JP2006039997A - Password generation device, password generation method, password generation system, IC card, authentication device, authentication method, and authentication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce the burden on the user at the time of authentication by using passwords that are widely used, such as letters and numbers, and to reduce the risk of guessing the password even if a third party sees the operation at the time of authentication. The purpose is to provide a system that maintains high security by using a one-time password.
A password communication unit 107 of a one-time password generation device 101 and an authentication communication unit 118 of a server device 113 are connected via a network. The storage unit 104 holds a password array composed of characters that are password candidates, a color conversion table, a user ID, and a public key unique to the user, and the appearance setting unit 105 stores the password displayed on the password display unit 102. Set the background color. The management unit 116 stores the user password, the password color, and the private key unique to the user in association with the user ID, and the authentication random number generation unit 114 generates a 10-digit random number.
[Selection] Figure 1

Description

  The present invention relates to a password generation device, a password generation method, a password generation system, an IC card, an authentication device, an authentication method, and an authentication system.

When a user or terminal device is allowed to use a network resource, access to an internal resource of a computer system, etc., authentication using a one-time password that cannot be reused is performed. A conventional password generation device that generates a one-time password (one-time password generation device) uses a clock in the one-time password generation device synchronized with the clock of the authentication device that performs authentication, or a time-dependent value sent from the authentication device. Based on this, a one-time password is generated and used to authenticate an individual or a terminal device (for example, Patent Document 1). In addition, a random numerical value is provided from the authentication device, and a method for generating a one-time password using this numerical value is also disclosed (for example, Patent Document 2).
Japanese Patent Laid-Open No. 11-3033 (pages 14-23, FIG. 5) JP 2003-256373 A (page 1-13, FIG. 2)

  The conventional one-time password generation device disclosed in Patent Document 1 confirms that the one-time password generation device used by the user is authentic by sending the generated one-time password to the authentication device. However, it does not indicate whether the user of the one-time password generation apparatus is a legitimate user. For this reason, even when the one-time password generation device is stolen or lost and used by a third party, there is a problem that the third party is authenticated as a legitimate user. For this reason, when operating the one-time password generation device, it is possible to determine whether the user of the one-time password generation device is a legitimate user by attaching a PIN code of about four digits, By sending a four-digit password to the authentication device together with the one-time password generated by the user, it is determined that the user sending the one-time password is a legitimate user. However, since the 4-digit password is directly entered, there is a risk that it will be known to third parties.

  Regarding this problem, Patent Document 2 discloses a method for reducing the risk that information for identifying a legitimate user will be known to a third party. However, in this conventional method, the user selects a symbol located at a predetermined location in the symbol string presented on the screen according to the conversion rule to be stored, and inputs the symbol as authentication data indicating that the user is a regular user. To do. The password itself (in this case, the conversion rule itself) is not entered, but since the symbol is selected and entered from the symbol string on the screen, it is impersonated if the authentication operation is stolen even once. There is a problem in that the risk of authentication is increased and the strength of authentication is reduced.

  For example, in FIG. 2 of Patent Document 2, when the authentication data input by the user for the symbol string in FIG. 2 is 1183, there are three conversion rule candidates for the first 1, and the second There are two conversion rule candidates for 1, three conversion rule candidates for the next 8, two conversion rule candidates for the last 3, and 3 × 2 × 3 conversion rule candidates. Since x2 = 36, the probability of being impersonated by a malicious third party increases and the strength of authentication decreases.

  In the above method, the authentication information to be stored by the user when performing the authentication is different from a password that is generally widely used, such as characters and numbers, “1 row, 2 columns, 3 rows, 4 columns”. It is a conversion rule indicating a position on a presented symbol string such as “2 rows, 1 column, 2 rows, 3 columns”. For a user, storing such complicated information is a heavy burden. Furthermore, in order to maintain the strength of authentication, in a system in which authentication information such as a password is updated at regular intervals such as one month, the user needs to memorize a conversion rule indicating a new position every time the authentication information is updated. Therefore, the addition for the user is further increased.

  The present invention has been made to solve the above-described problems. By using a widely-used password with letters and numbers, the burden on the user at the time of authentication is small, and the operation at the time of authentication is performed. Password generation device, password generation method, password generation system, IC card, authentication device, authentication method that has low risk of being guessed by a third party and maintains high security by using a one-time password And to provide an authentication system.

The password generation device of the present invention is
A storage unit for storing user identification information (user ID) for identifying a user;
A password communication unit that transmits the user ID stored in the storage unit to an authentication device that determines success or failure of authentication, and receives a random number from the authentication device;
A password input unit that accepts input values;
An appearance setting unit for setting the appearance of password candidate characters based on the random number received by the password communication unit and the input value received by the password input unit;
A password display unit for displaying password candidate characters having the appearance set by the appearance setting unit;
A password generation unit configured to generate a one-time password based on an input value received by the password input unit with respect to a password candidate character displayed by the password display unit, and to output the one-time password; .

