JP2003233592A - Authentication server, authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication server, an authentication system and an authentication method allowing the authentication of a customer in all bidirectional communications, regardless of whether the customer and a content provider join or not a communication providing company. <P>SOLUTION: An authentication server 10 has ID mask generating means 20 and ID mask storing means 30. A creator 20 has customer ID acquiring means 21 for acquiring a customer ID 1, computer time acquiring means 22 for acquiring a computer time, authentication server host ID acquiring means 23 for acquiring a host ID of the authentication server 10, service period determining means 24 for determining the customer ID 1, an ID mask storage device 25 for storing an ID mask 2c, active ID making means 26 for making an active ID 2, and active ID information making means 27 for making active ID information 3. An CPU executes these control programs to realize the functions. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication server, an authentication system and an authentication method for performing an authentication process when information is provided to a customer terminal such as a mobile terminal device or a personal computer of a customer.

[0002]

2. Description of the Related Art Conventionally, various techniques have been used to authenticate a legitimate user. For example, a method of assigning or selecting a password to each user in advance and requesting the customer to present the password when providing the service, and providing the service only when the password is correct is a method. Has been taken.

In recent years, with the spread of the Internet and personal computers and mobile phones connected to the Internet, various methods have been devised for providing services to customers on communication lines. At the time of providing the services,
You may be asked to provide your password. When this password information is transmitted to the server that provides the service, the password may be leaked to a third party and a problem may occur. In order to prevent this leakage, a method of encrypting a password and increasing the degree of security is widely used. Popular encryption methods include a public key method, a secret key method, and a digital signature, and the RSA method is known as an algorithm. (Hereinafter, described as "prior art 1").

Further, even in the case of a mobile phone, when a call service, a mail service and an information providing service of a certain telephone company are received, a method of authenticating a customer who joins the telephone company is adopted. This is an authentication system that uses a user ID unique to a mobile phone to be transmitted and received between a mobile phone and a base station during a call by a customer. In this authentication system, a temporary ID for authentication is used by using the user ID or the like. Issue a static ID (hereinafter referred to as "prior art 2").

[0005]

However, in the cryptosystem of the prior art 1, a permanent unique password is uniformly given without considering the purpose of use, frequency, etc. on the side of use.
The management of the password was left to the customer. Therefore, if the password is stolen by a third party, the customer suffers damage and needs to issue a new password again.

Further, in order to avoid the above damage, in the prior art 2, the temporary ID using the user ID unique to the mobile phone is issued only during the data transmission / reception, and the authentication service using this is issued. There are also companies that offer.
However, this is a Web site that customers who subscribe to a certain telephone company have official websites (officially authorized and installed by a certain company / organization / group).
It can be used only when browsing the website), and customer authentication is not possible when customers of other telephone companies browse unofficial websites (websites launched by general users, groups, companies, etc. without permission). Met. Further, even if a customer of a certain telephone company received the information providing service on the unofficial site, it was not possible to authenticate the customer.

[0007] However, the number of Web sites is increasing year by year, and the number of official sites has increased too much, so that the merit of the official site that it is easy to attract customers has started to be lost. Along with this, the informal site is establishing a method of attracting customers by partnering with existing media and businesses, and the number thereof is rapidly increasing, and establishment of an authentication system and method therefor is desired.

The present invention has been made in view of the above problems, and authenticates the customer in all two-way communication regardless of whether the customer and the content provider are subscribed to a certain communication provider. The purpose is to provide an authentication server and all methods that can be performed.

[0009]

In order to solve the above problems, the first feature of the present invention is: (a) communication with a customer terminal based on customer ID information including a customer ID unique to the customer. Active ID generation means for generating an active ID used for authentication on a route and tracking of communication progress, and (b) an active ID for storing active ID and active ID information which is environment information of a computer when the active ID is generated. The gist is that the authentication server includes a storage unit. The first feature of the present invention is (c) Active I.
The D generation means is active by using a customer ID acquisition means for acquiring a customer ID, (d) expiration date determination means for determining whether the customer ID is within the usable expiration date, and (e) customer ID information. It is also possible to add an active ID creating means for creating an ID and (f) an active ID information creating means for creating active ID information which is environment information of the computer at the time of creating the active ID. Furthermore, (g) the active ID creation means may include having an ID mask storage device that stores an ID mask that prevents identification of the active ID.

In the present invention, the term "expiration date" means a time limit arbitrarily set by a program or the like, and data transmission / reception of 1 cool (unit of communication operation until reply to transmitted information returns) Whether or not to return within the expiration date is used as the determination criterion of the expiration date determination means.

In the present invention, the "ID mask storage device" means I
This is a table in which random numbers generated by the D-mask random means are registered, and each random number (ID mask) is
It has a mask number key associated with each random number one-to-one. This mask number key is used as a part of the active ID when transmitting / receiving data. The ID mask is used for internal processing of the computer. The "active ID" refers to an ID used when transmitting / receiving data, and the "active ID information" refers to a computer-owned active ID storage such as time when the active ID was created or updated, expiration date, and ID mask. Refers to the information registered in the means. Also, the URL of the content requested by the customer in the active ID
(Unified Resource Locator) information is added, and the one created for reply to customer terminal and re-reception is described as "runtime path".

