JP2005115743A - Automatic authentication system for information communication terminal using cellular phone and code - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system which guarantees higher security by transmitting issued connection information being left invisible between each media, and automatically connecting a cellular phone to an application server or a RAS server at an information communication terminal, through the use of a code capable of being transmitted locally from the cellular phone to the information communication terminal, and through constitution of an automatic authentication system with an authentication server and a RADIUS server at the center thereof by the application server or the RAS server. <P>SOLUTION: If a login user authentication part authenticates an ID and a password inputted from a cellular phone as being legitimate, mail generated by encrypting the connection information is transmitted to the cellular phone, the cellular phone transmits the code locally to the information communication terminal, after decoding, the decoded connection information is used to make a request for connection to the application server, and if it is decided that the decoded connection information is legitimate, the use of application is permitted. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an authentication system for an information communication terminal using a mobile phone and encryption, and in particular, encrypts connection information to an application server or a LAN issued from an authentication server, and further uses a mobile phone and encryption for automatic connection. The present invention relates to an automatic authentication system for information communication terminals.

  Conventionally, in a security problem that generally occurs, as a method for authenticating a portable information terminal, a mechanism for individually managing terminal information by issuing a user ID, a password (PW), and a user-specific homepage can be considered. I came. First, the lowest level user authentication method is a method of creating a user-dedicated page and authenticating only those who have accessed the page as regular users. This is an easy-to-use method because the user can always enter the URL (Uniform Resource Locator) of the dedicated page in the bookmark, and the user can always enter it into the dedicated page with one action. It will be.

  Next, there is a method of creating a user-specific page and further protecting it with a user ID and a password. However, this method is not secure because it is possible to monitor communication or to inform a third party of all information such as URL, user ID, and password maliciously.

  In addition, there is a method of issuing a key after general login authentication and further logging in using that key, but it is monitored in subsequent transmission / reception with the server (hereinafter referred to as transmission / reception in one login). If this happens, the data will be leaked.

  Note that mobile phones use a special network to ensure high concealment, but many other information communication terminals always suffer from the above problems.

  This was a very serious problem in terms of security when using information communication terminals, leading to information leakage.

  An authentication system using a RAS server is a system that has been widely used in the past, making a call to a representative telephone number using a modem of an information communication terminal, and connecting to an in-house LAN or the like by using a user ID password. Establish. When a RAS server is used, since “calling” is performed, a dedicated line is used between the RAS server and the information communication terminal, and high concealment is obtained as compared with a public line such as the Internet.

  The following is a list of prior art references.

  The invention described in [Patent Document 1] is a computer and a computer network system in which a computer having only a legitimate user is used to identify whether or not it is a legitimate user as a system that can ensure high safety. In addition, an authentication method is described in which a disposable password is sent to a communication terminal not directly connected to the computer network system, and the user returns the disposable password by a method designated in the system.

  In the present invention, when a password previously issued to a user is input as a first password to a computer network system using a computer, and the possibility is confirmed as a legitimate user, the system is A password is issued and transmitted together with a reply method to a portable terminal such as a pager (registered trademark), a cellular phone, or a portable wireless device via a communication device such as a modem. The user who received the second password and the reply method returns the second password by the designated method, and the computer received it only by the method determined at the time of issuing the password, and was received within the time limit. Only when the password is verified by the user identification program installed on the computer.

  The invention described in [Patent Document 2] is a user authentication method for authenticating a user who makes a session request with a private area of an intranet using a mobile communication terminal.

  In the present invention, the step of authenticating the first authentication information input by the user who has accessed the public area, and the session identifier for authenticating the session between the accepted user and the private area are issued and stored. A step of transmitting the URL of the public area where the session identifier is authenticated, obtained by adding the session identifier to the user's mobile communication terminal, and a URL provided from the mobile communication terminal re-accessing the public area The user authentication method includes a step of performing authentication by checking a session identifier included in the password, thereby authenticating a session between the user and the non-public area. After the first authentication step is completed, by authenticating the session added to the issued URL as the second authentication information, it becomes possible to refer to various contents in the public area.

  The invention described in [Patent Document 3] is an authentication server, a user authentication method, and a program that eliminates illegal “spoofing” and can reliably determine the user.

  In the present invention, the Web server receives the ID and password from the user's computer, collates with the ID and password stored in the database, and performs the first authentication. When the first authentication is successful, the Web server transmits a confirmation code to a user-specified e-mail address stored in the database. The destination is a mail server. The user receives the confirmation code from the mail server using the portable terminal and inputs it to the computer. The input confirmation code is returned to the Web server as a reply code. The Web server collates the received confirmation code with the transmitted confirmation code, and determines that the second authentication is successful if they match.

JP 2001-290554 A JP 2002-7345 A JP 2002-251375 A

  However, in the invention described in [Patent Document 1], after the first user authentication is performed and the user is recognized as a regular user, the second disposable password is issued. At the same time, a reply method and a time limit are determined, and the message is transmitted to a portable terminal such as a pager or a cellular phone that can display characters that the user himself / herself always uses, using a modem installed in the computer.

  In this case, the reply is not limited to a mail address owned by a mobile phone or the like. For this reason, when the third party monitors as described above, the second password can be obtained.

