JP2012141870A - Authentication system, authentication method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system, an authentication method, and a program capable of letting an input person know wrong input of a password before the input is fixed and capable of increasing security.SOLUTION: When a user ID is input, an authentication server 10 extracts a password and a display object which are associated with the user ID and generates display object identification information that is capable of identifying a hash value of the extracted password and the extracted display object. A client terminal 20 displays a password input screen after accepting an input of the user ID, and calculates a hash value by using input characters every time when a character is input or deleted on the screen. Then, it is determined whether the hash value identified by the display object identification information and the calculated hash value are matched. When they are matched, the display object identified by the display object identification information is displayed on the password input screen. When they are not matched, a display object different from the display object identified by the display object identification information is displayed on the screen.

Description

  The present invention relates to an authentication system, an authentication method, and a program for assisting an input when a user performs an authentication process.

  In recent years, with the development of computer networks, users can receive various services on computer networks via their own terminals. In general, a user who wants to receive service needs to enter a preset user ID and password from his / her terminal and receive authentication.

  By the way, on the authentication screen, the input user ID is generally displayed as it is, but the password is not displayed as it is, and the input characters are displayed by “●●”, “**”, or the like ( Hereinafter, such display is referred to as “echo display”.) This is because if the echo display is not performed, a fatal security problem may occur in the password authentication process.

  However, when the echo display is employed, if an erroneous input due to a typo is made during an input operation, the user may not be aware of the erroneous input and may transmit an incorrect password to the authentication server. As a result, authentication failure is determined, and later, an inherently unnecessary process such as an account lock release operation occurs in the user.

  Furthermore, when the echo display is employed, the user may become anxious about whether or not the password is correctly input during the password input operation. In this case, the user performs an unnecessary process such as deleting the input character and re-entering it many times even though it is correctly input.

  Various proposals have been made in order to solve such problems caused by echo display (see, for example, Patent Documents 1 to 3). This will be specifically described below.

  Japanese Patent Laid-Open No. 2004-26883 discloses a color (or pattern) of a portion for displaying a background color corresponding to an input character string when a user inputs a password while the password is hidden by echo display processing. An apparatus for changing is disclosed. According to the apparatus disclosed in Patent Literature 1, when a color (or pattern) different from a normal color is displayed, the user can notice that an erroneous input has been performed.

  Patent Document 2 discloses a device that records a pattern and frequency of erroneous input by a user at the time of password authentication as history information, and uses this history information to support user input. Specifically, the apparatus disclosed in Patent Literature 2 first determines whether or not the user is a regular user based on history information when the user makes an erroneous input similar to a registered password. When the device disclosed in Patent Document 2 determines that the user is a regular user, there is rough information on the erroneous input location, for example, “a typo between the first character and the sixth character. ”Is displayed to reduce the burden on the user when making corrections. On the other hand, the apparatus disclosed in Patent Document 2 ensures security without displaying information on erroneously input portions when the user does not determine that the user is a regular user.

  Japanese Patent Application Laid-Open No. 2004-228561 discloses an apparatus that allows a user to select a confirmation character string in advance and sets a hash value of a password according to the confirmation character string. In the apparatus disclosed in Patent Document 3, after setting a hash value, when the user inputs and confirms the password, the hash value is calculated from the password, and the character string corresponding to the calculated hash value is confirmed. For the user. The user can confirm an erroneous input by comparing the displayed character string with the previously selected character string.

  As described above, if the apparatus disclosed in any one of Patent Documents 1 to 3 is used, it is considered that the above-described problem due to echo display is solved.

JP 2010-097374 A JP-A-2005-149388 JP 2009-205500 A

  However, in the apparatus disclosed in Patent Document 1, when an unregistered user ID is input, the background change is the same in all cases. Therefore, a malicious third party can know whether or not the input user ID is registered by inputting a random character string as the user ID. The apparatus disclosed in Patent Document 1 has a problem that security is not sufficient.

  In the device disclosed in Patent Document 2, rough information on an erroneous input location is given to a third party, and the third party has an opportunity to guess a password. For this reason, even the apparatus disclosed in Patent Document 2 has a problem that security is not sufficient.

  Furthermore, in the apparatus disclosed in Patent Document 2, even if a third party tries to authenticate many times and fails, the record at that time is registered as history information. For this reason, when the number of failures by a third party becomes enormous, there is a possibility that a situation where the authorized user is not determined as an authorized user may occur when the authorized user makes an incorrect input when entering the password. In other words, the apparatus disclosed in Patent Document 2 has a problem that it cannot be stably operated.

  On the other hand, according to the apparatus disclosed in Patent Document 3, it is considered that security is ensured as compared with the apparatuses disclosed in Patent Documents 1 and 2. However, in the apparatus disclosed in Patent Document 3, since the user cannot confirm the correctness of the password without confirming the password, as a result, the authentication process between the server and the client terminal is performed many times. And almost the same result.

  In other words, the apparatus disclosed in Patent Literature 3 cannot obtain the effect of preventing an erroneous input of a password by the user before the input is confirmed, and as a result, it is difficult to solve the problem by echo display. In addition, in the device disclosed in Patent Document 3, the cost for communication increases as compared with the devices disclosed in Patent Documents 1 and 2.