  According to the present invention, the use of passwords consisting of widely used characters and numbers reduces the burden on the user at the time of authentication, and the risk of guessing the password even if the operation at the time of authentication is viewed by a third party Therefore, it is possible to provide a password generation device, a password generation method, a password generation system, an IC card, an authentication device, an authentication method, and an authentication system that have high security by using a one-time password.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following first to third embodiments, the appearance of the password character used for the authentication process is a password color (character background color). The appearance of a password character is a visual feature of each character and its surroundings. In addition to using the background color of the character, for example, the font type and size, the character drawing color, It is possible to use a background pattern, a type of figure surrounding a character, or the like.

  The password generation devices according to the following first to third embodiments generate a different one-time password each time authentication is performed, and are referred to as a one-time password generation device. Further, the authentication device according to the first to third embodiments provides an authentication service to the terminal device, and this authentication device is called a server device.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a configuration of an authentication system according to the present invention.

  In this embodiment, the storage unit 104, the appearance setting unit 105, and the password generation unit 106 are mounted in an IC (integrated circuit) card 108. Specifically, the storage unit 104 is stored on a flash memory in the IC card 108. It is an area allocated to. The appearance setting unit 105 and the password generation unit 106 are realized by a program, stored in the flash memory, and executed by a CPU (Central Processing Unit) in the IC card 108. The IC card 108 can be detached from the one-time password generation apparatus 101.

  The storage unit 104 holds in advance a password array composed of characters that are password candidates, a color conversion table, a user ID, and a public key unique to the user.

  The appearance setting unit 105 sets the background color of the password displayed on the password display unit 102.

  The management unit 116 includes a hard disk device in the present embodiment, and stores a user password, a password color, and a secret key unique to the user in association with the user ID.

  The authentication random number generator 114 generates a 10-digit random number. The authentication random number generation unit 114 and the authentication determination unit 115 are specifically realized by programs in the present embodiment, and these programs are stored in a hard disk device, a non-volatile memory, a flexible disk, or the like. It is loaded on the server device 113 and executed on the CPU of the server device 113.

  The password communication unit 107 of the one-time password generation device 101 and the authentication communication unit 118 of the server device 113 are connected via a network such as a LAN (Internet) or a WAN (wide area network) such as ISDN. Further, the terminal communication unit 112 of the terminal device 109 and the server communication unit 117 of the server device 113 are also connected via the same or other similar network. The network here may be a single network or a plurality of different types of networks connected to each other. For example, as the network used here, various different networks such as a network using wireless communication and a network using wired communication, and a network connecting a private network and the Internet are interconnected. Things can be used.

  The password array P indicates a sequence of characters when characters that can be used for a password are displayed on the password display unit 102 of the one-time password generation device 101, and ASCII of characters to be displayed in i rows and j columns as shown below. The code is stored.

  The color conversion table C shows the background color when the password array P is displayed on the password display unit 102 of the one-time password generation device 101. As shown below, the background color corresponding to a numerical value from 0 to 9 is shown. The color designation code is stored as a 6-digit hexadecimal number (2 digits correspond to RGB numerical values).

  In this embodiment, the password is described as having a length of 8, but the length is not limited to this. Further, a password array of 7 rows and 10 columns is used as a password candidate character, but the size of the array is not limited to this. Furthermore, in this embodiment, seven 10-digit random numbers are used as one set in accordance with the number of elements of the password array, and one set of random numbers is used in one-time password generation.

The storage unit 104 stores a random number set, and further holds an upper limit number _RH of the stored random number set and a lower limit number _RL of the random number set for determining whether to request the random number set from the server device 113 in advance. To do. Therefore, the upper limit number _RH determines how many random number groups the storage unit 104 can hold, and the lower limit number _RL determines how many random number sets the storage unit 104 needs to hold. Further, the management unit 116 stores the password array P and the color conversion table C in advance.

  Next, the operation of the authentication system in the present embodiment will be described.

  First, the operation of the one-time password generation apparatus 101 when generating a one-time password will be described.

  FIG. 2 is a flowchart showing processing executed when the one-time password generating apparatus 101 generates a one-time password.

  When a user generates a one-time password using the one-time password generation apparatus 101, first, the elements of the arrays h [8] and v [8] for storing response values from the user are initialized to 0, and the horizontal The movement amount storage variable m, the vertical movement amount storage variable n, and the internal counter s are each initialized to 0 (S101).

Next, the number of random number pairs stored in the storage unit 104 is compared with the lower limit number _{RL of the} random number set stored in advance (S102), and the number of random number sets is smaller than the lower limit number _{RL of the} random number set. In this case, it is checked whether the password communication unit 107 can communicate with the server device 113 (S103).