A second feature of the present invention is (a) an authentication server having an agent control means for controlling an agent acting on behalf of a customer when performing a customer authentication processing; and (b) a customer ID. Active ID generation that generates active ID information that is environment information when creating an active ID and active ID used for authentication and tracking of communication progress on the communication path between the authentication server and the customer terminal based on the information The gist is that the authentication system includes a means and (c) an active ID storage means for storing the active ID and the active ID information. A second feature of the present invention is that (d) the agent control means stores an ID mask that prevents identification of an active ID.
Randomize the contents of the mask storage device at regular intervals I
When the D-mask random means, (e) active ID information backup means for taking backup information of active ID information, and (f) active ID information in the active ID storage means are damaged,
It may be added that an active ID information reproducing means for reproducing the active ID information in the active ID storage means is further provided.

The "agent" is a process for autonomously performing the work of the active ID generating means and the active ID storing means independently of the authentication server according to each scene. "
There are "multi-agent" etc. "Agent"
Is equipped with a module that can grasp the environmental situation, communicate with other agents, plan one's actions, and adapt itself to the external environment to optimize its actions.

A third feature of the present invention is: (a) An active ID used for authentication on a communication path with a customer terminal and tracking of communication progress based on customer ID information including a customer ID unique to the customer. And a step of (b) storing the active ID and the active ID information, which is the environment information of the computer when the active ID is generated, in the active ID storage means. Is the gist. A third feature of the present invention is that (c) the step of generating an active ID by the active ID generation means is a step of acquiring the customer ID by the customer ID acquisition means, and (d) a usable usage of the customer ID. The expiration date determining means determines whether or not it is within the deadline based on the active ID information, (e) the active ID creating means creates the active ID using the customer ID information, and (f) the active The step of creating active ID information, which is the environment information of the computer at the time of creating the ID, by the active ID information means may be included. Also, (g) the step of creating the active ID by the active ID creating means is the active ID
The method may further include the step of storing an ID mask that prevents the identification of the above in the ID mask storage device.

The step (e) is the customer I unique to the customer.
This is a step of adding D, the computer time possessed by the OS of the computer, and the host ID of the authentication server. The addition result value added with the ID mask described in the first feature is stored in the computer. And the mask number key is added to the active ID for transmission / reception.

[0016]

BEST MODE FOR CARRYING OUT THE INVENTION Next, referring to the drawings, a first embodiment and a second embodiment of the present invention will be described. In the first embodiment, the authentication server 10 acquires the customer ID 1 from the customer terminal 6, and based on this, the active ID
The generation means (hereinafter referred to as a creator) 20 generates an active ID 2 and the active ID storage means (hereinafter referred to as a spool) 30 stores it, and a runtime path 4 is created based on the active ID 2. Authentication server 10 of runtime path 4 characterized in that it provides a runtime path 4 service to be transmitted to the customer terminal 6
And the authentication method will be described. On the other hand, in the second embodiment, the authentication server 10 performs the customer management and authentication service for each request from the customer terminal 6, creates the runtime path 4 in real time, and sends the runtime path to the customer request terminal. An authentication server, an authentication system, and an authentication method, which are characterized by returning 4 are described.

The authentication server 10, the creator 20, and the spool 30 according to the first and second embodiments.
May independently exist, or the creator 20 and the spool 30 may exist inside the authentication server 10. The creator 20 and the spool 30 are under the control of the authentication server 10. Also, in the description of the drawings, the same or similar symbols are given to the same or similar parts. However, it should be noted that the drawings are schematic.

(First Embodiment) As shown in FIG.
The authentication server 10 according to the first embodiment includes a creator 20, a spool 30, an authentication receiving unit 11 that receives an authentication service, and a runtime path creating unit that creates a runtime path 4 using information including the acquired active ID 2. 12 and communication control means 13 for controlling transmission / reception of data, signals, etc. of all communication lines 5 connected to the authentication server 10. In addition, although not shown in the figure, a CPU for performing arithmetic processing of each module and a memory incorporating a ROM and a RAM are provided. Also, the keyboard,
An input device such as a mouse, an output device such as a monitor, and a printing machine may be provided.

The authentication accepting means 11 is a module for receiving a customer-specific number from the customer terminal 6 such as the mobile phone 6b or the personal computer 6a. For example, mobile phone 6
b 15-digit identifier assigned to the user (IMT-2
000 standard (equivalent to IMUI), mobile phone number, etc.
Alternatively, a MAC address, an IP address, or the like assigned to the personal computer 6a device, or a number set by the customer himself or a number created by the authentication server 10 according to a certain order may be used. When the authentication receiving means 11 receives the customer ID 1, the authentication server 10 determines that the customer or the like has requested the authentication service, and transmits the customer ID 1 to the creator 20. The runtime path creating means 12 uses the active I created by the creator 20.
It is a module that converts D2 to runtime path 4.
Specifically, the acquired active ID 2 is embedded at a predetermined position in the character string of the URL requested by the customer for browsing,
It returns to the requesting customer terminal 6 or the like. Communication control means 13
Is a module that generates a control signal for transmitting and receiving data between the authentication server 10, the creator 20, the spool 30, and the external terminal device connected to the authentication server 10. The spool 30 is a storage device for registering the active ID 2, and registers the active ID information 3 transmitted from the active ID information creating means 27 via the active ID information registering means 31.

The creator 20 has a customer ID acquisition means 2 for acquiring the customer ID 1 transmitted from the authentication reception means 11.
1. Computer time acquisition means 22 for acquiring the computer time set inside the computer, authentication server host ID acquisition means 23 for acquiring the host ID unique to the authentication server 10, whether the customer ID 1 is within the usable period Expiration date determining means 24 for determining the ID, an ID mask storage device 25 that is the storage means for storing the ID mask 2c that prevents the identification of the active ID, and an active I for creating the active ID2.
Active ID information creating means 27 for creating the active ID information 3 stored in the D creating means 26 and the spool 30.
have.

