JP2001249901A - Authentication device and method, and storage medium - Google Patents

Abstract

(57) [Summary] [Problem] To make it difficult for a third party to reuse stolen authentication information even if the authentication information is stolen by a third party using an authentication method with a simple procedure. . SOLUTION: First inspection data (value = D _n-1 ) for inspecting authentication information of a client is stored in a server in advance, and first seed data (value) for generating authentication information also for the client. = D _n-1 ). When logging in to the server, the client encrypts the first seed data (value = D _{n- 1} ) using the client's secret key Ks in response to the authentication information request sent from the server. (Value =
D _n ) and return it to the server. The server decrypts the authentication information (value = D _n ) sent from the client by using the client's public key kp to obtain the second inspection data (value
= D _n-1 ), compares the second test data with the first test data (value = D _n-1 ), and if they match, permits login and first test data storing the authentication information D _n in place. When the client login is permitted, instead of the first species data (value = D _n-1), stores the authentication information D _n as the second seed data.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication device, an authentication method, and a storage medium, for example, to authentication via a network.

[0002]

2. Description of the Related Art At present, information processing systems play a central role in all aspects of social activities.
Securing information communication between individuals, between individuals and companies, or between companies via a network is an urgent issue.

In particular, due to the recent openness and generalization of network systems, transfer of confidential information and electronic commerce (E
Security features are indispensable for fields such as electronic commerce. For example, when conducting legal acts between companies, individuals, or between them, traditionally (even now), contracts and the like are created using physical paper, signed, stamped, and required. Attach a seal registration certificate or a notarized notary, and then send these documents to the other party by registered mail or certificate of contents.

[0004] Network security technology is a technology that safely replaces all such actions centered on physical documents by electronic information communication. As the information communication network of computers and networks has reached a worldwide scale, such demands are ever increasing.

[0005] The purpose of network security is to protect the security of the network, and to protect information according to the confidentiality of the network system from various threats. Generally, (1) Confidentiality
y), (2) Integrity, (3) Availability
y), (4) It is defined as maintaining non-repudiation. On the other hand, typical threats assumed to the network include wiretapping, leakage, spoofing, and tampering.
/ Forgery, Intrusion / Unauthorized access, stealing, denial of facts,
Such as destruction.

[0006] Further, as element technologies for network security, there are concealment / maintenance technology, authentication technology, key distribution technology, non-repudiation technology, third-party credit institution, access management, security audit, security evaluation standard, and the like.

When performing information communication via a network system, it is important and indispensable to confirm who has used the system and how, and to control and manage the system in order to maintain security. Most events that occur in the system must originate from specific entities involved in information and communication, and their recognition is therefore the basis of security.

[0008] Authentication refers to an entity (entity: a person, a process functioning on behalf of a person,
Software, hardware, communication data, etc.).
Generally, it can be classified as shown in FIG. 1 according to the entity to be authenticated.

Entity authentication is to confirm the validity of entities involved in information communication, for example, transmission and reception of messages, while message authentication is to confirm the validity of those transmitted and received messages. Note that entity authentication is sometimes called user authentication.

[0010] The entity authentication mechanism is divided into entity identification processing and entity authentication processing. The former is
This is to identify who the user of the system is, and the latter is a process for confirming whether or not the user is a legitimate person. For the former, a user identification name (User-id) or the like is generally used, but this is a known identifier, and the original authentication processing using information (a password, a personal identification number, etc.) that only the user has is not performed. , It is left to the latter processing.

[0011] The entity authentication mechanism described below includes:
This entity authentication process is described.

The entity authentication mechanisms can be broadly classified into four types, namely, knowledge use, encryption use, possession use, and biometric feature use, depending on the type of information used for authentication. These will be described in order.

<Knowledge Utilization> Entity authentication based on knowledge utilization means that information necessary for authenticating an entity is registered in advance, and the validity of the entity to be authenticated is determined by whether or not the entity to be authenticated knows the information. It is a method to confirm the sex. “Password”, “PIN”, or “information (address, date of birth, etc.) known only to the individual” is most often used for personal authentication.

In most systems, user authentication is performed using a "password". Entity authentication using such knowledge is relatively easy to introduce and effective,
An easy-to-remember character string is used for the password, and the password is apt to be written down in a place that is easily visible, so that there is a high risk that the password can be easily seen by another person or eavesdropped during communication.
Further, even if the password is encrypted at the time of transmission, if the password is the same every time, the password can be stolen and reused (replay attack) to perform “spoofing”. Further, the server-side password file (usually stored and encrypted using the user's password as a key) may be broken by a dictionary attack.

To counter these threats, it is necessary to devise a method such as changing the password every time. Therefore, in the knowledge-based entity authentication, for example, an advanced one-time password method using a one-way function or a random number such as a one-time password method or a challenge response method has been devised. The respective systems are described below.

● One-time password method A literal one-time password authentication method, Bellcore
It was proposed by Co. USA and has been RFCed as an Internet standard (RFC-1938). Below, the most famous S
An outline of the processing of the / Key method will be described.

In the S / Key method, when A is a client and B is an authentication server, 1: a one-way random number f is prepared. 2: A generates a secret random number R and an arbitrary number S called a public seed. 3: With Q = R + S, f (Q), f (f (Q)), f (f (f (Q))),… are calculated, and they are X ₁ , X ₂ , X ₃ ,… , X ₁₀₀ , X ₁₀₁ . 4: A keeps X ₁ ,…, X ₁₀₀ and R secret, B has X ₁₀₁
In some way (offline) and B keeps it. 5: When A logs in to B for the first time, X
Send ₁₀₀ to B. 6: B computes f (X ₁₀₀ ) and compares it with the stored X ₁₀₁ , allowing login if they match and rejecting login if they do not match. If login is allowed, B discards X ₁₀₁ and X
Hold ₁₀₀ . 7: A uses the next password X ₉₉ the next time he logs in. Subsequent processing on the B side is performed in the same manner as in 6.

The advantages of the S / Key method are as follows. -Since it is a one-time password, it cannot be reused even if a third party eavesdrops during communication.・ The password stored in the file on Server B is
This is to check the password at the next login, and if it is stolen, there is no problem. -Since the function f is a one-way function, even if _Xn is eavesdropped, _Xn-1
Cannot be calculated. Therefore, it does not matter if f is known to a third party.

