

Publication number Publication date
JP6084258B2 (en) 2017-02-22
JP2017021396A (en) 2017-01-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16821374; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16821374; Country of ref document: EP; Kind code of ref document: A1)