  An example of an object of the present invention is to provide an authentication system, an authentication method, and a program capable of solving the above-described problem, notifying an input person of an incorrect input of a password before confirming the input, and improving security. It is to provide.

In order to achieve the above object, an authentication system according to an aspect of the present invention includes an authentication for authenticating a user based on a client terminal used by the user and a user ID and password input by the user via the client terminal. With a server,
The authentication server is
A user data storage unit that stores a user ID, a password, and a display object in association with each other in advance,
When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the user data storage unit, and a hash value is calculated from the extracted password. An information creation unit that generates display object identification information that can identify the hash value and the extracted display object,
The client terminal is
An authentication screen display unit for displaying a first authentication screen for receiving an input of a user ID, and displaying a second authentication screen for receiving an input of a password after receiving an input of the user ID;
A hash value generation unit that calculates a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen When,
The display object specifying information is acquired from the authentication server, and it is determined whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated by the hash value generation unit. If the display object specified by the display object specifying information is displayed on the second authentication screen, and the display object specifying information does not match, the display object specifying information is specified on the second authentication screen. A display object generation unit for displaying a display object different from the display object to be displayed.
It is characterized by that.

In order to achieve the above object, an authentication method according to one aspect of the present invention is an authentication method for authenticating a user based on a user ID and a password,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) displaying a first authentication screen and accepting an input of a user ID;
(C) When a user ID is input, a password and a display object associated with the input user ID are extracted from the information stored in the step (a), and a hash value is extracted from the extracted password. Generating display object identification information that can identify the calculated hash value and the extracted display object, and
(D) after receiving the input of the user ID, displaying a second authentication screen and receiving an input of a password;
(E) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(F) It is determined whether or not the hash value specified by the display object specifying information generated in the step (c) matches the hash value calculated in the step (e). The display object specified by the display object specifying information is displayed on the second authentication screen when the display object specified by the display object specifying information is displayed on the second authentication screen and does not match. And displaying a different display object.
It is characterized by that.

Furthermore, in order to achieve the above object, a first program in one aspect of the present invention is a program for performing authentication of the user by a computer based on a user ID and a password input by the user via a client terminal. Because
In the computer,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the information stored in the step (a) and extracted. Calculating a hash value from the password, and generating display object specifying information capable of specifying the calculated hash value and the extracted display object; and
Is executed.

Further, in order to achieve the above object, the second program according to one aspect of the present invention stores in advance a user ID, a password, and a display object in association with each user, and when the user ID is input, A password and a display object associated with the input user ID are extracted, a hash value is calculated from the extracted password, and display object specifying information capable of specifying the calculated hash value and the extracted display object is generated. A program for transmitting a user ID and password entered by a user to a verification server by a computer,
In the computer,
(A) displaying a first authentication screen for accepting input of a user ID; and
(B) displaying a second authentication screen for accepting an input of a password after accepting an input of the user ID;
(C) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(D) The display object specifying information is acquired from the authentication server, and whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated in the step (c). When it is determined and matches, the display object specified by the display object specifying information is displayed on the second authentication screen, and when they do not match, the display object specifying is displayed on the second authentication screen. Displaying a display object different from the display object specified by the information; and
Is executed.

  With the above features, according to the authentication system, the authentication method, and the program of the present invention, it is possible to notify an input person of an incorrect password input before confirming the input, and it is possible to improve security.

FIG. 1 is a block diagram showing a configuration of an authentication system according to an embodiment of the present invention. FIG. 2 is a diagram showing an example of user data registered in the authentication server in the embodiment of the present invention. FIG. 3 is a diagram showing an example of a user ID input screen displayed on the display device of the client terminal in the embodiment of the present invention. FIG. 4 is a diagram showing an example of a password input screen displayed on the display device of the client terminal in the embodiment of the present invention. FIG. 5 is a sequence diagram showing an operation during user data registration processing of the authentication system according to the embodiment of the present invention. FIG. 6 is a sequence diagram showing an operation during authentication processing of the authentication system according to the embodiment of the present invention. FIG. 7 is a block diagram illustrating an example of a computer that realizes the authentication server and the client terminal according to the embodiment of the present invention. FIG. 8 is a block diagram showing a configuration of the authentication device according to the embodiment of the present invention.

(Embodiment)
Hereinafter, an authentication system, an authentication method, and a program according to an embodiment of the present invention will be described with reference to FIGS. Initially, the structure of the authentication system 30 in this Embodiment is demonstrated using FIG. FIG. 1 is a block diagram showing a configuration of an authentication system according to an embodiment of the present invention.

[System configuration]
As shown in FIG. 1, the authentication system 30 in this embodiment includes a client terminal 20 used by a user and an authentication server 10. When the user inputs the user ID and password via the client terminal 20, the authentication server 10 performs user authentication based on the user ID and password.

  The authentication server 10 includes an authentication execution unit 11, a user data storage unit 12, an information generation unit 13, and a user data registration unit 14. The authentication execution unit 11 communicates with the client terminal 20 and executes an authentication process based on the user ID and password input by the user.

  The user data storage unit 12 stores a user ID, a password, and a display object in association with each other in advance. The display object is a character, a character string, a symbol, an image, or the like displayed on a password input screen described later when the password is correctly input. In this embodiment, the user ID, password, and display object (hereinafter collectively referred to as “user data”) are sent to the user data storage unit 12 via the user data registration unit 14. It has been.