The disadvantages of the S / Key method are as follows. -In the above case, if 100 passwords are used up, it is necessary to re-initialize the server authentication program. -In an actual system, the server must always hold a random number R so that the re-initialization can be performed online. That is, at the time of reinitialization, the client sends only a different seed S 'to the server online (S' can be eavesdropped without any problem), and the server newly uses the stored R to send a new Q. '= R + S' is calculated, and a new X ' ₁₀₁ is generated from this. For this reason, if a third party invades the server in any way, or if the server administrator maliciously obtains this random number, a password can be generated and the client A can be impersonated.

[Challenge Response Method] This is a type of eavesdropping countermeasures in password authentication. A typical example is a CHAP (Challenge Authentication Protocol).
ol, RFC-1334). In this CHAP scheme, the procedure in which the authentication requester A has the authentication person B authenticate is as shown in FIG.

In the challenge-response method, since the challenge changes every time, a third party sends a message (2) shown in FIG.
Even if eavesdropping, it cannot be reused. On the other hand, B
It has been pointed out that since A's password is kept above, the administrator of B can exploit it and impersonate client A to perform fraud.

<Utilization of Cryptography> The use of cryptography for entity authentication means that authentication information that is difficult to generate by anyone other than the party is generated using encryption technology, and the parties exchange and inspect the authentication information. Is a technique for confirming the validity of

Digital signature A digital signature is a mechanism for performing identity verification using a signature or a seal in a conventional paper transaction on an electronic medium. It is considered that the function must satisfy the following three conditions. . 1: The signature cannot be forged by a third party. 2: The signature cannot be forged by the recipient. 3: The sender cannot later deny the contents of the signature and the fact that it was sent.

At present, the use of a public key cryptosystem is indispensable to satisfy the requirements 2 and 3. Public key cryptography is a concept that was announced by Stanford University's Diffie and Hellman in 1976.A pair of encryption and decryption keys differ, and only the decryption key is kept secret. The activation key may be made public. Therefore, it is said to have features such as easy key distribution, a small number of keys to be kept secret, and an authentication function (digital signature). FIG. 3 shows a general model of the public key cryptosystem.

When the relationship between the public key and the secret key is reversed, the function becomes a digital signature function. That is, the plaintext is encrypted with the secret key known only to the sender and transmitted to the receiver. Also, the receiver decrypts the message with the sender's public key to obtain a plaintext. in this case,
Since only the sender knows the encryption key, the ciphertext cannot be forged by third parties and recipients. Also, since the contents of the plaintext can be encrypted and transmitted only to the person having the encryption key, the sender cannot deny the contents of the ciphertext and the fact that it was sent later, and the above-mentioned digital signature requirement Meet.

Currently, the most powerful algorithms in the world that have realized this concept of public key cryptography are MIT's Rivest and Shah.
There are RSA ciphers developed by mir and Adleman and named after their initials. The following two digital signature schemes are being standardized internationally.・ Certifier verification method (with appendix)… ISO / IEC CD 14888
PART1 / 2/3 (Sep. 21, 1995) ・ Giving message recovery… ISO / IEC
9796: 1991 (E)

The authenticator collation method that is actually widely used is shown in FIG.

In order for the receiver to verify the sender's legitimacy using the digital signature, it is necessary to guarantee that the sender's public key belongs to the true sender. For example, a digital signature needs to be equivalent to a seal registration certificate proving that the physical seal is legitimate. For this assurance, a public key certificate system by a trusted third party is established, and the issuing agency is called CA (Certification Authority). The CA is an Internet standard (RFC 1421-1424) that issues and manages public key certificates.

The format of the certificate is an international standard (X.509
→ ISO 9594-8), the third version of X.509 has already been released, and a corresponding ISO standard will be enacted in the future. The certificate consists of items such as the user's identifier, the user's public key, the expiration date of the certificate, the serial number, the name of the issuing institution, and the digital signature of the issuing institution, followed by the digital signature of the CA. You.

In the example of FIG. 4, the sender A sends the public key certificate of A to B together with the transmission text and the digital signature of A applied to it. Recipient B first verifies the validity of A's public key certificate by checking the digital signature of this public key certificate by the CA. If this is valid, B has obtained a valid A public key.
Thereafter, B performs sender authentication by checking A's digital signature.

It has been pointed out that as an advantage of the authenticator verification method, if a strict CA exists and the sender can strictly hold its own private key, "spoofing" by a third party is generally difficult. I have. However, when a signature is used as a password for remote login in remote login via a network (that is, a digital signature is used as partner authentication information), a third party can eavesdrop on it and reuse it as it is (replay attack). ) Has the disadvantage that spoofing is possible.

Authentication token system with digital signature This can be said to have improved the strength of the system (1) against replay attacks. FIG. 5 shows an outline of the processing of the authentication token system with a digital signature.

That is, as a premise of this method, it is assumed that the client A holds the public key certificate of A digitally signed with the private key of the CA, and the server B holds the public key of the CA. In this state, the client A uses the following 1 to 4 as authentication information (hereinafter, referred to as an authentication token).
Is transferred to server B. This authentication token includes a time stamp T when the token was created. 1: A public key certificate (Ca) 2: Time stamp (T) 3: Recipient id: E-mail address of B, etc. 4: 2 + 3 digital signature (Sa)

When the server B receives the authentication token,
First, the signature is checked to confirm that the time stamp T and the like have not been tampered with, and then this T is compared with the current time. If the comparison results are almost equal, Client A
Allow login. However, if T is a predetermined time or more in the past, it is considered that this authentication token has been reused (replay attack) by a third party other than A and B, and A's login is rejected.

This token system has a strict CA,
And if the sender can strictly hold his private key, it is very difficult for a third party to "spoof". On the other hand, if within a certain period of time, the spoofed authentication token can be reused as it is (replay attack) to "spoof"
There are also disadvantages that are possible.

SSH (Secure Shell) Method The SSH method is a security package for r-type command processes such as rsh / rlogin for remote login in UNIX (registered trademark), and is being studied as an Internet draft. The part related to the authentication process is described below, and is basically a challenge-response authentication method using both a common key encryption and a public key encryption.