The customer ID acquisition means 21 is the authentication acceptance means 1
It is a module for receiving the customer ID 1 transmitted from The expiration date determination means 24 is the computer time acquisition means 22.
Compares the current computer time acquired by the computer with the access update time (refers to the previously acquired computer time registered in the active ID information 3. Details of the active ID information 3 will be described later), and the customer ID 1 Determine whether it is currently valid. When it is determined that the ID is valid, the active ID creating means 26 creates the active ID 2.

Next, the active ID 2 created by the active ID creating means 26 will be described in detail. The active ID 2 is the mask number key 2 as shown in FIG.
a and an active ID basic value 2b. The mask number key 2a is composed of, for example, a combination of alphanumeric characters. Specifically, as shown in FIG. 3, it is configured like "AWF0188", and this is a number (ID mask 2c) on each table of the ID mask storage device 25, for example, "209" as shown in FIG. ] To one-to-one.

The active ID basic value 2b is a result value obtained by adding the computer time acquired from the OS or the like, the server host ID acquired from the authentication server 10 and the customer ID1.
From the above, for example, the active ID basic value 2b is "10.
857813703 ”, the active ID 2 is“ A
WF018810857813703 ”.

At this time, inside the computer, as shown in FIG. 2B, the ID mask 2c "209" indexed by "AWF0188" and the active ID basic value 2b are added to obtain the calculation result of "209 + 10857813703". '1085781391
2 ”is the active ID 2 inside the computer. The active ID 2 is registered in the spool 30 as a part of the active ID information 3 and is also returned to the authentication server 10.

Next, the active ID information 3 created by the active ID information creating means 27 will be described in detail. As shown in FIG. 4, the active ID information 3 includes a time-over index, a customer ID, an access start time, a simple mask value, a host ID, an access update time, a time-over time, and a time-over time.

The time-over index is an index (flag) for checking whether or not the time when one customer ID 1 is returned is within the scheduled time limit. Specifically, in the time-over index column, if the active ID 2 is converted within the scheduled time limit, the value is left as it is, and if the active ID 2 is not converted within the scheduled time limit, for example, a minus (-) is given. input. The minus sign serves as a flag indicating that the active ID 2 and the active ID information 3 (area) are currently unused. Conversely, when this flag is not present, it indicates that the active ID 2 and the active ID information 3 (area) are currently in use. Therefore, active ID
2 and active ID information 3 are newly created, an active ID 2 and active ID information 3 are created by selecting from those with a minus (-) flag set, and a minus (-) flag is set when updating. , The update process is stopped. It is desirable that this flag be managed at regular intervals. This can be realized, for example, by temporarily saving all the active ID information 3 every few hours and inputting all the flags by minus (-).

The customer ID 1 is an ID acquired by the customer ID acquisition means 21 from the authentication reception means 11. As for the access start time, the computer time acquisition means 22 uses the API (Appl
It is the time at which the customer ID 1 is acquired via the (ication Program Interface). The ID mask 2c is a random number value registered in the ID mask storage device 25, and all IDs
The mask 2c has a mask number key 2a corresponding to one to one. The ID mask 2c and the mask number key 2a
And its association change in a constant cycle. Host ID
Is an ID that each authentication server 10 has. The access update time is the time when the authentication server 10 acquires the customer ID 1 at the end of the authentication service of this cool. The time-out time is the time limit of the time-out in the communication connection that the setter inputs in advance. For example, if the deadline is 3 minutes, 3 × 60 × 1000 = 180,00
It becomes 0 ms. The time-out time is a value obtained by adding the time-out time to the access update time. When the access is updated for the first time, the access update time is 0, and the value is only the time-over time.

The created active ID 2 is registered in the spool 30 as a part of the information of the active ID information 3, and is returned to the authentication server 10. The authentication server 10 transmits the returned active ID 2 to the customer terminal 6 or the like. The authentication server 10 repeats the above operation based on the request from the customer terminal 6 or the like.

(Authentication Method Using Authentication Server) Next,
The customer ID 1 is acquired from the customer terminal 6, the creator 20 creates the active ID 2 and the active ID information 3, and the spool 30 stores the active ID 2 and the active ID information 3.
The flow of operation of the authentication method for creating the runtime path 4 including 2 and transmitting it to the customer terminal 6 and for providing the service given to the customer will be described with reference to FIG.

(A) First, in step S101, the authentication receiving means 11 of the authentication server 10 causes the customer terminal 6
Etc. receives the customer ID 1 transmitted from the customer. Upon receiving the customer ID 1, the authentication accepting unit 11 determines that there is an authentication service start request, and transmits the received customer ID 1 to the creator 20 via the communication control unit 13.

(B) Next, in step S102, the computer time acquisition means 22 causes the OS of the authentication server 10 to operate.
The active ID creation means 26 adds the calculated computer time, the numerical value of the server host ID acquired by the authentication server host ID acquisition means 23, and the numerical value of the customer ID 1 acquired by the customer ID acquisition means 21 to obtain the active ID basic Get the value 2b. The active ID creating means 26 may, for example, calculate the computer time as “2001/08/12 13: 42: 23: 45”.
If it is "6", it is converted to "20010812134223456".
In this case, the 2 in the beginning of the year 2001 is deleted because it has no meaning for data identification, and the result "0001081213422345" is deleted.
6 ”is the computer time. Next is the host ID of the server
However, if it is "0246", for example, "108121342234"
56 + 0246 "is added and the result" 10812134802 "is obtained. Next, assuming that the customer ID 1 is “45678901”, “10812134802 + 45678901” is added, and the result “1
"0857813703" is set as the active ID basic value 2b.