  When the user data registration unit 14 is instructed to register user data for a specific user, the user data registration unit 14 accepts input of user data. Further, the user data registration unit 14 sends the received user data to the user data storage unit 12 in order to additionally register the received user data as a new record. Note that user data may be input by a user who requests registration, or by an administrator of the authentication server 10.

  When a user ID is input for authentication from the client terminal 20, the information creation unit 13 first extracts a password and a display object associated with the input user ID from the user data storage unit 12. Subsequently, the information creating unit 13 calculates a hash value from the extracted password, and generates display object specifying information that can specify the calculated hash value and the extracted display object. Thereafter, the display object specifying information is transmitted to the client terminal 20 via the authentication execution unit 11.

  The client terminal 20 includes an authentication screen display unit 21, a hash value generation unit 22, and a display object generation unit 23. In FIG. 1, reference numeral 24 denotes a display device of the client terminal 20.

  The authentication screen display unit 21 first displays a first authentication screen on the display device 24 in order to accept an input of a user ID, and then accepts an input of a password after accepting an input of a user ID. Are displayed on the display device 24. Hereinafter, the first authentication screen is referred to as a “user ID input screen”, and the second authentication screen is referred to as a “password input screen”.

  Each time a character is entered or deleted on the password entry screen, the hash value generator 22 uses one or more characters entered on the password entry screen to generate a hash value. calculate. At this time, the hash value generation unit 22 calculates a hash value using the same hash function as the hash function used by the information creation unit 13. Note that the “characters” here include not only alphabets, hiragana, katakana, etc., but also anything that can be input at the client terminal 20 such as numbers and symbols.

  First, the display object generation unit 23 acquires display object specifying information from the authentication server 10. Subsequently, the display object generation unit 23 determines whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated by the hash value generation unit 22. If they match, the display object generation unit 23 displays the display object specified by the display object specifying information on the password input screen. On the other hand, if they do not match, the display object generation unit 23 displays a display object different from the display object specified by the display object specifying information on the password input screen.

  Moreover, in the aspect in which the character string is used as the display object, the display object generation unit 23 creates a random character string that is different from the character string specified by the display object specifying information in the case where they do not match, Can be displayed on the password input screen. That is, in this aspect, the displayed character string changes every time a character is input or deleted.

  As described above, in this embodiment, when a password is input by the user, whether or not a correct password is configured by the currently input character or character string every time a password character is input or deleted. To be judged. The user can know in real time whether or not the password is correct with a display such as a character string every time the user inputs or deletes. Therefore, according to the authentication system 30 in the present embodiment, it is possible to notify a user who is an input person of an erroneous input of a password before the input is confirmed. As a result, the above-described problem due to echo display is also solved.

  Further, in the present embodiment, the password itself is not a mechanism to fly as a message, and the information transmitted from the authentication server 10 to the client terminal 20 is only the display object specifying information. For this reason, according to this Embodiment, the fall of a security level can also be suppressed, implement | achieving confirmation of an incorrect input.

  In addition, in this embodiment, even when a non-registered user ID is input, a different display object can be displayed each time characters constituting the password are input or performed. For this reason, unlike the above-mentioned patent document 1, according to the present embodiment, it is difficult to specify a user ID by inputting a random character string. Further, unlike the above-described Patent Document 2, in the present embodiment, information specifying an erroneous input location is not given to the input person. Therefore, also from these points, according to the present embodiment, the security can be improved.

  Here, the configuration of the authentication system 30 in this embodiment, that is, the configuration of the authentication server 10 and the client terminal 20 will be described more specifically with reference to FIGS. 2 to 4 in addition to FIG.

  FIG. 2 is a diagram showing an example of user data registered in the authentication server in the embodiment of the present invention. In the present embodiment, the user data registration unit 14 accepts input of user data shown in FIG. 2, for example. In the example of FIG. 2, a character string is adopted as the display object. In the following, it is assumed that a character string is adopted as a display object.

  FIG. 3 is a diagram showing an example of a user ID input screen displayed on the display device of the client terminal in the embodiment of the present invention. As shown in FIG. 3, the user ID input screen has an input area (hereinafter referred to as “user ID input area”) 211 for inputting a user ID.

  FIG. 4 is a diagram showing an example of a password input screen displayed on the display device of the client terminal in the embodiment of the present invention. As shown in FIG. 4, the password input screen includes an input area for inputting a password (hereinafter referred to as “password input area”) 212 and an area for displaying a display object (hereinafter referred to as “display object output area”). .) 213 and a confirm button 214 for confirming the password.

[Configuration of authentication server]
In the present embodiment, when the authentication execution unit 11 of the authentication server 10 receives an authentication request from the user via the authentication screen display unit 21 of the client terminal 20, first, the authentication screen display unit 21 displays the user ID input screen. Data for displaying (see FIG. 3) is returned.

  Subsequently, when the authentication execution unit 11 receives a user ID input by the user (hereinafter referred to as “input user ID”) from the authentication screen display unit 21 of the client terminal 20, based on the received user ID, the user data storage unit 12. Search information stored in. And the authentication execution part 11 extracts the password and display thing relevant to input user ID from the user data memory | storage part 12, and passes these to the information generation part 13. FIG. As a result, the information generation unit 13 is activated.