  In addition, the system sends a one-time password to a computer that has only a legitimate user and a communication terminal that is not directly connected to the computer network system, and the user returns this one-time password by the method specified in the system. There is no mention of the handling of this disposable password from when the disposable password is sent to the user until input.

  In other words, using manual input means touching the human eye, and there is a danger of being monitored and stolen.

  The invention described in [Patent Document 2] authenticates the first authentication information input by a user who has accessed a public area of an intranet using a mobile communication terminal. The URL to which the identifier is added is transmitted as second authentication information to the mobile terminal, and the user accesses the URL transmitted from the mobile terminal, thereby authenticating the session and connecting to various contents in the public area.

  In this case, since the second authentication information is not limited to the above-described mail back method, the second authentication information is obtained by a third party when monitored when a user page is used. .

  In addition, there is no problem when the URL received at the mobile terminal is used only by that terminal, but when using other mobile terminals, it is necessary to input or transfer the URL at the mobile terminal to be used. Because it was very inconvenient.

  In the invention described in [Patent Document 3], the Web server receives the ID and password from the user's computer, and when the first authentication is successful, a confirmation code is transmitted to the designated e-mail address, which is confirmed by the portable terminal. The code is received, the confirmation code is input to the computer, and the second authentication is performed by the Web server.

  In this case, when an input error occurs when inputting the confirmation code from the portable terminal to the computer, an operation of re-listening the confirmation code occurs, which is troublesome. For this reason, complex codes cannot be used.

  Also, as described in the case of Patent Document 1, with a user ID or password that is simple enough to allow manual input, there is a risk that the user ID or password is stolen when touched by the human eye.

  In the above three cited references, the ID and password are transmitted and input to the information communication terminal via the Internet or manually, and the encryption and the encryption using the public key are not performed. The possibility of eavesdropping by being monitored cannot be removed.

  On the other hand, in an authentication system using a RAS (Remote Access Service) server, a representative telephone number used when a modem of an information communication terminal makes a call is always unchanged, and it is common to make a call to that number. is there. For this reason, security cannot be ensured, for example, when the representative telephone number is stolen by being monitored and the user ID and password are also monitored.

  In recent years, regarding the security of the RAS server, the problem is that this representative telephone number is unchanged. However, since the user group is usually several hundred to several thousand people, It is impossible to make all users troublesome such as changing, notifying each user, and changing the connection dial destination on the user side, and this problem has not been solved.

  The present invention has been made for the above-described reason, and an object of the present invention is to use a cipher that can be transmitted locally from a mobile phone to an information communication terminal, and an application server or RAS server uses an authentication server and a RADIUS server. By building a centralized automatic authentication system, the issued connection information is transmitted invisible between each medium without being visible, and the information communication terminal automatically connects to the application server or RAS server for higher security. Provide a system to guarantee

  The present invention relates to an authentication system for an information communication terminal using a mobile phone and encryption, and in particular, encrypts connection information to an application server or a LAN issued from an authentication server, and further uses a mobile phone and encryption for automatic connection. An automatic authentication system for an information communication terminal, the object of the present invention is to provide a mobile phone, an information communication terminal locally connected to the mobile phone, an authentication server connected to the mobile phone via an electronic communication line, and An information communication terminal automatic authentication system comprising an application server connected to the information communication terminal and the authentication server via an electronic communication line, wherein the authentication server receives login information from the mobile phone. User information in which user identification information including at least a mail address of the mobile phone is stored. A database, a login information authenticating unit that authenticates the user identification information and the login information, and a connection information issuing unit that issues connection information for connecting to the application server after the login information is authenticated; A connection destination address storage unit that stores a connection destination address to the application server, a connection information storage unit that stores the issued connection information in the user information database, and an encryption unit that encrypts the connection information; A mail transmission unit configured to transmit the encrypted connection information and the connection destination address to a mail address of the mobile phone, and the information communication terminal transmits the encrypted connection transmitted to the mobile phone. A local receiving unit for receiving information, a decrypting unit for decrypting the encrypted connection information, and the decrypted connection A connection request unit that automatically connects to the application server based on the information and the connection destination address, and the authentication server further transmits the decrypted connection from the information communication terminal transmitted from the application server A connection information authenticating unit for authenticating information with the issued connection information stored in the user information database, wherein the application server sends the decrypted connection information received from the information communication terminal to the authentication server; And the connection authentication transmitting / receiving unit that receives the authentication result in the connection information authentication unit, and the connection permission unit that establishes the connection of the information communication terminal based on the authentication result, and the issued connection information This is achieved by connecting the information communication terminal to the application server invisible.

  Further, the object of the present invention is to provide the mobile phone with the decryption unit for decrypting the encrypted connection information, and the mobile phone locally transmits the decrypted connection information to the information communication terminal. The transmission unit encrypts the connection destination address, and the decryption unit also decrypts the connection destination address together with the encrypted connection information, or The application server includes a connection destination address providing unit that stores the connection destination address, and the connection destination address is provided from the connection destination address providing unit to the authentication server, and then provided to the mobile phone together with the connection information. Or after the authentication server includes a one-time URL issuing unit and the connection information issuing unit issues the connection information. When the time URL issuing unit issues the connection destination address and the connection information as a one-time URL included in one URL, or the authentication server includes a time measuring unit, and the time measuring unit includes the connection information. After the issuance of the connection information, the connection information authentication unit is issued after the fixed time has elapsed, or after the decrypted connection information is authenticated This is achieved more effectively by determining that authentication using connection information having the same content as the connection information is invalid.

  Furthermore, the object of the present invention is to use a mobile phone, an information communication terminal locally connected to the mobile phone, an authentication server connected to the mobile phone via an electronic communication line, and the information communication terminal and a dedicated line. A RAS server that is connected to the RAS server using an electronic communication line, and a user information database that is shared with the authentication server and the RADIUS server using an electronic communication line. An automatic authentication system for an information communication terminal using a telephone and encryption, wherein the user information database stores user identification information including at least a mail address of the mobile phone, and the authentication server is connected to the mobile phone. A login information receiving unit for receiving the login information, and authenticating the user identification information and the login information A login information authenticating unit, a connection information issuing unit for issuing connection information including a connection ID and connection password to the RAS server, a connection information storing unit for storing the connection information in the user information database, and the connection information An encryption unit that encrypts the dial, a dial destination telephone number storage unit that stores the dial destination telephone number connected to the RAS server, the encrypted connection information and the dial destination telephone number are stored in the mobile phone. A mail transmission unit that transmits a mail address mail, and the information communication terminal locally receives the encrypted connection information and the dialed telephone number transmitted from the mobile phone; and A decryption unit for decrypting the encrypted connection information, and automatically using the dialed telephone number and the decrypted connection information A connection request unit for dialing up to a server, wherein the RAS server receives the dialup from the information communication terminal and the decoded connection information, and the decoded connection information A connection authentication transmission / reception unit that transmits to the RADIUS server and receives the authentication result; and a connection permission unit that establishes a connection of the information communication terminal to the LAN according to the authentication result. The server includes a connection information authentication unit that authenticates the issued connection information stored in the user information database and the decrypted connection information transmitted from the RAS server, and the issued connection information is invisible. The information communication terminal is connected to the LAN by using a dedicated line.

  Further, the object of the present invention is to provide the mobile phone with the decryption unit that decrypts the encrypted connection information, and the mobile phone locally transmits the decrypted connection information to the information communication terminal. Or the encryption unit also encrypts the dialed phone number, and the decryption unit decrypts the dialed phone number and the encrypted connection information, or The RAS server includes a dialed telephone number providing unit that provides the dialed telephone number, and the dialed telephone number is provided from the dialed telephone number providing unit to the authentication server, and then to the mobile phone. Provided from the authentication server together with encrypted connection information, or the RADIUS server includes a time measuring unit, and the time measuring unit The connection information authenticating unit measures the elapse of a certain time after the issuance of subsequent information, and the connection information authenticating unit issues the subsequent issuance after the definite period of time elapses or after the decrypted connection information is authenticated. This is achieved more effectively by determining that the authentication using the connection information having the same content as the connection information is invalid.

  According to the mobile phone and the automatic authentication system for information communication terminals using cryptography according to the present invention, the cipher that is mailed back from the authentication server, that is, the confidentiality of the connection information is ensured by using the cellular phone mail system. it can. Furthermore, by transmitting this cipher locally from the mobile phone to the portable information terminal, it leads to avoiding connection to the Internet where an unspecified number of people connect unconditionally, that is, preventing leakage of the cipher in the Internet. Can do.

  Even if this connection information is leaked at the time of logging in to the application server from the information communication terminal, the connection information once used is discarded, so that unauthorized users are denied access with this connection information.

  On the other hand, even if encrypted connection information is leaked, the information communication terminal uses encryption for decryption, so it is necessary to obtain this key for unauthorized access, and security is maintained. Be drunk.

  On the other hand, the information communication terminal automatically connects to the application server or the RADIUS server without touching the decrypted connection information, so that the danger of the connection information itself being stolen with the naked eye can be avoided.

  Furthermore, when RAS is used, the information communication terminal and RAS server are connected using a dedicated line, so that the exchange of information between the Internet can be reduced to an extreme level, and higher security can be achieved. Can be secured.

  The present invention obtains connection information encrypted by using a mobile phone by e-mail, transmits the cipher locally to an information communication terminal, and automatically connects to an application server or a RADIUS server to avoid contact with human eyes. In addition, an automatic authentication system for an information communication terminal using a mobile phone that accesses an application server or a LAN from the information communication terminal and encryption is realized.

  Hereinafter, the present invention will be described with reference to the drawings.

  FIG. 1 is a schematic diagram of the configuration of the present invention.

  The present invention includes a mobile phone 2 owned by a user, an information communication terminal 3 also owned by the user, an authentication server 1 that performs user authentication, and an application server 4 that stores an application that the user desires to use. Consists of.

  In the mobile phone 2, the ID and password, which are login information issued to the user in advance with respect to the authentication server 1, are input / transmitted, and the encrypted information communication terminal 2 transmitted from the authentication server 1 is local. The transmission with is performed. The local transmission will be described later.

  The information communication terminal 2 uses the encryption received from the mobile phone 2 to log in to the application server 4 and uses the URL received from the authentication server 1 or the application server 4 via the mobile phone 2. The page is viewed. All operations in the mobile communication terminal 2 are performed automatically.

  The authentication server 1 performs authentication of the ID and password transmitted from the mobile phone 2, issue of encryption to the mobile phone 2, authentication of encryption received from the application server 4, and issue of URL using parameters. .

  In the application server 4, transmission of the decrypted connection information, which is a connection request transmitted from the information communication terminal 2, to the authentication server 1, transmission of the address of the next page used by the user to the authentication server 1, The URL received from the authentication server 1 is transmitted to the information communication terminal 2.

  Next, each component of the authentication server 1 will be described.

  FIG. 2 is a configuration diagram of the authentication server 1.

  The authentication server 1 includes a login information receiving unit 101 that receives an ID and password, which are login information issued to the user in advance from the mobile phone 2, and a login information authentication unit 102 that authenticates the received ID and password. Along with the ID and password issued in advance, the user information database 103 storing the mail address (user identification information) of the mobile phone 2 and the connection information that is the connection ID and connection password for connection to the application server 4 are issued. A connection information issuing unit 104, a connection information storage unit 105 that stores this connection information in association with user identification information in the user information database 103, a connection address storage unit 106 that stores the address of the application server 4, Once from issued connection information and connection address A one-time URL creation unit 107 that creates a one-time URL for which only authentication is permitted, an encryption unit 108 that creates a cipher from the one-time URL or connection information, and sends the created cipher to the above-mentioned mail address. A mail transmission unit 109 to be transmitted, a connection information authentication unit 111 that authenticates connection information decrypted in the information communication terminal 3 received from the application server 4, and a time measurement unit 110 that measures the time from the creation of the cipher. Is done.

  FIG. 3 shows an example of the configuration of the mobile phone 2.

  The mobile phone 2 includes a login information input unit 201 for inputting login information to the authentication server 1 given to the user in advance, a login information transmission unit 202 for transmitting login information to the authentication server 1, and an authentication server 1 The mail receiving means 203 for receiving connection information or one-time URL, which is a cipher issued from, as a mail, and the local transmitting means 204 for locally transmitting the received cipher to the information communication terminal 3.

  FIG. 4 is an example of the configuration of the information communication terminal 3.

  The information communication terminal 3 includes a local receiving unit 301 that receives a cipher from the mobile phone 2, a decrypting unit 302 that decrypts the cipher, and decryption using the decrypted connection information or one-time URL. The connection request unit 303 automatically makes a connection request to the application server 4.

  FIG. 5 is an example of the configuration of the application server 4.

  The application server 4 includes a connection address providing unit 401 that provides the connection destination address of the application server 4 to the authentication server 1 and a connection request receiving unit that receives a connection request using the decrypted connection information from the information communication terminal 3. 404, a connection authentication transmission / reception unit 403 that transmits the decrypted connection information to the authentication server 1 and receives the authentication result in order to authenticate the decrypted connection information that is a connection request, and based on the authentication result And a connection permission unit 402 that controls connection of the information communication terminal 3.

  The flow of this invention is demonstrated using a flowchart using these structures.

  6 and 7 are flowcharts showing the flow of the present invention.

  First, in order to log in to the authentication server 1, an ID and a password, which are previously issued login information input to the mobile phone 2, are transmitted to the login authentication unit 30 of the authentication server 1 (steps S <b> 1001 and S <b> 1002). ). In the authentication server 1 that has received the ID and password, the login information authentication unit 101 authenticates the ID and password (step S1003). At this time, the user ID and password are stored in the user information database 103 together with the mail address of the user's mobile phone, and are used as authentication information as user identification information.

  It is determined whether or not this authentication is authorized (step S1004). If it is authorized, the process proceeds to the next step. If it is determined not to be regular, the process ends.

  If the authentication is valid, the connection information issuing unit 104 issues a connection ID and a connection password for connecting the information communication terminal 3 to the application server 4 (step S1005). In this specification, the connection ID and the connection password are collectively described as connection information. The connection ID may be the same as the user ID used when inputting the login information, but it is desirable to issue the IDs so that they are different from each other in order to further increase security.

  It is desirable that the connection password is a single issue type that is not issued again for connection passwords that have already been issued, and the same connection password is not issued again, so the configuration for authentication of decrypted connection information described later Can be easily adjusted.

  Further, one or a plurality of connection addresses are extracted from the connection address storage unit 106 in which the connection address of the application server 4 is stored together with the connection information (step S1006).

  The connection address may be provided from the connection address providing unit 401 included in each application server 4 in response to a connection address request from the authentication server 1.

  Thereafter, the issued connection information is temporarily stored by the connection information storage unit 105 in the user information database 103 in association with user identification information of each user for authentication of connection information from the application server 4 described later. (Step S1007).

  Based on the issued connection information and the extracted or provided connection address, the one-time URL creation unit 107 creates a one-time URL here (step S1008).

  Here, an example of a one-time URL is shown.

URL is
(Connection address) / (connection ID) (connection password)
It is formed in the form.

As a specific example,
http://www.my89.com/members?ID=kuma&SC=1&DT100
In this case, http://www.my89.com/members is the connection address of the application server 4 that the user is trying to access, and ID = kuma is the connection ID.

  SC = 1 & DT100 is a connection password and is a single issue type as described above.

  The one-time URL as described above is created for each connection address, whereby the connection address and the connection information can be issued in association with each other. Of course, the present invention can be implemented by separately managing the connection address and the connection information without creating a one-time URL.

  Next, the encryption unit 108 encrypts each created one-time URL (step S1009). As will be described later, the encrypted one-time URL (connection information) is transmitted from the authentication server 1 to the mobile phone 2 and the information communication terminal 3. For this reason, it is desirable that it is so complex that others cannot steal and impersonate. Furthermore, it is more effective to conceal the encryption created in the drawings and texts prepared in advance, and to analyze and decrypt using software etc. provided in advance to the information communication terminal 3.

  Note that it is possible to encrypt only the connection information or the connection address without creating a one-time URL in step S1008.

  The created cipher is transmitted from the mail transmitting unit 109 to the mobile phone 2 that transmitted the login information using the mail address stored in the user information database 103 (step S1010). Further, when the one-time URL is not created or when the extracted connection address is not encrypted as an encryption, the connection address is also transmitted. The mail receiving unit 202 of the mobile phone 2 receives the transmitted mail.

  Unlike the mail system used on the Internet, the mail of the mobile phone 2 is a system that is received only by the mobile phone 2. For this reason, it is difficult to receive with a device other than the cellular phone 2, and the transmitted mail is prevented from being stolen to the maximum.

  The transmitted encryption is locally transmitted from the mobile phone 2 to the information communication terminal 3 using the local transmission unit 204 (step S1011).

  Local means to use communication methods that do not use the Internet such as infrared, optical communication, wireless, bluetooth, wired, etc., thereby avoiding transmission / reception via an unspecified number of connectable Internets. To prevent leakage to unauthorized users.

  At this time, if the connection address is not included in the encryption, the connection address is also transmitted locally to the information communication terminal 3.

  In the information communication terminal 3 to which the cipher is transmitted, the local receiving unit 301 is used to receive the cipher, the decryption unit 302 decrypts the cipher, and the connection request unit 303 uses the decrypted connection information to A connection request is made to the server 4 (step S1012).

  The information communication terminal 3 decrypts the cipher received by the decryption unit 302 using software or the like. If the decrypted cipher is a one-time URL, the connection is automatically made to the connection address included in the one-time URL, and a connection request is made using the connection ID and connection password. If the decrypted cipher is not a one-time URL but a connection address, a connection ID, and a connection password, the connection request unit 303 connects to the application server 4 having the decrypted connection address, and the decrypted connection ID And a connection request using the connection password. When the connection address is transmitted from the mobile phone 2 locally separately from the encryption, the information communication terminal 3 is connected to the application server 4 having the connection address, and the connection is made using the decrypted connection ID and connection password. Make a request.

  Among them, the encrypted and decrypted connection information is invisible, and everything is automatically performed in the information communication terminal 2 from local reception to connection request, triggered by local reception of the encryption. Note that encryption and decryption can be appropriately selected from a secret key encryption method and a public key encryption method, and can be set according to the environment to be used.

  The application server 4 that has received the connection request by the connection request receiving unit 404 transmits the connection request to the authentication server 1 by the connection authentication transmission / reception unit 403, and the connection information authentication unit 111 performs authentication (step S1013). The authentication server 1 includes a time measuring unit 110 that measures the time since the connection information is issued by the connection information issuing unit 104, and the connection request transmitted from the application server 4 by the connection information authenticating unit 111. Can be used to invalidate the connection request after a certain period of time. The time measurement start timing may be the time stored in the user information database 105.

  The connection information authenticating unit 111 authenticates the connection request transmitted from the application server 4 using this elapsed time and the connection information stored in the user information database 103 (step S1014).

  If the authentication determines that it is not legitimate, the process ends.

  When it is determined that the authentication is normal, the connection information authentication unit 111 transmits an authentication result indicating that the authentication is normal to the connection authentication transmission / reception unit 403. The connection permission unit 402 establishes connection to the application server 4 of the information communication terminal 3 (step S1015).

  Next, a case where RAS is used will be described.

  In the above-described invention, the connection between the information communication terminal 3 and the application server 4 is constructed with higher security.

  However, since a connection request is made between the information communication terminal 3 and the application server 4 via the Internet, the possibility that the connection request is stolen cannot be denied.

  Therefore, when connecting the information communication terminal 3 to the LAN (which stores the application), it is possible to prevent connection request information from flowing between the Internet by using a RAS (Remote Access Service) server. This uses the dedicated line using the dial-in method between the information communication terminal 3 and the RAS server to ensure higher security.

  The system when RAS is used will be described in detail below.

  FIG. 8 is an example of an overall configuration diagram when RAS is used.

  An automatic authentication system for a mobile phone using RAS and an information communication terminal using encryption includes a mobile phone 2 owned by a user, an authentication server 1 for authenticating login information transmitted from the mobile phone 2, and a mobile phone 2. Information communication terminal 3 that is encrypted and connected to the RAS server, RAS server 5 that manages the connection of the LAN such as an in-house network, and RADIUS server 6 that authenticates the connection request from the RAS server 5 and at least a login The identification information of the user about information and a mail address is memorize | stored, and it is comprised from the user information database 6 shared with the authentication server 1 and the RADIUS server 6. FIG.

  FIG. 9 is a configuration diagram of the authentication server 1 when using RAS.

  The authentication server 1 is a login information receiving unit 101 that receives login information from a user, a login information authentication unit 102 that authenticates login information, and a connection that issues a connection ID and connection password to the RAS server 5. An information issuing unit 104, a connection information storage unit 105 that stores connection information issued to the user information database 7 in association with user information, and a dial destination that stores a dial destination telephone number that the information communication terminal 3 dials A telephone number storage unit 112, an encryption unit 108 that encrypts the issued connection information to create a cipher, and a mail transmission unit 109 that transmits a mail to the mail address of the mobile phone 1 stored in the user identification information It consists of and.

  FIG. 10 is a configuration diagram of the RAS server 5.

  The RAS server 5 includes a dial-in unit 501 that receives a dial-in from the information communication terminal 3, a connection authentication transmission / reception unit 502 that performs transmission / reception with the RADIUS server 6 related to a connection request transmitted from the information communication terminal 3, and an information communication terminal 3 includes a connection permission unit 503 that manages permission for connection to the LAN.

  FIG. 11 is a configuration diagram of the RADIUS server 6.

  The RADISU server 6 receives the connection authentication receiving unit 601 that receives the decrypted connection information that is the connection request transmitted from the RAS server 5, and the decrypted connection information stored in the user information database 7. The connection information authenticating unit 602 authenticates the decrypted connection information, and the time measuring unit 603 performs time measurement from the issuance of the connection information stored in the user information database 7.

  Hereinafter, the flow of this system will be described using a flowchart.

  12 and 13 are flowcharts of an automatic authentication system for a mobile phone using RAS and an information communication terminal using encryption.

  First, in order to log in to the authentication server 1, an ID and a password, which are previously issued login information input to the mobile phone 2, are transmitted to the login authentication unit 30 of the authentication server 1 (steps S 2001 and S 2002). ). In the authentication server 1 that has received the ID and password, the login information authentication unit 101 authenticates the ID and password (step S2003). At this time, the user ID and password are stored in the user information database 7 together with the address of the user's mobile phone, and are used as user identification information for authentication.

  It is determined whether or not this authentication is authorized (step S2004). If it is authorized, the process proceeds to the next step. If it is determined not to be regular, the process ends.

  If the authentication is valid, the connection information issuing unit 104 issues a connection ID and a connection password for connecting the information communication terminal 3 to the RAS server 5 (step S2005). In this specification, the connection ID and the connection password are collectively described as connection information. The connection ID may be the same as the user ID used when inputting the login information, but it is desirable to issue the IDs so that they are different from each other in order to further increase security.

  It is desirable that the connection password be a single-issue type that is never issued for connection passwords that have already been issued. This prevents the same connection password from being issued again, thereby facilitating the configuration for authentication of connection information described later. be able to.

  Further, one or a plurality of dial destination telephone numbers are extracted from the dial destination telephone number storage unit 112 in which the dial destination telephone number of the RAS server 5 is stored together with the connection information (step S1006).

  The dial destination telephone number may be obtained by requesting a dial destination telephone number providing unit (not shown) included in each RAS server 5 upon request.

  This dialed telephone number is a representative telephone number when connecting to the RAS server 5. As described above, since the representative telephone number is also transmitted to the mobile phone 2 each time, it is not necessary to always use a fixed telephone number. That is, it is possible to change every fixed period and transmit it to each mobile phone 2 as a dialed telephone number.

  Thereafter, the connection information issued by the connection information storage unit 105 is associated with the user information of each user in the user information database 7 to authenticate a connection request from the RAS server 5 to the RADIUS server 6 to be described later. The information is temporarily stored in association with the information (step S2007).

  Next, the encryption unit 108 encrypts the issued connection information and creates a cipher (step S2008). As will be described later, this cipher is transmitted from the authentication server 1 to the mobile phone 2 and the information communication terminal 3. For this reason, it is desirable that it is so complex that others cannot steal and steal. Furthermore, it is more effective to conceal the encryption created in the drawings and texts prepared in advance, and to analyze and decrypt using software etc. provided in advance to the information communication terminal 3.

  The created encryption is transmitted from the mail transmitting unit 109 to the mobile phone 2 that transmitted the login information using the mail address of the user identification information stored in the user information database 7 (step S2009). If the dialed telephone number is not encrypted, the dialed telephone number is also transmitted together with the encryption. The mail receiving unit 202 of the mobile phone 2 receives the transmitted mail.

  Unlike the mail system used on the Internet, the mobile phone 2 is a system that can be received only by the mobile phone 2. For this reason, it is difficult to receive with a device other than the cellular phone 2, and the transmitted mail is prevented from being stolen to the maximum.

  The transmitted encryption is locally transmitted from the mobile phone 2 to the information communication terminal 3 using the local transmission unit 204 (step S2010).

  Local means to use a communication method that does not use the Internet, such as wireless, bluetooth, infrared, wired, etc., thereby avoiding transmission / reception via an unspecified number of connectable Internets. Prevent leakage to unauthorized users.

  At this time, if the dialed telephone number is not included in the encryption, the dialed telephone number is also transmitted to the information communication terminal 3 locally.

  In the information communication terminal 3 to which the encryption is transmitted, the local reception unit 301 is used to receive the encryption, the decryption unit 302 decrypts the encryption, and the connection request unit 303 uses the decrypted connection information to perform the RAS. A connection request is made to the server 5 (step S2011).

  The information communication terminal 3 decrypts the cipher received by the decryption unit 302 using software or the like. The connection request unit 303 automatically dials the dialed telephone number, and a connection request is transmitted using the connection ID and the connection password after dialing in the RAS server. When the dialed telephone number is transmitted locally from the mobile phone 2 separately from the encryption, the connection request unit 303 dials the RAS server 5 having the dialed telephone number, and the RAS server 5 dials in and decrypts it. The connection request is made using the connection ID and the connection password.

  Among them, the encrypted and decrypted connection information is invisible, and everything is automatically performed in the information communication terminal 2 from local reception to connection request, triggered by local reception of the encryption. Note that encryption and decryption can be appropriately selected from a secret key encryption method and a public key encryption method, and can be set according to the environment to be used.

  The RAS server 5 that has received the connection request at the dial-in unit 501 transmits the connection request to the RADIUS server 6 at the connection authentication transmission / reception unit 502, and the connection authentication unit reception unit 601 receives the connection request, and the connection information authentication unit 602 performs authentication (step S2012). The RADIUS server 6 includes a time measuring unit 603 that measures the time after the connection information is issued by the connection information issuing unit 104 in the authentication server 1, and the connection information authenticating unit 602 uses the RAS server 5. When authenticating the connection request transmitted from the server, the elapsed time is provided, and the connection request can be invalidated after a certain period of time has elapsed. The time measurement start timing may be the time when the connection information issued to the user information database 7 is stored.

  The connection information authentication unit 602 authenticates the connection request transmitted from the RAS server 5 using the elapsed time and the connection information stored in the user information database 7 (step S2013).

  If the authentication determines that it is not legitimate, the process ends.

  When it is determined that the authentication is normal, the connection information authenticating unit 602 transmits an authentication result indicating that the authentication is normal to the connection authentication transmitting / receiving unit 502, and the RAS server 5 that has received the authentication result The connection permission unit 503 establishes a connection of the information communication terminal 3 to the RAS server 5 (step S1015).

It is an example of the outline of the whole structure based on this invention. It is an example of a structure of the authentication server based on this invention. It is an example of a structure of the mobile phone based on this invention. It is an example of a structure of the information communication terminal based on this invention. It is an example of a structure of the application server based on this invention. It is an example of the flowchart which shows the flow of this system based on this invention. It is an example of the flowchart which shows the flow of this system based on this invention. It is an example of the whole structure of the system using RAS based on this invention. It is an example of the structure of the authentication server of the system using RAS based on this invention. It is an example of the structure of the RAS server of the system using RAS based on this invention. It is an example of the structure of the RADIUS server of the system using RAS based on this invention. It is an example of the flowchart which shows the flow of the system using RAS based on this invention. It is an example of the flowchart which shows the flow of the system using RAS based on this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Authentication server 2 Mobile phone 3 Information communication terminal 4 Application server 5 RAS server 6 RADIUS server 7 User information database 101 Login information receiving part 102 Login information authentication part 103 User information database 104 Connection information issuing part 105 Connection information storage part 106 Connection address Storage unit 107 One-time URL issuing unit 108 Encryption unit 109 Mail transmission unit 110 Time measurement unit 111 Connection information authentication unit 112 Dialed telephone number storage unit 201 Login information input unit 202 Login information transmission unit 203 Mail reception unit 204 Local transmission unit 301 Local Reception Unit 302 Decoding Unit 303 Connection Request Unit 401 Connection Address Providing Unit 402 Connection Permitting Unit 403 Connection Authentication Transmission / Reception Unit 404 Connection Request Reception Unit 501 Dial-in Unit 502 Connection Authentication Transmission / Reception Unit 03 connection permission unit 601 connection authentication receiving unit 602 the connection information authentication portion 603 hours measuring unit

Claims (11)