FIG. 6 shows a sequence when the client A logs in to the server B. In FIG. 6, phases (2) and (3) for sharing a session key for common key encryption (DES, IDEA, etc.) and a phase for performing authentication processing
It is divided into (4), (5) and (6). The processing sequence is as follows. (1) Client A sends a login request to server B. (2) Based on this login request, server B sends its own public key, random number, etc. to client A for session key sharing.
Send to (3) Client A generates a session key, encrypts it with the public key of server B, and sends it to B. When the server B receives this, it is possible to share the session key with the client A during this period. Therefore, after (4), all messages between the ABs are exchanged by encrypting with the session key. (4) Client A sends its public key and user name to server B. (5) The server B confirms that the public key and the user name of the client A are registered, generates a challenge (random number) for authentication, encrypts the challenge with the public key of A, and Send to A. (6) Client A calculates the hash value of the above challenge and sends it to server B as a challenge response. (7) Server B compares the value of the challenge response received in (6) with the stored hash value of the challenge for client A, and if the values are the same, permits login of A, and if they are different, Deny A's login.

The advantage of the SSH method is that since the challenge data changes every time, even if a third party eavesdrops on the message (6), it is impossible to “spoof” by reuse. Disadvantage: "It is possible for the administrator of Server B to maliciously rewrite the public key information of Client A to impersonate Client A and perform fraud."
It has been pointed out that.

PRC Authentication Method The PRC (Remote Procedure Call) authentication method is a remote procedure call function often used in a UNIX distributed environment system, and has a user authentication function as a security function.

The RPC authentication has a function of the server confirming who issued the RPC procedure (entity authentication function) and the authority of the issuer. The outline of the entity authentication function of the PRC authentication is shown in FIG. 7, and the outline of the procedure is described. 1: Prior to communication, the client and server first share the common key (Kab) used for DES encryption by the DH method (Diffie-Hellman type public key distribution method). In the UNIX world, public and private keys used in the DH method are referred to as NIS (Network Information Service).
ce), and each user has this N
The public key of the communication partner and the private key of the communication partner registered in advance are obtained from the IS, and then a shared key (DES key) is obtained by calculation. 2: The client creates authentication information and sends it to the server in the following procedure. (I) Generate a character string representing the sender (called a net name). For UNIX, it has the following format: unix. <user id> @ <host address> (II) Generate a session key (random number: K). (III) Use time stamp (current time: T) as session key
DES encryption with (K) (Te). (IV) DES encryption of session key (K) with shared key (Kab)
e). As authentication information, a net name of (I), an encrypted time stamp (Te) of (III), a session key (Ke) of (IV), and the like are transmitted to the server. 3: The server decrypts the encrypted time stamp (Te) in the received authentication information (T), and verifies the validity of the net name by comparing it with the current time. That is, if the difference between T and the current time is within the allowable range, the access request for the net name is permitted.

As an advantage of the RPC authentication method, if each of the client and the server strictly holds its own private key and can surely obtain the public key of a valid partner, "spoofing" by a third party is generally performed. Although it is said to be difficult in practice, it has a disadvantage that "spoofing" can be performed by reusing the eavesdropped authentication information as it is within a certain time (replay attack).

Kerberos (RFC 1510) method Kerberos is a user authentication system developed by MIT's Athena project. In 1978, R. Needham and M. Sch
It is based on a "trusted third party authentication scheme" proposed by roeder. DCE (Distributed Computing Envir), a software package for building a distributed processing environment defined by the OSF (Open Software Foundation)
Kerberos was adopted as an authentication service for onment).

In this system, all of the confidentiality of communication and user authentication are realized only by the common key encryption system (DES). Assuming that only the user and the authentication server know each user's key, a method is used in which the authentication server guarantees each other's validity.

The part corresponding to the authentication server is a Kerberos server and a TGS (Ticket Granting Server).
It is devised that the user's password and key are not stored on the user's system (low security level) for a long time. It also introduces the idea of tickets and authenticators to further enhance security. Figure 8 shows the Kerberos authentication method.

The Kerberos authentication method is as follows: each server, user
All exchanges between WS are encrypted, and the encryption key is generated by random numbers every time, so it is strong against eavesdropping. The target server does not need to manage the user ID and password of each user, only the Kerberos server It is pointed out that there is an advantage, for example. However, the following disadvantages have been pointed out.・ The eavesdropping authentication information can be reused as it is (replay attack) within a certain time. -Due to restrictions on the export of cryptographic products in the United States, Kerberos products that implement DES as a cryptographic algorithm may not be available in Japan. -Since the authentication server centrally manages the authentication information and encryption key of each user, if a malicious third party succeeds in invading this authentication server, the domain to be managed is destroyed. -All machines and applications need to support Kerberos, which requires a lot of time to install.

The Zero Knowledge Dialog Proof Scheme This scheme was proposed in 1985 by Goldwasser and Micali of MIT and Rackoff of the University of Toronto. A method of convincing the other party that he / she has certain information without showing the content to the other party, for example, it is possible to prove to the other party that he / she knows the true password without presenting the password. Fiat and Shamir proposed the Fiat-Shamir method in 1986 (US Pat. No. 4,748,
No. 668, JP-A-63-101987).

FIG. 9 shows a sequence based on the zero-knowledge interactive proof system when the client A (prover) transfers the secret information T (password or the like) to the server B (verifier).
Here, it is assumed that A completely knows Z = T ² mod n, and B knows only Z and n. Here, n is a composite number of large prime numbers p and q. In this case, it is extremely difficult for B to obtain T if n cannot be factored.

The following 1 to 4 are repeated k times (the reason for the dialogue) to verify the validity of A. 1: A selects a random number R, calculates X = R ² mod n, and sends X to B. 2: B chooses b∈ {0, 1} randomly at random, and sets b to A
Send to 3: A is Y (Y is R if b = 0, TR mod if b = 1
send n) to B. 4: B checks whether the following formulas are satisfied, and if they are satisfied, passes the inspection. X = Y ² mod n… b = 0 ZX = Y ² mod n… b = 1

Here, the case where b = 0 and b = 1 in 3 and 4 is divided is a malicious client impersonating A
This is because A 'can pass the inspection as follows without knowing the value of T. That is, if b = 1 always, then A
An appropriate Y ′ is determined as the value of Y at 1, X = (Y ′) ² / Z mod n is calculated, and this X is sent to B. Next, if the value of Y = Y 'is sent at 3, the test at 4 passes naturally. Also, in this method, X and Y satisfying the check formula can be calculated after estimating the value of b.
The spoofing probability per repetition is 1/2. Therefore, when this procedure is repeated k times, the spoofing probability can be set to 2 ^−k .