(C) In step S103, the active ID creating means 26 first sets the ID mask storage device 2.
5, the mask number key 2a and the corresponding ID mask 2c value are randomly acquired. For example, when the mask number key 2a is "AWF0118" as shown in FIG. 3, the ID mask 2c corresponding to it is "209".
This is added to the head of the active ID basic value 2b, and the active ID 2 "AWF0118108578137" for the runtime path 4 is added.
Get 03 ".

(D) In step S104, the active ID creating means 26 sets the mask number key 2a to "AW".
If it is “F0118”, as shown in FIG. 3, “209” of the ID mask 2c corresponding to it is acquired.

(E) In step S105, the active ID creating means 26 uses the ID mask 2c "209" acquired in step S104 and the active ID basic value 2b.
"10857813703" is added, and the result "10857813912" is set as the active ID 2 inside the computer.

(F) In step S106, the spool 3
The active ID information registration means 31 of 0 is active I
All the information such as the computer time and the customer ID 1 used for creating D2 and the ready-made information such as the time-over time are received. The received information is the active ID information 3 information (see FIG. 4).
(Reference), and is stored in the spool 30.

(G) Finally, in step S107, the active ID 2 created in step S103 is
It is transmitted to the runtime path creating means 12 via the communication control means 13. Then, the runtime path creating means 12
The active ID 2 is, for example, “http: //www.xxxx.or.j
p / loginid = AWF011810857813703 ”, the runtime path 4 is created by embedding it in the character string of the access URL requested by the customer for browsing. The runtime path 4 returns a response to the customer terminal 6 or the like in response to a request from the customer or the like, and ends this processing. The order of the steps used in this description is
It does not limit the operation of the process.

According to the first embodiment of the present invention, in the run-time path 4, the program itself moves numerical values (mov
e, load), addition (add), and comparison (compare) are mainly used for the simple calculation formula, which enables high-speed operation. Further, since it is configured by a simple calculation formula, the management side of the authentication server 10 can easily create, operate and maintain it, and can quickly perform repair when the operation of the program fails. . As a result, it is possible to increase the speed of service provision itself, and accordingly, it is possible to provide the authentication service to the customer at low cost.

(Second Embodiment) Next, the second embodiment of the present invention will be described.
In the embodiment, the personal computer 6a, the mobile phone 6b, the PD are connected via the communication line 5 such as the Internet.
An authentication server, an authentication system, and an authentication method for performing customer authentication when providing an information providing service to a customer terminal 6 such as A (personal digital assistance) will be described.

(Authentication System) As shown in FIG. 6, the authentication server 100 and related devices according to the second embodiment are as follows.
A personal computer 6a or a mobile phone 6b used by a customer to request a service such as content browsing, a customer management server 40 that permits access to the authentication server 100 and the customer terminal 6 when the customer is an authorized registrant, authentication The authentication server 100 includes an agent control unit 19 that controls the process, a creator 20 that performs the authentication process, and a spool 30 that stores the process information.

The customer management server 40 determines whether the customer is a legitimate registrant, and if the customer is a registrant, permits the access of the authentication server 100 and the customer terminal 6. When the permission is given, the customer management server 40 sends the user management ID sent from the customer terminal 6 to the authentication server 100. In addition, the active ID 2 received from the authentication server 100 is UR
It is embedded in L and returned to the customer terminal 6.

The authentication server 100 is the customer management server 40.
Then, the customer ID 1 is acquired and the creator 20 is made to create the active ID 2 and the active ID information 3. Also, the created active ID 2 is received from the creator 20 and transmitted to the customer management server 40. Also, the authentication server 1
00 includes an agent control means 19. The agent control means 19 is a module that controls each process. Since the creator 20 and the spool 30 use the same device as that of the first embodiment, the description thereof is omitted. The personal computer 6a and the mobile phone 6b are
It is a requesting terminal for requesting a URL connection service such as contents that a customer wants to browse. This is an apparatus capable of bidirectional communication lines such as Internet television and FAX, and any device capable of leaving a trace of bidirectional communication such as a session ID can be used.

Authentication server 100 according to the second embodiment
Is, as shown in FIG. 7, an input device 14, an output device 15,
Communication control device 16, main memory device 17, processing control device (C
PU) 18.

The input device 14 is composed of a keyboard, a mouse and the like. Also, input may be performed from an external device via the communication control device 16. Here, the external device is a CD-R
It refers to a storage medium such as OM, MO, ZIP, etc. and its drive device. The output device 15 includes a monitor, a printing machine, and the like. The communication control device 16 is a module that generates a control signal for transmitting / receiving data to / from another general-purpose machine, a server, or the like via the communication line 5. The main memory 17 is R
OM (rom) and RAM (ram) are incorporated.
The ROM functions as a program memory or the like that stores a program executed by the CPU 18, and the RAM functions as a data memory or the like that is used for storing data or the like used during the program execution processing in the CPU 18 or as a work area. To do.

The CPU 18 has the authentication acceptance means 18
a, a runtime path creating means 18b, a runtime path transmitting means 18c, and an agent control means 19 are provided. The authentication accepting unit 18a is created by the customer terminal 6 such as the mobile phone 6b or the personal computer 6a from the customer terminal 6, for example, a terminal device unique number, a number set by the customer himself, or the authentication server 100 according to a certain order. It is a module for receiving the number etc. This customer ID 1
When the authentication server 100 receives the request, the authentication server 100 determines that the customer or the like has requested the authentication service, and transmits the customer ID 1 to the creator 20. Runtime path creating means 18
Reference numeral b is a module for converting the active ID 2 created by the creator 20 into the runtime path 4. Specifically, the acquired active ID 2 is embedded in a predetermined position of the character string of the URL. Runtime path transmission means 1
Reference numeral 8c is a module for returning the runtime path 4 to the requesting customer terminal 6 or the like. Agent control means 19
Is the creator 20 and the spool 3 according to each scene.
It is a module that controls an agent that automatically performs work within 0, and controls the spool 30 and the creator 20 in the second embodiment. Details of this control processing will be described later.

