+

WO2003005226A1 - User authentication system and method using the same - Google Patents

User authentication system and method using the same Download PDF

Info

Publication number
WO2003005226A1
WO2003005226A1 PCT/KR2002/000293 KR0200293W WO03005226A1 WO 2003005226 A1 WO2003005226 A1 WO 2003005226A1 KR 0200293 W KR0200293 W KR 0200293W WO 03005226 A1 WO03005226 A1 WO 03005226A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
address
data
user
contents
Prior art date
Application number
PCT/KR2002/000293
Other languages
French (fr)
Inventor
Tae-Soo Ha
Joo-Heum Baek
Original Assignee
Tae-Soo Ha
Joo-Heum Baek
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tae-Soo Ha, Joo-Heum Baek filed Critical Tae-Soo Ha
Publication of WO2003005226A1 publication Critical patent/WO2003005226A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5053Lease time; Renewal aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping

Definitions

  • the present invention relates generally to a system and method for user authentication, in particular, to a system and method for authenticating whether a user of a client, who has accessed a server to request service, is an authorized user.
  • the WWW a representative service among these Internet services which provides a wide use, for example, transmission of the contents as large volume multimedia data consisted of audio, video, or a combination of the two rather than as data in form of simple text and image, is gradually increasing for more effective transmission of information.
  • Typical examples of the multimedia form contents are motion images such as cinemas, dramas, music videos, animations, as well as various sound contents including mp3 , etc .
  • the main methods for transmitting such large volume multimedia data to a client (computer) can be roughly classified into the following two:
  • the downloading method wherein the contents are generated, using a local program of -the client computer, after the data transmission from a server to a client computer is completed; and 2.
  • the streaming method wherein large volume data are divided into parts each of which having a predetermined size, and then transmitted successively part by part from a server to a client computer, while the client computer regenerates concurrently the partial data transmitted from the server. This method is advantageous in that it allows the client to regenerate the partial data even prior to the completion of data transmission, without the need to wait until the entire data is transmitted.
  • a user authentication is a process, in which a user accessing a server is determined whether he is an authorized user or not, and if the user is an authorized user, a predetermined service is provided, while such service is not provided in case the user is determined to be an unauthorized user. This is a -very critical issue, because it is directly linked with profits of the contents provider.
  • a service provider providing a high-priced multimedia data that requires heavy manufacture costs fails to effectively prevent unauthorized use (of a third party) due to its defective authentication system, it could hardly continue providing the service. Furthermore, if the number of unauthorized users increases, the network traffic will increase excessively due to the increased number of the users, leading to an overload of the server, even disabling the server to provide appropriate service to the authorized users, and the result would be decrease of credibility in the server among the authorized users.
  • HTTP Clear/PN-AUTH-BASIC Method is a basic authentication method provided by the streaming servers of the Microsoft Corp. and the Real Network Corp. According to this method, a user undergoes a separate authentication procedure by a contents server storing the contents (also called a media server) , after an authentication of the user by a web server.
  • This method although involving a security problem, because user information is transmitted in text only without encoding thereof, is advantageous in that it allows relatively simple processing of user authentication.
  • NTLM Authentication Method is one of the basic authentication methods provided by the streaming server of the Microsoft Corp. According to this method, the user name and password used for login of the Windows are automatically transmitted irrespective of the use of the web page, without requiring a separate input by the user.
  • An advantage of this method which uses a challenge/response process, not requiring actual transmission through a network of a user password, is its superiority in user security.
  • a disadvantage of this method is that it is not applicable on the Internet, where a Windows domain environment cannot be generated, and thus, its application is restricted only to intranets/extranets of corporations, or to virtual private networks.
  • PESL Authentication/PN-AUTH-DIGEST Method is an expanded authentication method of the streaming server of the Microsoft Corp. and a basic authentication method of the Real Network Corp. According to this method, the user name, password, and other media related information stored in the web server are transmitted to the streaming media server through a master key encoding method, without re-inputting the user information, so that these information are subsequently decoded by the media server, and then, compared with the corresponding values stored.
  • This method being an authentication method currently most frequently used on the Internet, is shown in Fig. 1. In spite of the advantages mentioned above, the above conventional methods have the following problems:
  • the conventional authentication methods do not allow a common authentication of a web server and a contents server, which provides the contents, due to their separation of a web server from a contents server, the absolute address of a contents ' data can easily be exposed, so that they remain open and unprotected to users accessing the contents server via a detour path without having passed a user authentication. Accordingly, once the absolute address of the contents data is leaked, the above methods are incapable of blocking an unauthorized user, and if the address of a contents data is disclosed in a so-called warez site, the number of unauthorized users increases rapidly, resulting in an overload of the network.
  • the present invention conceived in view of the foregoing, aims to provide a system and method for user authentication capable of fundamentally cutting off accesses of unauthorized users, by not disclosing the absolute address of the contents data.
  • Another objective of the present invention is to provide a system and method for user authentication capable of confirming in an easy and simple manner a user accessing a contents server as to his authentication, without a separate authentication procedure.
  • Still another objective of the present invention is to provide a system and method for user authentication capable of reducing the network traffic so that the network is loaded only by the unit of the servers, irrespective of the number of the users accessing the server, as well as reducing the time required for a user to view a data after the user has accessed the server and requested the data.
  • the present invention provides a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein the second server changes the address of the location in which said contents . data is stored if a predetermined condition occurs, and then, transmits said changed address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed address.
  • the second server changes the virtual address corresponding to the address of the location in which said contents data is stored, and then, transmits said changed virtual address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed virtual address.
  • both the address of the location in which said contents data is stored and the corresponding virtual address are changed at random.
  • the predetermined condition is a predetermined time interval.
  • a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which changes the physical address of the contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said physical address of said contents data as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said physical address of said contents data of said second server stored in the same based on said updated physical address of said contents data as transmitted from said synchronizing module.
  • Still another embodiment of the present invention provides a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which generates a virtual address corresponding to the physical address of each contents data, changes said virtual address corresponding to said physical address of said contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said virtual address as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said virtual address of said contents data of said second server stored in the same based on said updated virtual address of said contents data as transmitted from said synchronizing module .
  • the predetermined condition is a predetermined time interval .
  • the second server further comprises an encoding module, which encodes the address as changed by said second server, while said first sever further comprises a decoding module, which receives and decodes said encoded data from said encoding module.
  • the second server further comprises a log process module, which records the log data of the system such as, the changed address data, the changed time data, the error data, etc.
  • Still another embodiment of the present invention provides a user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of confirming by said second server whether a predetermined condition has occurred changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred transmitting said changed virtual address to said first server by said second server receiving said changed virtual address and changing said virtual address of said contents data stored by said first server and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server.
  • Still another embodiment of the present invention provides a user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of confirming by said second server whether a predetermined condition has occurred, changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred, transmitting said changed virtual address to said first server by said second server, receiving said changed virtual address and changing said virtual address of said contents data stored in said first server by said first server and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server.
  • the predetermined condition is a predetermined time interval.
  • Still another embodiment of the present invention provides a user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs,- and a synchronizing module, which transmits said changed address data to a user or a web server and synchronizes the same; and a web server including an address updating module, which updates the address data of the contents data stored in said streaming server with the new address data received from said streaming server.
  • Still another embodiment of the present invention provides a user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs, a synchronizing module, which transmits said changed address data to a user or a web server and - synchronizes the same, and an encoding module, which encodes said changed address data and a web server including a decoding module, which decodes said encoded address data received from said streaming server and an address updating module, which updates the existing address data of said contents with said new decoded address data .
  • the streaming server further comprises a log process module, which stores the changed address data, the changed time data, etc. in the log file.
  • the predetermined condition is a predetermined time interval or the number of accessed users exceeding a predetermined figure.
  • Still another embodiment of the present invention provides a user authentication method comprising the steps of altering an address data of stored contents when a predetermined condition occurs, transmitting the altered address data to a web server and updating existing address data with the received address data at said web server.