  Subsequently, when receiving the display object specifying information from the information generating unit 13, the authentication executing unit 11 transmits the received display object specifying information to the authentication screen display unit 21 of the client terminal 20. At this time, the authentication execution unit 11 also returns data for displaying the password input screen (see FIG. 4) on the authentication screen display unit 21 corresponding to the user ID received from the authentication screen display unit 21. Do.

  Thereafter, when the password is confirmed, the authentication execution unit 11 performs login authentication of the user based on the password input by the user via the client terminal 20 authentication screen display unit 21.

  Further, as described above, when the information generation unit 13 of the authentication server 10 receives the password and the display object related to the input user ID from the authentication execution unit 11, the information generation unit 13 calculates a hash value and further displays the display object specifying information. Is generated.

  In the present embodiment, the information generation unit 13 can generate, for example, information including the calculated hash value and the extracted display object as the display object specifying information. The information generation unit 13 can also create a dictionary that links the calculated hash value and the display object as the display object specifying information. In the latter case, since the hash value itself is not transmitted as a message on the network, security can be further improved. Further, as the dictionary, specifically, there is a dictionary that outputs a display object extracted when the same value as the calculated hash value is input.

[Client terminal configuration]
In the present embodiment, the authentication screen display unit 21 first displays data for displaying a user ID input screen (see FIG. 3) on the authentication execution unit 11 of the authentication server 10 in response to an authentication request from the user. Request. Upon receiving the requested data, the authentication screen display unit 21 causes the display device 24 to display a user ID input screen using the received data.

  Subsequently, when the user inputs the user ID in the user ID input area 211 on the user ID input screen (see FIG. 3), the authentication screen display unit 21 displays the input user ID in the authentication execution unit of the authentication server 10. 11 And the authentication screen display part 21 requests | requires the data for displaying a password input screen (refer FIG. 4) with respect to the authentication execution part 11, and display thing specific information.

  Subsequently, when receiving data for displaying a password input screen (see FIG. 4) from the authentication execution unit 11 of the authentication server 10, the authentication screen display unit 21 uses this to display the password input screen on the display device 24. Is displayed.

  Subsequently, when the user inputs or deletes characters on the password input area 212 of the password input screen (see FIG. 4), the authentication screen display section 21 causes the hash value generation section 22 to enter the password input area at that time. The character string input to 212 and the display object specifying information received from the authentication execution unit 11 are passed. Thereby, the hash value generation unit 22 is activated.

  After that, when the password is confirmed, the authentication screen display unit 21 passes the password input on the password input screen (see FIG. 4) to the authentication execution unit 11 of the authentication server 10 and requests an authentication result.

  Moreover, in this Embodiment, the hash value production | generation part 22 receives the character string input into the password input area 212 from the authentication screen display part 21, and produces | generates a hash value based on this. Then, the hash value generation unit 22 passes the generated hash value and the display object specifying information acquired from the authentication execution unit 11 of the authentication server 10 to the display object generation unit 23. Thereby, the display object production | generation part 23 starts.

  In the present embodiment, the display object generation unit 23 first displays the display object output area 213 (based on the hash value received from the hash value generation unit 22 and the display object specifying information acquired from the authentication execution unit 11. A character string to be actually displayed is generated (see FIG. 4). Then, the display object generation unit 23 passes the character string to be displayed in the display object output area 213 to the authentication screen display unit 21.

  Further, in the present embodiment, when the display object specifying information is information including the display object and the hash value calculated from the password, the display object generating unit 23 calculates the display object specifying information from the display object specifying information. The identified hash value is compared with the hash value calculated by the hash value generation unit 22.

  If they match as a result of the comparison, the display object generation unit 23 outputs the display object specified by the display object specifying information, in this embodiment, the character string shown in FIG. It is displayed in the area 213 (see FIG. 4). On the other hand, if they do not match as a result of the comparison, the display object generation unit 23 creates a random character string different from the character string specified by the display object specifying information, and inputs the generated random character string as a password. It is displayed in the display object output area 213 of the screen.

  Furthermore, in this embodiment, when the display object specifying information is the above-described dictionary, the display object generation unit 23 uses this dictionary to display the hash value calculated by the hash value generation unit 22 as a display object (character Column). Specifically, the display object generation unit 23 inputs the hash value calculated by the hash value generation unit 22 into the dictionary. The dictionary outputs the character string extracted on the authentication server 10 side when the same value as the hash value calculated on the authentication server 10 side is input, and the authentication server when the different value is input. A random character string different from the character string extracted on the 10 side is output.

  Accordingly, when the password is correctly input, the hash value calculated by the hash value generation unit 22 is the same value as the hash value calculated on the authentication server 10 side, so the dictionary is extracted on the authentication server 10 side. The displayed object (character string shown in FIG. 2) is output.

  On the other hand, when the password is not correctly input, the hash value calculated by the hash value generation unit 22 is different from the hash value calculated on the authentication server 10 side, and thus the dictionary is a display extracted on the authentication server 10 side. A random character string different from the object (character string different from the character string shown in FIG. 2) is output.

  Thereafter, the display object generation unit 23 displays the character string output from the dictionary in the display object output area 213 of the password input screen. As described above, when the display object specifying information is used, the hash value calculated on the authentication server 10 side is matched with the hash value calculated on the client terminal 20 side by inputting the hash value into the dictionary. Is substantially performed.