The advantage of this method is that secret authentication information is
Since there is no need to teach T to server B, even a legitimate administrator of server B cannot impersonate client A. It is also disadvantageous in that the interaction sequence is redundant, that the authentication process is complicated and that there is a trade-off between performance and authentication accuracy.

<Utilization of Biometric Features> Next, conventional security using biometric features (personal attributes) will be described.
This technique uses the physical and behavioral characteristics of the user as authentication information, and confirms the legitimacy of the terminal user.
The physical and behavioral characteristics include the following.・ Body characteristics: fingerprint, voice spectrum, facial pattern,
Handprint, retinal pattern, ear shape ・ Behavioral features: signature, writing pattern, keystrokes

In this method, since the only personal attribute that can be possessed only by the person is used as the authentication information, the accuracy of the person identification when the authentication is successful is high. However, the recognition accuracy is 100%, such as authentication failure despite being a valid person
Rather, there is room for technical improvement. Furthermore, offline authentication (local authentication), such as authentication of a user by a terminal, is extremely effective, but authentication across a network (remote authentication) can reuse authentication information by eavesdropping (replay attack, etc.), that is, "spoofing" There are drawbacks such as becoming.

<Use of property> Security by use of property will be described. A specific object holds authentication information, and the authenticator verifies the authentication information and operates in conjunction with the person holding the object, the person authenticated on the object, or the object. Authenticate software or hardware to be used as a valid entity. Examples of possessions include:・ Keys, tokens, and batches ・ Electronic keys ・ Magnetic cards ・ IC cards ・ Non-contact type cards

For example, a person who has a key, token, or electronic key for unlocking a terminal is authenticated as a valid user of the terminal. However, in order to prevent misuse of the property due to loss or theft, in authentication via a network, the user is first identified by the property, such as a magnetic card, and then the server (host computer of the access destination, etc.) It is often used in combination with the "knowledge utilization" technique, such as verifying the validity of a user by verifying a password.

In the case of IC cards, this has been further developed.
The card itself verifies the person trying to use the IC card with the personal identification number, and the authentication operation with the server via the network is started only when this is successful. The authentication process of the IC card (that is, an entity such as a person verified by the IC card) by the server is performed by using the technique of “knowledge utilization” or “encryption utilization”.

This method is generally difficult to “spoof” by a third party if the property is strictly maintained. IC cards usually have tamper resistance (Tamper Free), and externally store data in the memory. The information cannot be read or written. This has the advantage that relatively personal information such as encryption keys and passwords can be stored and managed relatively safely, and that the security processing function itself can be embedded in an IC card to enable more secure authentication communication. is there. On the other hand, an authentication system based on the use of property requires, in most cases, a dedicated input / output device between the property and a terminal to be a client, and authentication via a network using a magnetic card, an IC card, or the like. In the case of processing, since the authentication sequence itself uses the technique of "knowledge utilization" or "encryption utilization", it has been pointed out that, as a matter of course, it has its own disadvantages.

As described above, the conventional various entity authentication methods have advantages but also disadvantages.

By the way, the direct threat assumed by the entity authentication is “spoofing” due to unauthorized acquisition of a password or the like. Once the “spoofing” succeeds and enters the system, data is tampered with or the file is destroyed. And the threat of various fraudulent activities such as generation of fraudulent data. In addition, such threats may be caused not only by unauthorized access from the outside but also by internal crimes such as system administrators. Therefore, for the system to be accessed, entity authentication, which checks the identity of the accessing entity, can be said to be the first line of defense against security threats, and its importance depends on the sensitivity of the system. growing.

FIG. 10 shows the strength of the entity authentication method described above against “spoofing” for external and internal unauthorized entities. Although each of the above methods has disadvantages, it is sufficiently practical depending on the system environment and configuration. However, as shown in Fig. 10, in most cases, it is not possible to defend against threats caused by malicious internal crimes of humans who are familiar with systems such as system administrators. There are drawbacks such as becoming.

[0060]

As described above, entity authentication is the forefront defense function against various security threats. However, in the Internet age, from the viewpoint of its wide application area and interconnectivity. It is desired that the system be simple to introduce and therefore simple in structure and sufficiently effective against threats. Therefore, considering the advantages and disadvantages of the various authentication methods described above,
The items required for the new authentication method can be summarized as follows.

(1) Authentication information stolen due to eavesdropping or the like cannot be reused by a third party. For example, a one-time password method (such as S / Key) satisfies this requirement, whereas an authentication token method with a digital signature can reuse an eavesdropping token within an allowable time of the time stamp.

(2) Authentication information is not stored in the authentication server. In other words, the authentication server does not need to store the authentication information of each user, and only needs to have a function of identifying whether the authentication information at the time of login is valid or not. As a result, even if a malicious third party can invade the authentication server, it is not possible to obtain the authentication information of each user.

(3) The authentication sequence should be as simple as possible. Thereby, the load on the system is minimized and the operation stability is obtained. Therefore, a dialog sequence such as a challenge response method or a zero knowledge dialog proof method is not used.

(4) The authentication information is different every time, and the information is infinite. As a result, the existing one-time password method (S / Key
Etc.), the periodic work of re-registering the initial information in the server again when the password is exhausted becomes unnecessary.

(5) No special external measuring equipment such as the use of biological characteristics is required. Special equipment is not used because such equipment would impair interoperability over the Internet and increase installation costs.

The present invention addresses the above problems individually or
This is a solution to the problem at once, using a simple authentication method, even if the authentication information is stolen,
The purpose is to make it difficult for a third party to reuse stolen authentication information.

[0067]

The present invention has the following configuration as one means for achieving the above object.

An authentication method according to the present invention is a method in which an authentication device authenticates the validity of a terminal device by using a public key cryptosystem, wherein the authentication device has a second function for checking authentication information of the terminal device in advance. Storing one piece of inspection information, when receiving the authentication request, the authentication device requests authentication information from a terminal device that requests authentication, and the terminal device that receives the request for authentication information generates authentication information. In the first seed information held in the terminal device, encryption using a secret key of the terminal device is performed to generate first authentication information, and the generated first authentication information is sent to the authentication device. In place of the first seed information, stored as second seed information for an authentication request, the authentication device stores the first authentication information sent from the terminal device as a public key of the terminal device. To generate the second test information When the first and second inspection information are compared and the two match, the terminal device is notified that the terminal device is to be authenticated, and the first authentication information is used for the next authentication. The inspection information is stored in place of the first inspection information.