  • Still another embodiment of the present invention provides a user authentication method comprising the steps of altering an address data of stored contents when a predetermined condition occurs, confirming whether a web server of an external network coupled with a streaming server exists, encrypting the altered address data, when the web server of an external network exists, transmitting the encrypted address data to the web server, decrypting the encrypted address data at the web server and updating existing address data with the decrypted address data at the web server.
  • the method further comprises the step of recording the changed address data and the change time data in the log file.
  • the predetermined condition in said step of changing address data of said contents stored if a predetermined condition occurs is a predetermined time interval or the number of accessed users exceeding a predetermined figure.
  • Fig. 1 is a schematic diagram for the conventional PESL Authentication/PN-AUTH-DIGEST Method.
  • Fig. 2 shows a system construction in accordance with an embodiment of the present invention.
  • Fig. 3 shows constructions of the first server (50) and the second server (60) in Fig. 2.
  • Fig. 4 is a flow chart showing the process of a user's receiving of the contents data via the first server (50) and the second server (60) .
  • Fig. 5 is a flow chart showing the processes of changing the address of the contents data and of synchronizing the second server (60) with the first server (50) .
  • Figs . 6A and 6B are block diagrams showing construction examples of the address change module (61) of the second server (60) .
  • Fig. 7 is a block diagram showing another construction of the first server (50) and the second server (60) .
  • Fig. 8 is a comparison diagram wherein the response time to the contents data of the present invention is compared with those of the conventional arts.
  • Fig. 9 is a comparison table wherein the system load of the present invention is compared with those of the conventional arts.
  • Fig. 10 is a general block diagram showing a system construction for providing a streaming service via the Internet .
  • Fig. 11 is a block diagram showing a construction of the streaming server and the web server in accordance with the present invention.
  • Fig. 12 is a flow chart showing another embodiment example of the method in accordance with the present invention.
  • Fig. 2 shows a system construction in accordance with an embodiment of the present invention.
  • the system of the present embodiment example is consisted of the first server 50 and the second server 60 with a client computer 70 being connected thereto via the above first server 50.
  • the above first server 50 is a server that functions e.g. in the WWW service as a web server.
  • the above second server 60 is a server that stores the data to be transmitted to a client computer (herein after, "contents data"), and transmits the contents data requested by a user, when the user (a client computer 70) has been authenticated by the first server 50.
  • the present system having the above construction operates in the following manner:
  • the first server 50 which functions as a web server performs the web server login procedure (authentication procedure) for a user.
  • the second server 60 changes the address of the physical memory device storing the contents data when a predetermined condition occurs, synchronizes the first server 50 by notifying the first server 50 of the changed address, and allows a user to access the second server 60 if the user requests contents data after he has properly logged in as described above, so that the contents data can be transmitted (to the user) .
  • the contents data may be provided only to the user who have properly logged in the first server 50, by the address of the contents data being altered in a predetermined time interval by the second server 60 and by the altered address, the above hyperlink that enables the client computer 70 to connect to the second server 60, being synchronized with the first server 70.
  • the contents data can be provided (to the user) rapidly without causing any load of the server, not requiring a separate authentication procedure. And even when the physical address of the contents data stored in the second server 60 is temporarily leaked, an access by an unauthorized user, to whom information on the changed physical address is not available, to the second server 60 can effectively be prevented.
  • Fig. 3 shows constructions of the first server 50 and the second server 60 in Fig. 2, designed to enable these servers to perform the above operations.
  • the second server 60 comprises an address change module 61, which changes the physical address of the contents data whenever a predetermined condition occurs, and a synchronizing module 62, which transmits the physical address of the contents data as changed by the above address change module 61 to the first server 50.
  • the first server 50 comprises an address update module 51, which updates the physical address of the contents data stored in the first server 50) based on the updated physical address of the contents data transmitted from the above synchronizing module 62.
  • the address change module 61 changes the address of the physical space where the contents data is stored, whenever a predetermined condition .occurs, wherein the predetermined condition can be established in various forms.
  • this condition can be a certain time interval , the number of accessed users exceeding a certain figure, etc.
  • This condition can be set freely in accordance with the need for system administration. In case that a certain time interval is set as the above condition, a shorter time interval may contribute to reduce the access rate by unauthorized users, On the other hand, because too short time interval would not even allow the time for updating address data, an appropriate time interval shall be.
  • Fig. 4 is a flow chart showing the process of a user's receiving of the contents data via the first server 50 and the second server 60 in a system construction described in Figs. 2 and 3.
  • the first server 50 When a user connected to the first server 50 requests contents data by selecting a text or an image on the web page via an input device such as a mouse (S100) , i.e. when the user requests the second server, via a hyperlink or the like, to transmit the contents data to him, the first server 50 confirms whether the user requesting the data is an authorized user (S110) .
  • the user who has already been authenticated is allowed to promptly access the second server via a hyperlink, etc. (S130) .
  • step S120 proceed after a successful authentication to the above step S40. If the user fails to obtain an authentication, the request is rejected and other appropriate step is taken, e.g. releasing an error message.
  • the user If, however, , the user is authenticated, he can access the second server 60, because the first server 50 stores the same address of the contents data as changed by the second server 60.
  • the correct link information to the second server 60 such as hyperlink and the like is available to the user who has been authenticated by the first server 50, which means that in case that a web page is used, fche link information displayed on the web page is accurately synchronized with the second server 60.
  • Fig. 5 is a flow chart showing the processes of changing address of the contents data and of synchronizing the second server 60 with the first server 50.
  • the predetermined condition can be set as a certain time interval, the number of accessed users exceeding a certain figure, etc. according to the needs of the system.
  • the process returns to the stand-by status if the predetermined condition did not occur; however, upon occurrence of the predetermined condition, the address change module 61 of the second server 60 changes the physical address where the contents data is stored (S220) . Then, the address change module 61 of the second server 60 notifies the synchronizing module 62 of the changed address, whereupon the synchronizing module 62 transmits the changed address to the address update module 51 of the first server 50 (S230) .
  • the address update module 51 of the first server 50 receives the changed address and changes the address of the contents data it stores (S240) , whereby the synchronization is completed.
  • Figs. 6A and 6B are block diagrams showing construction examples of the address changing module 61 of the second server 60, wherein, to explain with help of the concepts of physical address and virtual address, the contents data of the second server 60 is more effectively administered by changing the virtual address only, while the physical address remains unchanged.
  • Item a) in Fig. 6A shows the physical address as well as the virtual address at time Tl, while item b) shows the corresponding addresses at time T2.
  • condition a) the physical address where the contents data is stored at time Tl- is "c:/dirl", while the virtual address is "543nkl” .
  • condition b) the physical address where the contents data is stored at time T2 remains the same, i.e. "c:/dirl " , while the virtual address is changed to "543nk2" .
  • the physical address where the contents data is stored at time Tl is "c:/dirl", while the virtual address is "f2al3d2del32asld” .
  • the physical address where the contents data is stored at time T2 remains the same, i.e. "c:/dirl", while the virtual address is changed at random to "24e21f8gar2mlm4e” .
  • Such a virtual address changed at random is advantageous in security, in the case that the virtual address is eventually leaked (even) temporarily. Further, the longer a virtual address, the higher will be the security.
  • the address change module 61 transmits the changed virtual address to the first server
  • the present invention can prevent delay in time caused by any change of the physical address, and can more effectively administer the data by maintaining security in transmission of the data.
  • a synchronization of the addresses of the contents data between the first server 50 and the second server 60 described in Fig. 5, is performed by synchronization of the changed virtual addresses.
  • the changed address data transmitted from the second server 60 to the first server 50) is, namely, the virtual address data.
  • Fig. 7 is a block diagram showing another construction of the first server (50) and the second server 60. Compared to the block diagram in Fig. 3, the block diagram in Fig. 7 differs in that the first server 50 further comprises a decoding module 52, and the second server 60 further comprises a log process module 63 as well as a encoding module 64.
  • the log process module 63 of the second server 60 records the log data of the system such as the changed address data, the change time data, the error data, etc. in the log file.
  • the encoding module 64 encodes and transmits the data when transmitting the changed address data to the first server 50.
  • the decoding module 52 of the first server 50 receives and decodes the data encoded by the above encoding module 64.
  • a log process module 63 is not necessarily required, but rather can optionally be adopted.
  • the construction in Fig. 7 can selectively be combined with the construction in Fig.3 and Fig.6, if necessary.
  • Fig. 8 is a comparison diagram wherein the response time to the contents data of the present invention is compared with those of the conventional arts.
  • the response time comprises mainly four delay factors depending on the different authentication methods.
  • the Text_Basic, PN_AUTH_Basic Method includes an item for user input delay, which delay time is the time required for a user to input his ID as well as password and to confirm this input, after the windows for input of ID and password are displayed on the user's computer monitor, upon the user has requested the contents server for contents.
  • the third delay factor is the time needed for authenticating a user by comparing a specific value of the user database with the value generated through the hash function, the value inputted by the user, and the value obtained through the decoding process.