Next, the internal structure of the customer management server 40 will be described with reference to FIG. The customer management server 40
An input device 41, an output device 42, a communication control device 43, a main storage device 44, a processing control device (CPU) 45, a customer management storage device 46, and a content storage device 47 are provided.

The processing control device 45 of the customer management server 40
Is a customer registration means 45a, a customer authentication means 45b, a runtime path reception means 45c, a runtime path transmission means 45.
d and content control means 45e. The customer registration means 45a is means for registering a customer authentication service for a new customer, displays a screen as shown in FIG. 13 (a) on the customer terminal 6, and displays the login name, password, and password acquired from the display screen. Register your email address. The customer registration means 45a obtains new customer information using the communication line 5 or the like, and updates the customer management storage device 46. At this time, the customer authenticating means 45b refers to the customer management storage device 46 for a necessary item, which is any one of the login name, the password, and the e-mail address, which the customer who has already registered as the customer inputs when requesting the content browsing. Is a means for authenticating. The runtime path receiving means 45c receives the content browsing request (access UR) first transmitted from the customer terminal 6.
L) is a means for receiving data, and the runtime path transmitting means 45d is means for returning the runtime path 4 transmitted from the authentication server 100 to the customer terminal 6. The content control means 45e is a means for controlling transmission / reception of content data to be browsed by the customer on the Web. The content storage device 47 records information such as a content code, a content name, and a content URL to be browsed by the customer.

In the customer management storage device 46, as shown in FIG. 9, a customer identifier, a password, a login name, a mail address, a registration date, an information update date, a password expiration date, and a customer recognition flag are registered. . The customer identifier indicates a customer ID number, and specifically refers to a user ID number unique to the customer terminal 6 device, a number set by the customer himself, a number created by the customer management server 40 by a random number or the like. What is your password, login name and email address?
It indicates the password, login name, and mail address acquired by the customer registration means 45a from the screen of FIG. 13 (a) displayed on the customer terminal 6. The date of registration means the date of registration in the customer management server 40, that is, the date of using the active ID 2 through the authentication server 100 for the first time. The date when the information is updated refers to the date when the authentication service was last received using the active ID 2. The password expiry date is the expiry date of the password acquired by the customer registration means 45a. For example, the expiry date of one month or six months from the registration date is set by the customer terminal 6 or the customer management server 40. The customer recognition flag is a flag for identifying the service provided to the customer. For example, the service may be used when the type of service provided is divided into charges such as A, B, and C, or may be divided into regions such as Kanto A, Kansai B, and other regions C for use.

Next, the internal structure of the agent control means 19 will be described with reference to FIG. The agent control means 19 is an active process having a judgment function and capable of autonomously operating from the authentication server. Second
In the embodiment, the agent control means 19 is installed in the authentication server 100 or connected to the periphery thereof,
Provides control assistance. Also, the agent control means 19 is an ID mask random means 19a which is set as an auxiliary of the active ID creation means 26 and the active ID information creation means 27 and which generates a random number of the ID mask 2c on the ID mask storage device 25 at a predetermined cycle. , Active ID information reproducing means (hereinafter referred to as spool reproducing means) 19b for updating the spool 30 all at once in a set cycle, and active ID information for backing up the information described in the active ID information 3 in a set cycle. Backup means 19
c and a backup storage device 32 for storing the information acquired by the active ID information backup means 19c. The ID mask random means 19a is a module that generates a random number at a cycle set in the authentication server 100, for example, every hour, and updates and registers the value of the ID mask 2c.

As shown in FIG. 3, the ID mask 2c is associated with the mask number key 2a on a one-to-one basis, but the association also changes due to the generation of random numbers. For example, in FIG. 3, “AWF0188” and “209” are associated with each other, but after the random number is generated, “AWF0188” is associated with a completely unrelated number, for example, “6527”. It becomes impossible for a third party to decipher or plagiarize. Spool reproducing means 19
Reference numeral b is a module that is started by the authentication server 100 and creates the main memory of the spool 30 as the first process when the computer is started when communication is interrupted during the service due to a time-out or the like. Specifically, the previous storage status in the spool 30 is called from the backup storage device 32 and restored on the spool 30. After the main memory is restored, the expiration date determination means 2 of the creator 20 according to the computer time
4 checks the expiration date of the active ID information 3, and when the expiration date has expired, the active ID 2 expires and a minus flag is set in the time-out index. The time-over index is a kind of shared flag, and the synchronization module pays attention to this flag and updates the active ID 2 and the active ID information 3 according to the change of the flag. The active ID information backup means 19c is a module that backs up the active ID information 3 in the spool 30 at regular intervals. All the backed up information is saved in the backup storage device 32 and used for the work of restoring the spool 30. The tasks and processes described above may be performed while using a plurality of agents and allowing the agents to communicate with each other.

(Authentication Method Using Authentication System) Next, the operation of the authentication method using the authentication system according to the second embodiment when registering a new customer will be described with reference to FIG.

First, in step S201, the customer requests the customer management server 40 from the customer terminal 6 such as a mobile terminal or a personal computer 6a via the communication line 5. The customer registration means 45a of the customer management server 40 receives the customer registration request in step S202.

