
WO2006003725A1 - Web server authentication system capable of performing web access point authentication (WAPA) - Google Patents


Info

Publication number: WO2006003725A1
Authority: WO (WIPO, PCT)
Prior art keywords: server, authentication, web, web server, authentication information
Application number: PCT/JP2004/013973
Other languages: English (en), Japanese (ja)
Inventor: Akihiko Narita
Original Assignee: Akihiko Narita


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/60 Digital content management, e.g. content distribution

Definitions

  • WAPA: Web Access Point Authentication
  • The present invention relates to web server authentication systems.
  • Patent Document 1: Japanese Unexamined Patent Application Publication No. 2003-337797
  • Patent Document 2: Japanese Patent Application Laid-Open No. 2002-373080
  • JP 2002-140309 ("Service system") proposes a system in which data delivery between server and client is performed through a data relay device and the server provides a service to the client.
  • The management server is connected to the relay server during data connection, and is used to
  • FIG. 1 shows an illustration of an end user operating an ATM.
  • An ATM may display "Error" or "Out of Service". Such problems are rarely reported to banks, except when the ATM does not return the card. However, if the ATM is not genuine, as shown in FIG. 2, it may record the card information and PIN, return the card, and display only "Error".
  • The fraud shown in FIGS. 2 and 3 could be prevented if the end user had a way to authenticate the ATM. In practice, it is unlikely that a hacker would build a fake ATM and place it convincingly in a public location.
  • The hacker's purpose is to trick the end user into entering confidential information into a fake website the hacker has created. Depending on the web application, this can be done fairly easily.
  • Hotspots are usually commercial services that provide high-speed wireless Internet access in public places such as coffee shops, train stations, and airports.
  • Mobile devices capable of 802.11b wireless communication
  • Users can check e-mail at the airport or purchase movie tickets from a coffee shop.
  • A commercial hotspot restricts use of the service to its own customers by having the end user authenticate. This is done by entering a username and password on the hotspot web page that is displayed first when the web browser is started after connecting to the hotspot.
  • The mobile device is configured to connect to a specific wireless network, by configuring it to connect to a specific SSID.
  • SSID: Service Set Identifier
  • The SSID is the name of a wireless network.
  • A hacker could set up a wireless access point at the same location as the hotspot, with the same SSID and a stronger signal. Every hotspot user would then be forced onto the hacker's access point without being aware of it.
  • The hacker provides a web page that mimics the hotspot authentication screen and stores every username and password entered. Once the login name and password have been captured, a slightly creative hacker displays an error message such as "Hotspot is currently unavailable", and the user is deceived. This is similar to the ATM example of FIG. 2.
  • The hotspot hacking example above used wireless signals to redirect end users to a hacker's website. It is also possible to redirect end users to another website on the LAN.
  • Access to a particular website is achieved by entering the appropriate URL of that website into the browser.
  • The hacker can see everything the end user does on this website. This is similar to the ATM example shown in FIG.
  • With these website hacking methods, a hacker can at least steal usernames and passwords for websites that handle confidential information. This theft could be prevented if the user could verify whether the web server is genuine.
  • Web access point authentication is not merely conventional web server authentication: it helps the end user confirm that the web server is genuine before sending secret information such as a username and password.
  • The targeted applications are web services that first require the user to enter secret information such as a username and password, including hotspot wireless access points, home banking websites, and similar services.
  • The server component resides on the web server.
  • The client component is, for example, an ActiveX (TM) control.
  • This gives end users an easy-to-use method for determining whether a web server is genuine or fake.
  • The core authentication algorithm is implemented using public key cryptography.
  • The invention is a server authentication system provided on a web server for performing web server authentication when any server connected to a network is accessed through a browser, comprising:
  • browsing request receiving means for receiving a web content browsing request and a server authentication request from a client terminal accessing the web server;
  • authentication information inquiry means for querying an authentication information registration server, which is set up for each web server and stores authentication information for authenticating the web server, for the web server's authentication information in response to the browsing request and server authentication request from the client terminal;
  • authentication information receiving means for receiving the authentication information when, as a result of the inquiry to the authentication information registration server, authentication information for the web server exists;
  • authentication information adding means for adding the received authentication information to the web content in response to the web content browsing request and server authentication request from the client terminal, and web content transmission means for transmitting the web content with the authentication information added to the client terminal.
  • The invention is also a web server authentication system comprising: a server authentication system provided on a web server for performing web server authentication when any server connected to the network is accessed through a browser; a client terminal for accessing the web server; and an authentication information registration server configured for each web server and storing authentication information for authenticating the web server.
  • In this system the web server comprises browsing request receiving means for receiving a web content browsing request and a server authentication request from a client terminal accessing the web server;
  • authentication information inquiry means for querying the authentication information registration server, which is set up for each web server and stores authentication information for authenticating the web server, for the web server's authentication information in response to the browsing request and server authentication request from the client terminal;
  • authentication information receiving means for receiving the authentication information when, as a result of the inquiry to the authentication information registration server, authentication information for the web server exists;
  • authentication information adding means for adding the received authentication information to the web content in response to the web content browsing request and server authentication request from the client terminal, and web content transmission means for transmitting the web content with the authentication information added to the client terminal;
  • and the authentication information registration server stores at least authentication information for authenticating the web server and user identification information for each user who uses the server authentication system at a client terminal.
  • The client terminal includes authentication request transmitting means for transmitting a server authentication request to the web server together with a web content browsing request, and server public key storage means for storing the public key of each web server.
  • The server authentication request transmitted from the client terminal and received by the browsing request receiving means of the web server contains identification information for a user of the server authentication system (the web server authentication system of any of claims 1 to 3).
  • The server authentication request transmitted from the client terminal and received by the browsing request receiving means of the web server includes a response request asking whether or not the web server is equipped with the server authentication system (any of claims 1 to 4).
  • When the authentication information inquiry means queries the authentication information registration server for the web server's authentication information, it transmits a query request including the user identification information (any of claims 1 to 5).
  • The authentication information inquiry means queries, on the basis of the user identification information, the authentication information of the web server, which is set for each web server and stored in advance in correspondence with the user identification information.
  • The per-user authentication information generated at the client terminal is encrypted using the user's public key, then encrypted using the web server's public key, and the resulting encrypted authentication information is stored.
  • When a client terminal accesses any web server, the server authentication request transmitted from the client terminal includes a response request asking whether the web server has the server authentication system; if the web server has the server authentication system it responds to the request, and if it does not, it does not respond (any of claims 5 to 8).
  • The client terminal stores the public key of the web server for decrypting the authentication information added to the web content, decrypts the authentication information added to the web content received from the web server using the secret key of the user of the client terminal, and determines the legitimacy of the authentication information (any of claims 1 to 9).
  • If the authentication information is determined not to be legitimate, a warning is displayed on the client terminal (claim 10).
  • When the client terminal does not store the public key of the web server for decrypting the authentication information attached to the web content, and the web server is equipped with the server authentication system, the response is presented to the user, who is asked to select whether or not to register the web server (claim 10 or 11).
Effect of the invention
  • Web access point authentication is not merely conventional web server authentication; it is intended to help the user verify that the web server is genuine before transmitting secret information such as a username and password.
  • The targeted applications are web services that first require the user to enter confidential information such as a username and password, including services such as hotspot wireless access points and home banking websites. This gives end users an easy-to-use method for determining whether a web server is genuine or fake.
  • The core authentication algorithm is realized using public key cryptography.
Brief description of the drawings
  • FIGS. 1 to 4 are diagrams showing conventional examples.
  • FIG. 5 is a system configuration diagram showing an example of the basic configuration of the system of the present invention.
  • FIG. 6 is a diagram showing a representative example of a server authentication pattern using the system of the present invention.
  • FIGS. 7 to 24 are flowcharts, each showing an example of the basic process flow of the system of the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION
  • FIG. 5 is a system configuration diagram showing an example of the basic configuration of the system of the present invention.
  • The system of the present invention is a server authentication system provided in a web server for performing web server authentication when any server connected to a network is accessed via a browser.
  • A web browser set up to use the system of the present invention serves as the client.
  • The system of the present invention includes a server authentication system provided on a web server for performing web server authentication when any server connected to the network is accessed via a browser, a client terminal that accesses the web server, and an authentication information registration server which is set up for each web server and stores authentication information for authenticating the web server.
  • Any web server set up to use the system of the present invention is paired with an authentication information registration server that operates in cooperation with it and stores authentication information for that web server.
  • A public key server stores the public key of each web server in a form the user can retrieve.
  • The public key server is used for server registration processing: the user retrieves the public key of a web server, stores it in the local database on the client terminal, and registers per-server authentication information in the authentication information registration server.
  • As the user terminal for connecting to the server system of the present invention, a computer terminal such as a personal computer or workstation is usually used.
  • The user terminal may also be a wireless communication terminal such as a mobile phone with a browser capable of connecting to the Internet, a portable information terminal, an Internet TV, a game device, a video conferencing system, or any of a wide range of other appliances, including home appliances, with network connection functions.
  • The computer terminal includes control means, storage means, input means, output means, display means and the like. It can connect to a computer network, typically the Internet, to send and receive data, and is usually equipped with a browser, e-mail software, application programs such as a word processor, and an operating system (OS).
  • The server is connected to a network, typically the Internet.
  • The network is usually assumed to be the Internet, but it may also be a network connected by a leased line, a corporate LAN, a WAN, etc.
  • The communication line may be wired or wireless in the broad sense, including satellite communication, Bluetooth, etc.
  • The web server authenticated by the system of the present invention stores content data and application programs to be accessed from the user terminal. The content data includes data files displayed on the web, such as HTML and XML files, data files displayed on mobile phones that can access the website, such as CHTML files, and character, audio, image, moving image, animation and various other content data files that are displayed or output by being embedded in these files.
  • A web server using the system of the present invention includes browsing request receiving means for receiving a web content browsing request and a server authentication request from a client terminal accessing the web server.
  • A web content browsing request is the generally known browsing request that sends an HTTP request when a URL is entered or a hyperlink is clicked in a browser.
  • Together with it, a server authentication request for proving the legitimacy of the server is included.
  • The server authentication request transmitted from the client terminal and received by the browsing request receiving means of the web server includes user identification information for the server authentication system.
  • The server authentication request can be included in the HTTP GET request sent from the client to the server authentication system compatible server; more preferably, the server authentication request further includes the client's server authentication system user ID.
  • Alternatively, separately from the HTTP GET request sent from the client to the server authentication system compatible server, the server authentication request can be included in data transmitted and received by socket communication between the client and the server using TCP; more preferably, the server authentication request further includes the client's server authentication system user ID.
  • A socket is an abstract interface for creating TCP/IP applications; communication proceeds by creating a socket, connecting to the server, communicating with the server, and destroying the socket.
  • A socket is used to perform data communication between computers with send/receive calls, in the same way a program writes to and reads from a file.
  • On the client side, the known calls are socket() (socket creation), connect() (socket connection), read() (data reception), write() (data transmission), close() (socket deletion), etc.
  • On the server side, the known calls are socket() (socket creation), bind() (socket registration), listen() (socket connection preparation), accept() (waiting for a socket connection), read() (data reception), write() (data transmission), close() (socket deletion), etc.
  • Before communication starts, both the client and server first create a socket; the server side waits for a connection request from the client, the client side sends a connection request to the server side, and once a connection has been established between the server socket and the client socket, data transmission and reception begin.
  • socket() creates a socket.
  • The server side uses the three system calls bind(), listen(), and accept() to put a socket in the connection-waiting state.
  • The client side creates a socket with socket(), sends a connection request to the server with connect(), and after connecting, each side writes data to its socket with the write() system call to send it to the other side.
  • Reading the socket with the read() system call receives the data sent by the other party. Transmission and reception with write() and read() are repeated until communication is complete. Communication ends when either side executes the close() system call and disconnects the connection.
  • The server authentication request transmitted from the client terminal and received by the browsing request receiving means of the web server includes a response request as to whether or not the web server is equipped with the server authentication system.
  • The response request is sent along with the web content browsing request from the user terminal and checks whether the web server being browsed supports web access point authentication (WAPA), the system of the present invention.
  • The web server answers the response request contained in the server authentication request sent from the client terminal: if the web server is equipped with the server authentication system it responds, and if it is not, no response is returned.
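As an added illustration, not code from the patent, the following Go program models the response request carried over a separate TCP socket as described above: the client connects, sends a request line carrying its user ID, a server equipped with the system answers, and a server without it sends nothing back. The message strings ("WAPA-REQ ", "WAPA-ACK"), the loopback address, the user ID "user-0001" and the two-second timeout are assumptions made for this example; the patent specifies no wire format. The practitioner's point it demonstrates is that "no response" has to be bounded by a read deadline, otherwise the client blocks indefinitely on any server, benign or hostile, that lacks the system.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Wire format is constructed for this example: the page only states that the
// request carrying the user ID travels over a TCP socket and that a server
// without the system sends nothing back.
const (
	reqPrefix = "WAPA-REQ "
	ackLine   = "WAPA-ACK\n"
)

// serve handles one connection: a WAPA-capable server answers the response
// request with an ACK; a server lacking the system closes without answering.
func serve(ln net.Listener, capable bool) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil || !strings.HasPrefix(line, reqPrefix) {
		return
	}
	if capable {
		fmt.Fprint(conn, ackLine)
	}
}

// StartServer listens on an OS-chosen loopback port, serves one client in
// the background, and returns the address to dial.
func StartServer(capable bool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		serve(ln, capable)
	}()
	return ln.Addr().String(), nil
}

// ProbeServer is the client side of the response request. Because a server
// without the system never replies, the read carries a deadline; otherwise
// the client would block forever on a non-capable (or malicious) server.
func ProbeServer(addr, userID string, timeout time.Duration) (bool, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := fmt.Fprintf(conn, "%s%s\n", reqPrefix, userID); err != nil {
		return false, err
	}
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return false, err
	}
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		// EOF (server closed) or deadline exceeded: "not supported", not a failure.
		return false, nil
	}
	return line == ackLine, nil
}

func main() {
	for _, capable := range []bool{true, false} {
		addr, err := StartServer(capable)
		if err != nil {
			fmt.Println("listen:", err)
			return
		}
		ok, err := ProbeServer(addr, "user-0001", 2*time.Second)
		fmt.Printf("server capable=%v -> client sees supported=%v err=%v\n", capable, ok, err)
	}
}
```

Note that a missing reply is reported as "not supported" rather than as an error, because the patent treats silence as the defined answer of a server without the system; a transport failure before the request is written is still surfaced as an error so the two cases are not confused.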
  • The web server is provided with authentication information inquiry means for querying the authentication information registration server, which is set up for each web server and stores authentication information for authenticating the web server, in response to the browsing request and server authentication request from the client terminal.
  • When querying for the web server's authentication information, the authentication information inquiry means transmits an inquiry request including the user identification information to the authentication information registration server, a database server holding the registered authentication information.
  • The user identification information is, for example, a user ID of the system of the present invention.
  • The authentication information is preferably per-user authentication information corresponding to the server authentication system user identification information included in the server authentication request transmitted from the client terminal.
  • The user performs the server registration processing described later on the client terminal, generating per-user authentication information using the public key of each server and, preferably, the public key of each user, and registers it.
  • The necessary data can be transmitted and received by socket communication using the TCP communication described above.
  • Authentication information receiving means is provided to receive the authentication information when the registration server holds authentication information for the web server.
  • The authentication information inquiry means queries, on the basis of the user identification information, the authentication information of the web server, which is set for each web server and stored in advance in correspondence with the user identification information.
  • The authentication information is then received by the web server.
  • The web server is provided with authentication information adding means for adding the received authentication information to the web content in response to the web content browsing request and server authentication request from the client terminal.
  • The authentication information can adopt various data formats, for example digital certificates and other data formats.
  • The authentication information of the web server, set for each web server and stored in advance in correspondence with the user identification information, is per-user authentication information generated at the client terminal, encrypted using the user's public key and then using the web server's public key, and stored in the authentication information registration server by web server registration.
  • The authentication information is added as data to the HTML file or other web content so that the browser on the user's client terminal can interpret and display it; for example, it can be displayed as image data such as a server certificate.
  • The per-user authentication information is generated by double encryption using the per-user public key and the per-web-server public key; the web server decrypts it using its secret key, so that the user's client terminal can then decrypt it with the user's secret key.
  • The web server includes web content transmitting means for transmitting the web content with the authentication information added to the client terminal.
  • The web content transmitting means transmits the web content with the authentication information added to the user's client terminal in response to the web content browsing request, in the same manner as normal web content browsing.
  • Alternatively, instead of adding the authentication information as data to the HTML file or other web content, the data transmitted from the web server to the client terminal by socket communication using TCP, separately from the web content, can be made to include the authentication information.
  • The authentication information registration server operates in cooperation with a web server set up to use the system of the present invention and stores that server's authentication information.
  • The authentication information registration server is a database server provided for each web server using the system of the present invention.
  • The authentication information registration server stores at least authentication information for authenticating the web server and user identification information for each user who uses the server authentication system at a client terminal.
  • The client terminal is provided with authentication request transmitting means for transmitting a server authentication request to the web server together with a web content browsing request.
  • The authentication request is a request to prove the legitimacy of the server, as described above, and further includes a response request checking whether the web server supports web access point authentication (WAPA), the system of the present invention.
  • The function for transmitting these requests may be added to an ordinary browser, for example, or may be provided by a browser dedicated to the system of the present invention.
  • The client terminal is provided with server public key storage means for storing the public key of each web server.
  • The server public key storage means is a local database in which the user stores the public key of each web server at the client terminal.
  • When server registration processing is performed, the corresponding public key is downloaded from the public key server and stored in the server public key storage means (the local database), and the per-server authentication information is registered in the authentication information registration server.
  • When the client terminal stores the public key of the web server for decrypting the authentication information attached to the web content, it decrypts the authentication information attached to the web content received from the web server using the secret key of the user of the client terminal and determines its legitimacy. If the authentication information is determined not to be legitimate, a warning is displayed on the client terminal.
  • When the client terminal does not store the public key of the web server for decrypting the authentication information attached to the web content, and the web server is equipped with the server authentication system, the user is informed of this and asked to select whether or not to register the web server.
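The double encryption of the per-user authentication information described above (user public key first, web server public key second), with the web server peeling the outer layer and the client terminal the inner one, can be exercised end to end with the following Go program. It is an added example, not code from the patent, and it makes assumptions the page does not state: RSA-OAEP with SHA-256 as the public key algorithm, a 32-byte random per-user secret as the authentication information, an in-memory map as the registration server, and the constructed user ID "user-0001". Because RSA can only encrypt a message shorter than its modulus, the server key is 3072 bits so that the 256-byte inner ciphertext fits; a real deployment would wrap the inner ciphertext with hybrid encryption instead of a larger RSA key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RegistrationServer stands in for the per-web-server authentication
// information registration server: one opaque blob per user ID.
type RegistrationServer struct {
	records map[string][]byte
}

func (r *RegistrationServer) Store(userID string, blob []byte) { r.records[userID] = blob }

func encryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// RegisterServer is the client-side registration step: generate a fresh
// per-user secret, encrypt it to the user's public key, then wrap that
// ciphertext with the web server's public key. Only the double-encrypted
// blob leaves the terminal; the client keeps the plaintext secret.
func RegisterServer(userPub, serverPub *rsa.PublicKey) (secret, blob []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	inner, err := encryptTo(userPub, secret)
	if err != nil {
		return nil, nil, err
	}
	// The outer key must hold the inner ciphertext (256 bytes for RSA-2048);
	// RSA-3072 with OAEP/SHA-256 accepts up to 318 bytes.
	blob, err = encryptTo(serverPub, inner)
	return secret, blob, err
}

// ServerRespond is the web server's step: fetch the user's record from the
// registration server and strip the outer layer with the server private key.
func ServerRespond(reg *RegistrationServer, userID string, serverPriv *rsa.PrivateKey) ([]byte, error) {
	blob, ok := reg.records[userID]
	if !ok {
		return nil, errors.New("no authentication information registered for user")
	}
	return decryptWith(serverPriv, blob)
}

// ClientVerify decrypts what came back with the user's private key and
// compares it to the secret kept since registration.
func ClientVerify(userPriv *rsa.PrivateKey, received, expected []byte) bool {
	got, err := decryptWith(userPriv, received)
	return err == nil && bytes.Equal(got, expected)
}

// RunScenario performs registration and one authentication exchange, then
// shows that an impostor who relays the stored blob unchanged is rejected.
// It returns (genuine accepted, impostor accepted, error).
func RunScenario() (bool, bool, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return false, false, err
	}
	const userID = "user-0001" // constructed sample identifier
	reg := &RegistrationServer{records: map[string][]byte{}}
	secret, blob, err := RegisterServer(&userKey.PublicKey, &serverKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	reg.Store(userID, blob)

	resp, err := ServerRespond(reg, userID, serverKey)
	if err != nil {
		return false, false, err
	}
	genuine := ClientVerify(userKey, resp, secret)
	// Impostor: can read the registration database but has no server private
	// key, so the best it can do is relay the double-encrypted blob.
	impostor := ClientVerify(userKey, blob, secret)
	return genuine, impostor, nil
}

func main() {
	genuine, impostor, err := RunScenario()
	fmt.Printf("genuine accepted=%v impostor accepted=%v err=%v\n", genuine, impostor, err)
}
```

Two properties of the scheme as modelled are worth noting. Reading the registration database is not enough for an impostor, since the relayed blob fails the client check. On the other hand, the inner ciphertext the genuine server returns is the same on every visit, and the page describes no nonce or challenge, so in this model an attacker who captures one genuine response could replay it; a deployment would need a per-session challenge bound into the authentication information.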
  • FIG. 6 is a diagram showing a representative example of a server authentication pattern using the system of the present invention.
  • FIGS. 7 to 24 are flowcharts showing an example of the basic process flow of the present invention.
  • The client terminal queries the server public key storage means (local database) and finds that the web server is unregistered.
  • The client terminal sends a browsing request to the web server.
  • This request includes a request for a response indicating whether the web server supports the server authentication system.
  • A response message indicating that the web server supports the server authentication system is included in the requested HTML file.
  • The web server sends the HTML page to the client terminal, which supports the server authentication system.
  • Via the browser, the user is given the option of registering the web server, which supports the server authentication system. No alert is generated, because the server is legitimate.
  • FIG. 8 is a flow chart showing an example in which data necessary for server authentication is transmitted / received by TCP communication using a socket in communication between a client and a server as described above.
  • Next, the processing when a registered WAPA-compatible server is accessed from a WAPA-compatible client terminal is described.
  • The client provides the server with the user ID of the system of the invention to initiate an authentication transaction.
  • The client terminal decrypts the authentication information package using the user's private key to prove that it was sent by the genuine server.
  • The client terminal searches the local database for the appropriate server authentication system user ID.
  • The client terminal sends an HTML request, which is a browsing request, to the web server that supports the server authentication system.
  • This request further includes the server authentication system user ID of the user at the client terminal.
  • The web server, which supports the system of the present invention, verifies the client's server authentication system user ID.
  • The server queries the authentication information registration server for the user ID of the client user.
  • The authentication information registration server searches for the appropriate authentication information based on the client's user ID.
  • The authentication information registration server sends the retrieved authentication information to the web server that supports the server authentication system.
  • The authentication information is included in the HTML page, and the web server sends the HTML page to the client, which supports the server authentication system.
  • To determine the legitimacy of the web server that supports the server authentication system, the client terminal decrypts the authentication information using its secret key and verifies the legitimacy of the web server. This is done by comparing the decrypted information with its local copy to see whether they match. If they match, the server is authenticated by the client and its related information is displayed in the browser.
  • FIG. 10 is a flow chart showing an example in which the above processing is performed to transmit and receive data necessary for server authentication by TCP communication using a socket in communication between a client and a server, as described above.
  • Since the web server does not use Web Access Point Authentication (WAPA), the client terminal cannot authenticate it; the client terminal therefore performs no authentication and issues no alert or warning.
  • The client terminal queries the local database and finds that the web server has not been registered.
  • This request further includes a request for a response indicating whether the web server supports the server authentication system. Since the web server does not have a server authentication system, it simply ignores this request.
  • The web server returns the requested HTML file without responding to the server authentication system support request. Since there is no signature package, the web server cannot be authenticated, and no warning is generated because the web server is not registered with the client.
  • FIG. 12 is a flow chart showing an example in which the above processing is performed to transmit and receive data necessary for server authentication by TCP communication using a socket in communication between a client and a server as described above.
  • The appropriate server authentication system user ID is searched for in the local database.
  • The client sends an HTTP GET request, which is a browsing request, to the web server.
  • This request also includes the user ID of the client's server authentication system.
  • Since the web server does not have the server authentication system of the present invention, the client's server authentication system user ID is simply ignored.
  • The web server sends the requested HTML page without any server authentication system response.
  • The client displays a fraud alert, because the registered web server could not send back the appropriate server authentication system authentication information.
  • FIG. 14 is a flowchart showing an example of data transmission and reception required for server authentication by TCP communication using a socket in communication between a client and a server as described above.
  • Next, the processing when an unregistered impersonation server equipped with Web Access Point Authentication (WAPA) is accessed from a WAPA-compatible client terminal is described.
  • A Web Access Point Authentication (WAPA)-enabled client gives the user the option of registering the web server. When the user approves, the client terminal performs registration processing for the WAPA-enabled web server. The detailed transaction for registering server information at the WAPA client is described later. When the registration procedure is complete, the WAPA-compatible client terminal is able to authenticate the WAPA-compatible web server in subsequent transactions.
  • The client terminal queries the local database and finds that the corresponding web server is unregistered.
  • An HTTP GET request, which is a browsing request, is sent; the request includes a request for a server authentication system response, for checking whether the web server has the server authentication system of the present invention.
  • The web server constructs a fake server authentication system acknowledgment message and incorporates it into the requested HTML file. The web server then sends the HTML page to the client, which supports the server authentication system.
  • The user is given the option of registering the web server.
  • FIG. 16 is a flow chart showing an example in which the above processing is performed to transmit and receive data necessary for server authentication by TCP communication using a socket in communication between a client and a server, as described above.
  • Next, the processing when the impersonation WAPA server is accessed from a WAPA-compatible client terminal is described.
  • The spoofed web server may return an error to the client terminal or may try to return a bad authentication package. In either case, the client terminal displays a fraud alert.
  • The client terminal searches the local database for the appropriate server authentication system user ID.
  • This request also includes the user ID of the client's server authentication system.
  • The impersonation server, posing as compatible with the server authentication system of the present invention, confirms the client's user ID, constructs a false authentication package, and includes the false authentication information in the requested HTML page.
  • The HTML page is sent to the client, which supports the server authentication system.
  • The client terminal receives the web content and decrypts the authentication information using the client's secret key in order to determine the legitimacy of the web server that claims to support the server authentication system. This is done by comparing the decrypted information with its local copy to see whether they match.
  • Since the decrypted information does not match, the client terminal classifies the web server as a disguised website.
  • The client terminal issues a fraud alert to the user and displays the relevant information in the browser.
  • FIG. 18 is a flowchart showing an example of data transmission / reception required for server authentication by TCP communication using a socket in communication between a client and a server as described above.
  • Next, the processing when a disguised server not equipped with Web Access Point Authentication (WAPA), and not registered at the client, is accessed from a WAPA-compatible client terminal is described.
  • The web server cannot be authenticated because it does not support Web Access Point Authentication (WAPA). Therefore the client terminal performs no authentication and generates no alert.
  • The client terminal queries the local database and finds that the web server is unregistered.
  • A browsing request, an HTTP GET request, is sent from the client terminal to the relevant web server.
  • This request further includes a request for a server authentication system response, for checking whether the web server is equipped with the server authentication system of the present invention.
  • Since the spoofed web server does not have the server authentication system of the present invention, it simply ignores the request for a server authentication system response.
  • The spoofed web server does not respond to the server authentication system response request and returns the requested HTML file.
  • Server authentication is therefore not possible. No alert is generated, because the web server is not registered with the client and does not have a server authentication system.
  • FIG. 20 is a flow chart showing an example in which the above processing is performed to transmit and receive data necessary for server authentication by TCP communication using a socket in communication between a client and a server, as described above.
  • The appropriate server authentication system user ID is searched for in the local database.
  • An HTTP GET request, which is a browsing request, is sent from the client terminal to the relevant web server.
  • This request also includes the user ID of the client's server authentication system.
  • The spoofed web server simply ignores the client's user ID, since it does not have the server authentication system of the present invention.
  • Since the spoofed web server does not have the server authentication system of the present invention, it simply sends the requested HTML page.
  • The client displays a fraud alert because the registered web server cannot send back the appropriate authentication information.
  • FIG. 22 is a flow chart showing an example in which the above processing is performed to transmit and receive data necessary for server authentication by TCP communication using a socket in communication between a client and a server, as described above.
  • Next, the server registration process, in which a genuine server equipped with Web Access Point Authentication (WAPA) is registered with a WAPA-compatible client terminal through the browser, is described.
  • This procedure is designed so that the client can use the public key of the WAPA-enabled web server, and so that the WAPA-enabled web browser can authenticate that web server by default.
  • The public key can be obtained securely by downloading it from the Web Access Point Authentication (WAPA) public key server.
  • A web server that supports the server authentication system is registered in the client terminal.
  • The client terminal requests the signed public key of the web server that supports the server authentication system from the public key server.
  • The public key server searches for the appropriate signed public key of the web server that supports the server authentication system.
  • The public key server then sends the signed public key of that web server to the client terminal.
  • The user's authentication information is generated and encrypted using the client's public key; the encrypted information is then signed again using the public key of the web server that supports the server authentication system.
  • The client terminal sends this doubly encrypted authentication information to the corresponding web server that supports the server authentication system.
  • The web server receives the user's authentication information transmitted from the client terminal, transmits it to the database server, a server for unified authentication, and stores it in association with the user ID.
  • The web server generates a public key and private key pair. The web server then sends the public key to the system of the third-party certification authority holder.
  • The certification authority holder's system, a third-party organization, verifies the legitimacy of the web server and signs the web server's public key.
  • The signed public key is transmitted directly from the third-party certification authority holder's system to the public key server of the system of the present invention.
  • The public key server receives the signed public key and stores it in association with identification information identifying the web server, so that it can be used by clients that support the server authentication system.
  • The public key server notifies the owner of the web server that the public key is available to client terminals.
  • The web server is then regarded as a web server that supports the server authentication system, and the user can register it using the browser of the client terminal.

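As an added example (not code from the patent), the following Python simulation walks through the access patterns of FIGS. 6 to 22 and the server registration procedure described after them from the client's point of view: which combination of registration state and server behaviour ends in authentication, a registration offer, silence, or a fraud alert. It replaces the public-key decryption of the authentication package with a constant-time comparison of a constructed random token, and the host names, user ID and class names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hmac
import secrets

class Outcome(Enum):
    AUTHENTICATED = "server verified; content displayed"
    OFFER_REGISTRATION = "unregistered server claims WAPA; offer registration"
    NO_CHECK = "unregistered server without WAPA; no check, no alert"
    FRAUD_ALERT = "registered server failed authentication; fraud alert"

@dataclass
class Response:
    claims_support: bool           # answered the "do you support WAPA?" query
    auth_package: Optional[bytes]  # authentication information attached to the HTML

class GenuineServer:
    """WAPA server; looks the user's auth info up in the registration server."""
    def __init__(self) -> None:
        self.registration_db: dict[str, bytes] = {}   # user ID -> auth info

    def respond(self, user_id: Optional[str]) -> Response:
        pkg = self.registration_db.get(user_id) if user_id else None
        return Response(claims_support=True, auth_package=pkg)

class LegacyServer:
    """Server without WAPA (genuine or impostor): ignores query and user ID."""
    def respond(self, user_id: Optional[str]) -> Response:
        return Response(claims_support=False, auth_package=None)

class ImpostorWapaServer:
    """Impersonation server that fakes WAPA support and forges the package."""
    def respond(self, user_id: Optional[str]) -> Response:
        return Response(claims_support=True, auth_package=b"forged-package")

class WapaClient:
    def __init__(self, user_id: str) -> None:
        self.user_id = user_id
        self.local_db: dict[str, bytes] = {}  # local database of registered servers

    def register(self, host: str, server: GenuineServer) -> None:
        # Registration: the auth info is kept locally and deposited, via the web
        # server, in the registration server. The real scheme encrypts it; this
        # stand-in uses a constructed random token, not the patent's format.
        auth_info = secrets.token_bytes(32)
        self.local_db[host] = auth_info
        server.registration_db[self.user_id] = auth_info

    def browse(self, host: str, server) -> Outcome:
        stored = self.local_db.get(host)
        if stored is None:                    # unregistered: only the support query
            resp = server.respond(None)
            return Outcome.OFFER_REGISTRATION if resp.claims_support else Outcome.NO_CHECK
        resp = server.respond(self.user_id)   # registered: user ID sent with the GET
        # Real scheme: decrypt with the user's secret key, then compare with the
        # local copy; here the returned token is compared directly, constant-time.
        if resp.auth_package is not None and hmac.compare_digest(resp.auth_package, stored):
            return Outcome.AUTHENTICATED
        return Outcome.FRAUD_ALERT

def run_patterns() -> dict:
    """The (server type, registered?) patterns of FIG. 6 against one client."""
    client = WapaClient("user-0001")          # constructed user ID
    genuine = GenuineServer()
    out = {"genuine/unregistered": client.browse("genuine.example", genuine)}
    client.register("genuine.example", genuine)
    out["genuine/registered"] = client.browse("genuine.example", genuine)
    for name, srv in (("legacy", LegacyServer()), ("impostor-wapa", ImpostorWapaServer())):
        host = f"{name}.example"
        out[f"{name}/unregistered"] = client.browse(host, srv)
        client.local_db[host] = secrets.token_bytes(32)   # was registered earlier
        out[f"{name}/registered"] = client.browse(host, srv)
    return out
```

Note that an unregistered impostor which falsely claims WAPA support is indistinguishable from a genuine unregistered server at this stage, so the scheme relies on the user's decision at the registration prompt; only once a server is registered does a mismatched or missing package raise the fraud alert.
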
Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided are a server authentication system comprising a web server, a client terminal and an authentication information registration server that holds authentication information. The web server comprises browsing request receiving means for receiving a browsing request and an authentication request from the client terminal, authentication information verifying means for verifying the web server's authentication information against the authentication information registration server, authentication information receiving means for receiving the verified authentication information, authentication information adding means for adding the authentication information to the web content, and web content transmitting means for transmitting the web content to the client terminal. The authentication information registration server holds the authentication information and the user's identification information.
PCT/JP2004/013973 2004-07-01 2004-09-15 Web server authentication system capable of performing web access point authentication (WAPA) WO2006003725A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004195208A JP2007279775A (ja) 2004-07-01 2004-07-01 Web server authentication system capable of web access point authentication (WAPA)
JP2004-195208 2004-07-01

Publications (1)

Publication Number Publication Date
WO2006003725A1 true WO2006003725A1 (fr) 2006-01-12

Family

ID=35782540

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2004/013973 WO2006003725A1 (fr) 2004-07-01 2004-09-15 Web server authentication system capable of performing web access point authentication (WAPA)

Country Status (2)

Country Link
JP (1) JP2007279775A (fr)
WO (1) WO2006003725A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112751844A (zh) * 2020-12-28 2021-05-04 杭州迪普科技股份有限公司 Portal authentication method and apparatus, and electronic device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004159159A (ja) * 2002-11-07 2004-06-03 Nippon Telegr & Teleph Corp <Ntt> Name resolution method, name resolution system, name resolution directory, communication terminal device, program and recording medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
NOBORI F.: "Kiso kara Wakaru SSH o Tsukatta Secure Server Kochiku Nyumon Dai 3 Kai SSH no Kokai Kagi Ninsho Kino o Tsukatte Miyo", NETWORK MAGAZINE, ASCII CORP., vol. 6, no. 11, 1 November 2001 (2001-11-01), pages 114 - 117, XP002995661 *
SAITO T. ET AL: "Kokai Kagi o Mochiita Ninsho Protocol ni Tsuite", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 42, no. 8, 15 August 2001 (2001-08-15), pages 2040 - 2048, XP002995662 *
SATO S.: "Jibun de Dekiru Security Taisaku Dai 1 Kai Internet no Anzen Taisaku", NIKKEI PERSONAL COMPUTING, no. 353, 24 January 2000 (2000-01-24), pages 286 - 289, XP002995663 *

Also Published As

Publication number Publication date
JP2007279775A (ja) 2007-10-25

Similar Documents

Publication Publication Date Title
US10025920B2 (en) Enterprise triggered 2CHK association
US9716691B2 (en) Enhanced 2CHK authentication security with query transactions
CN101331731B (zh) Method, apparatus and program product for customized authentication of clients within a federation by an identity provider
EP2213044B1 (fr) Method for providing assured transactions using a secure transaction device and watermark verification
US8452961B2 (en) Method and system for authentication between electronic devices with minimal user intervention
KR20010085380A (ko) Method and system for associating devices to protect commercial transactions conducted over the Internet
CN102577301A (zh) Method and apparatus for trusted authentication and login
CN102739664A (zh) Method and apparatus for improving the security of network identity authentication
WO2014154073A1 (fr) System for secure access to a network address, and associated device and method
CA2381108A1 (fr) Secure mutual authentication system
JP2001186122A (ja) Authentication system and authentication method
US8423782B2 (en) Method for authenticating a user accessing a remote server from a computer
WO2022033350A1 (fr) Service registration method and device
Tatly et al. Security challenges of location-aware mobile business
KR20080083418A (ko) Network access authentication method and system using a CHAP challenge message
GB2401445A (en) Web site security model
WO2006003725A1 (fr) Web server authentication system capable of performing web access point authentication (WAPA)
JP2002007355A (ja) Communication method using a password
KR20060094453A (ko) Authentication method for time-limited services using EAP, and system therefor
JP4630187B2 (ja) Authentication method
KR101510473B1 (ko) Authentication method and system with enhanced security of member information provided to a content provider
KR100358927B1 (ko) Method for authenticating naming information in a secure domain name system, and name server
TW200412109A (en) Method for protecting copyright of an electronic document in a wireless communication system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP
