JP2001290554A - Method for authenticating user and access of computer and computer network - Google Patents

Abstract

PROBLEM TO BE SOLVED: To identify a regular user of a computer and a computer system by using a single-use throwaway password. SOLUTION: To identify the regular user of the computer and computer network, the system sends the single-use-only password to a communication terminal that only the regular user has and which is not connected directly to the computer and computer network and the user sends this single-use throwaway password back to the system by a specified method.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a security system for password authentication used in computers, computer networks, and telecommunication networks.

[0002]

2. Description of the Related Art With the recent explosion of users in computers and all computer networks, security has become an issue. In a system released to these users, a user ID and a secret password are widely used as a user identifier for a user having a specific service permission and an access right. However, such an identifier alone is no longer sufficient to guarantee security for the system.

In a computer and a network system which are widely used at present, a user has to transmit a user ID and a secret password to the system at the time of login. Thereafter, the system checks the user ID and the password as the user identifier incorporated in the system in advance, and if the user ID and the password match, login is permitted and the service is started.

[Problems to be solved by the invention]

However, in these methods, the security management burden on the user himself is very large at present, and in particular, password management is extremely difficult. This means that every time you log in and log on, you will be asked to enter your user ID and secret password,
In doing this, many users
He has neglected to write down D and secret passwords and keep them confidential to others. In addition, a person who tries to perform some unauthorized access sometimes logs in by accessing as a legitimate user by using a password analysis program or the like.

[0005] Therefore, as one of the methods for establishing security, which is these problems, as a system terminal, a disposable password which the user himself does not know at the time of log-in from the computer or the computer network and the computer network system is used. Let users know without passing through,
The password can be returned by the computer or the computer network and the method required by the computer network system.

[Means for Solving the Problems]

According to the present invention, in the computer, the computer network, and the computer network system, after a user inputs and transmits a user ID and a password, the computer or the computer network and the computer network system are connected to the computer or the computer network. Using a public line or a non-public line separated from the network and the computer network system, a registered user who registered at the time of login setting, a pager capable of displaying characters, always possessed by the authorized user himself, For a mobile phone or portable radio, the disposable password and the computer or computer network and computer network The legitimate user who has sent the method of returning the disposable password to the system and received the disposable password and the method of reply, promptly sends it back to the system according to the computer or the computer network and the method required by the computer network system. I do. The disposable password returned by the authorized user within the time limit is compared with the disposable password stored in the computer or the computer network and the user identification program installed in the computer or the computer network system, and the first login is made when it is determined that the password is the same. Establish and start the service.

BEST MODE FOR CARRYING OUT THE INVENTION

According to one aspect of the present invention, when one independent computer C is used by a plurality of users, or a person other than the user who manages and operates one independent computer C can operate. If there is a computer C installed in the state, the user who becomes the authorized user U for this computer C first sets up a new user at the time of opening the installation of the computer C. Make the settings for A communication device T such as a pager, a mobile phone, or a modem that can communicate with a portable terminal P such as a portable wireless device that the user U always has is installed in the computer C. Next, several methods by which the new user U can transmit data to the user identification program of the computer C are registered and brought into a normal use state.

In the computer C, the computer C requests the user to input a user ID and a password at the time of normal startup or operation start. Upon receiving the request, the user inputs a user ID and a password. Upon receiving the input, the computer C verifies the user ID and the password by a user identification program installed in the computer, recognizes that the user is an authorized user U, and then generates a user password generation program installed in the computer C. Then, a second disposable password is generated, and the method of returning the disposable password to the computer C by the authorized user U and the time limit are determined. The newly generated disposable password and the method of returning the user U are transmitted to the authorized user U via a communication device T such as a modem installed inside the computer.
Sends a call to a portable terminal P, such as a pager, a mobile phone, or a portable wireless device, which is always set by the user and set when the computer is set up. Authorized user U who received this password and reply method
Promptly returns the password to the computer C by the specified method. The computer C receives the password only in the method determined when the password was generated, and checks the password by the user identification program installed in the computer C only when the password is received within the time limit. If the verification is successful, the user U who has returned the password is recognized as the authorized user U, and the operation of the computer C is permitted.

