WO2002103535A1 - Qualification certification method using certification information - Google Patents
Qualification certification method using certification information
- Publication number
- WO2002103535A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- authentication
- connection
- authentication information
- variable
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/403—Solvency checks
Definitions
- The present invention relates to a qualification authentication method in which a certifier (the authenticating side) authenticates a person to be authenticated in order to ensure security in a network, and in particular to a qualification authentication method that uses variable authentication information which is different every time authentication is performed. Background art
- Conventionally, a connection service provider authenticates the qualification of the person to be authenticated using fixed authentication information such as a password and an ID.
- The methods that improve on this are, broadly, those that apply public key cryptography.
- With fixed authentication information the password may be stolen from the connection line, it may be disclosed if it is stored on the authenticating side, and the person being authenticated may leak the password that is his or her own confidential information; reliably ensuring security was therefore extremely difficult. For that reason the prover commonly registers with the verifier the authentication information after applying a one-way function to it, and at authentication time the verifier applies the same one-way function to the password it receives and compares the results. Various encryption methods of this kind have been adopted, but none of them prevents the authentication information from being stolen from the connection line.
- The qualification authentication method presented in Japanese Patent Application Laid-Open No. 2-65542 uses the authentication information verified in the previous phase as the basis for the next, so that the authentication information used for authentication is chained from one phase to the next.
- In every authentication phase three pieces of information are transmitted: validity verification information for the authentication information sent last time, the authentication information used for the current authentication, and the information to be used for the next authentication. The authentication information can thus be chained from one authentication to the next while being updated safely.
- However, in order to receive certification from the certifier, the person being certified must use the two certification information values (random numbers) generated previously, so a processing program occupying a relatively large area is required; the certification information must be stored on a storage medium such as an IC card, and a device for reading and writing such a medium and a device for generating random numbers are also needed. Further, according to the conventional qualification authentication method presented in the above-mentioned publication, the authenticated side calculates the present authentication information and the next authentication information with a one-way function over a random number, the user ID and the password, and then combines them with an exclusive OR operation.
- The verifying side compares the verification parameter with the authentication information registered in the previous verification phase; if they match, the current authentication is judged to be established and the next authentication information is registered as the next verification parameter. This can be realized with a small program size and gives secure authentication with little concern of theft on the connection line.
- That conventional method does not need as many as four kinds of authentication information, as the method of Japanese Patent Application Laid-Open No. 2-65542 does,
- and it can be realized with a relatively small program size. It still, however, computes the authentication information with a one-way function over random numbers, user IDs and passwords and a certain exclusive OR, and that computation must be encrypted so that nobody but the certifier can decipher it; the expense of creating the programs and the storage becomes an economic burden.
- Moreover, the information used for qualification is originally fixed information; it is only made variable by the one-way function over a random number, user ID and password and by the exclusive OR encryption.
- Whenever that encryption has to change, the program itself, including the part that encrypts with the exclusive OR, must be rewritten, which is a further disadvantage.
- The present invention solves these problems of conventional qualification authentication using variable authentication information and makes higher security possible in a simple manner, economically and with no burden on the user. Disclosure of the invention
- In the present invention the authentication information is determined on the basis of connection history information that is recorded over time in a log file while a connection is made.
- The authentication information determined from that history information is stored in the storage devices of both the authenticating side and the authenticated side, and the connection is then disconnected. At the next connection the authentication information stored on the authenticated side
- is compared with the authentication information stored on the authenticating side, and qualification is authenticated by that comparison.
- Because the authentication information is determined from the connection history recorded over time in the log file, that is, from information which changes every moment, it changes in every authentication phase and there is no regularity between the authentication information of one time and the next. Even if it is stolen on the connection line, the authentication information actually needed is selected and determined in an instant, so the stolen copy is of no use.
- The log file is a file that records the usage status and connection history of a system; it is widely used on storage devices such as disks and is not limited to network applications.
- When the authentication information is a collection of character strings taken from a plurality of items of the selected log file, the combination of strings is more complicated than for authentication information generated from the string of a single item, and the security effect is enhanced.
- Further, when the authentication information is generated, authentication of fixed information known only to the person being authenticated, such as a password or license number, can be required in addition, with that fixed information incorporated at a predetermined position of the authentication information. If the connection device itself, such as the terminal of the person being authenticated, is then stolen, the authentication information to be used from the next time lacks the part consisting of that fixed information, so certification cannot be obtained even with the connection device.
- FIG. 1 is an explanatory view showing an outline of the present invention applied to a network.
- FIG. 2 is an explanatory view showing the generation process of the variable authentication information according to the present invention.
- FIG. 3 is a schematic block diagram of the invention. BEST MODE FOR CARRYING OUT THE INVENTION
- The drawings show an outline of a preferred embodiment in which the present invention is applied to a computer network. It comprises a WWW server 1 on the service providing side and a connection terminal 2 on the service receiving side, which connects to the WWW server 1,
- an information collecting server 3, needed for practicing the present invention, which collects the connection history between the connection terminal 2 and the WWW server 1 that is stored moment by moment in the log file of the WWW server 1,
- and an authentication information issuing server 4, which generates and stores the next authentication information and, at the current connection, authenticates the authentication information that was stored last time and is sent from the connection terminal 2.
- The present invention authenticates qualification using the history of the log file recorded at connection time as the authentication information, so at the time of the very first connection there is no
- connection history on which to base the authentication information. The first connection is therefore made after qualification has been authenticated with fixed authentication information such as a password or ID, to which conventional common key encryption is applied.
- That first connection can be made securely by adopting a conventionally known encryption method. Usually, theft from the connection route takes place after the first connection, that is, once the information is in use; theft at the time of the initial connection is extremely rare and is hardly a concern.
- Since qualification based on fixed information is switched to qualification based on variable authentication information as soon as the initial connection has been made, it cannot be said that there is any concern about theft on the first connection.
- When the connection terminal 2 connects, the connection history with it, recorded moment by moment in the log file of the WWW server 1, is sent to the information collecting server 3.
- The connection history recorded in the log file spans many files and many items even when only text files are considered. Sending all of such a huge amount of connection history to the information collecting server 3 is not preferable, because it places a large burden on both storage area and processing.
- Therefore the histories of, for example, five items are collected: the password item, the session log, the access log date, the access log, and other usage information. If too few items are selected, the variable authentication information created from them is short and leaves safety concerns; if more items than necessary are selected, they burden storage area and processing.
- From the information collected in the information collecting server 3 in this way, as shown for example in FIG. 2(a), four character strings are selected from among the plurality of items at any given time, and the selected strings are edited into a single character string as shown in FIG. 2(b) to generate the authentication information. This is sent to the authentication information issuing server 4,
- which saves it as the next authentication information and sends it to the WWW server 1. Unlike the conventional case, in which seemingly irregular authentication information is produced by calculating and encrypting the necessary parameters with a specific program, variable authentication information that is truly irregular and difficult to steal is obtained very easily and mechanically, merely by editing simple character strings.
- The variable authentication information of the present invention can freely change not only its content but also its number of digits each time, which makes it still more random and further enhances security.
- The variable authentication information generated in the information collecting server 3 from the connection history recorded in the log file is stored in the authentication information issuing server 4 and in the connection terminal 2.
- Since the connection history on which the variable authentication information is based is constantly changing, the question arises of which point in the connection history to use for generating the authentication information; for example, it may be generated at the time of disconnection, that is, from the final
- state of the history. At a minimum, the stored information must be the latest one, that is, authentication information different from that used at the start of the connection; beyond that, which point in the connection history is used is of less importance.
- At the next connection the stored authentication information is sent automatically from the connection terminal 2 via the WWW server 1 to the authentication information issuing server 4, which compares it with the variable authentication information it stored itself. If they match, the current authentication is judged to be established, and the result is sent to the WWW server 1 so that the terminal can advance to the next page. If they do not match, an indication to that effect is sent to the connection terminal 2 via the WWW server 1 and the connection is rejected.
- After a successful authentication the next variable authentication information is generated from the connection history and stored in the same manner.
- Reference numeral 5 denotes a management terminal connected to the information collecting server 3. On it the editing conditions for the information collected in the information collecting server 3 to generate the authentication information, from among the history sent to the WWW server 1, such as the number of items and the number of digits, are set at a point away from the network. Full automation is possible, but by changing, regularly or irregularly, the type of information collected and the way it is edited into variable authentication information, a higher security effect can be achieved.
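The procedure above, run end to end as an added example (illustration code, not the patent's or the applicant's implementation). WWW server 1, information collecting server 3, authentication information issuing server 4 and connection terminal 2 are modelled as Python classes; the five log items are constructed here; the selection rule (four of the five items, six characters each, standing in for the editing conditions of management terminal 5), the class and function names and the reselect-on-repeat check are assumptions. Besides the honest rotation and the rejection of a replayed, already consumed value, the scenario shows the limit of the scheme: a copy of the value currently stored on the terminal is accepted once and leaves the owner holding stale information, which is the case the fixed-information slot in the description is meant to cover.

```python
import hmac
import random


def build_auth_info(log_items, n_items=4, n_chars=6, rng=random):
    """Information collecting server 3 (FIG. 2): choose n_items of the log
    items, cut n_chars characters from a random offset of each, and edit the
    pieces into one string.  Item and digit counts stand in for the editing
    conditions of management terminal 5; both values are assumed."""
    if n_items > len(log_items):
        raise ValueError("fewer log items than requested")
    pieces = []
    for key in rng.sample(sorted(log_items), n_items):
        text = log_items[key]
        start = rng.randrange(max(1, len(text) - n_chars + 1))
        pieces.append(text[start:start + n_chars])
    return "".join(pieces)


class IssuingServer:
    """Authentication information issuing server 4: per terminal, the
    variable information expected at the next connection."""

    def __init__(self):
        self._expected = {}

    def register(self, terminal_id, info):
        self._expected[terminal_id] = info

    def verify(self, terminal_id, presented):
        expected = self._expected.get(terminal_id)
        if expected is None or presented is None:
            return False
        # constant-time compare: a plain == would leak the stored value by timing
        return hmac.compare_digest(expected.encode(), presented.encode())


class Terminal:
    """Connection terminal 2: keeps only the information to present next time."""

    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.saved_info = None


class WWWServer:
    """WWW server 1: authenticates, records the connection log and, at
    disconnect, has the next information generated and stored on both sides."""

    def __init__(self, issuing, password_db, rng=random):
        self.issuing = issuing
        self.password_db = password_db  # fixed credentials, first connection only
        self.rng = rng
        self.log = []                   # one dict of five log items per connection

    def _record(self, terminal, method):
        n = len(self.log) + 1
        self.log.append({  # constructed log items, one per item named in the embodiment
            "password_item": f"user={terminal.terminal_id} method={method}",
            "session_log": f"sid={n:04d}-{self.rng.randrange(16 ** 6):06x}",
            "access_date": f"2001-07-11 09:{14 + n:02d}:{self.rng.randrange(60):02d}",
            "access_log": f"GET /service/page{n} HTTP/1.0 200 {1800 + 7 * n}",
            "usage_info": f"bytes_out={1800 + 7 * n} pages={n}",
        })

    def _disconnect(self, terminal):
        # Edit the next information from the final history of this connection and
        # store it on both sides before the line drops.  The patent does not say
        # what to do if the edited string repeats the previous one; reselecting
        # (assumed here) keeps every phase distinct.
        for _ in range(16):
            info = build_auth_info(self.log[-1], rng=self.rng)
            if info != terminal.saved_info:
                break
        else:
            raise RuntimeError("history too static to yield fresh information")
        self.issuing.register(terminal.terminal_id, info)
        terminal.saved_info = info

    def first_connect(self, terminal, password):
        """Initial connection: fixed password, because no history exists yet."""
        if self.password_db.get(terminal.terminal_id) != password:
            return False
        self._record(terminal, "password")
        self._disconnect(terminal)
        return True

    def connect(self, terminal, presented):
        """Every later connection: compare presented with stored, then rotate."""
        if not self.issuing.verify(terminal.terminal_id, presented):
            return False  # mismatch: the connection is rejected
        self._record(terminal, "variable")
        self._disconnect(terminal)
        return True


def run_scenario(seed=1):
    """Honest connections, a replay of consumed information, and the limit
    case in which the currently stored copy itself is stolen."""
    rng = random.Random(seed)
    server = WWWServer(IssuingServer(), {"term-02": "s3cret"}, rng)
    term = Terminal("term-02")
    first_ok = server.first_connect(term, "s3cret")
    eavesdropped = term.saved_info          # copied "on the line" at connection 2
    second_ok = server.connect(term, term.saved_info)
    rotated = term.saved_info != eavesdropped
    replay_ok = server.connect(Terminal("term-02"), eavesdropped)  # stale copy
    stolen_copy = term.saved_info           # e.g. read from the terminal's disk
    thief_ok = server.connect(Terminal("term-02"), stolen_copy)
    owner_ok_after_theft = server.connect(term, term.saved_info)
    return {"first_ok": first_ok, "second_ok": second_ok, "rotated": rotated,
            "replay_ok": replay_ok, "thief_ok": thief_ok,
            "owner_ok_after_theft": owner_ok_after_theft,
            "info_length": len(stolen_copy)}
```

run_scenario() returns the outcome of each step as a dict. The issuing server compares with hmac.compare_digest rather than == so that the comparison itself does not leak the stored value through timing; that detail is the editor's addition, not something the description specifies.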
- The present invention can be applied to many other systems besides a WWW server, such as a stand-alone PC or a server on a LAN.
- On a LAN, for example, the client passwords managed by the network operating system, the network logs, the session history of each client, and the mail transmission and reception history can easily be defined as the history items.
- Since the present invention issues variable authentication information separately for each client on the LAN, an increase in the number of clients does not reduce its effect.
- Authentication information can also be generated for a portable terminal such as a mobile phone, for example from connection history information such as the telephone number of the connected party, the incoming call history, the incoming time and the connection time.
- An IC card or the like, as one of the connection terminals connected to a server via an interface, can likewise be used to practice the present invention.
- A storage medium such as the hard disk installed in an ordinary terminal can serve as the storage location of the variable authentication information in the connection terminal,
- but it is desirable to place it in a storage location such as a storage and transmission microchip. In that case, once saved, there is no fear of damage, failure or accidental loss as with a hard disk, and there is no need to perform the initial connection operation again.
- A recording medium and program of very low capacity suffice, so there is no concern of an economic burden even if a separate storage location is provided.
- The user has the advantage that the connection operation can be performed comfortably, without being conscious of the credential procedure that a conventional connection requires.
- As described above, according to the present invention the authentication information used to authenticate the credentials required at connection time is determined from the connection history information recorded over time in the log file. It changes with each authentication phase, there is no regularity between the authentication information of different times, and even if it is stolen at connection time the authentication information actually needed is selected and decided in an instant, so the stolen copy is of no use; thorough security can therefore be obtained.
- When the authentication information is determined by arbitrarily selecting part of the character strings in each item constituting the connection history recorded in the log file, it is easy to use.
- When the authentication information is a collection of strings from a plurality of items of the selected log file,
- the combination is more complicated than with authentication information generated from the strings of a single item, and the security effect is enhanced.
- When, after the authentication information is specified, authentication of fixed information known only to the person being authenticated, such as a password or license number, is also required and that fixed information is set to be incorporated at a predetermined position, then even if the connection device itself, such as the terminal to be authenticated, has been stolen,
- the authentication information to be used from the next time lacks the part consisting of that fixed information, so certification cannot be obtained with the connection device alone. This is best where security must be assured.
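The fixed-information slot, as an added example that is not part of the patent: the issuing server stores the edited variable part with the user's fixed information inserted at a predetermined position, the terminal stores only the variable part, and the user supplies the fixed part at connection time. The slot position, the sample variable part, the licence number, the storage split between server and terminal, and the class names are assumptions.

```python
import hmac

SLOT_POSITION = 12  # assumed predetermined position inside the variable part


def incorporate(variable_part, fixed_info, position=SLOT_POSITION):
    """Insert the fixed information known only to the user at the slot."""
    if not 0 <= position <= len(variable_part):
        raise ValueError("slot position outside the variable information")
    return variable_part[:position] + fixed_info + variable_part[position:]


class IssuingServerWithSlot:
    """Issuing server 4 holding the full string, fixed part included."""

    def __init__(self):
        self._expected = {}

    def register(self, terminal_id, variable_part, fixed_info):
        self._expected[terminal_id] = incorporate(variable_part, fixed_info)

    def verify(self, terminal_id, presented):
        expected = self._expected.get(terminal_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), presented.encode())


class TerminalWithSlot:
    """Connection terminal 2: stores the variable part only, so the fixed
    information is never at rest on the device."""

    def __init__(self, variable_part):
        self.variable_part = variable_part

    def present(self, fixed_info_entered):
        return incorporate(self.variable_part, fixed_info_entered)


def run_slot_scenario():
    # constructed: a variable part as the collecting server would edit it
    variable_part = "sid=0002 09:15:GET /s1814 p"
    server = IssuingServerWithSlot()
    server.register("term-02", variable_part, "L-4471")  # assumed licence number
    owner = TerminalWithSlot(variable_part)
    return {
        "owner_ok": server.verify("term-02", owner.present("L-4471")),
        # thief holds the terminal (hence the variable part) but not the fixed part
        "stolen_terminal_ok": server.verify("term-02", owner.variable_part),
        "wrong_fixed_ok": server.verify("term-02", owner.present("L-0000")),
        # fixed part alone (e.g. shoulder-surfed) without the terminal's copy
        "fixed_only_ok": server.verify("term-02", incorporate("", "L-4471", 0)),
    }
```

Only the combination of the terminal's stored copy and the fixed information entered by the user reproduces the string the issuing server holds; either half on its own is rejected.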
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Finance (AREA)
- Storage Device Security (AREA)
Abstract
According to the invention, a connection is cut off while certification information, determined on the basis of connection history information recorded chronologically in a log file at the time of the connection, is stored in storage devices on both the certified side and the certifying side. At the next connection, the qualification is certified by comparing the certification information stored on the certified side with the certification information stored on the certifying side.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2001-178156 | 2001-06-13 | ||
JP2001178156A JP2002366523A (ja) | 2001-06-13 | 2001-06-13 | Qualification authentication method using variable authentication information |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002103535A1 (fr) | 2002-12-27 |
Family
ID=19018901
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2001/005994 WO2002103535A1 (fr) | 2001-06-13 | 2001-07-11 | Qualification certification method using certification information |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP2002366523A (fr) |
TW (1) | TW522702B (fr) |
WO (1) | WO2002103535A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111246501A (zh) * | 2018-11-29 | 2020-06-05 | 国基电子(上海)有限公司 | Network connection method, network device and computer-readable storage medium |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4623938B2 (ja) * | 2003-02-28 | 2011-02-02 | Necエンジニアリング株式会社 | Method and system for ensuring security in private communication |
JP4793628B2 (ja) * | 2005-09-01 | 2011-10-12 | 横河電機株式会社 | OS boot method and device using the same |
WO2007086121A1 (fr) * | 2006-01-26 | 2007-08-02 | Fujitsu Limited | Authentication information update system, program and terminal |
JP2007226827A (ja) * | 2007-04-23 | 2007-09-06 | Nomura Research Institute Ltd | Login request accepting device and access management device |
JP5071636B2 (ja) * | 2007-06-28 | 2012-11-14 | 大日本印刷株式会社 | Password verification system and method using passwords created from log information |
JP5012261B2 (ja) * | 2007-07-02 | 2012-08-29 | 大日本印刷株式会社 | Password issuing system |
JP5811121B2 (ja) * | 2013-03-22 | 2015-11-11 | 日本電気株式会社 | Terminal device authentication system |
KR101555195B1 (ko) | 2013-07-31 | 2015-09-24 | 주식회사 씽크풀 | Method and system for providing dynamic passwords |
JP2016006656A (ja) * | 2015-07-17 | 2016-01-14 | 日本電気株式会社 | Terminal device, terminal device authentication system, authentication information generation method for a terminal device, and authentication information generation program for a terminal device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPS6446152A (en) * | 1987-08-14 | 1989-02-20 | Hitachi Ltd | Password switching system |
JP2000029841A (ja) * | 1998-07-14 | 2000-01-28 | Ibix Kk | Spoofing prevention method and device |
JP2001005781A (ja) * | 1999-06-18 | 2001-01-12 | Life Gijutsu Kenkyusho:Kk | Communication system for protected information |
2001
- 2001-06-13 JP JP2001178156A patent/JP2002366523A/ja active Pending
- 2001-07-11 WO PCT/JP2001/005994 patent/WO2002103535A1/fr active Application Filing
- 2001-08-15 TW TW90119984A patent/TW522702B/zh not_active IP Right Cessation
Also Published As
Publication number | Publication date |
---|---|
TW522702B (en) | 2003-03-01 |
JP2002366523A (ja) | 2002-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9338163B2 (en) | Method using a single authentication device to authenticate a user to a service provider among a plurality of service providers and device for performing such a method | |
US6912659B2 (en) | Methods and device for digitally signing data | |
US7596704B2 (en) | Partition and recovery of a verifiable digital secret | |
JP4866863B2 (ja) | Security code generation method and user device | |
US20150113283A1 (en) | Protecting credentials against physical capture of a computing device | |
RU2584500C2 (ru) | Cryptographic method of authentication and identification with real-time encryption | |
KR101753859B1 (ko) | Server and method for managing a smart home environment with it, method for joining a smart home environment, and method for connecting a communication session with a smart device | |
CN106488452B (zh) | Mobile terminal secure access authentication method combined with a fingerprint | |
US20020031225A1 (en) | User selection and authentication process over secure and nonsecure channels | |
KR20030074483A (ko) | Service providing system that provides a service from a service provider device to a service user device via a network | |
JP2009510644A (ja) | Method and arrangement for secure authentication | |
JPH113033A (ja) | Method for establishing client identity in client-server electronic transactions, smart card and server therefor, and method and system for determining whether a user is authorized to perform an operation with a verifier | |
IL137099A (en) | Method and system for performing a secure digital signature | |
JP2004530331A (ja) | Cryptographic authentication method using ephemeral modules | |
JP3980145B2 (ja) | Cryptographic key authentication method and certificate for chip cards | |
CN101621794A (zh) | Security authentication implementation method for a wireless application service system | |
JP3362780B2 (ja) | Authentication method in a communication system, center device, and recording medium recording an authentication program | |
CN100514333C (zh) | Database secure access method and system | |
US20020091932A1 (en) | Qualification authentication method using variable authentication information | |
WO2002103535A1 (fr) | Qualification certification method using certification information | |
US20090106829A1 (en) | Method and system for electronic reauthentication of a communication party | |
JP3872616B2 (ja) | User authentication method on the Internet using shared-key cryptographic IC cards | |
US20030097559A1 (en) | Qualification authentication method using variable authentication information | |
JP2004013560A (ja) | Authentication system, communication terminal and server | |
JP4303952B2 (ja) | Multiple authentication system, computer program and multiple authentication method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): CA CN KR US |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: COMMUNICATION UNDER RULE 69 EPC (EPO FORM 1205A DATED 18.03.2004) |
| 122 | Ep: pct application non-entry in european phase | |