  • the fourth delay factor is the time needed for accessing the contents contained basically in the contents server.
  • Fig. 9 is a comparison table wherein the system load of the present invention is compared with those of the conventional arts.
  • the system is loaded by user unit, at factors such as encoding and decoding, communication between the web server and the contents server, communication with the database, question and answer with the database, etc., while in the present invention, the system is loaded by server unit at every factor.
  • server unit at every factor.
  • the present invention as described above can be applied independently to the process of transmitting contents data to the user.
  • the present invention can be applied without regard as to whether a downloading method or a streaming method is used.
  • the present invention can be applied to any method of data transmission to the user.
  • Figs. 10 through 12 show embodiment examples of the present invention in providing streaming service via the Internet .
  • Fig. 10 is a general block diagram showing a system construction for providing a streaming service via the Internet.
  • the system in accordance with the present invention comprises a streaming server 10, which changes the address data storing the streaming data corresponding to the multimedia streaming contents whenever a predetermined condition occurs, and a web server 20, which guides the multimedia streaming contents provided by the streaming server 10 through the web page and receives the changed address data of the contents from the streaming server 10.
  • a non-related server 40 which is incapable of transmitting the related data even when a user requests therefor, because it can receive the changed address data of the contents neither from a user 30, who requests address data of the contents as provided by the streaming server 10 after having accessed the above web server 20, nor from the streaming server 10.
  • the above streaming server 10 stores data related to each authenticated web server 20, such as IP address of each web server, and, if a predetermined condition, such as a certain time interval, access of users over a certain number, etc., occurs and the address data of the contents is changed, transmits the changed address data to the authenticated web server (s) 20.
  • the above streaming server 10 stores data relating to at least one authenticated web server 30.
  • the web server 20 comprises a means for intermediating the user 30 and the streaming server 10 with prior authentication of the streaming server 10, such as a web server which operates the streaming server 20, (herein after, "web server of the internal network"), a web server of the Internet service provider 20, (herein after, "web server of the external network”), etc.
  • the web server 20 updates the existing address data of the corresponding contents with the new address data received, and then, transmits the updated address data of the corresponding contents when a user 30 requests transmission of the contents by clicking a hyperlink text.
  • the address data of the corresponding contents can be transmitted to the user 30 so that the user 30 can receive the requested contents by accessing the streaming server 10, because the web server 20) stres the correct address data of the corresponding contents.
  • the user 30 requests transmission of the contents via the non-related server 40, it is almost impossible that the user 30 receives the proper contents, because it is highly probable that the non-related server 40 does not store the correct address data in itself.
  • the user 30 accesses directly the streaming server 10 after having received address data of the contents from the web page of an authenticated web server 20, the user 30 cannot receive the (changed) streaming data if the streaming server 10 has changed the address data of the contents during transmission of the above streaming data, because the address data changed by the streaming data is not transmitted to the user 30.
  • the above non-related server 40 is a means for providing the contents stored in the streaming server 10 by linking, without authorization, the address data of the contents provided by the streaming server 10, without prior authentication by the streaming server 10, examples of which include, personal homepages, warez sites where software or contents are illegally traded, search engine operating systems, etc.
  • the above non-related server 40 cannot receive the changed address data in the case that the streaming server 10 changes the address data of the contents, it is scarcely coourred that the correct address data of the contents becomes available to the non-related server 40. Thus, this server cannot transmit correct address data of the contents to a user 30, who requests this data. Accordingly, it is almost impossible that an unauthorized third person, i.e. a user 30 attempting to access the streaming server 10 via the above non-related server 40, receive the desired contents.
  • Fig. 11 is a block diagram showing a construction of the streaming server 10 and the web server 20 in accordance with the present invention. As shown in Fig.
  • the streaming server 10 comprises an address change module 11, a log process module 13, an encoding module 14, and a synchronizing module 12, while the web server 20 comprises a decoding module 21 and an address updating module 22.
  • the above address change module 11 generates a new address data of the existing multimedia streaming contents if a predetermined condition such as lapse of a predetermined time interval, accesses of users reach over a predetermined number, etc. occurs, and then, changes the address data by substituting the existing address data with the newly generated address data.
  • the above log process module 13 is a means for recording the address data, the change time data, the error data, etc. in the log file
  • the above encoding module 14 is a means for encoding the address data prior to transmission thereof to the web server 20 in order to prevent leaking of the changed address data to a third person when the streaming server 10 transmits the changed address data to the web server 20 of an external networ .
  • the above synchronizing module 12 is a means for synchronizing between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20, by transmitting the synchronized streaming data to the user 30 and the changed (or encoded) address data to the web server 20 so that no problem based on the change of the address data of the contents by the streaming server 10 arises between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20.
  • the above decoding module 21 is a means for decoding the encoded address data received from the streaming server 10, while the address updating module 11 is a means for updating the existing address data with the changed address data.
  • Fig. 12 is a flow chart showing another embodiment example of the method in accordance with the present invention having a system construction as in Figs. 10 and 11.
  • the address change module 11 of the streaming server 10 changes the address data by substituting the existing address data with newly generated address data if a predetermined condition occurs (S300) .
  • This predetermined condition comprises a predetermined time interval, the number of user accesses over a predetermined figure, etc.
  • Various methods may be adopted for generation of the address data of the contents, e ' .g. one address data from among a plenty of addresses stored in advance could be selected successively or at random if a predetermined condition occurs, or an address data could be generated in accordance with a given rule whenever a predetermined condition occurs.
  • the log process module 13 stores the necessary data, such as the changed address data, the change time data, and the error data, in the log file.
  • the streaming server 10 confirms whether any web server 20 of the external network exists making reference to data relating to the stored web server 20, e.g. IP address (S320) , and, if it is confirmed that such web server 20 of the external network exists, the encoding module 14 encodes the changed address data prior to its transmission (S330) in order to prevent a possible leakage (of the address data) to a third persqn while the changed address data is transmitted through the external network to the web server 20.
  • IP address IP address
  • the synchronizing module 12 transmits the synchronized streaming data to the user 30 and transmits the changed (or encoded) address data to the web server 20 to synchronize between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20, so that no problem based on the change of the address data of the contents arises between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20 (S340) .
  • the address updating module 11 of the web server 20 of the internal network after receiving the changed address data, updates the existing address data with the new address data received from the streaming server 10, the web server 20 transmits the changed address data to the user 30 upon request for contents transmission by the user 30, so that the user 30 can receive the contents by accessing the streaming server 10 with the address data.
  • the decoding module 21 of the web server 20 of the external network after receiving the changed address data, decodes the address data, whereupon the address updating module 22 updates the existing address data with the new address data, the web server 20 transmits the changed address data to the user 30 upon request for contents transmission by the user 30, so that the user 30 can receive the contents by accessing the streaming server 10 with the address • data.
  • the user 30, who has received the remaining synchronized streaming data receives and regenerates the streaming data, because the address data of the respective contents is changed during transmission thereof.
  • the user is a user accessed the streaming server 10 via an authorized path, an authenticated web server 20 and provided with contents from the streaming server 10.
  • the user who has arbitrarily accessed the streaming server 10 via the non-related server 40 or by using the address data of the contents obtained from the web page provided by the web server 20, may not receive the remaining streaming data, when the address data of the contents is changed during transmission thereof.
  • the present invention may equally be applied to another embodiment, wherein two or more servers are included.
  • One of the servers performs the authentication function, just as the web server and the other (s) of the servers performs the function of the service providing server (s), whereby the authentication server controls the access of the user to the service providing server.
  • the present invention is capable of fundamentally cutting off accesses of unauthorized users, by not disclosing the absolute address of a contents data.
  • the present invention provide a system and method for user authentication capable of confirming in an easy and simple manner a user accessing a contents server as to his authentication without a separate authentication procedure.
  • the present invention provides a system and method for user authentication capable of reducing the network traffic by loading the system only by server unit, irrespective of the number of the users accessing the server, as well as reducing the time required for a user to view a data after he has accessed the server and requested the data.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This invention relates generally to a system and method for authenticating a client who accesses a server and requests service, and more specifically, to a system and method for authenticating whether a client is authorized to access a server and to request service, by changing automatically the address, which corresponds to the physical space where the data requested by the client is stored, and by notifying the authorized user of this change. In this way, the present invention enables effective authentication of a user, by confirming easily whether the user is authorized to access a server and request service, and by preventing an unauthorized user from accessing the server and requesting service, without increasing loads on the server.