Next, in step S203, the customer registration means 45a causes the application screen HTML, C-, shown in FIG.
Image data such as HTML is transmitted to the customer terminal 6 via the communication line 5. Upon receiving the above data, the customer terminal 6 displays it on the screen through browser software or the like in step S204.

In step S205, the customer is made to input necessary items for registration of a login name, password, mail address and the like according to the application screen displayed on the screen of the customer terminal 6. The items necessary for registration are not limited to the above items, and may be added or changed as appropriate. On the completed application screen with the necessary registration information, enter the required information,
It is retransmitted to the authentication server 100 in step S206.

In step S207, when the customer registration means 45a receives the completed application screen, the customer identifier, the registered date, the password expiration date, and the customer are added to the information on the screen, the login name, the password and the mail address. An identification flag and the like are added as necessary items, and a customer management table is created for each customer. Finally, the created customer management table is stored in the customer management storage device 46, and is referred to when the customer is authenticated next time.

Next, the operation when the runtime path 4 is first issued (at the time of customer authentication) will be described with reference to FIG.

First, in step S301, a connection request for receiving a content browsing providing service is transmitted from the customer terminal 6 such as the mobile phone 6b or the personal computer 6a to the customer management server 40. This connection request causes the customer to input the application screen of FIG. 14A or a part of the application screen. Alternatively, the customer terminal 6 itself may use the mobile phone 6b user's identifier, the mobile phone 6b number, the MAC address, the IP address, etc. to allow the customer to make a connection request without performing any special procedure. .

Next, in step S302, the customer authentication means 45b of the customer management server 40 receives the connection request and the above-mentioned customer confirmation items. The customer authentication unit 45b determines whether the customer confirmation items held in the customer management storage device 46 match (step S303). If they match, the customer authentication unit 45b permits access to the authentication server 100, and the customer ID 1
Is added and the process proceeds to step S306. If they do not match, the connection with the customer terminal 6 is disconnected in step S304, and the screen for notifying the connection disconnection is transmitted to the customer terminal 6 in step S305, and the customer terminal 6 displays it.
Display on the screen as in (b). It should be noted that the box in FIG. 14B is preferably rewritten depending on the type of cause of disconnection such as radio wave abnormality or password not registered.

In step S306, the authentication receiving means 18a in the authentication server 100 receives the customer ID 1 assigned in step S303 via the communication control means 13. The authentication accepting means 18a uses the customer I
D1 is transmitted to the creator 20. In the creator 20, the active ID 2 and active I shown in FIG.
Creation of D information 3 (steps S101 to S10
6), and transmits the created active ID 2 to the authentication server 100 in step S107.

In step S307, the runtime path creating means 18b acquires the active ID 2 and sets the active ID 2 as "http://www.xxxx.or.jp/loginid=
AWF011810857813703 ”is embedded in the URL.
The embedded URL is the runtime path 4,
The runtime path transmitting means 18c transmits the access URL receiving means of the customer management server 40.

In step S308, access U
The RL transmitting means transmits the access URL created in step S307 to the customer terminal 6 via the communication line 5. The customer terminal 6 receives the access URL in step S309. The above operation is performed only for the first communication.

Next, the operation after the first time of the runtime path 4 (communication between terminals of the runtime path 4) will be described with reference to FIG.
Will be explained.

First, in step S309, when the customer receives the access URL, the service provision content as shown in FIG. 14C is presented on the screen of the customer terminal 6.

In step S401, when the customer terminal 6 receives a request from the customer who wants to receive the service by key input or the like, the customer terminal 6 again manages the access URL to receive the service. It is transmitted to the server 40. For example, when a customer issues a request to connect to the content of “Today's weather” in FIG. 14C, the customer management server 40 that receives the request holds the active ID 2 as the access URL from the second time. Therefore, the customer request is immediately transmitted to the authentication server 100.

At step S402, the active I
Access update time of D information 3 (previous authentication server 1
00) and the computer time acquisition means 22 acquires the computer time.

Next, in step S403, the expiration date determination means 24 compares the access update time with the current time to determine whether the active ID 2 is within the expiration date. For example, the last access update time is
It is "1:00" and the time-over time is 180 seconds (3
Minutes), the time-out time is "1:03"
If the next access update does not come back by "1:03", the connected communication will time out. When it is determined that the time is over, the process proceeds to step S407 and the time over screen is transmitted to the customer terminal 6. The customer terminal 6 having received this displays the screen of FIG. 14B, and ends the processing executed by this connection. On this occasion,
When the customer presses the send button and requests to start the connection again, the customer terminal 6 tries to reconnect. At the time of this reconnection, since the history up to the time when the connection was previously disconnected is saved in the spool 30, the customer can immediately disconnect and receive the continuation of the subsequent services.

If the time is not over at step S403, the active ID information 3 is rewritten at step S404. For example, if the last access update time is “1:00” and the time-over time is 180 seconds (3 minutes), the time-out time is “1:03” and the current access update is “1”. : 0
2 ”. In this case, the latest access update time is rewritten to "1:02", and "1:05" obtained by adding the time-out time of 180 seconds to the time is put in the time-out time. That is, the next data reply (Active I
When D2) returns by "1:05", the data reply is further continued, and conversely, the data reply is "1: 0".
If you do not come back by 5 ”, this Active I
D2 becomes unusable.