An authentication device according to the present invention is an authentication device for storing authentication information for giving authentication to an authentication request from a plurality of terminal devices, and inspects the authentication information of the terminal device for each terminal device. A memory for storing inspection information for receiving the authentication request from any terminal device, an authentication information requesting unit for sending a message requesting authentication information to the terminal device, and an authentication information sent from the terminal device. The new inspection information is generated by decrypting with the public key of the terminal device, the new inspection information is compared with the inspection information stored in the memory, and when the inspection information matches, the terminal device is authenticated. Authentication means, and updating means for updating the inspection information stored in the memory with authentication information received from the terminal device when the terminal device is authenticated. To.

An authentication device for providing authentication to an authentication requester with the support of an external authentication device, comprising: a memory for storing seed information for generating authentication information for authenticating the authentication requester; Transmitting and receiving means for receiving a request for authentication information from the authentication device, and encrypting the seed information stored in the memory using a secret key for the request for authentication information, thereby obtaining the authentication information. An authentication information generating unit that generates the authentication information, and an authentication information transmitting unit that sends the generated authentication information to the authentication device and stores the authentication information in the previous memory instead of the seed information.

An authentication device that authenticates an authentication request from an authentication requester via a storage medium with the support of an external authentication device, wherein the authentication device authenticates at least the main body and the authentication requester. For receiving authentication information for generating seed information, a secret key of the authentication requester, and a storage medium for storing a program for generating authentication information, wherein the main body includes the authentication requester. Receiving means for accepting an authentication request from, sending an authentication request message to the authentication device when accepting the authentication request, transmitting and receiving means for receiving an authentication information request message from the authentication device, when receiving the authentication information request message, the interface, Command means for executing a program in the storage medium through the storage medium, and authentication information returned from the program An authentication information sending unit that sends the authentication information to the authentication device, the program generates authentication information from the seed information using the secret key, and returns the generated authentication information to the main body via the interface. , And is stored in the storage medium in place of the seed information.

[0072]

Preferred embodiments and examples of the present invention will be described below with reference to the accompanying drawings.

FIG. 11 is a diagram showing the configuration of a network to which the authentication method according to the present invention is applied.

A plurality of clients 200, 300,... Are connected to the network shown in FIG. 11 via the Internet, and an authentication server 100 is also connected. Client 200
Communicates with client 300, client 200
Becomes an authentication requester, and the client 300 becomes an authenticator. In the present embodiment, the authenticator is called a server.

The authentication server 100 has a database accessible from a plurality of clients, and performs authentication upon receiving an authentication request from the clients (see FIG. 12).
That is, when a client communicates with one, one acts as a server.

The authentication method of the present embodiment is essentially a certificate authority.
(CA) is not assumed. The transmission and reception of data between the client and the client may be performed directly without the need of the certificate authority (CA), and the authentication server 100 (for example, C
A). Both the certifier and the requester are not computers themselves, but are computers (or systems) that operate through the actions of operators or users.

FIG. 13 shows a client as an authentication requester.
12 is a diagram illustrating an example of an authentication algorithm to which the present invention is applied in a network (FIG. 11) having a simplified configuration of X and an authentication server Y as an authenticator. The example shown in FIG. 13 uses a public key encryption algorithm as a premise.
It is assumed that the client X holds its own private key Ks, and the server Y holds a public key Kp corresponding to the client's private key Ks and a certificate CKp of the public key. Se is a public key encryption algorithm encryption function,
Sd means a decryption function of the public key encryption algorithm.

In the present system, as shown in FIG. 13, the client side has an authentication information generation type data file 204,
Server-side client authentication information inspection data file 10
With 5. The authentication information generation type data file 204 is a file that stores data serving as a seed for generating authentication information. Here, "authentication information" in this system
Means information sent by the requester to the authenticator in order for the requester to request authentication from the authenticator, and is generated from the seed data on the client side. The input / output information is collated on the server side with the inspection data of the client of the server, and if the collation is obtained, the client is regarded as a genuine authentication requester.

FIG. 14 is a diagram showing the configuration of the authentication information inspection data file 105 of the server Y. That is, the server Y has “authentication information inspection data D”, “public key Kp”, and “public key certificate CKp” for each client. In the example of FIG.
It has Dx and a public key Kpx, and has inspection data Dw and a public key Kpw for the client W.

FIG. 15 is a diagram showing a processing procedure in each of the client X and the server Y and a communication procedure performed between them in order to realize the authentication of the present embodiment. The procedure of the present embodiment will be described with reference to FIGS. 13 and 15 in the case where the client X is going to be authenticated to log in to the server.

<Registration of Initial Information> In this embodiment, it is necessary for the client to set the initial seed data Ds0 and to initially register the initial inspection data Ds0 in the server Y before logging in. These registrations need only be performed once at the beginning, and once performed, subsequent registration is unnecessary. This registration work is performed by the client itself on the client side, and generally involves setting the access right of the client on the server side. Therefore, it is preferable that the registration is performed by a system administrator having appropriate authority. The initial seed data Ds0 may be anything such as a random number, an E-mail address of a client, or a user identification name. Further, if the secret key Ks is kept secret, it is not necessary to keep the initial seed data Ds0 particularly secret. After registration, the client is notified of the registration.

As described later, the seed data D is used for generating authentication information in the client. And
Once the authentication request using the authentication information is accepted, the generated authentication information is stored as seed data for generating authentication information for an authentication request for the next login. On the server side, if the received authentication information is compared with the inspection data D stored in advance and a match is obtained, the received authentication information is used for the next login from the client. Save as data.
Therefore, in the present system, the seed data stored in the authentication information generation seed data file 204 matches the test data stored in the test data file 105 on the server side as a value. , For convenience, D _n-1
It is expressed as Species data and inspection data are generally
The data is represented as _n-1 because those data were generated in the previous login.

In the example shown in FIG. 13, the initial seed data of the client X is registered as Ds0. In the authentication protocol of the present embodiment, the client X generates authentication information from the initial seed data Ds0 in the first authentication session. A major feature is that if authentication is permitted, the seed data D _n-1 stored so far is encrypted with the secret key Ks of the client X and it is stored as seed data Dn for the next authentication session. is there. The previous seed data D _n-1
Will not be used for subsequent logins,
The history may be stored for storage.