Description

USER AUTHENTICATION SYSTEM AND METHOD USING THE SAME
TECHNICAL FIELD
The present invention relates generally to a system and method for user authentication, in particular, to a system and method for authenticating whether a user of a client, who has accessed a server to request service, is an authorized user.
BACKGROUND ART
With rapidly expanded use of the Internet along with the development of the relevant technologies, a wide range of Internet services, including the world wide web (hereinafter, "WWW"), ftp service, electronic-mail (herein after, "e-mail") service, etc., are provided. The WWW, a representative service among these Internet services which provides a wide use, for example, transmission of the contents as large volume multimedia data consisted of audio, video, or a combination of the two rather than as data in form of simple text and image, is gradually increasing for more effective transmission of information. Typical examples of the multimedia form contents are motion images such as cinemas, dramas, music videos, animations, as well as various sound contents including mp3 , etc . The main methods for transmitting such large volume multimedia data to a client (computer) can be roughly classified into the following two:
1. The downloading method, wherein the contents are generated, using a local program of -the client computer, after the data transmission from a server to a client computer is completed; and 2. The streaming method, wherein large volume data are divided into parts each of which having a predetermined size, and then transmitted successively part by part from a server to a client computer, while the client computer regenerates concurrently the partial data transmitted from the server. This method is advantageous in that it allows the client to regenerate the partial data even prior to the completion of data transmission, without the need to wait until the entire data is transmitted.
Although these methods can be appropriately combined by the needs of the server, in order to provide large volume multimedia contents, the streaming method rather than the downloading method is generally preferred. On the other hand, the service providers providing various services using such multimedia data - the contents providers - adopt various user authentication methods to prevent unauthorized access and use by a non- entitled user. A user authentication is a process, in which a user accessing a server is determined whether he is an authorized user or not, and if the user is an authorized user, a predetermined service is provided, while such service is not provided in case the user is determined to be an unauthorized user. This is a -very critical issue, because it is directly linked with profits of the contents provider. If a service provider providing a high-priced multimedia data that requires heavy manufacture costs, fails to effectively prevent unauthorized use (of a third party) due to its defective authentication system, it could hardly continue providing the service. Furthermore, if the number of unauthorized users increases, the network traffic will increase excessively due to the increased number of the users, leading to an overload of the server, even disabling the server to provide appropriate service to the authorized users, and the result would be decrease of credibility in the server among the authorized users.
Examples of technologies applied currently for a user authentication are as follows: HTTP Clear/PN-AUTH-BASIC Method is a basic authentication method provided by the streaming servers of the Microsoft Corp. and the Real Network Corp. According to this method, a user undergoes a separate authentication procedure by a contents server storing the contents (also called a media server) , after an authentication of the user by a web server. This method, although involving a security problem, because user information is transmitted in text only without encoding thereof, is advantageous in that it allows relatively simple processing of user authentication.
NTLM Authentication Method is one of the basic authentication methods provided by the streaming server of the Microsoft Corp. According to this method, the user name and password used for login of the Windows are automatically transmitted irrespective of the use of the web page, without requiring a separate input by the user. An advantage of this method, which uses a challenge/response process, not requiring actual transmission through a network of a user password, is its superiority in user security. However, a disadvantage of this method is that it is not applicable on the Internet, where a Windows domain environment cannot be generated, and thus, its application is restricted only to intranets/extranets of corporations, or to virtual private networks.
PESL Authentication/PN-AUTH-DIGEST Method is an expanded authentication method of the streaming server of the Microsoft Corp. and a basic authentication method of the Real Network Corp. According to this method, the user name, password, and other media related information stored in the web server are transmitted to the streaming media server through a master key encoding method, without re-inputting the user information, so that these information are subsequently decoded by the media server, and then, compared with the corresponding values stored. This method, being an authentication method currently most frequently used on the Internet, is shown in Fig. 1. In spite of the advantages mentioned above, the above conventional methods have the following problems:
Since the conventional authentication methods do not allow a common authentication of a web server and a contents server, which provides the contents, due to their separation of a web server from a contents server, the absolute address of a contents' data can easily be exposed, so that they remain open and unprotected to users accessing the contents server via a detour path without having passed a user authentication. Accordingly, once the absolute address of the contents data is leaked, the above methods are incapable of blocking an unauthorized user, and if the address of a contents data is disclosed in a so-called warez site, the number of unauthorized users increases rapidly, resulting in an overload of the network.
Furthermore, in the above conventional methods, increase of the users causes increase of traffic on the network, because the database server and the contents server are loaded in proportion to users' number.
In addition, since time for inputting the user name and password in the course of the authentication process, for confirming of these data by the database server, for encoding, decoding as well as confirming of such data, and the like is required in the conventional methods, a considerable delay must occur until the user can actually view the contents data. DISCLOSURE OF THE INVENTION
The present invention, conceived in view of the foregoing, aims to provide a system and method for user authentication capable of fundamentally cutting off accesses of unauthorized users, by not disclosing the absolute address of the contents data.
Another objective of the present invention is to provide a system and method for user authentication capable of confirming in an easy and simple manner a user accessing a contents server as to his authentication, without a separate authentication procedure.
Still another objective of the present invention is to provide a system and method for user authentication capable of reducing the network traffic so that the network is loaded only by the unit of the servers, irrespective of the number of the users accessing the server, as well as reducing the time required for a user to view a data after the user has accessed the server and requested the data.
In order to achieve the above objectives, the present invention provides a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein the second server changes the address of the location in which said contents . data is stored if a predetermined condition occurs, and then, transmits said changed address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed address.-
The second server changes the virtual address corresponding to the address of the location in which said contents data is stored, and then, transmits said changed virtual address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed virtual address.
Here, both the address of the location in which said contents data is stored and the corresponding virtual address are changed at random.
Furthermore, the predetermined condition is a predetermined time interval.
Another embodiment of the present invention provides a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which changes the physical address of the contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said physical address of said contents data as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said physical address of said contents data of said second server stored in the same based on said updated physical address of said contents data as transmitted from said synchronizing module. Still another embodiment of the present invention provides a user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which generates a virtual address corresponding to the physical address of each contents data, changes said virtual address corresponding to said physical address of said contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said virtual address as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said virtual address of said contents data of said second server stored in the same based on said updated virtual address of said contents data as transmitted from said synchronizing module .
Here, the predetermined condition is a predetermined time interval . Furthermore, the second server further comprises an encoding module, which encodes the address as changed by said second server, while said first sever further comprises a decoding module, which receives and decodes said encoded data from said encoding module. Furthermore, the second server further comprises a log process module, which records the log data of the system such as, the changed address data, the changed time data, the error data, etc.