In step S405, the content control means 45e which has received the content browsing request searches the content storage device 47 for the content. For example, when the request from the customer is “Today's weather”, the access URL is, for example, “http: //www.kyounotennki.
or.jp/loginid=AWF011810857813703 "is embedded in the content code and transmitted to the customer terminal 6 together with the active ID 2 in step S306. The customer terminal 6 having received this starts the process again from step S309. This process ends when the time is over or the customer disconnects himself. The order of steps used in this description does not limit the operation of the process.

According to the second embodiment, the disposable run-time path 4, which has little meaning in the content itself, is used by the creator 2.
By simply creating 0 and using it at the time of authentication, it is possible to create the runtime path 4 with high reliability and confidentiality that is not easily stolen by a third party.

Further, by having the agent monitor and automatically control the function of the creator 20 and the function of the spool 30 used in the above-mentioned authentication work, and by having the customer management server 40 carry out the registration status of the customer, Higher-speed authentication processing becomes possible. As a result, it is possible to reduce the waiting time for the customer to reply from the server, and it is possible to prevent the customer's willingness to receive the content browsing service from decreasing during the waiting time, which in turn can increase the number of repeater customers. It will be possible.

(Modification) When the communication is interrupted during the service due to the connection time being over, the active ID information 3 information registered in the spool 30 is restored to the spool 30 from the backup storage device 32 again. To be done. This restoration work is preferably set by the service providing side so that the service provision can be restarted without making the customer aware.

The function of this authentication server is the CD
-The product may be fixed in a medium such as a ROM and packaged for sale, or only the authentication function may be provided by ASP distribution, download, or the like.

Mask number key 2a and ID mask storage device 2
The correspondence of 5 corresponds to, for example, 6 in the ID mask storage device 25.
The random numbers are generated at regular intervals such as 0 minute intervals, but it is preferable to generate the random numbers within a shorter time in order to improve the degree of security.

The ID mask storage device 25 randomly corresponds to the mask number key 2a. Further, at that time, it is more preferable that the mask number keys 2a are also randomly created. As a specific example, if 1000 ID masks 2c are prepared, individual numbers from 1 to 1000 are randomly present in any of the ID mask storage devices 25. In this case, the individual numbers are randomly associated with the mask number key 2a only until the time-over time. As an example, the mask number key 2a is created by randomly combining three letters and four letters.

In this chaotic manner, the mask number keys 2a and I
A high security effect can be obtained by combining the D masks 2c, randomly creating the mask number keys 2a, and allowing both to exist for a certain period of time. That is,
Even if a malicious third party such as a cracker tries to decrypt the runtime path 4, since the meaning of the active ID 2 in the path is weak and exists only for a certain period of time, the malicious third party can decrypt the runtime path 4. Already, the following runtime path 4 has already been issued and used. Therefore, it is impossible for a malicious third party to decipher, and it is possible to create and operate the runtime path 4 with higher reliability and confidentiality.

[0075]

As described above, regardless of whether or not the customer and the content provider subscribe to a certain communication provider,
It is possible to provide an authentication server, an authentication system and an authentication method capable of authenticating a customer in all two-way communication.

[Brief description of drawings]

FIG. 1 is a structural diagram showing an overall structure of an authentication server according to a first embodiment of the present invention.

FIG. 2 is a structural diagram showing an internal structure of active ID data.

FIG. 3 is a structural diagram showing a data structure of a mask number key and an ID mask storage device.

FIG. 4 is a structural diagram showing a data structure of active ID information registered in a spool.

FIG. 5 is a flowchart showing an operation of creating an active ID and active ID information.

FIG. 6 is a schematic diagram showing the overall structure of an authentication system according to a second embodiment of the present invention.

FIG. 7 is a block diagram showing a structure of an authentication server according to a second embodiment of the present invention.

FIG. 8 is a block diagram showing an internal structure of a customer management server according to a second embodiment of the present invention.

FIG. 9 is a structural diagram showing a data internal structure of a customer management storage device.

FIG. 10 is a block diagram showing a structure of an agent function according to the second embodiment of the present invention.

FIG. 11 is a flowchart showing an operation of initial registration of a customer in the authentication method according to the second embodiment of the present invention.

FIG. 12 is a flowchart showing an operation of determining a registered customer and initially creating an active ID in the authentication method.

FIG. 13 is a diagram showing an authentication method in which active I is performed after the first time.
It is a flowchart which shows the operation | movement which updates D.

FIG. 14 is an example of image data transmitted to a customer terminal device.

[Explanation of symbols]

1 Customer ID 2 Active ID 2a Mask number key 2b Active ID basic value 2c ID mask 3 Active ID information 4 runtime path 5 communication lines 6 Customer terminal 6a personal computer 6b mobile phone 10 Authentication server 11 Authentication acceptance means 12 Runtime path creation means 13 Communication control means 14 Input device 15 Output device 16 Communication control device 17 main memory 18 CPU 18a Authentication acceptance means 18b Runtime path creation means 18c runtime path transmission means 19 Agent control means 19a ID mask random means 19b spool reproducing means 19c Active ID information backup means 20 Creator 21 Customer ID acquisition means 22 Computer time acquisition means 23 Authentication Server Host ID Acquisition Means 24 Expiration date determination means 25 ID mask storage device 26 Active ID creation means 27 Active ID information creation means 30 spools 31 Active ID information registration means 32 backup storage 40 Customer management server 41 Input device 42 Output device 43 Communication control device 44 main memory 45 CPU 45a Customer registration means 45b Customer authentication means 45c runtime path receiving means 45d runtime path transmission means 45e content control means 46 Customer management storage device 47 content storage device 100 authentication server

Claims (20)