The processing procedure of this embodiment will be described below with reference to FIGS.

Step (1) The authentication of this embodiment is for authenticating whether or not the client to log in is a genuine client. Therefore, the login to the server Y is performed prior to the authentication. In the present embodiment, the login is performed using the user identifier (Us
er-id etc.) to the server Y. This login message may be in plaintext or in the form of ciphertext.

Step (2) Upon receiving the login message, the server Y sends an authentication information request message to the client X.

Step (3): Client X that has received the authentication information request message
Encrypts the seed data D stored by itself with its own secret key Ks as authentication information to be returned to the server Y.
Send to In the example shown in FIG. 13, since the authentication session starts for the first time after the initial registration, the seed data is Ds0, and thus the data Ds0 is encrypted with the secret key Ks of the client X.
D ₁ is sent to server Y.

[0088] ● Step (4) server Y receives the authentication information D ₁ from the client X, decrypted with the public key Kp of the client X that are already obtained. As described above, the authentication information Dn of the present embodiment is encrypted according to the public key encryption algorithm. That is, if the authentication information D ₁ supposed to represent the client X is obtained by encrypting the genuine seed data Ds0 of the client X with the secret key Ks of the client X, the authentication information
D ₁ and those decoded by the public key Kp is, according to the public key encryption algorithm, should match the front of the seed data Ds0 which is encrypted by the secret key Ks of the client X.

Step (5) The server Y compares and checks the decrypted information Ds0 with the inspection data Ds0 of the client X read from the file 105.

Step (6) The server Y returns a collation result to the client. As described above, if the collation matches, it means that the client X that has requested the login is a genuine client, and a message indicating that the login is permitted is returned.
Further, provided in the login request from the next client X, it stores the authentication information D ₁ that has been encrypted received from the client X in the file 105. Updating (overwriting and saving) of the authentication information in the server Y is performed only when the comparison result in step (5) matches. File 105
Enciphered authentication information D ₁ that has been written within the Within file 105 is stored as inspection data for the next authentication.

Step (7) The client X, having received the collation result (authentication processing result) from the server Y, determines whether the collation result is login permission or rejection.

[0092] ● Step (8) The client X, the matching result may indicate a login authorization is stored in file 204 of the authentication information D ₁ sent to the server Y as seed data D ₁ of the next authentication. Discard if the verification result is show a login rejection (collation result is also a case that has not returned within a predetermined period of time), so you can not use the authentication information D ₁ as the next certification of species data. In other words, when retrying the login, client X
Again generates the authentication information D ₁ from the seed data Ds0.

The above is the processing procedure for authentication for a login request when logging in for the first time. In the next login, steps (1) to (8) are repeated. That is, as shown in FIG. 13, client X, the authentication information D relative to the second time of the authentication information request from the server Y, are generated seed data D ₁ that has been stored encrypted with the secret key Ks _Two
To server Y. Server Y sends the received authentication information D ₂
The decrypts the public key Kp to generate a D _1, is compared with the inspection data D ₁ which has been stored the D _1. If the comparison results match,
The point of allowing login is the same as the first login.

In this scheme, authentication information that is valid only once can be generated indefinitely, and is hereinafter referred to as “infinite one-time authentication scheme”. The advantages of this infinite one-time authentication scheme that must be particularly emphasized over the conventional scheme are as follows.

(1) The authentication information generated at the next login can be generated only by a valid authentication requester using the private key held by the authentication requester. In other words, even the server authentication information administrator cannot know the next authentication information. As a result, it is possible to prevent fraudulent acts by “spoofing” the user by a malicious party inside the server, that is, an internal crime.

That is, the authentication requester sends the generated seed data (the authentication information used at the previous login) encrypted with its own secret key to the authenticator as authentication information.
The certifier decrypts the authentication information received from the certifier with the public key of the certifier, compares it with the inspection data stored by the certifier, and permits login only when the comparison result matches. . Therefore, as long as one's (or all) of the authentication information, inspection data, and authentication information generation seed data is known to a third party, as long as the secret key of the user is kept strictly, Is not possible.

Further, the certifier compares the inspection data in one authentication request processing process, and does not leave the processing process until it does not match or it is confirmed that there is a match. As soon as the inspection data is updated, the time lag until the inspection data is updated is substantially zero. Therefore, the time for a third party to eavesdrop the authentication information being transmitted and reuse it as it is to impersonate the authentication requester is substantially zero.

(2) Registration of authentication information only needs to be performed once,
Once registered, the client can generate infinitely high security authentication information. However, when changing the pair of the secret key and the public key, it is necessary to register the pair with the server again.

(3) The authentication process between the client and the server does not have an interaction sequence, and only transmits one message (authentication information) at the time of login. Therefore, the programs required on the server side and the client side are extremely simple.

[0100] (4) from a client sends authentication information to the server, updates its authentication information to the next authentication information (i.e., from D _n updated D _{n + 1)} time interval between equals zero. Therefore, even if the authentication information is eavesdropped during communication, there is no time gap in which the eavesdropper can reuse it.

In a method in which a time stamp is used as a part of the existing authentication information, a predetermined time allowable range is provided on the server side. Therefore, the authentication information must be reused immediately after eavesdropping, that is, within the allowable time. For example, there may be a timing at which a user can impersonate a real client and log in to the server (replay attack), but this is not possible with the authentication method of the present embodiment.

(5) On the server side, even if an insider such as a server administrator plagiarizes the inspection data Dn and attempts false authentication, the Dn used by those persons is authentic in the authentication process. Since it is compared with D _n−1 generated by decryption using the public key of the authentication requester, the authentication does not succeed. In other words, even an insider who can know the authentication information of the server cannot impersonate a genuine authentication requester.

[0103]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment embodying the above-described infinite one-time authentication system will be described below.

FIG. 16 is a diagram showing the configuration on the server side for this embodiment.

The server is, for example, Window 101 as the OS 101.
Use s, MacOS, UNIX or Netware. Network 1
For example, TCP / IP, OSI, Netwa
Use re.