Still another embodiment of the present invention provides a user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of confirming by said second server whether a predetermined condition has occurred changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred transmitting said changed virtual address to said first server by said second server receiving said changed virtual address and changing said virtual address of said contents data stored by said first server and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server. Still another embodiment of the present invention provides a user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of confirming by said second server whether a predetermined condition has occurred, changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred, transmitting said changed virtual address to said first server by said second server, receiving said changed virtual address and changing said virtual address of said contents data stored in said first server by said first server and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server.
Here, the predetermined condition is a predetermined time interval.
Still another embodiment of the present invention provides a user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs,- and a synchronizing module, which transmits said changed address data to a user or a web server and synchronizes the same; and a web server including an address updating module, which updates the address data of the contents data stored in said streaming server with the new address data received from said streaming server.
Still another embodiment of the present invention provides a user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs, a synchronizing module, which transmits said changed address data to a user or a web server and - synchronizes the same, and an encoding module, which encodes said changed address data and a web server including a decoding module, which decodes said encoded address data received from said streaming server and an address updating module, which updates the existing address data of said contents with said new decoded address data .
Here, the streaming server further comprises a log process module, which stores the changed address data, the changed time data, etc. in the log file.
Furthermore, the predetermined condition is a predetermined time interval or the number of accessed users exceeding a predetermined figure. Still another embodiment of the present invention provides a user authentication method comprising the steps of altering an address data of stored contents when a predetermined condition occurs, transmitting the altered address data to a web server and updating existing address data with the received address data at said web server.
Still another embodiment of the present invention provides a user authentication method comprising the steps of altering an address data of stored contents when a predetermined condition occurs, confirming whether a web server of an external network coupled with a streaming server exists, encrypting the altered address data, when the web server of an external network exists, transmitting the encrypted address data to the web server, decrypting the encrypted address data at the web server and updating existing address data with the decrypted address data at the web server.
Here, The method further comprises the step of recording the changed address data and the change time data in the log file.
Furthermore, the predetermined condition in said step of changing address data of said contents stored if a predetermined condition occurs, is a predetermined time interval or the number of accessed users exceeding a predetermined figure.
BRIEF DESCRIPTION OF THE INVENTION
Fig. 1 is a schematic diagram for the conventional PESL Authentication/PN-AUTH-DIGEST Method.
Fig. 2 shows a system construction in accordance with an embodiment of the present invention.
Fig. 3 shows constructions of the first server (50) and the second server (60) in Fig. 2. Fig. 4 is a flow chart showing the process of a user's receiving of the contents data via the first server (50) and the second server (60) .
Fig. 5 is a flow chart showing the processes of changing the address of the contents data and of synchronizing the second server (60) with the first server (50) .
Figs . 6A and 6B are block diagrams showing construction examples of the address change module (61) of the second server (60) . Fig. 7 is a block diagram showing another construction of the first server (50) and the second server (60) .
Fig. 8 is a comparison diagram wherein the response time to the contents data of the present invention is compared with those of the conventional arts.
Fig. 9 is a comparison table wherein the system load of the present invention is compared with those of the conventional arts.
Fig. 10 is a general block diagram showing a system construction for providing a streaming service via the Internet . Fig. 11 is a block diagram showing a construction of the streaming server and the web server in accordance with the present invention.
Fig. 12 is a flow chart showing another embodiment example of the method in accordance with the present invention.
BEST MODES FOR CARRYING OUT THE INVENTION
The preferred embodiments of the present invention are described below in detail, making reference to the accompanying drawings .
Fig. 2 shows a system construction in accordance with an embodiment of the present invention. As shown in Fig. 2, the system of the present embodiment example is consisted of the first server 50 and the second server 60 with a client computer 70 being connected thereto via the above first server 50. The above first server 50 is a server that functions e.g. in the WWW service as a web server. The above second server 60 is a server that stores the data to be transmitted to a client computer (herein after, "contents data"), and transmits the contents data requested by a user, when the user (a client computer 70) has been authenticated by the first server 50.
The present system having the above construction operates in the following manner: The first server 50, which functions as a web server performs the web server login procedure (authentication procedure) for a user.
The second server 60 changes the address of the physical memory device storing the contents data when a predetermined condition occurs, synchronizes the first server 50 by notifying the first server 50 of the changed address, and allows a user to access the second server 60 if the user requests contents data after he has properly logged in as described above, so that the contents data can be transmitted (to the user) .
For example, in the case that the web pages of the first server 50, as it is seen frequently, is constructed in order to be connected to the second server 60 storing the contents data via a hyperlink containing the physical address of the above contents data when the user clicks the titles or images of the contents data by using an input device such as a mouse, the contents data may be provided only to the user who have properly logged in the first server 50, by the address of the contents data being altered in a predetermined time interval by the second server 60 and by the altered address, the above hyperlink that enables the client computer 70 to connect to the second server 60, being synchronized with the first server 70. Accordingly, upon request for contents data by an authorized user, the contents data can be provided (to the user) rapidly without causing any load of the server, not requiring a separate authentication procedure. And even when the physical address of the contents data stored in the second server 60 is temporarily leaked, an access by an unauthorized user, to whom information on the changed physical address is not available, to the second server 60 can effectively be prevented.
Fig. 3 shows constructions of the first server 50 and the second server 60 in Fig. 2, designed to enable these servers to perform the above operations.
As shown in Fig. 3, the second server 60 comprises an address change module 61, which changes the physical address of the contents data whenever a predetermined condition occurs, and a synchronizing module 62, which transmits the physical address of the contents data as changed by the above address change module 61 to the first server 50. The first server 50 comprises an address update module 51, which updates the physical address of the contents data stored in the first server 50) based on the updated physical address of the contents data transmitted from the above synchronizing module 62.
The address change module 61 changes the address of the physical space where the contents data is stored, whenever a predetermined condition .occurs, wherein the predetermined condition can be established in various forms. For example, this condition can be a certain time interval , the number of accessed users exceeding a certain figure, etc. This condition can be set freely in accordance with the need for system administration. In case that a certain time interval is set as the above condition, a shorter time interval may contribute to reduce the access rate by unauthorized users, On the other hand, because too short time interval would not even allow the time for updating address data, an appropriate time interval shall be.
Fig. 4 is a flow chart showing the process of a user's receiving of the contents data via the first server 50 and the second server 60 in a system construction described in Figs. 2 and 3.
When a user connected to the first server 50 requests contents data by selecting a text or an image on the web page via an input device such as a mouse (S100) , i.e. when the user requests the second server, via a hyperlink or the like, to transmit the contents data to him, the first server 50 confirms whether the user requesting the data is an authorized user (S110) .
The user who has already been authenticated, is allowed to promptly access the second server via a hyperlink, etc. (S130) .