[System operation]
Next, operation | movement of the authentication system 30 in embodiment of this invention is demonstrated using FIG.5 and FIG.6. In the present embodiment, the authentication method is implemented by operating the authentication system 30. Therefore, the description of the authentication method in the present embodiment is replaced with the following description of the operation of the authentication system 30.

[User data registration process]
First, user data registration processing in the authentication system 30 will be described with reference to FIG. FIG. 5 is a sequence diagram showing an operation during user data registration processing of the authentication system according to the embodiment of the present invention.

  As shown in FIG. 6, first, when a user requests registration of user data and inputs user data, in the authentication server 10, the user data registration unit 14 accepts input of user data (step S1). In the present embodiment, for example, a user inputs a user ID, a password, and a character string from a client terminal used by the user, and transmits them to the authentication server 10.

  Next, the user data registration unit 14 passes the user data that has been accepted to the user data storage unit 12. As a result, the user data storage unit 12 adds the received user data as a new record (step S2).

[Authentication process]
Subsequently, an authentication process in the authentication system 30 will be described with reference to FIG. FIG. 6 is a sequence diagram showing an operation during authentication processing of the authentication system according to the embodiment of the present invention.

  As shown in FIG. 6, when the user first makes an authentication request, the authentication screen display unit 21 of the client terminal 20 receives the user authentication request (step A1). Next, the authentication screen display unit 21 requests data for displaying a user ID input screen (see FIG. 3) from the authentication execution unit 11 of the authentication server 10 (step A2).

  Subsequently, the authentication execution unit 11 of the authentication server 10 returns data for displaying the user ID input screen (see FIG. 3) to the authentication screen display unit 21 of the client terminal 20 (step A3). When step A3 is executed, a user ID input screen is displayed on the screen of the display device 24.

  Next, when the user inputs the user ID on the user ID input screen, the authentication screen display unit 21 of the client terminal 20 receives the input of the user ID (step A4). Next, the authentication screen display unit 21 transmits the input user ID to the authentication server 10 and delivers the input user ID to the authentication execution unit 11 of the authentication server 10 (step A5). In step A5, the authentication screen display unit 21 requests the authentication server 10 for data for displaying a password input screen (see FIG. 4) and display object specifying information.

  Next, the authentication execution unit 11 of the authentication server 10 searches the information stored in the user data storage unit 12 based on the received input user ID, and data (password and character) related to the input user ID. Column) is acquired (step A6). And the authentication execution part 11 passes the data acquired from the user data memory | storage part 12 to the information generation part 13, and starts it (step A7).

  When step A7 is executed, the information generation unit 13 creates display object specifying information based on the data received from the authentication execution unit 11 (step A8), and returns it to the authentication execution unit 11 (step A9). ).

  Next, the authentication execution unit 11 returns display object specifying information and data for displaying a password input screen (see FIG. 4) to the authentication execution unit 11 of the client terminal 20 (step A10). When step A10 is executed, a password input screen is displayed on the screen of the display device 24.

  Next, the user starts to input a password. Each time the user inputs or deletes a character, the authentication screen display unit 21 authenticates the authentication server 10 with one or more characters input in the password input area 212 at that time. The display object specifying information received from the execution unit 11 is passed to the hash value generation unit 22 (step A11). By executing step A11, the hash value generation unit 22 is activated.

  Next, the hash value generation unit 22 generates a hash value of the character string input in the password input area 212 acquired from the authentication screen display unit 21 (step A12). Further, the hash value generation unit 22 passes the generated hash value and the display object specifying information acquired from the authentication execution unit 11 of the server to the display object generation unit 23, and activates them (step A13).

  Next, the display object generation unit 23 displays the password input screen (see FIG. 4) display object based on the hash value received from the hash value generation unit 22 and the display object specifying information acquired from the authentication screen display unit 21. A character string displayed in the output area 213 is generated (step A14). And the display thing production | generation part 23 returns the produced | generated character string to the authentication screen display part 21 (step A15). Thereafter, the authentication screen display unit 21 displays the character string received from the display object generation unit 23 in the display object output area 213 of the password input screen (step A16).

  Steps A11 to A16 are repeated until the user confirms the password. That is, the user refers to the display object output area 213 while the steps A11 to A16 are repeatedly executed, and confirms whether or not the password is correctly input. If it can be confirmed that the password has been correctly input, the user presses the confirm button 214 (see FIG. 4) on the password input screen to confirm the password.

  When the password is confirmed, the authentication screen display unit 21 makes an authentication request to the authentication execution unit 11 of the authentication server 10 (step A17). Thereafter, the authentication execution unit 11 of the authentication server 10 performs an authentication process based on the password received from the password input screen, and passes the authentication result to the user via the client terminal 20 (step A18).

  As described above, according to the authentication system 30 in the present embodiment, the following effects can be obtained. First, since only the user who is the input person can confirm in real time whether or not the input content is correct when entering the password, it is possible to reduce anxiety factors during the input by the user.

  In addition, it is possible to reduce the time required for notification of authentication failure due to incorrect input of password and access that occurs each time. Furthermore, the occurrence of troublesome processes for the user, such as the account lock release operation after the authentication failure determination and the resetting of a new password, which occurs due to incorrect password input, is suppressed.