The test data file 105 has the file configuration described with reference to FIG. 14. Specifically, the client identification name information X, the test data D _n−1 , the public key certificate C
Kpx and memorize. The public key certificate CKpx includes a version number, a serial number, an issuing authority name, a certificate expiration date, a user identifier, a public key and related information, and the like. The public key file 107 stores the public key Kpc of the certification authority CA. The public key Kpc is used to check the digital signature attached to the client X's public key certificate. The decryption processing program 106 obtains Kpx by checking the public key certificate CKpx of the client X, and decrypts the received authentication information Dn (encrypted with the private key Ks of the client X) with the public key Kpx. To generate inspection data D _n−1 .

FIG. 17 is a diagram showing the configuration on the client side.

The client system runs as OS 201
For example, Windows, MacOS, UNIX or Netware is used.
The communication protocol uses, for example, TCP / IP, OSI, or Netrware. The communication protocol on the client side needs to match the communication protocol on the server side. But,
The client OS does not need to match the server OS.

The secret key file 206 is stored in the client X
Is a file that stores the private key Ks of This secret key Ks is preferably encrypted by a predetermined encryption procedure. The encryption and decryption of the secret key Ks and the encryption from the authentication information seed data D _{n -1} to the authentication information D _n using the secret key Ks are performed by the encryption processing program 207 with the support of the authentication processing program 202. Done by The authentication information generation seed data file 204 stores seed data for generating authentication information of the client X.

The authentication processing program 104 on the server side is shown in FIG.
Then, the client-side authentication processing program 202 executes the control procedure on the left side of FIG.

The feature of the client system shown in FIG. 17 is that the secret key Ks is encrypted and stored on the local disk of the client system. This is because the infinite one-time authentication method according to the embodiment shown in FIG.
Since it is assumed that the client X strictly stores its own secret key Ks, the client system shown in FIG. 17 achieves its management function by encrypting the secret key Ks.

Various types of encryption processing programs 207 can be used. For example, a method for requesting a password from a user using the system in FIG.
Client X using an appropriate common key cryptosystem such as S
Preferably, Ks is encrypted and stored using a passphrase known only to the user as a key. As a result, Ks is not known to a third party, and it is virtually impossible to impersonate Client X. In addition, Ks can be kept secret only by installing cryptographic software without the need for special equipment, and effects such as no need for external interface equipment can be obtained. In particular, cryptographic processing programs
By converting 207 into a plug-in program module,
Operability, expandability, and variability are dramatically improved.

Various forms can be considered for sending the client's public key Kp to the server.

In the example shown in FIG. 16, it is assumed that the server obtains the public key certificate of the client X from the client for each login. That is, for example, the client X sends its own public key certificate CKpx along with the authentication information to be sent to the server.

When the server-side authentication processing program 104 receives the login message of client X, it returns an authentication information request message to client X. Client X returns authentication information in response to this message. The authentication processing program 104 includes a certificate authority CA attached to the public key certificate CKpx of the client X sent together with the authentication information.
The digital signature of the certificate authority CA's public key Kpc (file 1
(Stored in 07). When the validity of the digital signature is confirmed by the inspection, the public key certificate is confirmed to be a valid public key certificate of the client X, and the public key certificate CKpx is stored in the file 105. . The server-side decryption program 106 accesses the file 105 and extracts the public key Kpx of the client X from the public key certificate CKpx.

[0116]

[Modifications] The present invention can be variously modified without departing from the spirit thereof.

[First Modification] For example, in the example shown in FIG. 16, the public key certificate of the client is transmitted from the client to the server every time the user logs in, but the public key of the client does not need to be kept secret. The client does not need to send a public key certificate at every login.

Therefore, if the client X attempts to log in during the log-in process of the server-side program, a procedure for checking whether or not the public key certificate CKpx is already stored in the file 105 is added. . If a client whose public key certificate is not registered tries to log in, the server sends a message requesting the public key certificate before sending a message requesting authentication information to the client. Good.

[Second Modification] The above-described embodiment has the inconvenience that the client terminal that can be used for login is limited to the terminal in which the secret key Ks is stored. If the private key Ks is stored not on the client terminal but on an IC card and the client carries the card, such inconvenience is solved.

FIG. 18 is a diagram showing a configuration of a client system using an IC card.

The system shown in FIG. 18 includes a password file 301 for storing a user's password, a file 302 for storing a public key certificate, and a file 30 for storing a private key Ks.
4, and the encryption processing program 304 is stored in the IC card 300.

When the system shown in FIG. 18 is configured on the client side, the configuration on the server side can employ the configuration shown in FIG.

FIG. 19 is a diagram for explaining the cooperative operation between the authentication processing program 308 (client host side) and the encryption processing program 303 (client card side) on the client side in FIG.

When the user logs in (for example, causes the card reader (not shown) to read the IC card), the encryption processing program 303 sends an authentication information request message (password request) to the client via the terminal authentication processing program 308. send a message. If the user is an authorized user, the correct password will be input from a keyboard (not shown) of the terminal.

When a password is input, the authentication processing program 308 sends the input password to the encryption processing program 303 via the interface. The encryption processing program 303 stores the received password in the file 307
Compare with the password stored inside. If the passwords do not match, the encryption processing program 303 returns a message to that effect to the authentication processing program 308, and the authentication processing program 308 rejects the login. If the passwords match, the encryption processing program 303 issues an IC card use permission to the client and notifies the authentication server that the authentication request is permitted.

Next, the client makes an authentication request to the authentication server. Subsequent procedures are as described in FIG.

In this case, on the client side, the encryption with the secret key Ks for generating the authentication information from the seed data D _n−1 is entirely performed by the encryption processing program 3 in the IC card 300.
It is important to be done by 03. That is, no information about the secret key Ks is transmitted to the host, and the transmitted information is the authentication information Dn. As previously mentioned,
Even if the authentication information Dn is viewed by a third party, it cannot be decrypted.

In the client system shown in FIG. 18, it is not preferable that the secret key file 304 is opened to the authentication processing program 308 because there is a risk of leakage or falsification. The host system of the client may be used by an unspecified number of users, and it is not preferable that the secret key Ks is exposed to the host system in a raw form. Therefore, it is preferable to encrypt the secret key Ks in the file 304 by using a password in the password file 307 according to an encryption algorithm such as DES. Secret key Ks
If, for example, the authentication processing program 308 in the host is tampered with and the secret key Ks is read from the file 304, since it is encrypted by DES, there is a possibility that it will be decrypted. Very few.