A mobile phone, an information communication terminal locally connected to the mobile phone, an authentication server connected to the mobile phone via an electronic communication line, and an information communication terminal connected to the authentication server via an electronic communication line An automatic authentication system for information communication terminals comprising an application server,
The authentication server is
A login information receiving unit for receiving login information from the mobile phone;
A user information database storing user identification information including at least an email address of the mobile phone;
A login information authenticating unit that authenticates the user identification information and the login information, and a connection information issuing unit that issues connection information for connecting to the application server after the login information is authenticated;
A connection destination address storage unit storing a connection destination address to the application server;
A connection information storage unit for storing the issued connection information in the user information database;
An encryption unit for encrypting the connection information;
A mail transmission unit that transmits the encrypted connection information and the connection destination address to a mail address of the mobile phone;
The information communication terminal is
A local receiver for receiving the encrypted connection information transmitted to the mobile phone;
A decryption unit for decrypting the encrypted connection information;
A connection request unit that automatically connects to the application server based on the decrypted connection information and the connection destination address;
The authentication server further comprises:
A connection information authenticating unit for authenticating the decrypted connection information transmitted from the information communication terminal from the application server with the issued connection information stored in the user information database;
The application server is
A connection authentication transmission / reception unit that transmits the decrypted connection information received from the information communication terminal to the authentication server, and receives an authentication result in the connection information authentication unit;
A connection permission unit for establishing connection of the information communication terminal based on the authentication result,
An automatic authentication system for an information communication terminal using a mobile phone and a personal identification number, wherein the information communication terminal connects to the application server while the connection information issued is invisible. The mobile phone includes the decryption unit for decrypting the encrypted connection information,
The automatic authentication system for an information communication terminal using the mobile phone and encryption according to claim 1, wherein the mobile phone locally transmits the decrypted connection information to the information communication terminal. The mobile phone according to claim 1 or 2, wherein the encryption unit also encrypts the connection destination address, and the decryption unit also decrypts the connection destination address together with the encrypted connection information. An automatic authentication system for information communication terminals using cryptography. The application server includes a connection destination address providing unit that stores the connection destination address,
The stored mobile phone and encryption are used in any one of claims 1 to 3, wherein the connection destination address is provided from the connection destination address providing unit to the authentication server and then provided to the mobile phone together with the connection information. Automatic authentication system for information communication terminals. The authentication server includes a one-time URL generation unit, and after the connection information issuing unit issues the connection information, the one-time URL generation unit includes the connection destination address and the connection information in one URL. 5. The automatic authentication system for an information communication terminal using the mobile phone and encryption according to claim 1, wherein the information is generated as a time URL. The authentication server includes a time measurement unit,
The time measuring unit measures the passage of a certain time after issuing the connection information,
After the connection information authenticating unit elapses the predetermined time or after the decrypted connection information is authenticated, the connection information authenticating unit displays connection information having the same contents as the connection information issued thereafter. 6. The automatic authentication system for an information communication terminal using a mobile phone and encryption according to claim 1, wherein the used authentication is determined to be invalid. A mobile phone, an information communication terminal locally connected to the mobile phone, an authentication server connected to the mobile phone via an electronic communication line, a RAS server connected to the information communication terminal using a dedicated line, the RAS An information communication terminal using encryption and a mobile phone including a RADIUS server connected to the server using an electronic communication line, and a user information database shared by the authentication server and the RADIUS server using an electronic communication line Automatic authentication system of
The user information database stores user identification information including at least an email address of the mobile phone;
The authentication server is
A login information receiving unit for receiving login information from the mobile phone;
A login information authentication unit that authenticates the user identification information and the login information;
A connection information issuing unit for generating connection information including a connection ID to the RAS server and a connection password;
A connection information storage unit for storing the connection information in the user information database;
An encryption unit for encrypting the connection information;
A dialed telephone number storage unit storing a dialed telephone number to be connected to the RAS server;
A mail transmission unit that transmits the encrypted connection information and the dialed telephone number to a mail address of the mobile phone;
The information communication terminal is
A local receiving unit for locally receiving the encrypted connection information and the dialed telephone number transmitted from the mobile phone;
A decryption unit for decrypting the encrypted connection information;
A connection request unit that automatically dials up to the RAS server using the dialed telephone number and the decrypted connection information;
The RAS server is
A dial-in unit for receiving the dial-up from the information communication terminal and the decrypted connection information;
A connection authentication transmission / reception unit for transmitting the decrypted connection information to the RADIUS server and receiving the authentication result;
A connection permission unit for establishing a connection to the LAN of the information communication terminal according to the authentication result,
The RADIUS server is
A connection information authenticating unit for authenticating the issued connection information stored in the user information database and the decrypted connection information transmitted from the RAS server;
An automatic authentication system for an information communication terminal using a mobile phone and encryption, wherein the information communication terminal is connected to the LAN using a dedicated line while the issued connection information is invisible. The mobile phone includes the decryption unit for decrypting the encrypted connection information,
The automatic authentication system for an information communication terminal using the mobile phone and encryption according to claim 7, wherein the mobile phone locally transmits the decrypted connection information to the information communication terminal. The mobile phone according to claim 7 or 8, wherein the encryption unit also encrypts the dialed telephone number, and the decryption unit decrypts the dialed telephone number and the encrypted connection information. An automatic authentication system for information communication terminals using cryptography. The RAS server includes a dial destination telephone number providing unit that provides the dial destination telephone number;
The dial-destination telephone number is provided from the dial-destination telephone number providing unit to the authentication server, and then provided to the mobile phone from the authentication server together with the encrypted connection information. An automatic authentication system for information communication terminals using the mobile phone described in Crab and encryption. The RADIUS server includes a time measuring unit;
The time measuring unit measures the passage of a certain time after issuing the connection information,
After the connection information authenticating unit elapses the predetermined time or after the decrypted connection information is authenticated, the connection information authenticating unit displays connection information having the same contents as the connection information issued thereafter. The automatic authentication system for an information communication terminal using a mobile phone and encryption according to any one of claims 7 to 10, wherein the used authentication is determined to be invalid.

Images