  Further, in the present embodiment, when the client terminal 20 acquires the registered hash value and display object through the authentication server 10, it is not necessary to communicate with the authentication server 20 until the password is determined. In addition, an increase in communication cost can be suppressed. Furthermore, in the present embodiment, since history information is not used, it can be said that there is almost no possibility of a situation where stable operation is not possible.

  Also, in the present embodiment, the information creation unit 13 of the authentication server 10 causes the hash value to be calculated using a different hash function according to the time, and information for identifying the used hash function is displayed as the display object specifying information. It is preferable to make it an aspect included. In this aspect, the hash value generation unit 22 of the client terminal 20 specifies a hash function to be used from the display object specifying information, and calculates a hash value using the specified hash function. According to this aspect, even when the user inputs the same character string as the password on the password input screen, the hash value changes depending on the input time. For this reason, it becomes more difficult to specify a password by reverse conversion, and the accuracy of security is improved.

  Furthermore, this embodiment is a mode in which the display object specifying information is stored in each of the hash value generation unit 22 and the display object generation unit 23 in the process of repeatedly performing steps A11 to A16 illustrated in FIG. There may be. According to this aspect, it is possible to omit the exchange of the same data in the repeated processing, so that the operation accuracy in the client terminal 20 can be improved.

  In addition, in this embodiment, a function or the like for preventing unauthorized access can be added to one or both of the authentication server 10 and the client terminal 20. In this case, since it is possible to defend against attacks by third parties on the user data registered at the time of user registration and attacks by third parties on the display object specifying information used at the time of password authentication, the security in the authentication system 30 can be further enhanced. it can.

  The first program in the embodiment of the present invention may be a program that causes a computer to execute steps S1 and S2 shown in FIG. 5 and steps A3, A6 to A10, and A18 shown in FIG. The authentication server 10 according to the present embodiment can be realized by installing and executing this first program on a computer. In this case, a CPU (Central Processing Unit) of the computer functions as an authentication execution unit 11, an information generation unit 13, and a user data registration unit 14, and performs processing. Further, a storage device such as a hard disk provided in the computer functions as the user data storage unit 12.

  Furthermore, the second program in the embodiment of the present invention may be a program that causes a computer to execute steps A1, A2, A4, A5, A11 to A17 shown in FIG. The client terminal 20 in the present embodiment can be realized by installing and executing the second program on the computer. In this case, the CPU of the computer functions as an authentication screen display unit 21, a hash value generation unit 22, and a display object generation unit 23 to perform processing.

  Here, a computer that realizes the authentication server 10 by executing the first program and a computer that realizes the client terminal 20 by executing the second program will be described with reference to FIG. FIG. 7 is a block diagram illustrating an example of a computer that realizes the authentication server and the client terminal according to the embodiment of the present invention.

  As shown in FIG. 7, the computer 110 includes a CPU 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. These units are connected to each other via a bus 121 so that data communication is possible.

  The CPU 111 performs various calculations by developing the program (code) in the present embodiment stored in the storage device 113 in the main memory 112 and executing them in a predetermined order. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Further, the program in the present embodiment is provided in a state of being stored in a computer-readable recording medium 120. Note that the program in the present embodiment may be distributed on the Internet connected via the communication interface 117.

  Specific examples of the storage device 113 include a hard disk and a semiconductor storage device such as a flash memory. The input interface 114 mediates data transmission between the CPU 111 and an input device 118 such as a keyboard and a mouse. The display controller 115 is connected to the display device 119 and controls display on the display device 119. The data reader / writer 116 mediates data transmission between the CPU 111 and the recording medium 120, and reads a program from the recording medium 120 and writes a processing result in the computer 110 to the recording medium 120. The communication interface 117 mediates data transmission between the CPU 111 and another computer.

  Specific examples of the recording medium 120 include general-purpose semiconductor storage devices such as CF (Compact Flash) and SD (Secure Digital), magnetic storage media such as a flexible disk, or CD-ROM (Compact Disk). Optical storage media such as Read Only Memory).

[Modification]
Here, a modification of the present embodiment will be described with reference to FIG. FIG. 8 is a block diagram showing a configuration of the authentication device according to the embodiment of the present invention. As shown in FIG. 8, the authentication device 40 is configured by adding the configuration of the authentication server 10 to the client terminal 20 shown in FIG.

  That is, in the authentication device 40 shown in FIG. 8, the part on the authentication server 10 is incorporated as a part on the client terminal 20, and the user is entering an incorrect password input during login authentication in the client application. Can be confirmed. The authentication device 40 shown in FIG. 8 is useful for a PC, a portable terminal, or the like that has an input area that is echoed when characters are input.

  Part or all of the above-described embodiment can be expressed by (Appendix 1) to (Appendix 15) described below, but is not limited to the following description.

