WO2022097453A1 - Authentication proxy device, authentication proxy method, and recording medium - Google Patents
Authentication proxy device, authentication proxy method, and recording medium
- Publication number: WO2022097453A1 (PCT/JP2021/038241)
- Authority: WO (WIPO (PCT))
- Prior art keywords: authentication information, authentication, server, request, client
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
Definitions
- The present invention relates to an authentication proxy device, an authentication proxy method, and a recording medium.
- Services provided on websites include services that a user can use by entering authentication information (an ID (identification), a password, and so on) and logging in.
- To make entering the authentication information easier in this case, one method is to store the authentication information in the browser installed on the terminal.
- With the method of storing the authentication information in the browser, an operating mistake by the user can cause the authentication information to be stored on the terminal in a situation the user did not intend. Once stored on the terminal, the authentication information may be misused if the terminal is lost or stolen, or if the terminal is used by an unspecified number of people.
- There is also a method in which a relay server that relays the communication between the terminal and the server stores the authentication information.
- In these methods, the terminal accepts the input of the authentication information. The authentication information may therefore remain on the terminal without the user being aware of it, and if the terminal is lost or stolen, the remaining authentication information may be misused. In addition, if software or hardware that monitors key input, such as a keylogger, is installed on the terminal, the authentication information may be eavesdropped. These risks are particularly high for a terminal used by an unspecified number of people.
- An object of the present invention is to provide an authentication proxy device, an authentication proxy method, and a recording medium that make it possible to improve the security of entering authentication information when using a web service.
- The authentication proxy device of the present invention includes: a relay means that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not send the response to the client; an authentication information requesting means that, when the response from the server includes the authentication information request, performs request processing that requests the input of the authentication information from an input source other than the client; and an authentication processing means that transmits the authentication information input from the input source to the server.
- The authentication proxy method of the present invention relays communication between a server and a client; when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not send the response to the client and performs request processing that requests the input of the authentication information from an input source other than the client; and transmits the authentication information input from the input source to the server.
- The authentication proxy program recorded on a computer-readable recording medium of the present invention causes a computer to realize: a relay function that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not send the response to the client; an authentication information request function that, when the response from the server includes the authentication information request, performs request processing that requests the input of the authentication information from an input source other than the client; and an authentication processing function that transmits the authentication information input from the input source to the server.
- FIG. 1 shows a configuration example of the authentication proxy device 10 of the present embodiment.
- The authentication proxy device 10 of the present embodiment includes a relay unit 11, an authentication information request unit 12, and an authentication processing unit 13.
- The relay unit 11 relays the communication between the server and the client. Further, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, the relay unit 11 does not send the response to the client.
- The authentication information request unit 12 performs request processing that requests the input of the authentication information from an input source other than the client.
- The authentication processing unit 13 transmits the authentication information input from the input source to the server.
- With the authentication proxy device 10 configured in this way, when the response from the server includes an authentication information request, the authentication proxy device 10 does not send the response to the client and performs request processing that requests the input of the authentication information from an input source other than the client. The authentication proxy device 10 then transmits the authentication information input from the input source to the server. As a result, the authentication proxy device 10 can obtain the authentication information without the user entering it on the client 50. It is therefore possible to improve the security of entering authentication information when using a web service.
- FIG. 2 shows an example of the operation of the authentication proxy device 10 of the present embodiment.
- The relay unit 11 relays the communication between the server and the client. When the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, the relay unit 11 does not send the response to the client.
- The authentication information request unit 12 performs request processing that requests the input of the authentication information from an input source other than the client (step S101).
- The authentication processing unit 13 transmits the authentication information input from the input source to the server (step S102).
- Through this operation, when the response from the server includes an authentication information request, the authentication proxy device 10 does not send the response to the client and requests the input of the authentication information from an input source other than the client. The authentication proxy device 10 then transmits the authentication information input from the input source to the server. As a result, the authentication proxy device 10 can obtain the authentication information without the user entering it on the client 50. It is therefore possible to improve the security of entering authentication information when using a web service.
- FIG. 3 shows a configuration example of a system including the authentication proxy device 20 of the present embodiment.
- The client 50 is a device that serves as a client in a client-server system.
- The client 50 is, for example, an information terminal such as a PC (Personal Computer), a smartphone, or a tablet terminal.
- The client 50 is operated directly by the user.
- The client 50 is, for example, a terminal on which a web browser (an HTTP (HyperText Transfer Protocol) / HTTPS (HyperText Transfer Protocol Secure) client) runs.
- The server 60 is a device that serves as a server in a client-server system, such as a web server.
- The server 60 has an authentication function for authenticating whether the client 50 that is the source of an access request is a client 50 to which access is permitted.
- The authentication proxy device 20 is a proxy device that relays communication between the client 50 and the server 60.
- The authentication proxy device 20 can communicate with one or more clients 50. Communication between the authentication proxy device 20 and the client 50 is assumed to be communication based on TCP (Transmission Control Protocol) / IP (Internet Protocol), such as HTTP / HTTPS, but is not limited to this. For example, the communication between the authentication proxy device 20 and the client 50 may be performed over a short-range wireless system or over USB (Universal Serial Bus). Further, the authentication proxy device 20 can communicate with one or more servers 60. Communication between the authentication proxy device 20 and the server 60 is assumed to be communication based on TCP / IP, such as HTTP / HTTPS, but is not limited to this.
- The authentication proxy device 20 sends the authentication information to the server 60 in place of the client 50.
- The authentication proxy device 20 can be realized as, for example, a dedicated device or a smartphone.
- For example, the client 50 is a terminal that can be used by an unspecified number of people, and the user possesses the authentication proxy device 20.
- FIG. 4 shows a configuration example of the authentication proxy device 20 of the present embodiment.
- The authentication proxy device 20 of the present embodiment includes a relay unit 21, an authentication information request unit 22, and an authentication processing unit 23. Further, the authentication proxy device 20 may include a credential information storage unit 24, an authentication information storage unit 25, and a display means 26. The credential information storage unit 24, the authentication information storage unit 25, and the display means 26 may be outside the authentication proxy device 20.
- The authentication information storage unit 25 may be, for example, on a cloud service with strong security. Further, the authentication information stored in the authentication information storage unit 25 may be encrypted.
- When the authentication information storage unit 25 is outside the authentication proxy device 20, the authentication information in the authentication information storage unit 25 can be cleared, or its use restricted, from a predetermined device other than the authentication proxy device 20. This reduces the risk of unauthorized use of the authentication information when the authentication proxy device 20 is stolen or lost. Further, even if the authentication proxy device in use is replaced because of damage or equipment replacement, the new authentication proxy device can use the authentication information stored in the authentication information storage unit 25 that the old authentication proxy device used, so the authentication information can easily be taken over.
- The relay unit 21 relays the communication between the client 50 and the server 60.
- When the relay unit 21 receives a request from the client 50 to the server 60, the relay unit 21 transfers the request to the server 60. If the response from the server 60 to the request from the client 50 includes an authentication information request requesting authentication information, the relay unit 21 does not send the response to the client 50. If the response from the server 60 does not include an authentication information request, the relay unit 21 transmits the response to the client 50.
- When the response from the server 60 includes an authentication information request, the authentication information request unit 22 performs request processing that requests the input of authentication information from an input source other than the client 50.
- In the present embodiment, the request processing is processing that displays a screen requesting the input of authentication information on the display means 26.
- The display means 26 is, for example, an internal or external display of the authentication proxy device 20.
- The authentication information request unit 22 accepts the input of the authentication information. Further, the authentication information request unit 22 stores the input authentication information in the authentication information storage unit 25. The authentication information request unit 22 may store the authentication information in the authentication information storage unit 25 when the authentication result received from the server 60 indicates that authentication succeeded. The authentication information request unit 22 stores the authentication information in the authentication information storage unit 25 in association with the identification information of the server 60 that requested the authentication information. In the present embodiment, the authentication information is input via an input device included in the authentication proxy device 20, such as a keyboard or a device that reads a fingerprint image or a face image.
- FIG. 5 shows an example of an authentication information input screen that requests the input of authentication information.
- Information indicating the display contents of the authentication information input screen is transmitted from the server 60.
- The authentication information input screen includes the URL (Uniform Resource Locator) of the access request destination, information on the client 50 that is the source of the access request ("request transmission terminal"), and the items of authentication information requested by the server 60.
- The screen also includes screen items that prompt the user to enter the authentication information.
- In the example of FIG. 5, the authentication information is a user ID, a password, and a one-time password, but the authentication information is not limited to these.
- FIG. 6 shows an example of the authentication information stored in the authentication information storage unit 25.
- In the example of FIG. 6, the authentication information is an authentication user ID and an authentication password.
- The authentication information is associated with the server ID of the server 60 that is the access request destination. Further, an authentication information ID that uniquely identifies the authentication information is assigned to each item of authentication information.
- A terminal user ID is further associated with the authentication information.
- The terminal user ID is the ID of a user who is allowed to use the authentication information.
- The terminal user ID may be, for example, the ID of the user who is using the smartphone when the authentication proxy device 20 is a smartphone, or the ID of the user who is logged in to the PC when the authentication proxy device 20 is a PC.
- The terminal user ID is used to limit the users who can use the authentication information. Limiting the users who can use the authentication information in this way reduces the possibility that the authentication information is used illegally when the client 50 is shared by a plurality of people.
- The authentication processing unit 23 transmits the input authentication information to the server 60.
- When the authentication information for the server 60 is already stored in the authentication information storage unit 25, the authentication processing unit 23 acquires the authentication information from the authentication information storage unit 25 and transmits the acquired authentication information to the server 60. In this case, the authentication information request unit 22 may display on the display means 26 an authentication information input screen that includes the acquired authentication information. Then, when the user performs an operation confirming the authentication information, the authentication processing unit 23 may transmit the confirmed authentication information to the server 60.
- When the authentication result received from the server 60 indicates that authentication succeeded, the authentication processing unit 23 stores the credential information included in the authentication result in the credential information storage unit 24.
- The authentication processing unit 23 stores the credential information in the credential information storage unit 24 in association with the identification information of the client 50 to which the response is sent.
- The credential information is also called an access token. The credential information is information that the client 50 uses to access a protected resource.
- FIG. 7 shows an example of the information stored in the credential information storage unit 24.
- The credential information is associated with the server ID of the server 60 that is the source of the authentication result.
- The credential information is also associated with the client ID of the client 50 to which the authentication result is sent.
- Each item of credential information is assigned a credential ID that uniquely identifies it.
- The server ID is, for example, the host name or the IP (Internet Protocol) address of the server 60.
- The client ID is, for example, the terminal name of the client 50.
- The relay unit 21 attaches credential information to the communication from the client 50 to the server 60 based on the credential information stored in the credential information storage unit 24.
- This allows the server 60 to recognize that the communication from the client 50 is communication from a client 50 that has succeeded in authentication, that is, a client 50 that has access authority.
- The relay unit 21 deletes the credential information from the authentication result received from the server 60 and sends the authentication result with the credential information deleted to the client 50.
- With the authentication proxy device 20 configured in this way, when the response from the server includes an authentication information request, the authentication proxy device 20 does not send the response to the client and performs request processing that requests the input of the authentication information from an input source other than the client. The authentication proxy device 20 then transmits the authentication information input from the input source to the server. As a result, the authentication proxy device 20 can obtain the authentication information without the user entering it on the client 50. It is therefore possible to improve the security of entering authentication information when using a web service.
- FIG. 8 shows an operation example of the authentication proxy device 20 when a request to the server 60 is received from the client 50.
- FIG. 9 shows an operation example of the authentication proxy device 20 when a response is received from the server 60.
- FIG. 10 shows an operation example of the authentication proxy device 20 when authentication information is input.
- FIG. 11 shows an operation example of the authentication proxy device 20 when an authentication result is received from the server 60.
- The relay unit 21 of the authentication proxy device 20 receives a request to the server 60 from the client 50 (step S201 in FIG. 8).
- When credential information for the client 50 and the server 60 is stored in the credential information storage unit 24 (YES in step S202), the relay unit 21 attaches the credential information to the received request (step S203).
- The relay unit 21 then transmits the request to the server 60 (step S204).
- The relay unit 21 receives the response from the server 60 (step S301 in FIG. 9).
- When the response from the server 60 includes an authentication information request requesting authentication information (YES in step S302), the relay unit 21 does not send the response to the client 50.
- The authentication information request unit 22 then performs request processing that requests the input of authentication information from an input source other than the client 50.
- In the present embodiment, the request processing is processing that displays the authentication information input screen requesting the input of the authentication information on the display means 26 (step S303).
- When the authentication information for the server 60 is stored in the authentication information storage unit 25, the authentication information request unit 22 acquires the authentication information from the authentication information storage unit 25. Then, the authentication information request unit 22 causes the display means 26 to display the authentication information input screen including the acquired authentication information (step S305).
- When the response from the server 60 does not include an authentication information request, the relay unit 21 transmits the response to the client 50 (step S306). If the response includes credential information, the relay unit 21 sends the response with the credential information deleted to the client 50.
- Authentication information is input to the authentication information request unit 22 (step S401 in FIG. 10).
- The authentication information request unit 22 accepts the input of the authentication information and, when the same authentication information as the input authentication information is not stored in the authentication information storage unit 25 (step S402), stores the input authentication information in the authentication information storage unit 25 (step S403).
- The authentication information request unit 22 stores the authentication information in the authentication information storage unit 25 in association with the identification information of the server 60 that requested the authentication information. The authentication processing unit 23 then transmits the input authentication information to the server 60 (step S404).
- The relay unit 21 receives the authentication result from the server 60 (step S405 in FIG. 11). When the authentication result indicates that authentication succeeded (YES in step S406), the authentication processing unit 23 stores the credential information included in the authentication result in the credential information storage unit 24 (step S407). The authentication processing unit 23 stores the credential information in the credential information storage unit 24 in association with the identification information of the server 60 that is the source of the authentication result and the identification information of the client 50 that is its destination. The relay unit 21 then deletes the credential information from the authentication result transmitted from the server 60 and transmits the authentication result with the credential information deleted to the client 50 (step S408).
- Thereafter, the relay unit 21 attaches the credential information to the communication from the client 50 to the server 60 based on the credential information stored in the credential information storage unit 24. More specifically, when a request is received from the client 50 (step S201 in FIG. 8), the relay unit 21 acquires from the credential information storage unit 24 the credential information for the requesting client 50 and the requested server 60. The relay unit 21 attaches the acquired credential information to the request (YES in step S202, step S203) and then transmits the request with the credential information attached to the server 60 (step S204).
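The flow of FIGs. 8 to 11 (intercept the authentication information request, prompt on the proxy's own screen, submit the credentials, keep the access token in storage unit 24, strip it from what the client receives, and attach it to later requests) as an added, self-contained simulation. This is example code written for this page, not code from the patent; the ToyServer, the kiosk client names, the sample account and the `auth_request` / `access_token` message fields are all constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class ToyServer:
    """Constructed stand-in for server 60: answers protected requests with an
    authentication information request until it sees a valid access token."""

    def __init__(self, server_id: str, users: Dict[str, str]):
        self.server_id = server_id
        self._users = users            # constructed sample accounts
        self._tokens: set = set()      # access tokens it has issued

    def handle(self, request: dict) -> dict:
        if request.get("action") == "login":
            creds = request["credentials"]
            if self._users.get(creds["user_id"]) == creds["password"]:
                token = secrets.token_hex(16)
                self._tokens.add(token)
                # authentication result carrying credential information
                return {"status": 200, "auth_ok": True, "access_token": token}
            return {"status": 401, "auth_ok": False}
        if request.get("access_token") in self._tokens:
            return {"status": 200, "body": f"protected resource at {request['path']}"}
        # response that includes an authentication information request
        return {"status": 401, "auth_request": ["user_id", "password"]}


@dataclass
class AuthProxy:
    """Relay unit 21, request unit 22 and processing unit 23 in one object."""
    server: ToyServer
    # the input source other than the client: a callback standing in for the
    # proxy's own input screen; it receives the stored entry for prefilling
    input_source: Callable[[str, Optional[dict]], dict]
    # credential information storage unit 24: (server_id, client_id) -> token
    credentials: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # authentication information storage unit 25: server_id -> credentials
    auth_info: Dict[str, dict] = field(default_factory=dict)
    withheld: int = 0   # responses kept away from clients (S302 YES branch)

    def client_request(self, client_id: str, request: dict) -> dict:
        """Steps S201-S204: attach stored credential info, forward to server."""
        token = self.credentials.get((self.server.server_id, client_id))
        if token is not None:
            request = {**request, "access_token": token}
        return self.server_response(client_id, self.server.handle(request))

    def server_response(self, client_id: str, response: dict) -> dict:
        """Steps S301-S306: intercept auth requests, otherwise relay."""
        if "auth_request" not in response:
            return self._strip(response)          # S306, token never reaches client
        self.withheld += 1                        # the response is NOT relayed
        sid = self.server.server_id
        entered = self.input_source(sid, self.auth_info.get(sid))   # S303 / S305
        return self._authenticate(client_id, entered)

    def _authenticate(self, client_id: str, creds: dict) -> dict:
        """Steps S401-S408: send credentials, keep token, relay stripped result."""
        sid = self.server.server_id
        result = self.server.handle({"action": "login", "credentials": creds})
        if result.get("auth_ok"):
            self.auth_info[sid] = creds                                   # S403
            self.credentials[(sid, client_id)] = result["access_token"]  # S407
        return self._strip(result)                                        # S408

    @staticmethod
    def _strip(response: dict) -> dict:
        return {k: v for k, v in response.items() if k != "access_token"}


def demo() -> dict:
    """Constructed walk-through: two shared kiosk clients, one proxy."""
    server = ToyServer("app.example", {"alice": "correct horse"})
    prompts = []

    def proxy_input_screen(server_id: str, stored: Optional[dict]) -> dict:
        # stands in for display means 26 plus the proxy's own keyboard
        prompts.append((server_id, stored is not None))
        return stored or {"user_id": "alice", "password": "correct horse"}

    proxy = AuthProxy(server, proxy_input_screen)
    first = proxy.client_request("kiosk-1", {"path": "/inbox"})    # triggers login
    second = proxy.client_request("kiosk-1", {"path": "/inbox"})   # token attached
    third = proxy.client_request("kiosk-2", {"path": "/inbox"})    # prefilled prompt
    return {"first": first, "second": second, "third": third, "prompts": prompts,
            "withheld": proxy.withheld, "tokens_stored": len(proxy.credentials),
            "leaked": any("access_token" in r for r in (first, second, third))}
```

The kiosk never sees the login form or the token; the second kiosk still has to be confirmed on the proxy, but its prompt is prefilled from storage unit 25.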
- Through this operation, when the response from the server includes an authentication information request, the authentication proxy device 20 does not send the response to the client and requests the input of the authentication information from an input source other than the client. The authentication proxy device 20 then transmits the authentication information input from the input source to the server. As a result, the authentication proxy device 20 can obtain the authentication information without the user entering it on the client 50. It is therefore possible to improve the security of entering authentication information when using a web service.
- Further, the authentication proxy device 20 of the present embodiment stores the authentication information in the authentication information storage unit 25 and transmits the authentication information stored in the authentication information storage unit 25 to the server 60. It is therefore possible to obtain the same convenience as when the authentication information is stored in the browser.
- Further, the authentication proxy device 20 of the present embodiment stores the credential information in the credential information storage unit 24 rather than on the client 50, deletes the credential information from the authentication result received from the server 60, and sends the authentication result with the credential information deleted to the client 50. It therefore becomes possible to further improve the security when using the web service.
- FIG. 12 shows a configuration example of a system including the authentication proxy device 30 of the present embodiment.
- The system shown in FIG. 12 includes an authentication proxy device 30, a client 50, and a server 60.
- In the present embodiment, the server 60 has a function of issuing authentication information.
- The authentication proxy device 30 stores the authentication information issued by the server 60 in the authentication information storage unit 25.
- The server 60 receives, for example, a unique key from the authentication proxy device 30.
- The unique key is, for example, the ID of the SIM (Subscriber Identity Module) card of the client 50.
- The server 60 confirms the validity of the authentication proxy device 30 based on the unique key. The server 60 then generates the authentication information and inputs the generated authentication information to the authentication proxy device 30.
- The server 60 can generate an ID or password with a large number of bits (for example, 100 bits or more). As a result, the server 60 can generate robust authentication information. In addition, the user can log in to the service without being aware of the authentication information.
- FIG. 13 shows a configuration example of the authentication proxy device 30 of the present embodiment.
- The authentication proxy device 30 of the present embodiment includes a relay unit 21, an authentication information request unit 32, and an authentication processing unit 33. Further, the authentication proxy device 30 may include a credential information storage unit 24 and an authentication information storage unit 25. Since the relay unit 21, the credential information storage unit 24, and the authentication information storage unit 25 are the same as those in the second embodiment, their description is omitted. The authentication information request unit 32 and the authentication processing unit 33 are the same as the authentication information request unit 22 and the authentication processing unit 23 of the second embodiment except for the points described below, so their description is also omitted.
- When the response from the server 60 includes an authentication information request, the authentication information request unit 32 performs request processing that requests the input of authentication information from an input source other than the client 50.
- In the present embodiment, the request processing is processing that transmits to the server 60 an authentication information issuance request requesting the issuance of the authentication information.
- The authentication information request unit 32 performs the request processing when the response includes an authentication information request and authentication information for the server 60 is not stored in the authentication information storage unit 25.
- The authentication processing unit 33 stores the authentication information input from the server 60 in the authentication information storage unit 25. Further, when the response includes an authentication information request and authentication information for the server 60 is stored in the authentication information storage unit 25, the authentication processing unit 33 acquires the authentication information from the authentication information storage unit 25 and transmits the acquired authentication information to the server 60.
- With the authentication proxy device 30 configured in this way, when the response from the server includes an authentication information request, the authentication proxy device 30 does not send the response to the client and performs request processing that requests the input of the authentication information from an input source other than the client. The authentication proxy device 30 then transmits the authentication information input from the input source to the server. As a result, the authentication proxy device 30 can obtain the authentication information without the user entering it on the client 50. It is therefore possible to improve the security of entering authentication information when using a web service.
- FIG. 14 is an operation example of the authentication agency device 30 when a response is received from the server 60.
- The relay unit 21 receives the response from the server 60 (step S501 in FIG. 14).
- If the response from the server 60 includes an authentication information request requesting authentication information (YES in step S502), the relay unit 21 does not send the response to the client 50.
- The authentication information request unit 32 performs request processing for requesting the input of authentication information from an input source other than the client 50.
- The request process is a process of transmitting an authentication information issuance request to the server 60 when no authentication information for the server 60 that is the source of the response is stored in the authentication information storage unit 25 (NO in step S503; step S504).
- The authentication processing unit 33 acquires the authentication information from the authentication information storage unit 25 and transmits the acquired authentication information to the server 60 (step S505).
- The relay unit 21 transmits the response to the client 50 (step S506). At this time, if the response includes credential information, the relay unit 21 transmits to the client 50 the response from which the credential information has been deleted.
- The relay unit 21 receives the authentication information from the server 60 (step S401 in FIG. 10).
- If the authentication information storage unit 25 does not already store the same authentication information as that input from the server 60 (NO in step S402), the authentication information request unit 32 stores the input authentication information in the authentication information storage unit 25 (step S403).
- The authentication information request unit 22 stores the authentication information in the authentication information storage unit 25 in association with the identification information of the server 60 that requests the authentication information. The authentication processing unit 23 then transmits the input authentication information to the server 60 (step S404).
- The authentication agency device 30 does not send the response to the client and performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication agency device 30 then transmits the authentication information input from the input source to the server. As a result, the authentication agency device 30 can obtain the authentication information without having the user enter it on the client 50, which improves the security of authentication information input when using the web service.
- When the response from the server includes the authentication information request, the authentication agency device 20 does not send the response to the client and performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication agency device 30 then transmits the authentication information input from the input source to the server. As a result, the authentication agency device 30 can obtain the authentication information without having the user enter it on the client 50, which improves the security of authentication information input when using the web service.
- The authentication agency device 30 of the present embodiment sends an authentication information issuance request to the server 60 and stores the authentication information transmitted from the server 60 in the authentication information storage unit 25. This makes it possible to use more robust authentication information, and the user does not need to enter the authentication information at all. It therefore becomes possible to further improve the security of authentication information input when using the web service.
- the authentication agency device may be realized by using at least two or more information processing devices physically or functionally. Further, the authentication agency device may be realized as a dedicated device, or a general-purpose device may be used. Further, only a part of the functions of the authentication agency device may be realized by using the information processing device.
- FIG. 15 is a diagram schematically showing a hardware configuration example of an information processing device capable of realizing the authentication agency device of each embodiment of the present invention.
- the information processing device 90 includes a communication interface 91, an input / output interface 92, an arithmetic unit 93, a storage device 94, a non-volatile storage device 95, and a drive device 96.
- the relay unit 11 in FIG. 1 can be realized by the communication interface 91 and the arithmetic unit 93. Further, the authentication information request unit 12 and the authentication processing unit 13 can be realized by the arithmetic unit 93.
- The communication interface 91 is a communication means by which the authentication agency device of each embodiment communicates with an external device over at least one of a wired and a wireless connection.
- When the authentication agency device is realized using at least two information processing devices, those devices may be connected so as to be able to communicate with each other via the communication interface 91.
- the input / output interface 92 is a man-machine interface such as a keyboard as an example of an input device and a display as an output device.
- the arithmetic unit 93 is realized by, for example, an arithmetic processing unit such as a CPU (Central Processing Unit) or a microprocessor, or a plurality of electric circuits.
- the arithmetic unit 93 can, for example, read various programs stored in the non-volatile storage device 95 into the storage device 94 and execute processing according to the read programs.
- The storage device 94 is a memory device, such as a RAM (Random Access Memory), that can be referenced by the arithmetic unit 93, and stores programs, various data, and the like.
- the storage device 94 may be a volatile memory device.
- the non-volatile storage device 95 is a non-volatile storage device such as a ROM (Read Only Memory), a flash memory, etc., and can store various programs, data, and the like.
- The drive device 96 is, for example, a device that reads and writes data recorded on a recording medium 97, which will be described later.
- the recording medium 97 is an arbitrary recording medium capable of recording data, such as an optical disk, a magneto-optical disk, or a semiconductor flash memory.
- The information processing apparatus 90 illustrated in FIG. 15 constitutes an authentication agency device, and the authentication agency device may be realized by supplying it with a program capable of realizing the functions described in each of the above embodiments.
- The embodiment can be realized by the arithmetic unit 93 executing the program supplied to the authentication agency device. It is also possible for the information processing apparatus 90 to realize only some of the functions of the authentication agency device rather than all of them.
- the program may be recorded in the recording medium 97, and the program may be appropriately stored in the non-volatile storage device 95 at the shipping stage, the operation stage, or the like of the authentication agency device.
- a method of installing the program in the authentication agency device by using an appropriate jig may be adopted at the manufacturing stage before shipment, the operation stage, or the like.
- a general procedure such as a method of downloading from the outside via a communication line such as the Internet may be adopted.
- An authentication agency device including: a relay means that relays communication between a server and a client and does not send the response to the client when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information; an authentication information requesting means that, when the response from the server includes the authentication information request, performs request processing for requesting the input of the authentication information from an input source other than the client; and an authentication processing means for transmitting the authentication information input from the input source to the server.
- the authentication processing means stores the credential information included in the authentication result in the credential information storage unit.
- Appendix 3 The authentication agent according to Appendix 2, wherein the relay means transmits the authentication result from which the qualification information has been deleted to the client.
- The authentication information requesting means stores the input authentication information in the authentication information storage unit.
- The authentication processing means acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server.
- The authentication agency device according to Appendix 1, wherein the authentication information requesting means performs the request processing when the response includes the authentication information request and no authentication information for the server is stored in the authentication information storage unit.
- the authentication information requesting means stores the input authentication information in the authentication information storage unit, the response includes the authentication information request, and the authentication information for the server is stored in the authentication information storage unit.
- the authentication agency device according to Appendix 5, wherein the screen including the authentication information acquired from the authentication information storage unit is displayed on the display means.
- Appendix 10 The authentication agency method according to Appendix 9, wherein the authentication result from which the qualification information has been deleted is transmitted to the client.
- The input authentication information is stored in the authentication information storage unit.
- When the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, the authentication information is acquired from the authentication information storage unit and the acquired authentication information is sent to the server. The request processing is performed when the response includes the authentication information request and no authentication information for the server is stored in the authentication information storage unit.
- the authentication processing function stores the credential information included in the authentication result in the credential information storage unit.
- A computer-readable recording medium recording the authentication agency program according to Appendix 15, wherein the relay function attaches the credential information to the communication from the client to the server.
- A computer-readable recording medium recording the authentication agency program according to Appendix 16, wherein the relay function transmits to the client the authentication result from which the credential information has been deleted.
- the authentication information request function stores the input authentication information in the authentication information storage unit.
- The authentication processing function acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server.
- The computer-readable recording medium according to Appendix 15, wherein the authentication information request function performs the request processing when the response includes the authentication information request and no authentication information for the server is stored in the authentication information storage unit.
- A computer-readable recording medium recording the authentication agency program according to any one of Appendix 15 to Appendix 18, wherein the request process displays on the display means a screen requesting the input of the authentication information.
- the authentication information request function stores the input authentication information in the authentication information storage unit, the response includes the authentication information request, and the authentication information for the server is stored in the authentication information storage unit.
- a computer-readable recording medium recording the authentication agency program according to Appendix 19, wherein the screen including the authentication information acquired from the authentication information storage unit is displayed on the display means.
- The request process is a process of transmitting to the server an authentication information issuance request requesting the issuance of the authentication information.
Abstract
In order to make it possible to improve the security of authentication information input when using a web service, the present invention: relays communication between a server and a client; does not transmit to the client a response from the server to a request from the client to the server if the response includes an authentication information request requesting authentication information; if the response from the server includes the authentication information request, performs request processing that requests the input of the authentication information from an input source other than the client; and transmits the authentication information input from the input source to the server.
Description
The present invention relates to an authentication agency device, an authentication agency method, and a recording medium.
Among the services provided on websites are services that become usable when the user enters authentication information (such as an ID (identification) and a password) and logs in. To make entering the authentication information easier in such cases, there is a method of having the browser installed on the terminal store the authentication information.
With the method of storing authentication information in the browser, the authentication information may be stored on the terminal in situations the user did not intend, for example because of an operating mistake by the user. Once authentication information is stored on the terminal, it may be misused if the terminal is lost or stolen, or if the terminal is one used by an unspecified number of people.
As a countermeasure against these problems, the terminal's security policy could be set to a policy that does not allow the browser to store authentication information. However, not storing authentication information in the browser may reduce convenience.
For example, the authentication information must be entered at every login. Also, because the user manages the authentication information, the user may be unable to log in after forgetting it. Further, if the password is complex, even a legitimate user risks an account lock caused by a password entry error.
In contrast, in the method described in Patent Document 1, a relay server that relays communication between the terminal and the server stores the authentication information. This method therefore reduces the possibility of the authentication information being misused when the terminal is lost or stolen, and so improves security compared with the case in which the terminal's browser stores the authentication information.
However, in the method described in Patent Document 1, the terminal accepts the input of the authentication information. Authentication information may therefore remain on the terminal without the user being aware of it, and if the terminal is lost or stolen, the authentication information remaining on it may be misused. In addition, if software or hardware that monitors key input, such as a keylogger, has been planted on the terminal, the authentication information may be captured. These risks are especially high for a terminal used by an unspecified number of people.
An object of the present invention is to provide an authentication agency device, an authentication agency method, and a recording medium that make it possible to improve the security of authentication information input when using a web service.
In one aspect of the present invention, an authentication agency device is characterized by including: a relay means that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client; an authentication information requesting means that, when the response from the server includes the authentication information request, performs request processing for requesting the input of the authentication information from an input source other than the client; and an authentication processing means that transmits the authentication information input from the input source to the server.
Further, in another aspect of the present invention, an authentication agency method is characterized by: relaying communication between a server and a client; when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, not transmitting the response to the client; when the response from the server includes the authentication information request, performing request processing for requesting the input of the authentication information from an input source other than the client; and transmitting the authentication information input from the input source to the server.
Further, in another aspect of the present invention, an authentication agency program recorded on a computer-readable recording medium is characterized by causing a computer to realize: a relay function that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client; an authentication information request function that, when the response from the server includes the authentication information request, performs request processing for requesting the input of the authentication information from an input source other than the client; and an authentication processing function that transmits the authentication information input from the input source to the server.
According to the present invention, it becomes possible to improve the security of authentication information input when using a web service.
[First Embodiment]
The first embodiment of the present invention will be described.
FIG. 1 shows a configuration example of the authentication agency device 10 of the present embodiment. The authentication agency device 10 of the present embodiment includes a relay unit 11, an authentication information request unit 12, and an authentication processing unit 13.
The relay unit 11 relays communication between the server and the client. Further, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, the relay unit 11 does not transmit the response to the client. When the response from the server includes an authentication information request, the authentication information request unit 12 performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication processing unit 13 transmits the authentication information input from the input source to the server.
By configuring the authentication agency device 10 in this way, when the response from the server includes an authentication information request, the authentication agency device 10 does not transmit the response to the client and performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication agency device 10 then transmits the authentication information input from the input source to the server. This allows the authentication agency device 10 to obtain the authentication information without having the user enter it on the client 50. It therefore becomes possible to improve the security of authentication information input when using a web service.
Next, FIG. 2 shows an example of the operation of the authentication agency device 10 of the present embodiment.
The relay unit 11 relays communication between the server and the client. Further, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, the relay unit 11 does not transmit the response to the client. When the response from the server includes an authentication information request, the authentication information request unit 12 performs request processing for requesting the input of the authentication information from an input source other than the client (step S101). The authentication processing unit 13 transmits the authentication information input from the input source to the server (step S102).
By operating in this way, when the response from the server includes an authentication information request, the authentication agency device 10 does not transmit the response to the client and performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication agency device 10 then transmits the authentication information input from the input source to the server. This allows the authentication agency device 10 to obtain the authentication information without having the user enter it on the client 50. It therefore becomes possible to improve the security of authentication information input when using a web service.
As described above, in the first embodiment of the present invention, when the response from the server includes an authentication information request, the authentication agency device 10 does not transmit the response to the client and performs request processing for requesting the input of the authentication information from an input source other than the client. The authentication agency device 10 then transmits the authentication information input from the input source to the server. This allows the authentication agency device 10 to obtain the authentication information without having the user enter it on the client 50. It therefore becomes possible to improve the security of authentication information input when using a web service.
[Second Embodiment]
Next, the second embodiment of the present invention will be described.
First, FIG. 3 shows a configuration example of a system including the authentication agency device 20 of the present embodiment.
The client 50 is a device that acts as the client in a client-server system. The client 50 is, for example, an information terminal such as a PC (Personal Computer), a smartphone, or a tablet terminal. The client 50 is operated directly by the user. The client 50 is, for example, a terminal on which a web browser (an HTTP (Hyper Text Transfer Protocol)/HTTPS (Hypertext Transfer Protocol Secure) client) runs.
The server 60 is a device that acts as the server in a client-server system, for example a web server. The server 60 has an authentication function that authenticates whether the client 50 that is the source of an access request is a client 50 permitted to access it.
The authentication agency device 20 is a proxy device that relays communication between the client 50 and the server 60. The authentication agency device 20 can communicate with one or more clients 50. Communication between the authentication agency device 20 and the client 50 is assumed to be communication based on TCP (Transmission Control Protocol)/IP (Internet Protocol), such as HTTP/HTTPS, but is not limited to this. For example, communication between the authentication agency device 20 and the client 50 may be over a short-range wireless system or over USB (Universal Serial Bus). The authentication agency device 20 can also communicate with one or more servers 60. Communication between the authentication agency device 20 and the server 60 is assumed to be communication based on TCP/IP, such as HTTP/HTTPS, but is not limited to this.
When the client 50 transmits a request to the server 60 in response to a user operation and the server 60 requests authentication information, the authentication agency device 20, rather than the client 50, transmits the authentication information to the server 60.
The authentication agency device 20 can be realized, for example, as a dedicated device or on a smartphone or the like. For example, a case is conceivable in which the client 50 is a terminal usable by an unspecified number of people and the user carries the authentication agency device 20.
Next, FIG. 4 shows a configuration example of the authentication agency device 20 of the present embodiment. The authentication agency device 20 of the present embodiment includes a relay unit 21, an authentication information request unit 22, and an authentication processing unit 23. The authentication agency device 20 may also include a credential information storage unit 24, an authentication information storage unit 25, and a display means 26. The credential information storage unit 24, the authentication information storage unit 25, and the display means 26 may be located outside the authentication agency device 20.
The authentication information storage unit 25 may, for example, be located on a cloud service with strong security. The authentication information stored in the authentication information storage unit 25 may also be encrypted. When the authentication information storage unit 25 is outside the authentication agency device 20, the authentication information in the authentication information storage unit 25 can be cleared, or its use restricted, from a predetermined device other than the authentication agency device 20. This reduces risks such as unauthorized use of the authentication information if the authentication agency device 20 is stolen or lost. In addition, even when the authentication agency device in use is replaced because of damage or an equipment change, the new authentication agency device can take over the authentication information easily by using the authentication information stored in the authentication information storage unit 25 that the old authentication agency device used.
The relay unit 21 relays communication between the client 50 and the server 60. When the relay unit 21 receives a request from the client 50 addressed to the server 60, it forwards the request to the server 60. When the response from the server 60 to that request contains an authentication information request, that is, a request for authentication information, the relay unit 21 does not send the response to the client 50. When the response from the server 60 does not contain an authentication information request, the relay unit 21 sends the response to the client 50.
When the response from the server 60 contains an authentication information request, the authentication information request unit 22 performs request processing that requests input of the authentication information from an input source other than the client 50. In the present embodiment, the request processing is processing that causes the display means 26 to display a screen requesting input of the authentication information. The display means 26 is, for example, a display internal or external to the authentication proxy device 20.
The authentication information request unit 22 also accepts the input of the authentication information and stores the input authentication information in the authentication information storage unit 25. The authentication information request unit 22 may store the authentication information in the authentication information storage unit 25 when the authentication result received from the server 60 indicates that authentication succeeded. The authentication information request unit 22 stores the authentication information in the authentication information storage unit 25 in association with the identification information of the server 60 that requested it. In the present embodiment, the authentication information is input via an input device such as a keyboard provided on the authentication proxy device 20 or a device that reads a fingerprint image or a face image.
FIG. 5 shows an example of an authentication information input screen that requests input of authentication information. The information indicating what is displayed on the authentication information input screen is sent from the server 60. In the example of FIG. 5, the authentication information input screen includes the URL (Uniform Resource Locator) of the access request destination, information on the client 50 from which the access request was sent ("request transmission terminal"), and the items of authentication information requested by the server 60. The screen also includes screen items for having the user enter the authentication information. The example of FIG. 5 is a case in which the authentication information consists of a user ID, a password, and a one-time password, but the authentication information is not limited to these.
FIG. 6 shows an example of the authentication information stored in the authentication information storage unit 25. In the example of FIG. 6, the authentication information is an authentication user ID and an authentication password. The authentication information is associated with the server ID of the server 60 that is the access request destination. In addition, each piece of authentication information is assigned an authentication information ID that uniquely identifies it.
The authentication information is further associated with a terminal user ID. The terminal user ID is the ID of a user who is permitted to use that authentication information. The terminal user ID may be, for example, the ID of the user using the smartphone when the authentication proxy device 20 is a smartphone, or the ID of the user logged in to the PC when the authentication proxy device 20 is a PC. The terminal user ID is used, for example, to limit which users can use the authentication information. Limiting the users who can use the authentication information in this way reduces the possibility that the authentication information is used improperly when the client 50 is shared by several people.
When authentication information is input to the authentication information request unit 22, the authentication processing unit 23 sends the input authentication information to the server 60.
Further, when the response from the server 60 contains an authentication information request and authentication information for the server 60 is stored in the authentication information storage unit 25, the authentication processing unit 23 acquires the authentication information from the authentication information storage unit 25 and sends the acquired authentication information to the server 60. In this case, the authentication information request unit 22 may cause the display means 26 to display an authentication information input screen containing the acquired authentication information, and the authentication processing unit 23 may send the authentication information to the server 60 once the user performs an input confirming it.
When the authentication result received from the server 60 indicates that authentication succeeded, the authentication processing unit 23 stores the credential information contained in the authentication result in the credential information storage unit 24. The authentication processing unit 23 stores the credential information in the credential information storage unit 24 in association with the identification information of the client 50 to which the response is sent. The credential information is also called an access token; it is the information the client 50 uses to access a protected resource.
FIG. 7 shows an example of the information stored in the credential information storage unit 24. In the example of FIG. 7, the credential information is associated with the server ID of the server 60 from which the authentication result was sent. The credential information is also associated with the client ID of the client 50 to which the authentication result is sent. Each piece of credential information is assigned a credential information ID that uniquely identifies it. The server ID is, for example, the host name or IP (Internet Protocol) address of the server 60. The client ID is, for example, the terminal name of the client 50.
The relay unit 21 also attaches credential information to communication from the client 50 to the server 60, based on the credential information stored in the credential information storage unit 24. This lets the server 60 recognize that the communication from the client 50 comes from a client 50 that has been successfully authenticated, that is, a client 50 that has access authority.
The relay unit 21 further removes the credential information from the authentication result received from the server 60 and sends the authentication result, with the credential information removed, to the client 50.
By configuring the authentication proxy device 20 in this way, when the response from the server contains an authentication information request, the authentication proxy device 20 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication proxy device 20 then sends the authentication information obtained from that input source to the server. The authentication proxy device 20 can thus obtain the authentication information without having the user enter it on the client 50, which improves the safety of entering authentication information when using a web service.
Next, an operation example of the authentication proxy device 20 of the present embodiment is described with reference to FIGS. 8 to 11. FIG. 8 is an operation example of the authentication proxy device 20 when a request addressed to the server 60 is received from the client 50. FIG. 9 is an operation example when a response is received from the server 60. FIG. 10 is an operation example when authentication information is input. FIG. 11 is an operation example when an authentication result is received from the server 60.
First, the relay unit 21 of the authentication proxy device 20 receives a request addressed to the server 60 from the client 50 (step S201 in FIG. 8). When credential information for the pair of the client 50 and the server 60 is stored in the credential information storage unit 24 (YES in step S202), the relay unit 21 attaches the credential information to the received request (step S203). The relay unit 21 then sends the request to the server 60 (step S204).
The relay unit 21 receives a response from the server 60 (step S301 in FIG. 9). When the response from the server 60 contains an authentication information request, that is, a request for authentication information (YES in step S302), the relay unit 21 does not send the response to the client 50. Instead, the authentication information request unit 22 performs request processing that requests input of the authentication information from an input source other than the client 50. In the present embodiment, the request processing is processing that causes the display means 26 to display an authentication information input screen requesting input of the authentication information (step S303).
When authentication information for the server 60 that sent the response is stored in the authentication information storage unit 25 (YES in step S304), the authentication information request unit 22 acquires that authentication information from the authentication information storage unit 25 and causes the display means 26 to display the authentication information input screen with the acquired authentication information filled in (step S305).
When the response received by the relay unit 21 does not contain an authentication information request (NO in step S302), the relay unit 21 sends the response to the client 50 (step S306). If the response contains credential information, the relay unit 21 sends the response to the client 50 with the credential information removed.
When the user confirms the content entered on the authentication information input screen, the authentication information is input to the authentication information request unit 22 (step S401 in FIG. 10). The authentication information request unit 22 accepts the input and, when the same authentication information is not already stored in the authentication information storage unit 25 (step S402), stores the input authentication information in the authentication information storage unit 25 (step S403). The authentication information request unit 22 stores the authentication information in association with the identification information of the server 60 that requested it. The authentication processing unit 23 then sends the input authentication information to the server 60 (step S404).
The relay unit 21 then receives an authentication result from the server 60 (step S405 in FIG. 11). When the authentication result indicates that authentication succeeded (YES in step S406), the authentication processing unit 23 stores the credential information contained in the authentication result in the credential information storage unit 24 (step S407). The authentication processing unit 23 stores the credential information in association with the identification information of the server 60 that sent the authentication result and of the client 50 to which it is addressed. The relay unit 21 then removes the credential information from the authentication result sent by the server 60 and sends the authentication result, with the credential information removed, to the client 50 (step S408).
After authentication has succeeded, the relay unit 21 attaches credential information to communication from the client 50 to the server 60 based on the credential information stored in the credential information storage unit 24. More specifically, when a request is received from the client 50 (step S201 in FIG. 8), the relay unit 21 acquires from the credential information storage unit 24 the credential information for the pair of the requesting client 50 and the destination server 60, and attaches the acquired credential information to the request (YES in step S202, step S203). The relay unit 21 then sends the request, with the credential information attached, to the server 60 (step S204).
By operating in this way, when the response from the server contains an authentication information request, the authentication proxy device 20 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication proxy device 20 then sends the authentication information obtained from that input source to the server. The authentication proxy device 20 can thus obtain the authentication information without having the user enter it on the client 50, which improves the safety of entering authentication information when using a web service.
As described above, in the second embodiment of the present invention, when the response from the server contains an authentication information request, the authentication proxy device 20 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication proxy device 20 then sends the authentication information obtained from that input source to the server. The authentication proxy device 20 can thus obtain the authentication information without having the user enter it on the client 50, which improves the safety of entering authentication information when using a web service.
The authentication proxy device 20 of the present embodiment also stores the authentication information in the authentication information storage unit 25 and sends the stored authentication information to the server 60, so it offers the same convenience as storing the authentication information in a browser.
Further, the authentication proxy device 20 of the present embodiment stores the credential information in the credential information storage unit 24 rather than on the client 50, removes the credential information from the authentication result received from the server 60, and sends the authentication result, with the credential information removed, to the client 50. This further improves safety when using a web service.
[Third embodiment]
Next, a third embodiment of the present invention will be described.
First, FIG. 12 shows a configuration example of a system including the authentication proxy device 30 of the present embodiment. The system shown in FIG. 12 includes an authentication proxy device 30, a client 50, and a server 60.
In the present embodiment, the server 60 has a function of issuing authentication information. The authentication proxy device 30 stores the authentication information issued by the server 60 in the authentication information storage unit 25.
More specifically, the server 60 receives, for example, a unique key from the authentication proxy device 30. The unique key is, for example, the ID of the SIM (Subscriber Identity Module) card of the client 50. The server 60 verifies the legitimacy of the authentication proxy device 30 based on the unique key, generates authentication information, and inputs the generated authentication information to the authentication proxy device 30.
With a method in which, as in the present embodiment, authentication information generated by the server 60 is input to and stored in the authentication proxy device 30, the user does not need to remember the authentication information. The server 60 can therefore generate an ID and password with a large number of bits (for example, 100 bits or more), and as a result can generate robust authentication information. The user can also log in to the service without being aware of the authentication information.
Next, FIG. 13 shows a configuration example of the authentication proxy device 30 of the present embodiment. The authentication proxy device 30 of the present embodiment includes a relay unit 21, an authentication information request unit 32, and an authentication processing unit 33. The authentication proxy device 30 may further include a credential information storage unit 24 and an authentication information storage unit 25. The relay unit 21, the credential information storage unit 24, and the authentication information storage unit 25 are the same as in the second embodiment, so their description is omitted. The authentication information request unit 32 and the authentication processing unit 33 are likewise the same as the authentication information request unit 22 and the authentication processing unit 23 of the second embodiment except for the points described below, so their description is also omitted.
When the response from the server 60 contains an authentication information request, the authentication information request unit 32 performs request processing that requests input of the authentication information from an input source other than the client 50. In the present embodiment, the request processing is processing that sends the server 60 an authentication information issuance request, asking it to issue authentication information. The authentication information request unit 32 performs the request processing when the response contains an authentication information request and no authentication information for the server 60 is stored in the authentication information storage unit 25.
The authentication processing unit 33 stores the authentication information input from the server 60 in the authentication information storage unit 25. When the response contains an authentication information request and authentication information for the server 60 is stored in the authentication information storage unit 25, the authentication processing unit 33 acquires the authentication information from the authentication information storage unit 25 and sends it to the server 60.
By configuring the authentication proxy device 30 in this way, when the response from the server contains an authentication information request, the authentication proxy device 30 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication proxy device 30 then sends the authentication information obtained from that input source to the server. The authentication proxy device 30 can thus obtain the authentication information without having the user enter it on the client 50, which improves the safety of entering authentication information when using a web service.
Next, an operation example of the authentication proxy device 30 of the present embodiment is described with reference to FIGS. 14 and 10. The operation of the authentication proxy device 30 when a request addressed to the server 60 is received from the client 50 is the same as in the second embodiment (FIG. 8), so its description is omitted. The operation when an authentication result is received from the server is likewise the same as in the second embodiment (FIG. 11), so its description is also omitted. FIG. 14 is an operation example of the authentication proxy device 30 when a response is received from the server 60.
The relay unit 21 receives a response from the server 60 (step S501 in FIG. 14). When the response from the server 60 contains an authentication information request, that is, a request for authentication information (YES in step S502), the relay unit 21 does not send the response to the client 50. Instead, the authentication information request unit 32 performs request processing that requests input of the authentication information from an input source other than the client 50. In the present embodiment, the request processing is processing that, when no authentication information for the server 60 that sent the response is stored in the authentication information storage unit 25 (NO in step S503), sends an authentication information issuance request to the server 60 (step S504).
When authentication information for the server 60 that sent the response is stored in the authentication information storage unit 25 (YES in step S503), the authentication processing unit 33 acquires that authentication information from the authentication information storage unit 25 and sends it to the server 60 (step S505).
When the response received by the relay unit 21 does not contain an authentication information request (NO in step S502), the relay unit 21 sends the response to the client 50 (step S506). If the response contains credential information, the relay unit 21 sends the response to the client 50 with the credential information removed.
When the server 60 issues authentication information, the relay unit 21 receives the authentication information from the server 60 (step S401 in FIG. 10). When the same authentication information as that input from the server 60 is not already stored in the authentication information storage unit 25 (NO in step S402), the authentication information request unit 32 stores the input authentication information in the authentication information storage unit 25 (step S403). The authentication information request unit 22 stores the authentication information in association with the identification information of the server 60 that requested it. The authentication processing unit 23 then sends the input authentication information to the server 60 (step S404).
By operating in this way, when the response from the server contains an authentication information request, the authentication proxy device 30 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication proxy device 30 then sends the authentication information obtained from that input source to the server. The authentication proxy device 30 can thus obtain the authentication information without having the user enter it on the client 50, which improves the safety of entering authentication information when using a web service.
As described above, in the third embodiment of the present invention, when a response from the server includes an authentication information request, the authentication agent 20 does not send the response to the client but performs request processing that requests input of the authentication information from an input source other than the client. The authentication agent 30 then transmits the authentication information received from that input source to the server. As a result, the authentication agent 30 obtains the authentication information without the user entering it on the client 50, which improves the safety of authentication information entry when using a web service.
In addition, the authentication agent 30 of this embodiment transmits an authentication information issuance request to the server 60 and stores the authentication information returned by the server 60 in the authentication information storage unit 25. Because the server issues the authentication information rather than a user choosing it, more robust authentication information can be used, and the user no longer has to enter any authentication information at all. This further improves the safety of authentication information entry when using a web service.
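The following Python model is an added example written for this page to make the relay, request-processing and credential-handling steps above concrete; it is not the applicant's code, and the patent specifies no wire protocol. The 401 / WWW-Authenticate challenge, the X-Auth login header, the Set-Cookie session token standing in for the "credential information", the in-memory FakeServer with its issue_credential endpoint, and the CONSOLE_CREDENTIALS table standing in for an operator typing on the proxy's own console are all assumptions. It covers both non-client input sources the page describes: the proxy's own display and keyboard (Appendix 5) and the authentication information issuance request sent to the server (Appendix 7).

```python
# Added example (not the applicant's code): in-memory model of the relay unit,
# authentication information request unit, authentication processing unit and
# the two stores. Headers, status codes and FakeServer are assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    """A request (status 0) or a response, addressed to/from one server."""
    server: str
    headers: dict = field(default_factory=dict)
    status: int = 0
    body: str = ""


class FakeServer:
    """Assumed web service: 401 + WWW-Authenticate until a valid
    'user:password' arrives in X-Auth, then a session token in Set-Cookie
    (standing in for the patent's 'credential information')."""

    def __init__(self, name, users):
        self.name, self.users, self.sessions = name, dict(users), set()

    def issue_credential(self):
        """Assumed issuance endpoint (third embodiment): the server mints a
        fresh login for the proxy instead of a user choosing one."""
        user, password = "proxy-" + secrets.token_hex(4), secrets.token_urlsafe(16)
        self.users[user] = password
        return (user, password)

    def handle(self, req):
        cookie = req.headers.get("Cookie", "")
        if cookie.startswith("session=") and cookie[8:] in self.sessions:
            return Message(self.name, {}, 200, "secret data")
        auth = req.headers.get("X-Auth")
        if auth is None:
            return Message(self.name, {"WWW-Authenticate": "Login"}, 401, "login required")
        user, _, password = auth.partition(":")
        if self.users.get(user) != password:
            return Message(self.name, {}, 403, "login failed")
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return Message(self.name, {"Set-Cookie": "session=" + token}, 200, "login ok")


# Constructed data: what an operator types on the proxy's own console
# (the proxy's display/keyboard, Appendix 5), never on the client.
CONSOLE_CREDENTIALS = {"app.example": ("alice", "correct-horse")}


def console_source(server):
    """Non-client input source: the proxy console (first embodiment)."""
    return CONSOLE_CREDENTIALS[server.name]


def issuance_source(server):
    """Non-client input source: ask the server to issue them (Appendix 7)."""
    return server.issue_credential()


class AuthProxy:
    def __init__(self, servers, input_source):
        self.servers = servers            # name -> FakeServer
        self.input_source = input_source  # callable(server) -> (user, password)
        self.auth_store = {}              # authentication information store
        self.cred_store = {}              # credential (session token) store

    @staticmethod
    def is_auth_request(resp):
        return resp.status == 401 and "WWW-Authenticate" in resp.headers

    @staticmethod
    def to_client(resp):
        """Relay unit: credential information never reaches the client."""
        headers = {k: v for k, v in resp.headers.items() if k != "Set-Cookie"}
        return Message(resp.server, headers, resp.status, resp.body)

    def relay(self, req):
        server = self.servers[req.server]
        if req.server in self.cred_store:  # attach the stored credential
            req.headers["Cookie"] = "session=" + self.cred_store[req.server]
        resp = server.handle(req)
        if not self.is_auth_request(resp):
            return self.to_client(resp)
        # Authentication request: not forwarded. Reuse stored authentication
        # information, or obtain it from the non-client input source and store it.
        if req.server not in self.auth_store:
            self.auth_store[req.server] = self.input_source(server)
        login = Message(req.server, {"X-Auth": "%s:%s" % self.auth_store[req.server]})
        result = server.handle(login)
        if result.status == 200 and "Set-Cookie" in result.headers:
            self.cred_store[req.server] = result.headers["Set-Cookie"].split("=", 1)[1]
        # The client receives only the stripped authentication result; when it
        # repeats its request, the relay completes it with the stored credential.
        return self.to_client(result)


def demo(source):
    """One client against a server that demands login; returns the two
    responses the client sees and the proxy, so its stores can be inspected."""
    server = FakeServer("app.example", {"alice": "correct-horse"})
    proxy = AuthProxy({"app.example": server}, source)
    first = proxy.relay(Message("app.example"))
    second = proxy.relay(Message("app.example"))
    return first, second, proxy
```

Calling demo(console_source) or demo(issuance_source) shows the property the embodiment is after: the first response the client sees is the 200 "login ok" with Set-Cookie removed, the second is the data itself, and at no point does the client see the 401 challenge, the password, or the session token. One caveat for a real deployment: as in the patent's flow, the model keeps whatever the input source returned even when the login fails, so an operator typo would be replayed on every later challenge; evicting the stored entry on a failed login avoids that.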
[Hardware configuration example]
An example hardware configuration for realizing the authentication agent device (10, 20) of each embodiment described above with a single information processing device (computer) is described below. The authentication agent device may also be realized with two or more information processing devices, divided physically or functionally. It may be realized as a dedicated device or built on a general-purpose device, and only some of its functions may be realized with an information processing device.
FIG. 15 schematically shows an example hardware configuration of an information processing device capable of realizing the authentication agent device of each embodiment. The information processing device 90 includes a communication interface 91, an input/output interface 92, an arithmetic unit 93, a storage device 94, a non-volatile storage device 95 and a drive device 96.
For example, the relay unit 11 in FIG. 1 can be realized by the communication interface 91 and the arithmetic unit 93, and the authentication information request unit 12 and the authentication processing unit 13 can be realized by the arithmetic unit 93.
The communication interface 91 is the means by which the authentication agent device of each embodiment communicates with external devices over a wired connection, a wireless connection, or both. When the authentication agent device is realized with two or more information processing devices, those devices may be connected so that they can communicate with each other via the communication interface 91.
The input/output interface 92 is a man-machine interface such as a keyboard as an input device and a display as an output device.
The arithmetic unit 93 is realized by, for example, an arithmetic processing unit such as a CPU (Central Processing Unit) or a microprocessor, or by a plurality of electric circuits. The arithmetic unit 93 can, for example, read programs stored in the non-volatile storage device 95 into the storage device 94 and execute processing according to those programs.
The storage device 94 is a memory device such as RAM (Random Access Memory) that the arithmetic unit 93 can access, and stores programs and various data. The storage device 94 may be a volatile memory device.
The non-volatile storage device 95 is a non-volatile storage device such as ROM (Read Only Memory) or flash memory, and can store programs and data.
The drive device 96 is, for example, a device that reads data from and writes data to the recording medium 97 described below.
The recording medium 97 is any recording medium capable of recording data, such as an optical disk, a magneto-optical disk or semiconductor flash memory.
Each embodiment of the present invention may be realized, for example, by constructing the authentication agent device from the information processing device 90 illustrated in FIG. 15 and supplying it with a program that realizes the functions described in the embodiments above.
In this case, the embodiment is realized by the arithmetic unit 93 executing the program supplied to the authentication agent device. It is also possible to realize only some, rather than all, of the functions of the authentication agent device with the information processing device 90.
Further, the program may be recorded on the recording medium 97 and stored in the non-volatile storage device 95 at the shipping stage or the operation stage of the authentication agent device. In that case the program may be installed in the authentication agent device with an appropriate jig at the manufacturing stage before shipment or at the operation stage, or a general procedure such as downloading it from outside via a communication line such as the Internet may be used.
Some or all of the above embodiments can also be described as in the following appendices, but are not limited to them.
(Appendix 1)
An authentication agent device comprising:
relay means that relays communication between a server and a client and, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client;
authentication information request means that, when the response from the server includes the authentication information request, performs request processing that requests input of the authentication information from an input source other than the client; and
authentication processing means that transmits the authentication information input from the input source to the server.
(Appendix 2)
The authentication agent device according to Appendix 1, wherein
the authentication processing means, when the authentication result received from the server indicates that authentication succeeded, stores the credential information included in the authentication result in a credential information storage unit, and
the relay means attaches the credential information to communication from the client to the server.
(Appendix 3)
The authentication agent device according to Appendix 2, wherein the relay means transmits to the client the authentication result from which the credential information has been deleted.
(Appendix 4)
The authentication agent device according to any one of Appendices 1 to 3, wherein
the authentication information request means stores the input authentication information in an authentication information storage unit,
the authentication processing means, when the response includes the authentication information request and authentication information for the server is stored in the authentication information storage unit, acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server, and
the authentication information request means performs the request processing when the response includes the authentication information request and authentication information for the server is not stored in the authentication information storage unit.
(Appendix 5)
The authentication agent device according to any one of Appendices 1 to 4, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
(Appendix 6)
The authentication agent device according to Appendix 5, wherein the authentication information request means stores the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and authentication information for the server is stored in the authentication information storage unit, causes the display means to display the screen including the authentication information acquired from the authentication information storage unit.
(Appendix 7)
The authentication agent device according to any one of Appendices 1 to 4, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
(Appendix 8)
An authentication agent method comprising:
relaying communication between a server and a client and, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, not transmitting the response to the client;
when the response from the server includes the authentication information request, performing request processing that requests input of the authentication information from an input source other than the client; and
transmitting the authentication information input from the input source to the server.
(Appendix 9)
The authentication agent method according to Appendix 8, further comprising:
when the authentication result received from the server indicates that authentication succeeded, storing the credential information included in the authentication result in a credential information storage unit; and
attaching the credential information to communication from the client to the server.
(Appendix 10)
The authentication agent method according to Appendix 9, further comprising transmitting to the client the authentication result from which the credential information has been deleted.
(Appendix 11)
The authentication agent method according to any one of Appendices 8 to 10, further comprising:
storing the input authentication information in an authentication information storage unit;
when the response includes the authentication information request and authentication information for the server is stored in the authentication information storage unit, acquiring the authentication information from the authentication information storage unit and transmitting the acquired authentication information to the server; and
performing the request processing when the response includes the authentication information request and authentication information for the server is not stored in the authentication information storage unit.
(Appendix 12)
The authentication agent method according to any one of Appendices 8 to 11, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
(Appendix 13)
The authentication agent method according to Appendix 12, further comprising storing the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and authentication information for the server is stored in the authentication information storage unit, causing the display means to display the screen including the authentication information acquired from the authentication information storage unit.
(Appendix 14)
The authentication agent method according to any one of Appendices 8 to 11, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
(Appendix 15)
A computer-readable recording medium on which is recorded an authentication agent program that causes a computer to realize:
a relay function that relays communication between a server and a client and, when the response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client;
an authentication information request function that, when the response from the server includes the authentication information request, performs request processing that requests input of the authentication information from an input source other than the client; and
an authentication processing function that transmits the authentication information input from the input source to the server.
(Appendix 16)
The computer-readable recording medium recording the authentication agent program according to Appendix 15, wherein
the authentication processing function, when the authentication result received from the server indicates that authentication succeeded, stores the credential information included in the authentication result in a credential information storage unit, and
the relay function attaches the credential information to communication from the client to the server.
(Appendix 17)
The computer-readable recording medium recording the authentication agent program according to Appendix 16, wherein the relay function transmits to the client the authentication result from which the credential information has been deleted.
(Appendix 18)
The computer-readable recording medium recording the authentication agent program according to any one of Appendices 15 to 17, wherein
the authentication information request function stores the input authentication information in an authentication information storage unit,
the authentication processing function, when the response includes the authentication information request and authentication information for the server is stored in the authentication information storage unit, acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server, and
the authentication information request function performs the request processing when the response includes the authentication information request and authentication information for the server is not stored in the authentication information storage unit.
(Appendix 19)
A computer-readable recording medium recording the authentication agency program according to any one of Appendix 15 to Appendix 18, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
(Appendix 20)
A computer-readable recording medium recording the authentication agency program according to Appendix 19, wherein the authentication information request function stores the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, causes the display means to display the screen including the authentication information acquired from the authentication information storage unit.
(Appendix 21)
A computer-readable recording medium recording the authentication agency program according to any one of Appendix 15 to Appendix 18, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
Although the present invention has been described above with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that those skilled in the art can understand may be made to the configuration and details of the present invention within the scope of the present invention.
This application claims priority based on Japanese Patent Application No. 2020-184082 filed on November 4, 2020, the entire disclosure of which is incorporated herein.
10, 20, 30 Authentication agency device
11, 21 Relay unit
12, 22, 32 Authentication information request unit
13, 23, 33 Authentication processing unit
24 Credential information storage unit
25 Authentication information storage unit
26 Display means
50 Client
60 Server
90 Information processing device
91 Communication interface
92 Input/output interface
93 Arithmetic device
94 Storage device
95 Non-volatile storage device
96 Drive device
97 Recording medium
Claims (21)
1. An authentication agency method comprising: relaying communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, not transmitting the response to the client; when the response from the server includes the authentication information request, performing request processing that requests input of the authentication information from an input source other than the client; and transmitting the authentication information input from the input source to the server.
2. The authentication agency method according to claim 1, further comprising: when an authentication result received from the server indicates successful authentication, storing credential information included in the authentication result in a credential information storage unit; and attaching the credential information to communication from the client to the server.
3. The authentication agency method according to claim 2, further comprising transmitting to the client the authentication result from which the credential information has been deleted.
4. The authentication agency method according to any one of claims 1 to 3, further comprising: storing the input authentication information in an authentication information storage unit; when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, acquiring the authentication information from the authentication information storage unit and transmitting the acquired authentication information to the server; and performing the request processing when the response includes the authentication information request and the authentication information for the server is not stored in the authentication information storage unit.
5. The authentication agency method according to any one of claims 1 to 4, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
6. The authentication agency method according to claim 5, further comprising storing the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, causing the display means to display the screen including the authentication information acquired from the authentication information storage unit.
7. The authentication agency method according to any one of claims 1 to 4, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
8. A computer-readable recording medium recording an authentication agency program that causes a computer to realize: a relay function that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client; an authentication information request function that, when the response from the server includes the authentication information request, performs request processing that requests input of the authentication information from an input source other than the client; and an authentication processing function that transmits the authentication information input from the input source to the server.
9. The computer-readable recording medium recording the authentication agency program according to claim 8, wherein the authentication processing function, when an authentication result received from the server indicates successful authentication, stores credential information included in the authentication result in a credential information storage unit, and the relay function attaches the credential information to communication from the client to the server.
10. The computer-readable recording medium recording the authentication agency program according to claim 9, wherein the relay function transmits to the client the authentication result from which the credential information has been deleted.
11. The computer-readable recording medium recording the authentication agency program according to any one of claims 8 to 10, wherein: the authentication information request function stores the input authentication information in an authentication information storage unit; the authentication processing function, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server; and the authentication information request function performs the request processing when the response includes the authentication information request and the authentication information for the server is not stored in the authentication information storage unit.
12. The computer-readable recording medium recording the authentication agency program according to any one of claims 8 to 11, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
13. The computer-readable recording medium recording the authentication agency program according to claim 12, wherein the authentication information request function stores the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, causes the display means to display the screen including the authentication information acquired from the authentication information storage unit.
14. The computer-readable recording medium recording the authentication agency program according to any one of claims 8 to 11, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
15. An authentication agency device comprising: relay means that relays communication between a server and a client and, when a response from the server to a request from the client to the server includes an authentication information request requesting authentication information, does not transmit the response to the client; authentication information request means that, when the response from the server includes the authentication information request, performs request processing that requests input of the authentication information from an input source other than the client; and authentication processing means that transmits the authentication information input from the input source to the server.
16. The authentication agency device according to claim 15, wherein the authentication processing means, when an authentication result received from the server indicates successful authentication, stores credential information included in the authentication result in a credential information storage unit, and the relay means attaches the credential information to communication from the client to the server.
17. The authentication agency device according to claim 16, wherein the relay means transmits to the client the authentication result from which the credential information has been deleted.
18. The authentication agency device according to any one of claims 15 to 17, wherein: the authentication information request means stores the input authentication information in an authentication information storage unit; the authentication processing means, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, acquires the authentication information from the authentication information storage unit and transmits the acquired authentication information to the server; and the authentication information request means performs the request processing when the response includes the authentication information request and the authentication information for the server is not stored in the authentication information storage unit.
19. The authentication agency device according to any one of claims 15 to 18, wherein the request processing is processing that causes a display means to display a screen requesting input of the authentication information.
20. The authentication agency device according to claim 19, wherein the authentication information request means stores the input authentication information in an authentication information storage unit and, when the response includes the authentication information request and the authentication information for the server is stored in the authentication information storage unit, causes the display means to display the screen including the authentication information acquired from the authentication information storage unit.
21. The authentication agency device according to any one of claims 15 to 18, wherein the request processing is processing that transmits to the server an authentication information issuance request requesting issuance of the authentication information.
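The relay, input-source and storage behaviour of claims 1 to 4 above, modelled as an added example. This is not code from the patent or its applicant: the in-memory `MockServer`, the `AuthProxy` class, the `X-Session-Token` and `WWW-Authenticate` header names, and the `alice`/`s3cret` account are all constructed for the example. The proxy intercepts the server's authentication request instead of forwarding it, asks an operator-side input source (not the client) for authentication information, stores the credential returned on success, attaches it to later client traffic, and hands the client only the credential-free result.

```python
# Added example modelling claims 1 to 4; not code from the patent or its
# applicant. Server, proxy, header names and the sample account are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

SESSION_HEADER = "X-Session-Token"        # constructed name for the "credential information"
AUTH_REQUEST_HEADER = "WWW-Authenticate"  # marks the server's "authentication information request"


@dataclass
class Request:
    server: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class MockServer:
    """Constructed origin server: every path needs a valid session token,
    which is obtained by posting user:password to /login."""

    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts
        self.sessions = set()

    def handle(self, req: Request) -> Response:
        if req.headers.get(SESSION_HEADER) in self.sessions:
            return Response(200, body=f"ok:{req.path}")
        if req.path == "/login":
            user, _, password = req.body.partition(":")
            if self.accounts.get(user) == password:
                token = f"tok-{len(self.sessions) + 1}"
                self.sessions.add(token)
                # authentication result carrying the credential (claim 2)
                return Response(200, {SESSION_HEADER: token}, "login-ok")
            return Response(403, body="login-failed")
        # authentication information request (claim 1)
        return Response(401, {AUTH_REQUEST_HEADER: "Login"}, "auth-required")


class AuthProxy:
    """Relay in front of the client that answers the server's authentication
    request itself instead of passing it on to the client."""

    def __init__(self, servers: Dict[str, MockServer],
                 input_source: Callable[[str], Optional[Tuple[str, str]]]):
        self.servers = servers
        self.input_source = input_source  # an input source other than the client (claim 1)
        self.credential_store: Dict[str, str] = {}             # credential information storage (claim 2)
        self.auth_info_store: Dict[str, Tuple[str, str]] = {}  # authentication information storage (claim 4)

    def relay(self, req: Request) -> Response:
        server = self.servers[req.server]
        # claim 2: attach the stored credential to client-to-server communication
        token = self.credential_store.get(req.server)
        if token is not None:
            req.headers[SESSION_HEADER] = token
        resp = server.handle(req)
        if AUTH_REQUEST_HEADER not in resp.headers:
            return resp  # ordinary relay
        # claim 1: the authentication request is never forwarded to the client
        auth_info = self.auth_info_store.get(req.server)
        if auth_info is None:
            # claim 4: perform the request processing only when nothing is stored
            auth_info = self.input_source(req.server)
            if auth_info is None:
                return Response(502, body="no-authentication-information")
            self.auth_info_store[req.server] = auth_info
        user, password = auth_info
        result = server.handle(Request(req.server, "/login", body=f"{user}:{password}"))
        if result.status == 200 and SESSION_HEADER in result.headers:
            self.credential_store[req.server] = result.headers[SESSION_HEADER]
            # claim 3: the client receives the result with the credential deleted
            stripped = {k: v for k, v in result.headers.items() if k != SESSION_HEADER}
            return Response(result.status, stripped, result.body)
        # assumption beyond the claims: forget authentication information the
        # server rejected, so the next attempt asks the input source again
        self.auth_info_store.pop(req.server, None)
        return result


def demo():
    """Constructed run: the client asks three times, the input source is asked once."""
    server = MockServer({"alice": "s3cret"})
    prompts = []

    def operator_console(server_name: str) -> Tuple[str, str]:
        prompts.append(server_name)  # the prompt goes to the proxy side, not the client
        return ("alice", "s3cret")

    proxy = AuthProxy({"app": server}, operator_console)
    first = proxy.relay(Request("app", "/data"))    # login handled by the proxy
    second = proxy.relay(Request("app", "/data"))   # served with the stored credential
    server.sessions.clear()                          # session expires on the server
    third = proxy.relay(Request("app", "/data"))    # re-login from stored auth info, no prompt
    return proxy, first, second, third, prompts


if __name__ == "__main__":
    print(*demo()[1:], sep="\n")
```

The client never sees the `401` or the session token: the first response it gets is the login result with the credential header removed, and later requests are served because the proxy adds the stored token. Clearing the server's session set shows the claim 4 path, where the stored authentication information is reused without asking the input source again.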
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022560695A JP7521598B2 (en) | 2020-11-04 | 2021-10-15 | Authentication agent device, authentication agent method, and authentication agent program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2020184082 | 2020-11-04 | ||
JP2020-184082 | 2020-11-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022097453A1 true WO2022097453A1 (en) | 2022-05-12 |
Family
ID=81457093
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/038241 WO2022097453A1 (en) | 2020-11-04 | 2021-10-15 | Authentication proxy device, authentication proxy method, and recording medium |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP7521598B2 (en) |
WO (1) | WO2022097453A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008234606A (en) * | 2007-03-23 | 2008-10-02 | Nec Corp | Authentication cooperation system, repeating installation, authentication cooperation method and authentication cooperation program |
JP2009122921A (en) * | 2007-11-14 | 2009-06-04 | Nec Corp | Authentication information transmission system, remote access management device, authentication information relay method and authentication information relay program |
JP2010128876A (en) * | 2008-11-28 | 2010-06-10 | Nec Corp | Authentication system, authentication server, authentication method, and program |
JP2013206005A (en) * | 2012-03-27 | 2013-10-07 | Nakayo Telecommun Inc | Portable gateway having access restriction function |
- 2021
- 2021-10-15 WO PCT/JP2021/038241 patent/WO2022097453A1/en active Application Filing
- 2021-10-15 JP JP2022560695A patent/JP7521598B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
JP7521598B2 (en) | 2024-07-24 |
JPWO2022097453A1 (en) | 2022-05-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6904857B2 (en) | Delegation system, control method, and program | |
JP6643373B2 (en) | Information processing system, control method and program therefor | |
KR102313859B1 (en) | Authority transfer system, control method therefor, and client | |
EP3385873B1 (en) | Delegating authorization to applications on a client device in a networked environment | |
US10397008B2 (en) | Management of secret data items used for server authentication | |
JP6929181B2 (en) | Devices and their control methods and programs | |
JP6609788B1 (en) | Information communication device, authentication program for information communication device, and authentication method | |
JP6572750B2 (en) | Authentication control program, authentication control device, and authentication control method | |
JP5193787B2 (en) | Information processing method, relay server, and network system | |
CN109428725B (en) | Information processing apparatus, control method, and storage medium | |
JP5991817B2 (en) | Network system | |
JP2015194879A (en) | Authentication system, method, and provision device | |
US20140250499A1 (en) | Password based security method, systems and devices | |
JP6240102B2 (en) | Authentication system, authentication key management device, authentication key management method, and authentication key management program | |
JP7395938B2 (en) | Information processing device, information processing system and program | |
KR101619928B1 (en) | Remote control system of mobile | |
WO2022097453A1 (en) | Authentication proxy device, authentication proxy method, and recording medium | |
KR102062851B1 (en) | Single sign on service authentication method and system using token management demon | |
KR102053993B1 (en) | Method for Authenticating by using Certificate | |
CN112653676B (en) | Identity authentication method and equipment crossing authentication system | |
JP2009122921A (en) | Authentication information transmission system, remote access management device, authentication information relay method and authentication information relay program | |
JP2020053100A (en) | Information processing system, control method thereof and program | |
JP4937070B2 (en) | Document data management method, document data creation method, server, and computer program | |
WO2022070406A1 (en) | Control method, information processing device, information processing system, and control program | |
JP6398308B2 (en) | Information processing system, information processing method, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21889006; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022560695; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21889006; Country of ref document: EP; Kind code of ref document: A1 |