The following embodiment is a closed network system NW in a network configured by a plurality of computers as shown in FIG. 2, in which there is no server computer for managing these computers, a computer in the network. When the computer NWC2 attempts to provide a service to the authorized user NU1 of the NWC1, the computer NWC1
In the setting when the authorized user NU1 newly joins the network NW, the following setting is performed in addition to the normal setting. A communication device T such as a pager, a mobile phone, or a modem that can communicate with a portable terminal P such as a portable wireless device that is always in possession of the user NU1 is installed in the computer NWC2. When it is impossible to install the communication device T in the computer NWC2, the communication device T is installed in any of the computers NWC that can be controlled by the network from the computer NWC2 on the network. Next, the new user NU1 registers several data transmission possible methods to the user identification program of the computer NWC2 which provides the service, and makes the normal use state.

When the computer NWC2 receives a service request from an authorized user NU1 of the computer NWC1, the computer NWC2
It requests U1 to transmit the user ID and password given when joining the network. The user NU1 having received the request transmits the user ID and the password to the computer NWC2 through the network. The computer NWC2 that has received this user ID and password recognizes the possibility of being an authorized user NU1 by a user identification program, generates a second disposable password by a user password generation program installed in the computer NWC2, and generates the user NU1. The transmission method of the disposable password from the computer to the computer NWC2 and the transmission time limit are set. Next, the computer NWC2 uses either the public line or the non-public line using a communication device T such as a modem installed inside any of the computers NWC in the network NW, and the user NU1 crosses the computer NWC1. The disposable password and the method of transmission from the user NU1 to the computer NWC2 are transmitted to a portable terminal P such as a pager, a mobile phone, or a portable wireless device, which can be written by the authorized user NU1 and set at the time of user subscription. The user NU1 that has received the password and the transmission method promptly transmits the password to the network computer NWC2 by the specified method. The network computer NWC2 receives the password only in the manner determined when the password was generated, and when received within the time limit, verifies the password by a user recognition program installed in the network computer NWC2. If the verification is successful, the user NU1 that transmitted the password is recognized as a legitimate network user NU1, and is permitted to receive the service of the network computer NWC2.

[0011] A further embodiment is a network system INWS, which includes a number of computers and has a server computer for managing a computer network, and a network system INWS or the like, in which the server computer of the network is separated from the network. A communication device T such as a modem using a public line or a non-public line is installed. Next, when a new or existing user INU is set up for user registration, in addition to the conventional settings, the user INU can always use and use a portable terminal P such as a pager, a mobile phone or a portable wireless device, and the user INU communicates with the server computer. Register some possible ways to communicate.

[0012] The authorized user INU of the network INWS is a server computer INW on the INWS.
When attempting to receive the SC service, the server computer INWSC requests the user INU to transmit the user ID and password given when joining the network. Upon receiving the request, the user INU sends the user ID and password to the server computer IN.
Send to WSC over network. User IN
The server computer INWSC that has received the user ID and password of U collates with the user identification program installed in the server computer INWSC, and recognizes that it is a legitimate user INU1. Next, the server computer INWSC generates a disposable password by a password generation program in the server computer INWSC, and determines a communication method from the user INU to the server computer INWSC and a time limit. The generated disposable password and the determined communication method are based on the user ID set when the user INU joins the network by a communication device T such as a modem installed in the server computer INWSC and separated from the network.
It is transmitted to a portable terminal P such as a pager, a mobile phone, or a portable wireless device that the NU always carries. Upon receiving this, the user INU enters the server computer I
The one-time password is immediately transmitted to the server computer INWSC by the method instructed by the NWSC. The server computer INWSC waits for the reception of the disposable password for a limited time only by the method instructed to the user INU. When the server computer INWSC receives the one-time password from the user INU within the time limit as instructed, the user identification is performed by the user identification program installed in the server computer INWSC. The user is recognized as an authorized user INU of the network, and is allowed to receive services in the network managed by the server computer INWSC.