(Appendix 1)
A client terminal used by a user; and an authentication server that authenticates the user based on a user ID and password input by the user via the client terminal;
The authentication server is
A user data storage unit that stores a user ID, a password, and a display object in association with each other in advance,
When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the user data storage unit, and a hash value is calculated from the extracted password. An information creation unit that generates display object identification information that can identify the hash value and the extracted display object,
The client terminal is
An authentication screen display unit for displaying a first authentication screen for receiving an input of a user ID, and displaying a second authentication screen for receiving an input of a password after receiving an input of the user ID;
A hash value generation unit that calculates a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen When,
The display object specifying information is acquired from the authentication server, and it is determined whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated by the hash value generation unit. If the display object specified by the display object specifying information is displayed on the second authentication screen, and the display object specifying information does not match, the display object specifying information is specified on the second authentication screen. A display object generation unit for displaying a display object different from the display object to be displayed.
An authentication system characterized by that.

(Appendix 2)
The display object is a character string,
When the display object generation unit of the client terminal does not match, a random character string different from the character string specified by the display object specifying information is generated, and the generated random character string is used as the second authentication. The authentication system according to claim 1, wherein the authentication system is displayed on a screen.

(Appendix 3)
The information creation unit of the authentication server generates information including the calculated hash value and the extracted display object as the display object specifying information.
The authentication system according to claim 1 or 2.

(Appendix 4)
The information creation unit of the authentication server generates a dictionary that outputs the extracted display object as the display object specifying information when the same value as the calculated hash value is input.
The authentication system according to claim 1 or 2.

(Appendix 5)
The information creation unit of the authentication server and the hash value generation unit of the client terminal calculate hash values using different hash functions according to time.
The authentication system in any one of Claims 1-4.

(Appendix 6)
An authentication server that authenticates the user based on a user ID and password input by a user via a client terminal,
A user data storage unit that stores a user ID, a password, and a display object in association with each other in advance,
When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the user data storage unit, and a hash value is calculated from the extracted password. An information creation unit that generates display object identification information that can identify the hash value and the extracted display object;
An authentication server characterized by comprising:

(Appendix 7)
For each user, the user ID, password, and display object are stored in association with each other in advance. When the user ID is input, the password and display object associated with the input user ID are extracted and extracted. A client terminal that calculates a hash value from a password and generates display object specifying information that can specify the calculated hash value and the extracted display object. And
An authentication screen display unit for displaying a first authentication screen for receiving an input of a user ID, and displaying a second authentication screen for receiving an input of a password after receiving an input of the user ID;
A hash value generation unit that calculates a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen When,
The display object specifying information is acquired from the authentication server, and it is determined whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated by the hash value generation unit. If the display object specified by the display object specifying information is displayed on the second authentication screen, and the display object specifying information does not match, the display object specifying information is specified on the second authentication screen. A display object generation unit for displaying a display object different from the display object to be displayed;
A client terminal characterized by comprising:

(Appendix 8)
An authentication device that authenticates the user based on a user ID and password input by the user,
A user data storage unit that stores a user ID, a password, and a display object in association with each other in advance,
An authentication screen display unit for displaying a first authentication screen for receiving an input of a user ID, and displaying a second authentication screen for receiving an input of a password after receiving an input of the user ID;
When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the user data storage unit, and a hash value is calculated from the extracted password. An information creation unit that generates display object identification information that can identify the hash value and the extracted display object;
A hash value generation unit that calculates a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen When,
It is determined whether or not the hash value specified by the display object specifying information matches the hash value calculated by the hash value generation unit. If they match, the display object specifying is displayed on the second authentication screen. A display object generation unit that displays a display object specified by the information, and displays a display object different from the display object specified by the display object specifying information on the second authentication screen when they do not match, With
An authentication apparatus characterized by that.

(Appendix 9)
An authentication method for authenticating a user based on a user ID and a password,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) displaying a first authentication screen and accepting an input of a user ID;
(C) When a user ID is input, a password and a display object associated with the input user ID are extracted from the information stored in the step (a), and a hash value is extracted from the extracted password. Generating display object identification information that can identify the calculated hash value and the extracted display object, and
(D) after receiving the input of the user ID, displaying a second authentication screen and receiving an input of a password;
(E) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(F) It is determined whether or not the hash value specified by the display object specifying information generated in the step (c) matches the hash value calculated in the step (e). The display object specified by the display object specifying information is displayed on the second authentication screen when the display object specified by the display object specifying information is displayed on the second authentication screen and does not match. And displaying a different display object.
An authentication method characterized by that.

(Appendix 10)
The display object is a character string,
In the step (f), if they do not match, a random character string different from the character string specified by the display object specifying information is created, and the created random character string is displayed on the second authentication screen. The authentication method according to claim 9, wherein the authentication method is displayed.

(Appendix 11)
In the step (c), information including the calculated hash value and the extracted display object is generated as the display object specifying information.
The authentication method according to claim 9 or 10.

(Appendix 12)
In the step (c), when the same value as the calculated hash value is input, a dictionary for outputting the extracted display object is generated as the display object specifying information.
The authentication method according to claim 9 or 10.

(Appendix 13)
In the step (c) and the step (e), a hash value is calculated using a different hash function according to time.
The authentication method according to claim 9.