According to this modification, since the secret key Ks is stored in the IC card, it is impossible for a third party to impersonate the client X using the client terminal. In other words, the client system may be a general-purpose personal computer, and this personal computer can be used by anyone other than the client X. In addition, any terminal that can interface with an IC card can be used as the client-side main unit. Accordingly, for example, remote login from outside the company using a portable terminal is also possible. Furthermore, prior to the execution of the login process, the IC card authenticates the client X (user) with a password, etc., so even if the IC card is lost,
It is difficult for an IC card acquirer (third party) to impersonate Client X.

[Third Modification] In the above-described embodiments, examples, and modifications, it is assumed that the public key of the client is stored in advance by the server itself, or that the server obtains the public key from the client. However, as described above, the public key once sent from the client may be stored on the server side, and in the subsequent login, the stored public key may be used together with the certificate. This is because the public key may be known to others. However, since the validity period of the certificate (and therefore the public key) is set, it is preferable to have the public key certificate resent by the above-described method for login after the validity period has elapsed.

[Fourth Modification] In the above-described embodiments, examples, and modifications, it is assumed that a network exists, but the present invention does not require a network. In general, if authentication is necessary, the present invention can be applied, for example, between a host and an input / output device.

[Fifth Modification] In the above embodiment, the problem of authentication when data is exchanged via a communication line (whether wired or wireless) has been dealt with.
For example, the present invention can be applied to a door opening / closing device using a card. That is, in this case, the lock mechanism acts as an authentication server.

[0133]

As described above, according to the present invention,
Even if the authentication information or the like is stolen by a third party, it is possible to make it difficult for the third party to reuse the stolen authentication information or the like, even if the authentication information is stolen by a third party. For example, inspection information and seed data are changed each time, so they are resistant to repeat attacks, and even if the authentication information being transmitted is stolen, there is little time for a third party to reuse it as it is, so security Is kept. In addition, even if seed information, authentication information or test data is stolen,
As long as the private key of the client is managed, it is extremely difficult for a third party to reuse the stolen authentication information.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining classification of authentication;

FIG. 2 is a diagram illustrating an overview of a challenge response method,

FIG. 3 is a diagram illustrating a general model of a public key cryptosystem,

FIG. 4 is a view for explaining an authenticator collation method;

FIG. 5 is a diagram illustrating an authentication token system with a digital certificate.

FIG. 6 is a diagram for explaining the SSH method;

FIG. 7 is a diagram for explaining an outline of RPC authentication,

FIG. 8 is a diagram for explaining an outline of an authentication method of Kerberos;

FIG. 9 is a diagram for explaining the outline of a zero-knowledge dialogue proofing system;

FIG. 10 is a diagram summarizing disadvantages of various security methods,

FIG. 11 is a diagram illustrating a configuration of a network to which the authentication method according to the embodiment is applied;

FIG. 12 is a diagram illustrating the authentication of the embodiment in principle;

FIG. 13 is a flowchart illustrating an authentication procedure according to the embodiment;

FIG. 14 is a diagram showing a configuration of an authentication information inspection data file possessed by the server;

FIG. 15 is a diagram showing a processing procedure in each of a client and a server, and a communication procedure performed between them.

FIG. 16 is a diagram showing a configuration of a server according to the embodiment;

FIG. 17 is a diagram illustrating a configuration of a client according to the embodiment;

FIG. 18 is a diagram showing a configuration on a client side of a modification;

FIG. 19 is a flowchart illustrating a processing procedure on the client side according to a modified example.

Claims (6)

[Claims] 1. A method in which an authentication device authenticates the validity of a terminal device by a public key cryptosystem, wherein the authentication device stores first inspection information for checking authentication information of the terminal device in advance. When the authentication device receives the authentication request, the authentication device requests authentication information from the terminal device that requests authentication, and the terminal device that receives the request for authentication information holds the first authentication information to generate the authentication information. The seed information is subjected to encryption using a secret key of the terminal device to generate first authentication information, and the generated first authentication information is sent to the authentication device, and the second authentication request for the next authentication request is sent. The second seed information is stored in place of the first seed information, and the authentication device decrypts the first authentication information sent from the terminal device with a public key of the terminal device, and Generate inspection information of the first and second If the two match each other, the terminal device is notified that the terminal device is to be authenticated, and the first authentication information is used as the inspection information for the next authentication. An authentication method characterized by storing information instead of information. 2. An authentication device for storing authentication information for giving authentication to an authentication request from a plurality of terminal devices, wherein inspection information for checking the authentication information of the terminal device is stored for each terminal device. A memory to be authenticated, an authentication information requesting means for sending a message requesting authentication information to the terminal device when an authentication request is received from any terminal device, and a public key of the terminal device Generating new test information by decrypting the test information, comparing the new test information with the test information stored in the memory, and when the test information matches, an authentication unit that authenticates the terminal device; Updating means for updating the inspection information stored in the memory with the authentication information received from the terminal device when the device is authenticated. 3. An authentication device for providing authentication to an authentication requester with the support of an external authentication device, comprising: memory for storing seed information for generating authentication information for authenticating the authentication requester; Transmitting and receiving means for receiving a request for authentication information from the authentication device, and encrypting the seed information stored in the memory using a secret key for the request for authentication information, and Generating authentication information generating means, and transmitting the generated authentication information to the authentication device,
An authentication information sending unit that stores the seed information in a previous memory instead of the seed information. 4. An authentication device that authenticates an authentication request from an authentication requester via a storage medium with the support of an external authentication device, wherein the authentication device authenticates at least the main body and the authentication requester. For receiving authentication information for generating seed information, a secret key of the authentication requester, and a storage medium for storing a program for generating authentication information, wherein the main body includes the authentication requester. Receiving means for accepting an authentication request from, sending an authentication request message to the authentication device when accepting the authentication request, transmitting and receiving means for receiving an authentication information request message from the authentication device, when receiving the authentication information request message, the interface, Through,
Command means for executing a program in the storage medium; and authentication information sending means for sending authentication information returned from the program to the authentication device, wherein the program authenticates the seed information using the secret key. An authentication device, wherein information is generated, and the generated authentication information is returned to the main body via the interface, and is stored in the storage medium instead of the seed information. 5. A program for realizing the authentication method according to claim 1. 6. A storage medium on which a program for realizing the authentication method according to claim 5 is recorded.