If the user has not yet been authenticated, the process proceeds to the step of user authentication
(S120) , and proceed after a successful authentication to the above step S40. If the user fails to obtain an authentication, the request is rejected and other appropriate step is taken, e.g. releasing an error message.
If, however, , the user is authenticated, he can access the second server 60, because the first server 50 stores the same address of the contents data as changed by the second server 60. In other words, the correct link information to the second server 60 such as hyperlink and the like is available to the user who has been authenticated by the first server 50, which means that in case that a web page is used, fche link information displayed on the web page is accurately synchronized with the second server 60.
Subsequently, the second server 60 transmits the contents data to the authenticated user (S140) . Fig. 5 is a flow chart showing the processes of changing address of the contents data and of synchronizing the second server 60 with the first server 50.
First, in stand-by status (S200) it is confirmed whether the predetermined condition has occurred (S210) . As described above, this condition can be set as a certain time interval, the number of accessed users exceeding a certain figure, etc. according to the needs of the system. The process returns to the stand-by status if the predetermined condition did not occur; however, upon occurrence of the predetermined condition, the address change module 61 of the second server 60 changes the physical address where the contents data is stored (S220) . Then, the address change module 61 of the second server 60 notifies the synchronizing module 62 of the changed address, whereupon the synchronizing module 62 transmits the changed address to the address update module 51 of the first server 50 (S230) . The address update module 51 of the first server 50 receives the changed address and changes the address of the contents data it stores (S240) , whereby the synchronization is completed.
Figs. 6A and 6B are block diagrams showing construction examples of the address changing module 61 of the second server 60, wherein, to explain with help of the concepts of physical address and virtual address, the contents data of the second server 60 is more effectively administered by changing the virtual address only, while the physical address remains unchanged. Item a) in Fig. 6A shows the physical address as well as the virtual address at time Tl, while item b) shows the corresponding addresses at time T2.
Under condition a) , the physical address where the contents data is stored at time Tl- is "c:/dirl", while the virtual address is "543nkl" . Under condition b) , the physical address where the contents data is stored at time T2 remains the same, i.e. "c:/dirl " , while the virtual address is changed to "543nk2" .
For change of the virtual address various methods can be adopted. Although the virtual addresses in the drawing have been changed apparently in a successive manner, a change random is preferable for a better security.
The random change of the virtual address is shown. in Fig. 6B.
As shown in Fig. 6B under condition a) , the physical address where the contents data is stored at time Tl is "c:/dirl", while the virtual address is "f2al3d2del32asld" . Under condition b) , the physical address where the contents data is stored at time T2 remains the same, i.e. "c:/dirl", while the virtual address is changed at random to "24e21f8gar2mlm4e" .
Such a virtual address changed at random is advantageous in security, in the case that the virtual address is eventually leaked (even) temporarily. Further, the longer a virtual address, the higher will be the security.
In this manner, the address change module 61 transmits the changed virtual address to the first server
50 via the synchronizing module 62 so that the data on the changed address becomes available to the first server
50.
Since the above construction allows the physical address to remain unchanged, the present invention can prevent delay in time caused by any change of the physical address, and can more effectively administer the data by maintaining security in transmission of the data.
In a construction as in Figs. 6A and 6B, a synchronization of the addresses of the contents data between the first server 50 and the second server 60 described in Fig. 5, is performed by synchronization of the changed virtual addresses. The changed address data transmitted from the second server 60 to the first server 50) is, namely, the virtual address data.
Fig. 7 is a block diagram showing another construction of the first server (50) and the second server 60. Compared to the block diagram in Fig. 3, the block diagram in Fig. 7 differs in that the first server 50 further comprises a decoding module 52, and the second server 60 further comprises a log process module 63 as well as a encoding module 64.
The log process module 63 of the second server 60 records the log data of the system such as the changed address data, the change time data, the error data, etc. in the log file. The encoding module 64 encodes and transmits the data when transmitting the changed address data to the first server 50. The decoding module 52 of the first server 50 receives and decodes the data encoded by the above encoding module 64.
Since the above construction allows encoding as well as decoding of the address as changed by the second server 60, the risk of possible data leakage during data transmission can effectively be prevented.
In such a construction a log process module 63 is not necessarily required, but rather can optionally be adopted. In addition, the construction in Fig. 7 can selectively be combined with the construction in Fig.3 and Fig.6, if necessary.
Fig. 8 is a comparison diagram wherein the response time to the contents data of the present invention is compared with those of the conventional arts. The response time comprises mainly four delay factors depending on the different authentication methods.
First, the Text_Basic, PN_AUTH_Basic Method includes an item for user input delay, which delay time is the time required for a user to input his ID as well as password and to confirm this input, after the windows for input of ID and password are displayed on the user's computer monitor, upon the user has requested the contents server for contents.
Second, in the NTML, PESL, PN_AUTH_DIGEST Method the time for decoding and generating a hash function value is required, which time, being required for decoding the information encoded by a specific key on the network or for generating a specific value through the hash function, increases with the number of the simultaneous users.
The third delay factor is the time needed for authenticating a user by comparing a specific value of the user database with the value generated through the hash function, the value inputted by the user, and the value obtained through the decoding process.
Finally, the fourth delay factor is the time needed for accessing the contents contained basically in the contents server.
These delay factors are all described in Fig. 8, from which it can be seen that the present invention does not comprise any of the above first through third delay factors. In other words, if no contents access time is required in the contents server, the response time for accessing the contents will be 0.
Fig. 9 is a comparison table wherein the system load of the present invention is compared with those of the conventional arts.
As shown in Fig. 9, in the conventional arts, the system is loaded by user unit, at factors such as encoding and decoding, communication between the web server and the contents server, communication with the database, question and answer with the database, etc., while in the present invention, the system is loaded by server unit at every factor. Thus, in the present invention, even when the number of simultaneous users increases, because only a constant level of server resource is used, so that stability and reliability of the system superior to those of the conventional arts can be achieved.
However, the present invention as described above can be applied independently to the process of transmitting contents data to the user. In other words, the present invention can be applied without regard as to whether a downloading method or a streaming method is used. To summarize, once a user is duly authenticated, the present invention can be applied to any method of data transmission to the user.
Application of the present invention to a streaming service is described below, referring to the relevant drawings . Figs. 10 through 12 show embodiment examples of the present invention in providing streaming service via the Internet .
Fig. 10 is a general block diagram showing a system construction for providing a streaming service via the Internet. As shown in Fig. 10, the system in accordance with the present invention comprises a streaming server 10, which changes the address data storing the streaming data corresponding to the multimedia streaming contents whenever a predetermined condition occurs, and a web server 20, which guides the multimedia streaming contents provided by the streaming server 10 through the web page and receives the changed address data of the contents from the streaming server 10. Also in the drawing is shown, for a more detailed explanation, a non-related server 40, which is incapable of transmitting the related data even when a user requests therefor, because it can receive the changed address data of the contents neither from a user 30, who requests address data of the contents as provided by the streaming server 10 after having accessed the above web server 20, nor from the streaming server 10.