[Claims] 1. A customer ID including a customer ID unique to the customer
Active ID generation means for generating an active ID used for authentication and tracking of communication progress on a communication path with a customer terminal based on the information; and environmental information of a computer when the active ID and the active ID are generated. And an active ID storage means for storing the active ID information. 2. The active ID generation means, customer ID acquisition means for acquiring the customer ID, expiration date determination means for determining whether or not the customer ID is within the usable expiration date, and the customer ID information. 2. An active ID creating means for creating an active ID by using the active ID, and an active ID information creating means for creating active ID information which is environment information of the computer at the time of creating the active ID. The listed authentication server. 3. The active ID creating means includes an ID mask storage device that stores an ID mask that prevents identification of the active ID.
Authentication server described in. 4. The active ID generation means acquires a host ID unique to a computer time acquisition means and an authentication server, which is connected to the active ID generation means and acquires the computer time set inside the computer. An authentication server host ID acquisition means is further provided, and the customer ID information is the computer time, the host ID.
And at least one of the ID masks, and further comprising an active ID creating means for creating an active ID using the customer ID information. Authentication server. 5. The active ID information includes at least one of the active ID, the time at which the active ID was created, the expiration date of the active ID, a display flag indicating whether or not the active ID is used, and the ID mask. The authentication server according to any one of claims 1 to 4, which is characterized in that. 6. The active ID generation means is the active ID created by the active ID creation means.
The authentication server according to any one of claims 1 to 5, further comprising: a runtime path creating unit that creates a runtime path in which information on a URL requested by the customer is added. 7. The active ID storage means is an active ID for recording and updating the active ID information.
The information processing device further comprises information registration means, wherein the expiration date determination means receives the active ID transmission time included in the active ID information recorded in the active ID storage means, and the active ID information updated by the active ID information registration means thereafter. The authentication server according to any one of claims 1 to 6, wherein the expiration date of the active ID is determined by comparing with the time. 8. An authentication server having an agent control means for controlling an agent acting on behalf of the customer when performing the authentication processing of the customer, and the authentication server and the customer terminal based on the customer ID information. An active ID used for authentication and tracking of communication progress in a communication path between the active ID and active ID generation means for generating active ID information that is environment information when the active ID is generated; An authentication system comprising: an active ID storage unit that stores active ID information. 9. The ID for randomizing the contents of an ID mask storage device, which stores an ID mask for preventing the identification of the active ID, by the agent control means at regular intervals.
9. A mask random means is provided.
The authentication system described in. 10. The agent control means is an active ID information backup means for taking backup information of the active ID information, and an active ID information backup means based on the backup information when the active ID information in the active ID storage means is damaged. 10. The authentication system according to claim 8, further comprising an active ID information reproducing means for reproducing the active ID information in the ID storage means. 11. A customer I including a customer ID unique to the customer.
A step in which the active ID generation means generates an active ID used for authentication on the communication path with the customer terminal and tracking of the communication progress based on the D information; and a computer for generating the active ID and the active ID. And a step of storing active ID information, which is environment information of the active ID storage means, in the authentication method. 12. The step of generating the active ID by the active ID generating means includes a step of acquiring the customer ID by a customer ID acquiring means, and a step of using whether or not the customer ID is within a usable expiration date. Deadline determining means makes a determination based on the active ID information; active ID creating means creates the active ID using the customer ID information; environment of the computer at the time of creating the active ID 12. The authentication method according to claim 11, further comprising a step of creating active ID information, which is information, by active ID information means. 13. The ID mask storage device stores an ID mask for preventing the identification of the active ID in the step of creating the active ID by the active ID creating means.
Alternatively, the authentication method according to claim 12. 14. The step of creating the active ID includes a step of acquiring a computer time set inside the computer by a computer time acquisition means, and a host ID unique to the authentication server as an authentication server host I.
D acquisition means obtains the active ID, and the active ID is created from information including at least one of the customer ID, the ID mask, the computer time, and the host ID.
To the authentication method according to claim 13. 15. The step of creating the active ID information includes at least one of the active ID, a time at which the active ID is created, an expiration date of the active ID, a display flag indicating whether or not the active ID is used, and the ID mask. 15. The authentication method according to claim 11, wherein the active ID information is created using information including one piece. 16. The step of creating the active ID includes the step of creating a runtime path in which the runtime path creating means adds the information of the URL requested by the customer to the active ID. To the authentication method according to claim 15. 17. A step of registering the active ID information in the active ID storage means, wherein the active ID information registration means stores the active ID information.
A step of recording and updating the active ID information in a storage means, wherein the step of determining the expiration date of the customer ID by the expiration date determining means includes the step of determining the active ID information recorded by the active ID storage means. 17. The method according to claim 11, wherein the transmission time of the active ID included in the above is compared with the reception time of the active ID updated in the recording and updating step. Authentication method described in. 18. A step for an authentication server to control an agent acting on behalf of the customer during the authentication processing for the customer, and information for the communication path authentication and communication based on information including the customer ID unique to the customer. Active I used to track progress
D and a step in which active ID generation means creates active ID information which is environment information when creating the active ID; and active ID information which is environment information when creating the active ID and the active ID.
D storing means stores the step. 19. The step of controlling an agent by an authentication server, wherein the ID mask random means randomizes the contents of an ID mask storage device that stores an ID mask for preventing the identification of the active ID, at every fixed cycle. The authentication method according to claim 18, further comprising: 20. In the step of controlling the agent by the authentication server, a step of the active ID information backup means obtaining backup information of the active ID information; and a case where the active ID information in the active ID storage means is damaged. 20. The authentication method according to claim 18, further comprising: a step of reproducing the active ID information in the active ID storage means by the active ID information reproducing means using the backup information. .