
WO2013008352A1 - Authentication system and authentication method - Google Patents


Info

Publication number: WO2013008352A1
Authority: WO (WIPO (PCT))
Prior art keywords: server, user, authentication, client terminal, password
Application number: PCT/JP2011/080040
Other languages: French (fr), Japanese (ja)
Inventors: 敏文 新谷, 壮一 最首
Original Assignee: 株式会社野村総合研究所

Classifications

    • H04L 9/3226 (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using a predetermined code, e.g. password, passphrase or PIN
    • G06F 21/41 (Physics; Computing, calculating or counting; Electric digital data processing): Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; authentication, i.e. establishing the identity or authorisation of security principals; user authentication where a single sign-on provides access to a plurality of computers
    • H04L 9/3228 (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN, with one-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Definitions

  • FIG. 1 is a diagram showing an outline of a configuration example of an authentication system according to an embodiment of the present invention.
  • The authentication system 1 has a configuration in which a plurality of servers 100, a master server 200, and client terminals 300 are connected to a network 400.
  • The server 100 is a computer system composed of server devices, for example a web server, an application server, a database server, a file server or a storage system, and has the function of accepting access from the client terminal 300 after user authentication and providing services.
  • The server 100 includes, for example, a business processing unit 110 and an authentication processing unit 120 that are implemented by software programs.
  • The business processing unit 110 executes processing related to the service (business) provided by the server 100, and includes, for example, middleware and application programs.
  • The authentication processing unit 120 performs authentication processing for access to the server 100.
  • The authentication processing unit 120 holds user information 130, containing account information for each user, as the information used in authentication processing.
  • The user information 130 is configured as, for example, a database or a file table.
  • The user information 130 includes, for each user, account information such as a user seed 131, which is unique information different for each user, and a hashed password 132 obtained by hashing the password by a predetermined procedure.
  • The authentication processing unit 120 also has a server seed 140 as unique information that is different for each server.
  • The authentication processing unit 120 performs authentication with the client terminal 300 by a challenge/response method. That is, in response to the authentication request from the user, it transmits the server seed 140, the user seed 131, and a random number as the challenge. It then receives a hash value as the response from the client terminal 300 and authenticates by comparing the received hash value with the hashed password 132 further hashed with the random number. The authentication processing unit 120 therefore has a random number generation function and a hash algorithm, and various known techniques and algorithms can be used to implement them. When the security of the communication path between the server 100 and the client terminal 300 is ensured, a method other than challenge/response may be adopted.
  • The master server 200 is a computer system composed of server devices, PCs (Personal Computers), and the like, and generates and provides the user seeds 131 and server seeds 140 held by each server 100. Since it is not a so-called authentication server that performs authentication on behalf of the other servers, it has no user authentication function.
  • The master server 200 includes, for example, a seed generation unit 210 implemented by a software program.
  • The seed generation unit 210 generates seeds on an instruction from an administrator or the like, or on a request from a server 100, and provides them as user seeds 131 or server seeds 140 to the target server 100 via the network 400.
  • The seed generation method and the seed format are not particularly limited. For example, a unique character string or binary data of a predetermined length can be generated and used as a seed.
  • The client terminal 300 is a computer system composed of a PC, a portable terminal, or the like, and has the function of accessing the servers 100 via the network 400 in order to execute and use the service (business) provided by each server 100.
  • The client terminal 300 has a client application 310 implemented by, for example, a software program.
  • The client application 310 is an application program for executing and using the function (business) provided by each server 100.
  • The client application 310 has an authentication request unit 311 and may be, for example, a program that runs on a Web browser.
  • The authentication request unit 311 makes authentication requests to the servers 100 when the client application 310 executes or uses the function of each server 100. For example, it accepts a user ID and password from the user via a login screen and carries out authentication processing, individually or in parallel, with the authentication processing unit 120 of each server 100 by a challenge/response method or the like. This realizes the single sign-on function.
  • In doing so, the authentication request unit 311 hashes the password designated by the user according to a predetermined procedure and transmits the result to the authentication processing unit 120 of the server 100 for authentication. Accordingly, the authentication request unit 311 implements the same hash algorithm as the authentication processing unit 120 of the server 100.
  • The network 400 is, for example, a public communication network such as the Internet, or a communication network partially using a general public line, such as a WAN (Wide Area Network), a VPN (Virtual Private Network), or a LAN (Local Area Network), as appropriate.
  • Each server 100 holds in advance a seed generated by the seed generation unit 210 of the master server 200 as its server seed 140. Furthermore, initial registration of account information including a user ID, a password, and the like is performed in advance by each user.
  • In the account information, a seed generated by the seed generation unit 210 of the master server 200 is stored as the user seed 131 for each user ID. The password is stored as a hashed password 132, hashed by a predetermined hash algorithm using the user seed 131 and the server seed 140 as seed values.
  • Because hashing uses a user seed 131 unique to each user as a seed value, the hash values can differ for each user even when, for example, a plurality of users happen to specify the same password.
  • FIG. 2 is a diagram showing an outline of an example of the flow of authentication processing in the present embodiment.
  • The user requests authentication (login) via the authentication request unit 311 of the client terminal 300.
  • The authentication request unit 311 transmits an authentication request including the designated user ID to the server 100 (S01).
  • Upon receiving the user ID, the authentication processing unit 120 of the server 100 generates a random number as the challenge of the challenge/response method, acquires seeds, and transmits them to the client terminal 300 (S02).
  • The seeds acquired here are the server seed 140 and the user seed 131 corresponding to the user ID, held in the user information 130.
  • The hashing performed by the client terminal 300 must use the same procedure as the hashing performed in advance at user registration to obtain the hashed password 132. Further, for example, when an instruction to update the password is received from the server 100 in step S02, the password (and the hashed password 132) may be updated as necessary before step S03 is executed.
  • Upon receiving the hash value, the authentication processing unit 120 of the server 100 acquires the hashed password 132 corresponding to the target user ID from the user information 130 (S07) and hashes the acquired hashed password 132 using the random number generated in step S02 as a seed value (S08). It then authenticates by comparing the resulting hash value with the hash value received from the client terminal 300 in step S07, and transmits the authentication result to the client terminal 300 (S09). That is, if the two match, authentication is established; if they do not, it is not. At this time, for example, information on the location of the transmission source, such as the IP address, may be acquired from the request message from the client terminal 300, and further conditions, such as whether that information falls within a predetermined range, may be added to the success or failure judgment.
  • The authentication request unit 311 of the client terminal 300 receives the authentication result (S10) and then, as necessary, automatically performs the series of processes described above for the other servers 100 in turn to authenticate with each server 100. Since the authentication processing at each server 100 is independent, the series of processes can also be performed simultaneously, in parallel, against a plurality of servers 100. The necessary information about the servers 100 can be obtained by, for example, holding a setting file containing a list of the servers 100 on the client terminal 300.
  • Thus the user can authenticate with each necessary server 100 by specifying the user ID and password only once.
  • The value of the user's hashed password 132 at one server 100 is hashed with that server's own server seed 140, while the user's hashed password 132 at another server 100 is hashed with the other server's server seed 140, so the two values differ. Therefore, even if both are hashed using the same random number as a seed value, the same hash value is not obtained, and authentication is not established in step S09 of FIG. 2. Further, even if the server seed 140 of the other server 100 is acquired by some means, a hash value equal to the hashed password 132 at the other server 100 cannot be generated unless the password of the target user is known.
  • In this way, single sign-on to a plurality of servers 100 can be realized by a single authentication process from the client terminal 300 by the user.
  • The present invention can be used for an authentication system and an authentication method that perform single sign-on to a plurality of servers and the like with a single input of a user ID and password.
  • Description of symbols: 100 Server; 110 Business processing unit; 120 Authentication processing unit; 130 User information; 131 User seed; 132 Hashed password; 140 Server seed; 200 Master server; 210 Seed generation unit; 300 Client terminal; 310 Client application; 311 Authentication request unit; 400 Network.
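The challenge/response exchange and the per-server isolation property described above (user seed 131, server seed 140, hashed password 132, steps S01 to S10), as an added simulation that is not code from the patent. The page leaves the "predetermined procedure" unspecified, so HMAC-SHA256 is assumed for both the registration hash and the response, the 16-byte seed format and all class and function names (MasterServer, Server, ClientTerminal, hash_password, hash_response, verifier_is_server_scoped) are this example's own choices, and the credentials are constructed.

```python
"""Simulation of the seed-based challenge/response single sign-on flow.

Assumptions (not fixed by the page): HMAC-SHA256 as the hash procedure,
16 random bytes as the seed format, one outstanding challenge per user.
"""
import hashlib
import hmac
import os
from concurrent.futures import ThreadPoolExecutor


def hash_password(password: str, user_seed: bytes, server_seed: bytes) -> bytes:
    """Hashed password 132: the password hashed with user seed 131 and server seed 140."""
    return hmac.new(server_seed + user_seed, password.encode("utf-8"), hashlib.sha256).digest()


def hash_response(hashed_password: bytes, challenge: bytes) -> bytes:
    """Hash the hashed password once more with the random challenge (client response, server S08)."""
    return hmac.new(challenge, hashed_password, hashlib.sha256).digest()


class MasterServer:
    """Master server 200: generates seeds only, performs no authentication."""

    def generate_seed(self) -> bytes:
        return os.urandom(16)  # seed format is not fixed by the page; 16 random bytes assumed


class Server:
    """Server 100 with authentication processing unit 120 and user information 130."""

    def __init__(self, name: str, master: MasterServer):
        self.name = name
        self.master = master
        self.server_seed = master.generate_seed()  # server seed 140, unique per server
        self.user_info = {}  # user ID -> (user seed 131, hashed password 132)
        self.pending = {}    # user ID -> outstanding challenge (random number from S02)

    def register(self, user_id: str, password: str) -> None:
        """Initial registration: store a per-user seed and the seeded hash, never the password."""
        user_seed = self.master.generate_seed()
        self.user_info[user_id] = (user_seed, hash_password(password, user_seed, self.server_seed))

    def challenge(self, user_id: str):
        """S01/S02: answer an authentication request with server seed, user seed and a fresh random number."""
        if user_id not in self.user_info:
            return None
        user_seed, _ = self.user_info[user_id]
        nonce = os.urandom(16)
        self.pending[user_id] = nonce  # consumed by verify(), so a response is usable once
        return self.server_seed, user_seed, nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        """S07-S09: recompute the expected response from hashed password 132 and compare."""
        nonce = self.pending.pop(user_id, None)
        if nonce is None:
            return False  # no challenge outstanding: stale or repeated responses are rejected
        _, hashed_pw = self.user_info[user_id]
        expected = hash_response(hashed_pw, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ClientTerminal:
    """Client terminal 300; the server list stands in for the setting file mentioned on the page."""

    def __init__(self, servers: list):
        self.servers = servers

    def authenticate_one(self, server: Server, user_id: str, password: str) -> bool:
        """One exchange: re-derive hashed password 132 from the received seeds, then answer the challenge."""
        chal = server.challenge(user_id)
        if chal is None:
            return False
        server_seed, user_seed, nonce = chal
        hashed_pw = hash_password(password, user_seed, server_seed)  # same procedure as registration
        return server.verify(user_id, hash_response(hashed_pw, nonce))

    def single_sign_on(self, user_id: str, password: str) -> dict:
        """Run the exchange against every server in parallel; each server decides independently."""
        with ThreadPoolExecutor(max_workers=max(1, len(self.servers))) as pool:
            results = pool.map(lambda s: self.authenticate_one(s, user_id, password), self.servers)
            return {s.name: ok for s, ok in zip(self.servers, results)}


def verifier_is_server_scoped(src: Server, dst: Server, user_id: str) -> bool:
    """Isolation check from the text: hashed password 132 held by src must not verify at dst."""
    _, hashed_pw_src = src.user_info[user_id]
    _, _, nonce = dst.challenge(user_id)
    return dst.verify(user_id, hash_response(hashed_pw_src, nonce))


if __name__ == "__main__":
    master = MasterServer()
    farm = [Server("web", master), Server("db", master), Server("file", master)]
    for s in farm:
        s.register("alice", "correct horse battery staple")  # constructed sample credential
    client = ClientTerminal(farm)
    print(client.single_sign_on("alice", "correct horse battery staple"))  # every server True
    print(client.single_sign_on("alice", "wrong password"))                # every server False
    print(verifier_is_server_scoped(farm[0], farm[1], "alice"))            # False
```

Because each server recomputes the expected response from its stored hashed password 132, user information 130 must be protected like a credential store; the per-server seed is what keeps a value held by one server from verifying at another, which is the property the last check exercises.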

Abstract

Provided is an authentication system that provides a single sign-on to a plurality of servers and that enables simultaneous, parallel authentication while maintaining security between each server and system. Each server (100) has an authentication unit (120) that performs authentication; a client terminal (300) has an authentication request unit (311) that sends an authentication request to each server (100); and the authentication unit (120) has a server seed and user information (130) including a hashed password (132) being a password that has been hashed for each user ID, using the server seed. The server seed is sent in response to an authentication request to the client terminal (300), as a seed; the authentication request unit (311) sends to the server (100) a hash value being a password hashed using the seed received from the server (100); and the authentication unit (120) performs authentication by comparing the hash value received from the client terminal (300) and the hashed password (132) relating to the relevant user.

Description

Authentication system and authentication method
 The present invention relates to authentication technology, and more particularly to a technology that is effective when applied to an authentication system and an authentication method that perform single sign-on to a plurality of servers and the like with a single input of a user ID and password.
 In recent years, with the progress of cloud computing services and the like, it has become common for users to access a plurality of data centers and servers continuously or concurrently from their own client terminals in order to carry out information-processing work. In such a system environment, a so-called single sign-on mechanism is sometimes applied to spare the user from authenticating individually at each server every time access to that server begins.
 In a single sign-on mechanism, a user authenticates once and can then access a plurality of systems and servers that require user authentication without performing separate authentication procedures for each. One technique for realizing this is for the servers and systems to communicate with each other using the SAML (Security Assertion Markup Language) protocol (Non-Patent Document 1), automatically handing over the result of an authentication performed at a specific server such as an authentication server, so that the user need not authenticate again at each server.
 However, a single sign-on environment based on such a mechanism presupposes a trust relationship, such as within an in-house system on an intranet, that permits authentication information to be handed over and accepted between servers and systems. Where the servers and systems are operated by different business operators, such a trust relationship may not be established, for security and other reasons.
 By contrast, JP 2010-86435 A (Patent Document 1), for example, describes the following network system. The network system is composed of a plurality of Web servers, a relay server, and a plurality of user terminals. A first Web server authenticates by comparing authentication information from a terminal with authentication information in a storage unit, and when authentication succeeds it generates a message containing the first user ID included in the authentication information, a first URL to the first Web server, a second URL to a second Web server, and information on the authentication strength, and sends the message to the relay server.
 The relay server obtains a second user ID corresponding to the first user ID from a table that registers identical user information, rewrites the first user ID in the message to the second user ID, and sends the message to the second Web server. On receiving the message, the second Web server obtains the second user ID from it and, if that second user ID is stored in its storage unit, re-authenticates the user based on the received authentication-strength information and the authentication-strength information in its storage unit. In this way, in a network system composed of a plurality of systems that have no trust or cooperative relationship with each other, a plurality of applications requiring authentication can be used with a single input of authentication information.
Patent Document 1: JP 2010-86435 A
 As described above, a single sign-on environment can be built using a technique such as that of Non-Patent Document 1. However, such an environment requires that a trust relationship be established between the servers and systems. Accordingly, in an environment where no trust relationship is established between servers and systems, for example between inside and outside a company or between different operators, it is conceivable that a server could use authentication information obtained from an authentication server for its own authentication processing to gain unauthorized access to other servers, which poses a problem from the standpoint of ensuring security between servers and systems.
 On the other hand, a mechanism such as that of Patent Document 1 makes it possible to build a single sign-on environment between servers and systems that have no trust relationship. However, apart from user management at one server, the user normally has to manage registration and changes of user IDs individually at the other servers as well. Moreover, as with the relay server of Patent Document 1, the correspondence between user IDs across the plurality of servers must also be managed, which makes administration cumbersome. Furthermore, in such a form, where authentication is carried out successively across a plurality of servers and systems, there is the problem that response deteriorates when the user needs to access a large number of servers and systems concurrently.
 SUMMARY OF THE INVENTION. Accordingly, an object of the present invention is to provide an authentication system and an authentication method that enable single sign-on to a plurality of servers and systems and that allow authentication to be performed concurrently while ensuring security between the servers and systems. The above and other objects and novel features of the present invention will become apparent from the description of this specification and the accompanying drawings.
 Of the inventions disclosed in this application, the outline of a representative one is briefly described as follows.
 An authentication system according to a representative embodiment of the present invention is an authentication system that performs single sign-on to a plurality of servers connected via a network by a single authentication process from a client terminal by a user, and has the following features.
 Namely, each server has an authentication processing unit that performs authentication processing for access to that server, and the client terminal has an authentication request unit that, when executing or using the function of each server, receives a user ID and password specified by the user and transmits authentication requests to the servers sequentially or in parallel.
 The authentication processing unit of the server holds a server seed, which is unique information differing for each server, and user information holding account information that includes, for each registered user ID, a hashed password obtained by hashing the user's password by a predetermined procedure using the server seed. In response to an authentication request received from the client terminal, it transmits the server seed to the client terminal as a seed. The authentication request unit of the client terminal transmits to the server a hash value obtained by hashing the password specified by the user by a predetermined procedure using the seed received from the server. The authentication processing unit of the server then authenticates by comparing the hash value received from the client terminal with the hashed password of the target user, and transmits the authentication result to the client terminal.
 The present invention can also be applied to an authentication method that performs single sign-on to a plurality of servers connected via a network by a single authentication process from a client terminal by a user.
 Of the inventions disclosed in this application, the effects obtained by a representative one are briefly described as follows.
 According to a representative embodiment of the present invention, single sign-on to a plurality of servers and systems becomes possible, and by performing authentication concurrently while ensuring security between the servers and systems, a deterioration in response due to authentication processing can be suppressed.
FIG. 1 is a diagram showing an outline of a configuration example of an authentication system according to an embodiment of the present invention.
FIG. 2 is a diagram showing an outline of an example of the flow of authentication processing according to an embodiment of the present invention.
 Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In all drawings for describing the embodiments, the same components are in principle denoted by the same reference symbols, and repeated description of them is omitted.
 An authentication system according to an embodiment of the present invention realizes single sign-on to a plurality of servers and systems (hereinafter sometimes simply referred to as "servers") through a single authentication process by a user from a client terminal. By performing authentication with a different key (server-specific information) for each server, access to each server can be performed independently and securely. In addition, authentication on each server can be performed concurrently, so that when many servers must be accessed at the same time, the time required for authentication is reduced and a drop in response time is suppressed.
 <System configuration>
 The system configuration of the authentication system of this embodiment is described below. FIG. 1 is a diagram showing an outline of a configuration example of an authentication system according to an embodiment of the present invention. The authentication system 1 has a configuration in which a plurality of servers 100, a master server 200, and a client terminal 300 are connected to a network 400.
 The server 100 is a computer system composed of server equipment, such as a web server, application server, database server, file server, or storage system, and has the function of accepting access from the client terminal 300 and the like after user authentication and providing services. The server 100 has, for example, a business processing unit 110 and an authentication processing unit 120 implemented by software programs. The business processing unit 110 executes the processing related to the services (business operations) provided by the server 100 and is composed of, for example, middleware and application programs.
 The authentication processing unit 120 performs authentication processing for access to the server 100. As information used in authentication processing, the authentication processing unit 120 has user information 130 consisting of account information for each user. The user information 130 is composed of, for example, a database or a file table, and holds, for each registered user's user ID, account information such as a user seed 131 (unique information that differs for each user) and a hashed password 132 obtained by hashing the password by a predetermined procedure. The authentication processing unit 120 also has a server seed 140, which is unique information that differs for each server.
 In this embodiment, as described later, the authentication processing unit 120 performs authentication with the client terminal 300 by a challenge/response method. That is, in response to an authentication request from the user, it sends the server seed 140, the user seed 131, and a random number or the like as the challenge. It then receives from the client terminal 300, as the response, the password hashed with these values (a hash value), and performs authentication by comparing the received hash value with the hashed password 132 further hashed with the above random number. The authentication processing unit 120 therefore implements a random number generation function and a hash algorithm. Various publicly known techniques and algorithms can be used for these implementations. When the security of the communication path between the server 100 and the client terminal 300 is otherwise ensured, a method other than the challenge/response method may be adopted.
 The master server 200 is a computer system composed of server equipment, a PC (Personal Computer), or the like, and generates and provides the user seeds 131 and server seeds 140 held by each server 100. Since it is not a so-called authentication server that performs authentication on behalf of the other servers, it has no user authentication function. The master server 200 has, for example, a seed generation unit 210 implemented by a software program.
 The seed generation unit 210 generates seeds based on an instruction from an administrator or the like, or on a request from each server 100, and provides them to the target server 100 via the network 400 as a user seed 131 or a server seed 140. The seed generation method and the seed format are not particularly limited; for example, a unique character string or binary data of a predetermined length can be generated and used as a seed.
 The client terminal 300 is a computer system composed of a PC, a mobile terminal, or the like, and has the function of accessing the servers 100 via the network 400 in order to execute and use the services (business operations) provided by each server 100. The client terminal 300 has, for example, a client application 310 implemented by a software program. The client application 310 is an application program for executing and using the functions (business operations) provided by each server 100 and has an authentication request unit 311; for example, a program running in a web browser can also be used.
 The authentication request unit 311 makes authentication requests to the servers 100 when the client application 310 executes or uses the functions of each server 100. For example, it accepts a user ID and password from the user via a login screen and performs authentication processing individually with the authentication processing unit 120 of each server 100, sequentially or in parallel, by a challenge/response method or the like, thereby realizing the single sign-on function.
 Here, the password specified by the user is hashed by a predetermined procedure based on the server seed 140, the user seed 131, and the random number sent from the authentication processing unit 120 of the server 100 in response to the authentication request, and the result is sent to the authentication processing unit 120 of the server 100 to perform authentication. The authentication request unit 311 therefore implements the same hash algorithm as that implemented by the authentication processing unit 120 of the server 100.
 The network 400 can be, as appropriate, a public communication network such as the Internet, a communication network that partly uses general public lines such as a WAN (Wide Area Network) or VPN (Virtual Private Network), a LAN (Local Area Network), or the like.
 <Authentication process>
 The content of the authentication processing in the authentication system 1 of this embodiment is described below. As the initial state for authentication processing, each server 100 is assumed to hold in advance, as its server seed 140, a seed generated by the seed generation unit 210 of the master server 200. Further, each user is assumed to have performed initial registration of account information, including a user ID and password, beforehand. As part of this account information, a seed generated by the seed generation unit 210 of the master server 200 for each user ID is held as the user seed 131. The password itself is held as a hashed password 132, hashed by a predetermined hash algorithm using the user seed 131 and the server seed 140 as seed values.
 By not holding the password directly, leakage of the password can be prevented. In addition, by hashing with the user seed 131 unique to each user as a seed value, the hash values differ from user to user even if, for example, several users happen to specify the same password.
 FIG. 2 is a diagram showing an outline of an example of the flow of authentication processing in this embodiment. First, the user makes an authentication (login) request via the authentication request unit 311 of the client terminal 300, specifying, for example, the user ID and password via a login screen or the like. The authentication request unit 311 sends an authentication request containing the specified user ID to the server 100 (S01).
 On receiving the user ID, the authentication processing unit 120 of the server 100 generates a random number as the challenge of the challenge/response method, further obtains the seeds, and sends these to the client terminal 300 (S02). Here, in addition to the random number, it obtains the server seed 140 and the user seed 131 corresponding to the user ID held in the user information 130.
 The authentication request unit 311 of the client terminal 300, having received the server seed 140, the user seed 131, and the random number, hashes the password specified in step S01 with a predetermined hash algorithm (S03). It then hashes the hash value obtained in step S03 using the user seed 131 as a seed value (S04), hashes the hash value obtained in step S04 using the server seed 140 as a seed value (S05), and finally makes the result one-time by hashing the hash value obtained in step S05 using the random number as a seed value, and sends the resulting hash value to the server 100 (S06).
 The series of hashing steps S03 to S05 above is only an example, and other procedures that give an equivalent result are of course possible, but the procedure must be the same as the hashing procedure used to obtain the hashed password 132 at the time of user registration. In addition, for example, when in step S02 the server 100 returns an instruction to update the password because the password has expired, the password (and the hashed password 132) may be updated before step S03 is executed, as necessary.
 On receiving the hash value, the authentication processing unit 120 of the server 100 obtains the hashed password 132 corresponding to the target user ID from the user information 130 (S07) and hashes the obtained hashed password 132 using the random number generated in step S02 as a seed value (S08). It then performs authentication by comparing the resulting hash value with the hash value received from the client terminal 300 in step S07, and sends the authentication result to the client terminal 300 (S09). That is, if the two values match, authentication succeeds; if they do not match, authentication fails. At this time, for example, information on the location of the sender, such as the IP address, may be obtained from the request message from the client terminal 300, and other conditions, such as whether this information falls within a predetermined range, may be added to the decision on whether authentication succeeds.
 The authentication request unit 311 of the client terminal 300 receives the authentication result (S10), and then, as necessary, automatically performs the same series of steps in turn for the other servers 100, thereby authenticating to each server 100. Since the authentication processing on each server 100 is independent, the series of steps can also be performed concurrently against all the required servers 100. Which servers 100 are required can be determined, for example, by holding a configuration file containing a list of the servers 100 on the client terminal 300.
 Through the above processing, the user can authenticate to each required server 100 by specifying the user ID and password only once.
 By adopting the method described above, even if, for example, the administrator of a certain server 100 obtains account information such as the target user's user seed 131 and hashed password 132 from that server's own user information 130, this information cannot be used to impersonate the user and authenticate to another server 100, so security between the servers 100 is ensured.
 This is because the value of the user's hashed password 132 on one server 100 was hashed with that server's own server seed 140, while the same user's hashed password 132 on another server 100 was hashed with that other server's server seed 140, so the values differ. Therefore, even if both are hashed with the same random number as a seed value, the resulting hash values are not the same, and authentication fails in step S09 of FIG. 2. Moreover, even if the server seed 140 of the other server 100 were obtained by some means, a hash value equal to the hashed password 132 on that other server 100 cannot be generated without knowing the target user's password.
 As described above, according to the authentication system 1 of an embodiment of the present invention, single sign-on to a plurality of servers 100 can be realized through a single authentication process by a user from the client terminal 300. By performing authentication using unique information (the server seed 140) that differs for each server 100, access to each server 100 can be performed independently and securely. In addition, authentication on the servers 100 can be performed concurrently, so that when many servers must be accessed at the same time, the time required for authentication is reduced and a drop in response time is suppressed.
 The invention made by the present inventors has been described concretely above based on an embodiment, but the present invention is not limited to that embodiment, and it goes without saying that various modifications can be made without departing from its gist.
 The present invention can be used for an authentication system and an authentication method that perform single sign-on to a plurality of servers or the like through a single input of a user ID and password.
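The following Python program is an added worked example, not code from the patent or its applicant. It implements the registration state described under <Authentication process> (user seed 131, server seed 140, hashed password 132), the challenge/response steps S01 to S10, concurrent sign-on to several servers, and the cross-server property argued in the two paragraphs above: the hashed password held by one server is useless as a response to another server's challenge. The patent leaves the "predetermined procedure" open; this example assumes SHA-256 over `seed || data` for each seeded hashing step, and the class names `MasterServer`, `Server`, and `Client` are the example's own, chosen to mirror reference numerals 200, 100, and 300.

```python
import hashlib
import hmac
import secrets
from concurrent.futures import ThreadPoolExecutor


def seeded_hash(seed: bytes, data: bytes) -> bytes:
    """Hash `data` using `seed` as a seed value.

    Assumption: the patent's "predetermined procedure" is taken to be
    SHA-256 over seed || data. Client and server must use the same one.
    """
    return hashlib.sha256(seed + data).digest()


def derive_hashed_password(password: str, user_seed: bytes, server_seed: bytes) -> bytes:
    """Steps S03-S05; also the procedure used at registration for hashed password 132."""
    h = hashlib.sha256(password.encode("utf-8")).digest()  # S03: hash the password
    h = seeded_hash(user_seed, h)                           # S04: hash with user seed 131
    return seeded_hash(server_seed, h)                      # S05: hash with server seed 140


class MasterServer:
    """Seed generation unit 210: issues unique seeds, performs no authentication."""

    def generate_seed(self) -> bytes:
        return secrets.token_bytes(32)


class Server:
    """Authentication processing unit 120 holding user information 130 and server seed 140."""

    def __init__(self, name: str, master: MasterServer):
        self.name = name
        self.master = master
        self.server_seed = master.generate_seed()        # 140
        self.users: dict[str, tuple[bytes, bytes]] = {}  # 130: user_id -> (131, 132)
        self.pending: dict[str, bytes] = {}              # outstanding challenge per user

    def register(self, user_id: str, password: str) -> None:
        user_seed = self.master.generate_seed()          # 131, unique per user
        hashed_pw = derive_hashed_password(password, user_seed, self.server_seed)  # 132
        self.users[user_id] = (user_seed, hashed_pw)

    def challenge(self, user_id: str):
        """S02: return (server seed, user seed, random number) or None for an unknown user."""
        if user_id not in self.users:
            return None
        user_seed, _ = self.users[user_id]
        rnd = secrets.token_bytes(16)
        self.pending[user_id] = rnd
        return self.server_seed, user_seed, rnd

    def verify(self, user_id: str, response: bytes) -> bool:
        """S07-S09: hash the stored hashed password with the challenge and compare."""
        rnd = self.pending.pop(user_id, None)            # each challenge is single-use
        if rnd is None:
            return False
        _, hashed_pw = self.users[user_id]               # S07
        expected = seeded_hash(rnd, hashed_pw)           # S08
        return hmac.compare_digest(expected, response)   # S09, constant-time comparison


class Client:
    """Authentication request unit 311."""

    def login(self, server: Server, user_id: str, password: str) -> bool:
        chal = server.challenge(user_id)                 # S01 -> S02
        if chal is None:
            return False
        server_seed, user_seed, rnd = chal
        h = derive_hashed_password(password, user_seed, server_seed)  # S03-S05
        response = seeded_hash(rnd, h)                   # S06: one-time value
        return server.verify(user_id, response)          # S07-S10

    def single_sign_on(self, servers: list, user_id: str, password: str) -> dict:
        """One credential entry, independent authentication to every server in parallel."""
        with ThreadPoolExecutor(max_workers=max(1, len(servers))) as pool:
            results = list(pool.map(lambda s: self.login(s, user_id, password), servers))
        return {s.name: ok for s, ok in zip(servers, results)}


def cross_server_isolation_check(server_a: Server, server_b: Server, user_id: str) -> bool:
    """Defensive check of the property in the text: server A's hashed password 132,
    hashed with server B's challenge, must NOT verify at server B (returns False)."""
    _, hashed_pw_a = server_a.users[user_id]
    _, _, rnd_b = server_b.challenge(user_id)
    return server_b.verify(user_id, seeded_hash(rnd_b, hashed_pw_a))


if __name__ == "__main__":
    master = MasterServer()
    servers = [Server(f"server-{i}", master) for i in range(1, 4)]
    for s in servers:
        s.register("alice", "correct horse battery")   # constructed sample account
    print(Client().single_sign_on(servers, "alice", "correct horse battery"))
    print(cross_server_isolation_check(servers[0], servers[1], "alice"))
```

Because `verify` pops the challenge before comparing, a captured S06 response cannot be presented a second time, which is what the text means by making the value one-time; and because `derive_hashed_password` is the single shared routine for registration and for S03 to S05, the requirement that both procedures be identical is enforced by construction.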
 DESCRIPTION OF SYMBOLS
 1 ... Authentication system,
 100 ... Server, 110 ... Business processing unit, 120 ... Authentication processing unit, 130 ... User information, 131 ... User seed, 132 ... Hashed password, 140 ... Server seed,
 200 ... Master server, 210 ... Seed generation unit,
 300 ... Client terminal, 310 ... Client application, 311 ... Authentication request unit,
 400 ... Network.

Claims (5)

  1.  An authentication system that performs single sign-on to a plurality of servers connected via a network through a single authentication process by a user from a client terminal, wherein
     each of the servers has an authentication processing unit that performs authentication processing for access to the server,
     the client terminal has an authentication request unit that, when executing or using the functions of each server, receives a user ID and password specified by the user and sends authentication requests to the servers sequentially or in parallel,
     the authentication processing unit of the server has a server seed, which is unique information that differs for each server, and user information holding account information for each registered user ID, including a hashed password obtained by hashing the user's password by a predetermined procedure using the server seed, and, in response to the authentication request received from the client terminal, sends the server seed to the client terminal as a seed,
     the authentication request unit of the client terminal sends to the server a hash value obtained by hashing the password specified by the user by a predetermined procedure using the seed received from the server, and
     the authentication processing unit of the server performs authentication by comparing the hash value received from the client terminal with the hashed password of the target user, and sends the authentication result to the client terminal.
  2.  The authentication system according to claim 1, wherein
     the authentication processing unit of the server further has, as the account information for each user held in the user information, a user seed that is unique information differing for each user, holds as the hashed password the user's password hashed by a predetermined procedure using the server seed and the user seed, and, in response to the authentication request received from the client terminal, sends to the client terminal, as the seeds, the server seed and the user seed of the target user.
  3.  The authentication system according to claim 1 or 2, wherein
     the authentication processing unit of the server, in response to the authentication request received from the client terminal, sends the seeds and a generated random number to the client terminal,
     the authentication request unit of the client terminal hashes the password specified by the user by a predetermined procedure using the seeds received from the server, further hashes the result using the random number received from the server, and sends the resulting hash value to the server, and
     the authentication processing unit of the server performs authentication by comparing the hash value received from the client terminal with a value obtained by hashing the hashed password of the target user using the random number.
  4.  The authentication system according to any one of claims 1 to 3,
     further comprising a master server connected to the network that generates, based on a request from each server, the seed values to be used as the seeds and provides them to each server.
  5.  An authentication method that performs single sign-on to a plurality of servers connected via a network through a single authentication process by a user from a client terminal, wherein
     each of the servers has a server seed, which is unique information that differs for each server, and account information for each registered user ID including a user seed, which is unique information that differs for each user, and a hashed password obtained by hashing the user's password by a predetermined procedure using the server seed and the user seed, the method comprising:
     a first step in which the client terminal, when executing or using the functions of each server, sends to the server an authentication request containing the user ID specified by the user;
     a second step in which the server, having received the authentication request, sends the server seed, the user seed of the target user, and a generated random number to the client terminal;
     a third step in which the client terminal hashes the password specified by the user by a predetermined procedure using the server seed and the user seed received from the server, further hashes the result using the random number, and sends the resulting hash value to the server; and
     a fourth step in which the server, having received the hash value, performs authentication by comparing the hash value with a value obtained by hashing the hashed password of the target user using the random number, and sends the authentication result to the client terminal,
     wherein the first to fourth steps are executed sequentially or in parallel for each of the servers.
PCT/JP2011/080040 2011-07-08 2011-12-26 Authentication system and authentication method WO2013008352A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2011-151336 2011-07-08
JP2011151336A JP4820928B1 (en) 2011-07-08 2011-07-08 Authentication system and authentication method

Publications (1)

Publication Number Publication Date
WO2013008352A1 true WO2013008352A1 (en) 2013-01-17

Family

ID=45327076

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2011/080040 WO2013008352A1 (en) 2011-07-08 2011-12-26 Authentication system and authentication method

Country Status (2)

Country Link
JP (1) JP4820928B1 (en)
WO (1) WO2013008352A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015108903A (en) * 2013-12-03 2015-06-11 日本電信電話株式会社 Distributed information cooperation system and data operation method therefor and program
WO2017104674A1 (en) * 2014-12-22 2017-06-22 日本電産株式会社 Motor module and motor authentication method
JPWO2017104674A1 (en) * 2015-12-18 2018-09-27 日本電産株式会社 Motor module and motor authentication method

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014035610A (en) * 2012-08-08 2014-02-24 Hitachi Ltd Authentication system and authentication method
JP2014068140A (en) 2012-09-25 2014-04-17 Sony Corp Information processor, information processing method and program
US8949960B2 (en) * 2013-03-15 2015-02-03 Google Inc. Privacy preserving knowledge and factor possession tests for persistent authentication
CA3008705C (en) 2015-12-14 2020-03-10 Coinplug, Inc. System for issuing public certificate on basis of block chain, and method for issuing public certificate on basis of block chain by using same
KR101680260B1 (en) 2015-12-14 2016-11-29 주식회사 코인플러그 Certificate issuance system and method based on block chain
KR101723405B1 (en) * 2016-07-04 2017-04-06 주식회사 코인플러그 Certificate authentication system and method based on block chain
JP6545404B1 (en) * 2018-07-23 2019-07-17 三菱電機株式会社 Server apparatus, attack determination method and attack determination program
JP6910748B1 (en) * 2020-03-16 2021-07-28 木戸 啓介 Password authentication system
JP2023167724A (en) * 2022-05-13 2023-11-24 浩志 渡辺 On-line authentication technique

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003132022A (en) * 2001-10-22 2003-05-09 Nec Corp User authentication system and method
JP2005209118A (en) * 2004-01-26 2005-08-04 Nippon Telegr & Teleph Corp <Ntt> Information distributed storage system, overall authentication server device used therefor, authentication server device, distributed storage server device, and information distributed storage method
JP2008040644A (en) * 2006-08-03 2008-02-21 Fujitsu Ltd Login management method and server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11282982A (en) * 1998-03-31 1999-10-15 Oki Electric Ind Co Ltd User card, communication terminal equipment, communication server, communication system and user authentication method for communication system
WO2001082117A1 (en) * 2000-04-27 2001-11-01 Webfeat, Inc. Method and system for retrieving search results from multiple disparate databases
JP2002324049A (en) * 2001-04-25 2002-11-08 Nippon Telegr & Teleph Corp <Ntt> Access control method and system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015108903A (en) * 2013-12-03 2015-06-11 日本電信電話株式会社 Distributed information cooperation system and data operation method therefor and program
WO2017104674A1 (en) * 2014-12-22 2017-06-22 日本電産株式会社 Motor module and motor authentication method
JP2020018168A (en) * 2014-12-22 2020-01-30 日本電産株式会社 Motor module and motor authentication method
US11860002B2 (en) 2014-12-22 2024-01-02 Nidec Corporation Position estimation method and position control device
JPWO2017104674A1 (en) * 2015-12-18 2018-09-27 日本電産株式会社 Motor module and motor authentication method
CN109874402A (en) * 2015-12-18 2019-06-11 日本电产株式会社 Motor module and motor authentication method

Also Published As

Publication number Publication date
JP4820928B1 (en) 2011-11-24
JP2013020312A (en) 2013-01-31

Similar Documents

Publication Publication Date Title
JP4820928B1 (en) Authentication system and authentication method
JP5375976B2 (en) Authentication method, authentication system, and authentication program
US11394703B2 (en) Methods for facilitating federated single sign-on (SSO) for internal web applications and devices thereof
JP6255091B2 (en) Secure proxy to protect private data
EP3537689B1 (en) Using credentials stored in different directories to access a common endpoint
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
EP2702726B1 (en) System and method for data interception and authentication with reverse proxy
US9398001B1 (en) System for and method of providing single sign-on (SSO) capability in an application publishing environment
US9276869B2 (en) Dynamically selecting an identity provider for a single sign-on request
US20100077208A1 (en) Certificate based authentication for online services
US20090089870A1 (en) System and method for validating interactions in an identity metasystem
US8136144B2 (en) Apparatus and method for controlling communication through firewall, and computer program product
EP3117578B1 (en) Disposition engine for single sign on (sso) requests
WO2017016252A1 (en) Token generation and authentication method, and authentication server
US10972453B1 (en) Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof
JP2004173285A (en) Secure processing of client credentials used for web-based access to resource
WO2014128343A1 (en) Method and apparatus for providing account-less access via an account connector platform
US9479490B2 (en) Methods and systems for single sign-on while protecting user privacy
JP2007310512A (en) Communication system, service providing server, and user authentication server
JP5342020B2 (en) Group definition management system
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
JP2017523508A (en) Secure integrated cloud storage
US10791119B1 (en) Methods for temporal password injection and devices thereof
JP2016115260A (en) Authority transfer system, authorization server used for authority transfer system, resource server, client, mediation device, authority transfer method and program
US10931662B1 (en) Methods for ephemeral authentication screening and devices thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 11869481
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 11869481
    Country of ref document: EP
    Kind code of ref document: A1