The above streaming server 10 stores data related to each authenticated web server 20, such as IP address of each web server, and, if a predetermined condition, such as a certain time interval, access of users over a certain number, etc., occurs and the address data of the contents is changed, transmits the changed address data to the authenticated web server (s) 20. The above streaming server 10 stores data relating to at least one authenticated web server 30. The web server 20 comprises a means for intermediating the user 30 and the streaming server 10 with prior authentication of the streaming server 10, such as a web server which operates the streaming server 20, (herein after, "web server of the internal network"), a web server of the Internet service provider 20, (herein after, "web server of the external network"), etc. If the above streaming server 10 changes the location information storing the multimedia streaming contents, i.e. the address data of the contents and transmits the same to the web server 20, the web server 20 updates the existing address data of the corresponding contents with the new address data received, and then, transmits the updated address data of the corresponding contents when a user 30 requests transmission of the contents by clicking a hyperlink text. If the above user 30, who is a client desiring to be provided with the contents supplied by the streaming server 10 via the web server 20 or the non-related server 40, requests transmission of the contents via the web server 20, the address data of the corresponding contents can be transmitted to the user 30 so that the user 30 can receive the requested contents by accessing the streaming server 10, because the web server 20) stres the correct address data of the corresponding contents. However, if the user 30 requests transmission of the contents via the non-related server 40, it is almost impossible that the user 30 receives the proper contents, because it is highly probable that the non-related server 40 does not store the correct address data in itself.
Further, in the case that the user 30 accesses directly the streaming server 10 after having received address data of the contents from the web page of an authenticated web server 20, the user 30 cannot receive the (changed) streaming data if the streaming server 10 has changed the address data of the contents during transmission of the above streaming data, because the address data changed by the streaming data is not transmitted to the user 30.
The above non-related server 40 is a means for providing the contents stored in the streaming server 10 by linking, without authorization, the address data of the contents provided by the streaming server 10, without prior authentication by the streaming server 10, examples of which include, personal homepages, warez sites where software or contents are illegally traded, search engine operating systems, etc.
Since the above non-related server 40) cannot receive the changed address data in the case that the streaming server 10 changes the address data of the contents, it is scarcely coourred that the correct address data of the contents becomes available to the non-related server 40. Thus, this server cannot transmit correct address data of the contents to a user 30, who requests this data. Accordingly, it is almost impossible that an unauthorized third person, i.e. a user 30 attempting to access the streaming server 10 via the above non-related server 40, receive the desired contents.
Fig. 11 is a block diagram showing a construction of the streaming server 10 and the web server 20 in accordance with the present invention. As shown in Fig.
11, the streaming server 10 comprises an address change module 11, a log process module 13, an encoding module 14, and a synchronizing module 12, while the web server 20 comprises a decoding module 21 and an address updating module 22.
The above address change module 11 generates a new address data of the existing multimedia streaming contents if a predetermined condition such as lapse of a predetermined time interval, accesses of users reach over a predetermined number, etc. occurs, and then, changes the address data by substituting the existing address data with the newly generated address data.
The above log process module 13 is a means for recording the address data, the change time data, the error data, etc. in the log file, while the above encoding module 14 is a means for encoding the address data prior to transmission thereof to the web server 20 in order to prevent leaking of the changed address data to a third person when the streaming server 10 transmits the changed address data to the web server 20 of an external networ . The above synchronizing module 12 is a means for synchronizing between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20, by transmitting the synchronized streaming data to the user 30 and the changed (or encoded) address data to the web server 20 so that no problem based on the change of the address data of the contents by the streaming server 10 arises between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20.
The above decoding module 21 is a means for decoding the encoded address data received from the streaming server 10, while the address updating module 11 is a means for updating the existing address data with the changed address data.
Fig. 12 is a flow chart showing another embodiment example of the method in accordance with the present invention having a system construction as in Figs. 10 and 11.
The address change module 11 of the streaming server 10 changes the address data by substituting the existing address data with newly generated address data if a predetermined condition occurs (S300) . This predetermined condition comprises a predetermined time interval, the number of user accesses over a predetermined figure, etc. Various methods may be adopted for generation of the address data of the contents, e'.g. one address data from among a plenty of addresses stored in advance could be selected successively or at random if a predetermined condition occurs, or an address data could be generated in accordance with a given rule whenever a predetermined condition occurs.
Then, the log process module 13 stores the necessary data, such as the changed address data, the change time data, and the error data, in the log file. Subsequently, the streaming server 10 confirms whether any web server 20 of the external network exists making reference to data relating to the stored web server 20, e.g. IP address (S320) , and, if it is confirmed that such web server 20 of the external network exists, the encoding module 14 encodes the changed address data prior to its transmission (S330) in order to prevent a possible leakage (of the address data) to a third persqn while the changed address data is transmitted through the external network to the web server 20. Then, the synchronizing module 12 transmits the synchronized streaming data to the user 30 and transmits the changed (or encoded) address data to the web server 20 to synchronize between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20, so that no problem based on the change of the address data of the contents arises between the streaming server 10 and the user 30 or between the streaming server 10 and the web server 20 (S340) .
When the address updating module 11 of the web server 20 of the internal network, after receiving the changed address data, updates the existing address data with the new address data received from the streaming server 10, the web server 20 transmits the changed address data to the user 30 upon request for contents transmission by the user 30, so that the user 30 can receive the contents by accessing the streaming server 10 with the address data.
On the one hand, the decoding module 21 of the web server 20 of the external network, after receiving the changed address data, decodes the address data, whereupon the address updating module 22 updates the existing address data with the new address data, the web server 20 transmits the changed address data to the user 30 upon request for contents transmission by the user 30, so that the user 30 can receive the contents by accessing the streaming server 10 with the address data. On the other hand, the user 30, who has received the remaining synchronized streaming data, receives and regenerates the streaming data, because the address data of the respective contents is changed during transmission thereof. The user is a user accessed the streaming server 10 via an authorized path, an authenticated web server 20 and provided with contents from the streaming server 10. Accordingly, the user who has arbitrarily accessed the streaming server 10 via the non-related server 40 or by using the address data of the contents obtained from the web page provided by the web server 20, may not receive the remaining streaming data, when the address data of the contents is changed during transmission thereof.
Although the construction and performance of the present invention have been described above, referring to the preferred embodiment related to the web server and the streaming server, it is not intended that the invention be limited to these embodiments. Modification within the spirit of the invention will be apparent to those skilled in the art. For example, the present invention may equally be applied to another embodiment, wherein two or more servers are included. One of the servers performs the authentication function, just as the web server and the other (s) of the servers performs the function of the service providing server (s), whereby the authentication server controls the access of the user to the service providing server.
INDUSTRIAL APLICABILITY
As described above, the present invention is capable of fundamentally cutting off accesses of unauthorized users, by not disclosing the absolute address of a contents data.
Further, the present invention provide a system and method for user authentication capable of confirming in an easy and simple manner a user accessing a contents server as to his authentication without a separate authentication procedure. In addition, the present invention provides a system and method for user authentication capable of reducing the network traffic by loading the system only by server unit, irrespective of the number of the users accessing the server, as well as reducing the time required for a user to view a data after he has accessed the server and requested the data.