(Appendix 14)
A program for performing authentication of the user by a computer based on a user ID and password input by a user via a client terminal,
In the computer,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the information stored in the step (a) and extracted. Calculating a hash value from the password, and generating display object specifying information capable of specifying the calculated hash value and the extracted display object; and
A program that executes

(Appendix 15)
For each user, the user ID, password, and display object are stored in association with each other in advance. When the user ID is input, the password and display object associated with the input user ID are extracted and extracted. For calculating the hash value from the password, and generating the display object specifying information that can specify the calculated hash value and the extracted display object, for transmitting the user ID and password input by the user to the authentication server by the computer A program,
In the computer,
(A) displaying a first authentication screen for accepting input of a user ID; and
(B) displaying a second authentication screen for accepting an input of a password after accepting an input of the user ID;
(C) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(D) The display object specifying information is acquired from the authentication server, and whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated in the step (c). When it is determined and matches, the display object specified by the display object specifying information is displayed on the second authentication screen, and when they do not match, the display object specifying is displayed on the second authentication screen. Displaying a display object different from the display object specified by the information; and
A program that executes

  According to the present invention, it is possible to notify an input person of an incorrect password input before confirming the input, and it is possible to improve security. The present invention is widely useful for authentication systems that require authentication processing.

DESCRIPTION OF SYMBOLS 10 Authentication server 11 Authentication execution part 12 User data storage part 13 Information generation part 14 User data registration part 20 Client terminal 21 Authentication screen display part 22 Hash value generation part 23 Display thing generation part 24 Display apparatus 30 Authentication system 40 Authentication apparatus 110 Computer 111 CPU
112 Main Memory 113 Storage Device 114 Input Interface 115 Display Controller 116 Data Reader / Writer 117 Communication Interface 118 Input Device 119 Display Device 120 Recording Medium 121 Bus 211 User ID Input Area 212 Password Input Area 213 Display Object Output Area 214 Confirm Button

Claims (8)

A client terminal used by a user; and an authentication server that authenticates the user based on a user ID and password input by the user via the client terminal;
The authentication server is
A user data storage unit that stores a user ID, a password, and a display object in association with each other in advance,
When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the user data storage unit, and a hash value is calculated from the extracted password. An information creation unit that generates display object identification information that can identify the hash value and the extracted display object,
The client terminal is
An authentication screen display unit for displaying a first authentication screen for receiving an input of a user ID, and displaying a second authentication screen for receiving an input of a password after receiving an input of the user ID;
A hash value generation unit that calculates a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen When,
The display object specifying information is acquired from the authentication server, and it is determined whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated by the hash value generation unit. If the display object specified by the display object specifying information is displayed on the second authentication screen, and the display object specifying information does not match, the display object specifying information is specified on the second authentication screen. A display object generation unit for displaying a display object different from the display object to be displayed.
An authentication system characterized by that. The display object is a character string,
When the display object generation unit of the client terminal does not match, a random character string different from the character string specified by the display object specifying information is generated, and the generated random character string is used as the second authentication. The authentication system according to claim 1, wherein the authentication system is displayed on a screen. The information creation unit of the authentication server generates information including the calculated hash value and the extracted display object as the display object specifying information.
The authentication system according to claim 1 or 2. The information creation unit of the authentication server generates a dictionary that outputs the extracted display object as the display object specifying information when the same value as the calculated hash value is input.
The authentication system according to claim 1 or 2. The information creation unit of the authentication server and the hash value generation unit of the client terminal calculate hash values using different hash functions according to time.
The authentication system in any one of Claims 1-4. An authentication method for authenticating a user based on a user ID and a password,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) displaying a first authentication screen and accepting an input of a user ID;
(C) When a user ID is input, a password and a display object associated with the input user ID are extracted from the information stored in the step (a), and a hash value is extracted from the extracted password. Generating display object identification information that can identify the calculated hash value and the extracted display object, and
(D) after receiving the input of the user ID, displaying a second authentication screen and receiving an input of a password;
(E) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(F) It is determined whether or not the hash value specified by the display object specifying information generated in the step (c) matches the hash value calculated in the step (e). The display object specified by the display object specifying information is displayed on the second authentication screen when the display object specified by the display object specifying information is displayed on the second authentication screen and does not match. And displaying a different display object.
An authentication method characterized by that. A program for performing authentication of the user by a computer based on a user ID and password input by a user via a client terminal,
In the computer,
(A) Preliminarily storing a user ID, a password, and a display object in association with each user;
(B) When a user ID is input from the client terminal, a password and a display object associated with the input user ID are extracted from the information stored in the step (a) and extracted. Calculating a hash value from the password, and generating display object specifying information capable of specifying the calculated hash value and the extracted display object; and
A program that executes For each user, the user ID, password, and display object are stored in association with each other in advance. When the user ID is input, the password and display object associated with the input user ID are extracted and extracted. For calculating the hash value from the password, and generating the display object specifying information that can specify the calculated hash value and the extracted display object, for transmitting the user ID and password input by the user to the authentication server by the computer A program,
In the computer,
(A) displaying a first authentication screen for accepting input of a user ID; and
(B) displaying a second authentication screen for accepting an input of a password after accepting an input of the user ID;
(C) calculating a hash value using one or more characters input on the second authentication screen each time a character is input or deleted on the second authentication screen; When,
(D) The display object specifying information is acquired from the authentication server, and whether or not the hash value specified by the acquired display object specifying information matches the hash value calculated in the step (c). When it is determined and matches, the display object specified by the display object specifying information is displayed on the second authentication screen, and when they do not match, the display object specifying is displayed on the second authentication screen. Displaying a display object different from the display object specified by the information; and
A program that executes

Images