[0013] When each of the legitimate users needs to reconfirm that they are legitimate users while continuing to use the service, the user identification program in the system is renewed each time. Determine the password, its transmission method and the time limit for transmission, stop the service, and let the user know that it is necessary. In the system, the data is transmitted to the user through a communication device T such as a modem capable of communicating with the user's portable terminal P installed in the system.
The user receiving the disposable password promptly transmits the password to the system according to the designated method.
The system that receives the one-time password within the time limit determines this by the user recognition program in the system, and if the password matches, confirms that the user is an authorized user of the system, and continues the service.

In each of the above systems, if the user identification program fails to identify a disposable password or the system, the failure is determined by an attack from a user other than a legitimate user, and the system determines the failure. Disconnect all user access and record any information about this unauthorized user. Thereafter, the user is warned promptly of the unauthorized use of the user ID and the password for the respective authorized users.

The invention described herein merely discloses the principles of the invention and, if implemented in practice,
Various modifications and additions can be made without departing from the spirit and scope of the invention. For example, consider the case where the user returns a password or a password to the system. The system first installs two communication devices such as a modem in the system, transmits a password from the modem 1 to the user's portable terminal P and a telephone number connected to the modem 2 in the system, and transmits the password. To the user. The user who receives the password and the transmission method calls the telephone number connected to the modem 2 in the system as specified, and transmits the password through the telephone. Of course, the system is waiting for the transmission of the password from the user only by the modem 2 in the system. Input from other keyboards and mice is not accepted. Thus, various applications in accordance with the spirit of the present invention are possible and can result in a more secure system.

[0016]

As described above, according to the present invention,
By using computers and computer networks, you can at least protect yourself from the violence of password cracking by unauthorized users.

[Brief description of the drawings]

FIG. 1 is a diagram simply showing the concept of the present invention and briefly explaining a series of flows thereof. (Example 2)

Claims (3)

[Claims] 1. A computer having an unspecified user, a computer having a specified authorized access right in the network and the network system, and a computer requiring the management of the authorized user; and In a method for determining whether or not access to the network and the network system is authorized access right, after performing authentication by inputting a user ID and a password in the related art, the computer and the computer A computer that manages access to the network and the network system generates a second disposable password,
Determine the user's reply method and the time limit for reply. This is a pager capable of displaying characters which are always possessed by a user who has an authorized access to the system by using the computer, the network, a public line or a non-public line separately configured from the network system. Transmitting the second disposable password and the transmission method on the user side to a mobile terminal such as a mobile phone or a portable wireless device. After requesting input from the user and receiving the second one-time password and the transmission method, the authorized user of the system transmits the second one-time password to the system according to the specified method, and then transmits this password to the system. Computers or computers in the above system received within the time limit Pewter how network and computer network system initiates a service grants access to the user who sent the 此. 2. The computer and the network when the access permission is continued in the computer and the network or the system when a random time elapses or when it is necessary to confirm that the user is an authorized user. In order to confirm that the user currently receiving the service is a legitimate user, the user identification program of the system generates a new next disposable password, and stores the password in the mobile terminal used by the legitimate user at the time of login. A new one-time password and a method of returning the user's one-time password to the computer, the network and the system are transmitted, and the system requests input of the one-time password within a time limit. The user who has received this promptly returns a one-time password to the system within the time limit according to the specified method, and the system waits for reception only according to the specified method and suspends the service. The method according to claim 1, wherein the system that has received the disposable password authenticates the disposable password, and only when the password matches, the system continues the access permission and restarts the service. 3. In the method according to claim 1 or 2, if the user identification fails by these methods and there is an access from a user who does not have an authorized access right, Alerts users who have the authorized access to the system and system administrators in a way that is registered in the system in advance, and immediately disconnects users who do not have the authorized access, A method of recording user information individually.