Claims

1. A user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein the second server changes the address of the location in which said contents data is stored if a predetermined condition occurs, and then, transmits said changed address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed address.
2. The user authentication system as set forth in Claim 1, wherein said second server changes the virtual address corresponding to the address of the location in which said contents data is stored, and then, transmits said changed virtual address to said first server, while said first server allows only those users confirmed to be an authorized user to access said changed virtual address.
3. The user authentication system as set forth in Claim 1 or Claim 2, wherein both the address of the location in which said contents data is stored and the corresponding virtual address are changed at random.
4. The user authentication system as set forth in Claim 1 or Claim 2, wherein said predetermined condition is a predetermined time interval .
5. A user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which changes the physical address of the contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said physical address of said contents data as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said physical address of said contents data of said second server stored in the same based on said updated physical address of said contents data as transmitted from said synchronizing module.
6. A user authentication system comprising a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, wherein said second server comprises an address change module, which generates a virtual address corresponding to the physical address of each contents data, changes said virtual address corresponding to said physical address of said contents data whenever a predetermined condition occurs; and a synchronizing module, which transmits said virtual address as changed by said address change module to said first server, while said first server comprises an address updating module, which updates said virtual address of said contents data of said second server stored in the same based on said updated virtual address of said, contents data as transmitted from said synchronizing module.
7. The user authentication system as set forth in Claim 5 or Claim 6, wherein said predetermined condition is a predetermined time interval .
8. The user authentication system as set forth in Claim 7, wherein said second server further comprises an encoding module, which encodes the address as changed by said second server, while said first sever further comprises a decoding module, which receives and decodes said encoded data from said encoding module.
9. The user authentication system as set forth in Claim 7, wherein said second server further comprises a log process module, which records the log data of the system such as, the changed address data, the changed time data, the error data, etc.
10. A user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of: confirming by said second server whether a predetermined condition has occurred; changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred; transmitting said changed virtual address to said first server by said second server; receiving said changed virtual address and changing said virtual address of said contents data stored by said first server; and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server.
11. A user authentication method including a system consisted of a first server, which authenticates whether a user on the client is an authorized user while said first server is connected to said user; and a second server storing the contents data to be transmitted to said client, comprising the steps of: confirming by said second server whether a predetermined condition has occurred; changing the virtual address corresponding to the physical address where said contents data is stored by said second server if said predetermined condition has occurred; transmitting said changed virtual address to said first server by said second server; receiving said changed virtual address and changing said virtual address of said contents data stored in said first server by said first server; and allowing only those users confirmed to be an authorized user to access said changed virtual address by said first server.
12. The user authentication method as set forth in Claim 10 or Claim 11, wherein said predetermined condition is a predetermined time interval .
13. A user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs, and a synchronizing module, which transmits said changed address data to a user or a web server and synchronizes the same; and a web server including an address updating module, which updates the address data of the 'contents data stored in said streaming server with the new address data received from said streaming server.
14. A user authentication system comprising a streaming server including an address change module, which changes the address data of the contents it stores if a predetermined condition occurs, a synchronizing module, which transmits said changed address data to a user or a web server and synchronizes the same, and an encoding module, which encodes said changed address data; and a web server including a decoding module, which decodes said encoded address data received from said streaming server and an address updating module, which updates the existing address data of said contents with said new decoded address data.
15. The user authentication system as set forth in Claim 13 or Claim 14, wherein said streaming server further comprises a log process module, which stores the changed address data, the changed time data, etc. in the log file.
16. The user authentication system as set forth in Claim 13 or Claim 14, wherein said predetermined condition is a predetermined time interval or the number of accessed users exceeding a predetermined figure.
17. A user authentication method comprising the steps of: altering an address data of stored contents when a predetermined condition occurs; transmitting the altered address data to a web server; and updating existing address data with the received address data at said web server..
18. A user authentication method comprising the steps of: altering an address data of stored contents when a predetermined condition occurs; confirming whether a web server of an external network coupled with a streaming server exists; encrypting the altered address data, when the web server of an external network exists; transmitting the encrypted address data to the web server; decrypting the encrypted address data at the web server; and updating existing address data with the decrypted address data at the web server.
19. The user authentication method as set forth in Claim 17 or Claim 18, further comprising the step of recording the changed address data and the change time data in the log file.
20. The user authentication method as set forth in Claim 17 or Claim 18, wherein said predetermined condition in said step of changing address data of said contents stored if a predetermined condition occurs, is a predetermined time interval or the number of accessed users exceeding a predetermined figure.
PCT/KR2002/000293 2001-06-27 2002-02-22 User authentication system and method using the same WO2003005226A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020010036949A KR20010079245A (en) 2001-06-27 2001-06-27 System and method for maintaining security in providing a streaming service
KR2001/36949 2001-06-27

Publications (1)

Publication Number Publication Date
WO2003005226A1 true WO2003005226A1 (en) 2003-01-16

Family

ID=19711392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2002/000293 WO2003005226A1 (en) 2001-06-27 2002-02-22 User authentication system and method using the same

Country Status (2)

Country Link
KR (1) KR20010079245A (en)
WO (1) WO2003005226A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006044052A3 (en) * 2004-10-18 2006-06-15 Akimbo Systems Inc Method and apparatus for content download

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100955725B1 (en) * 2007-12-28 2010-05-03 엔에이치엔비즈니스플랫폼 주식회사 Method and system to block memory hack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20000030758A (en) * 2000-03-15 2000-06-05 윤형로 Information Marketing Business Model and Technical Implementating Methology includes its system which providing information utilizing its unique authentificatiry agent on Internet.
KR20000033213A (en) * 1998-11-20 2000-06-15 이계철 Method for transfering multimedia contents using meta data
KR20010029337A (en) * 1999-09-30 2001-04-06 정준민 Method of the operation for the Internet online certification system which were interactively in a knowledge-information website
KR20010050111A (en) * 1999-08-17 2001-06-15 포만 제프리 엘 Secure electronic content distribution on cds and dvds

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5636216A (en) * 1994-04-08 1997-06-03 Metricom, Inc. Method for translating internet protocol addresses to other distributed network addressing schemes
JP3965722B2 (en) * 1997-05-28 2007-08-29 ブラザー工業株式会社 MPEG stream data scrambling apparatus and scrambling method
US6530021B1 (en) * 1998-07-20 2003-03-04 Koninklijke Philips Electronics N.V. Method and system for preventing unauthorized playback of broadcasted digital data streams
KR100567022B1 (en) * 1999-12-29 2006-04-04 매그나칩 반도체 유한회사 Device isolation film formation method using trench of semiconductor device
KR20000050106A (en) * 2000-05-16 2000-08-05 김의경 multimedia streaming service method, and system for the same

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20000033213A (en) * 1998-11-20 2000-06-15 이계철 Method for transfering multimedia contents using meta data
KR20010050111A (en) * 1999-08-17 2001-06-15 포만 제프리 엘 Secure electronic content distribution on cds and dvds
KR20010029337A (en) * 1999-09-30 2001-04-06 정준민 Method of the operation for the Internet online certification system which were interactively in a knowledge-information website
KR20000030758A (en) * 2000-03-15 2000-06-05 윤형로 Information Marketing Business Model and Technical Implementating Methology includes its system which providing information utilizing its unique authentificatiry agent on Internet.

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006044052A3 (en) * 2004-10-18 2006-06-15 Akimbo Systems Inc Method and apparatus for content download

Also Published As

Publication number Publication date
KR20010079245A (en) 2001-08-22

Similar Documents

Publication Publication Date Title
US7827318B2 (en) User enrollment in an e-community
EP1645971B1 (en) Database access control method, database access controller, agent processing server, database access control program, and medium recording the program
US7721339B2 (en) Method for controlling access to digital content and streaming media
US7506055B2 (en) System and method for filtering of web-based content stored on a proxy cache server
US7350231B2 (en) System and method for controlling access to digital content, including streaming media
US8578462B2 (en) Method and system for secure session management in a web farm
US7356838B2 (en) System and method for controlling access to digital content, including streaming media
US7249369B2 (en) Post data processing
US7594003B2 (en) Client/server web application architectures for offline usage, data structures, and related methods
JP4887315B2 (en) Method and system for account management
US20070033155A1 (en) Client/server web application architectures for offline usage, data structures, and related methods
US20060080546A1 (en) System and method for regulating access to objects in a content repository
US20090172132A1 (en) Method and system for providing image rich web pages from a computer system over a network
WO2003005226A1 (en) User authentication system and method using the same
KR20020040696A (en) User authentication system and method using the same
JP4308549B2 (en) Authentication information management method and authentication information management apparatus

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69 EPC (EPO FORM 1205A OF 240504)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载