When the password communication unit 107 can communicate with the server device 113, the number of random number groups that can be stored is calculated by subtracting the number of random number groups stored in the storage unit 104 from the upper limit number _RH of random number groups (S104). ).

  Next, a random number request for requesting the user ID held in the password generation unit 106 and the number of random number sets calculated in step S104 is transmitted to the server device 113 via the password communication unit 107 (S105).

  Thereafter, the random number set of the requested number is received from the server device 113 via the password communication unit 107, and the received random number set is sequentially stored after the random number set already stored in the storage unit 104 (S106). .

Next, the first set of random numbers stored in the storage unit 104 is taken out, and the appearance setting unit 105 stores it as a random number array R [i | (0 ≦ i ≦ 6)] (S107). If the number of random number pairs stored in the storage unit 104 is equal to or greater than the lower limit number R _{L of} random numbers in step S102, or if the password communication unit 107 cannot communicate with the server device 113 in step S103, The process of step S107 is performed immediately.

  Thereafter, the appearance setting unit 105 sets a color designation code for each row and column of the password array P by a predetermined calculation from the value of the random number array R, the values of the two movement amount storage variables m and n, and the color conversion table C. Ask. The password display unit 102 displays a one-time password generation screen in which password candidate characters are drawn on the background color designated by the obtained color designation code (S108). Details of the calculation for obtaining the color designation code of the background color will be described later.

  The user input key value (response value) is received from the password input unit 103 for the background color password character array displayed as characters on the password display unit 102 (S109). When the input key is received, the type of the input key is determined (S110).

  When the type of the input key is a selection key, the values of the movement amount storage variables m and n are stored as the values of the authentication data arrays h [s] and v [s], respectively, and then the value of the internal counter s 1 is added to (S111). Next, it is checked whether or not the value of the internal counter s is greater than 7 (S112). If it is 7 or less, the processing from step S108 is repeated.

  If the input key type is the left shift key (left arrow), 1 is subtracted from the horizontal shift amount storage variable m (S113). Next, it is checked whether the value of the horizontal movement amount storage variable m is smaller than 0 (S114). If the value is smaller than 0, 10 is added to m (S115), and the processing from step S108 is repeated.

  If the input key type is a rightward movement key (rightward arrow), 1 is added to the horizontal movement amount storage variable m (S116). Next, it is checked whether the value of the horizontal movement amount storage variable m is greater than 9 (S117). If the value is greater than 9, 10 is subtracted from m (S118), and the processing from step S108 is repeated.

  When the type of the input key is an upward movement key (upward arrow), 1 is subtracted from the vertical movement amount storage variable n (S119). Next, it is checked whether the value of the vertical movement amount storage variable n is smaller than 0 (S120). If the value is smaller than 0, 7 is added to n (S121), and the processing from step S108 is repeated.

  When the input key type is a downward movement key (downward arrow), 1 is added to the vertical movement amount storage variable n (S122). Next, it is checked whether the value of the vertical movement amount storage variable n is larger than 6 (S123). If the value is larger than 6, 7 is subtracted from n (S124), and the processing from step S108 is repeated.

  If the input key type is neither the selection key nor the movement key (arrow), the processing from step S108 is repeated.

  If the value of the internal counter s is greater than 7 in step S112, the value of the authentication data array v [s] is set to the upper 4 bits of the 8-bit hexadecimal number and the value of h [s] is set to the lower order of the 8-bit hexadecimal number. A numerical value obtained by converting it into an 8-digit hexadecimal number of 4 bits and encrypting it with the public key stored in the storage unit 104 is generated as a one-time password (S125).

  Finally, the one-time password generated in step S125 is displayed in decimal on the password display unit 102 (S126), and the one-time password generation process is terminated.

  Next, the detailed operation of step S108 in FIG. 2 will be described with reference to FIG.

  First, variables x and y are each initialized to 1 (S201). Next, it is checked whether the value of the variable y is 7 or less (S202). Here, if the value of the variable y is 7 or less, it is checked whether the value of the variable x is 10 or less (S203). When the value of the variable x is 10 or less, the background color specification code D (x) set to the password candidate character at the position of row y from the top of the screen and column x from the left using the following equation (1): , Y) is obtained (S204). In the equation (1), m and n respectively represent the horizontal movement amount storage variable and the vertical movement amount storage variable in FIG.

  Next, the character designated by the character code of the password array P [y-1, x-1] is displayed in the background color of the color designation code D (x, y) in the y-th row and x-th column from the upper left of the screen. (S205). Next, 1 is added to the variable x (S206), and the processing from step S203 is repeated.

  On the other hand, if the value of variable x is greater than 10 in step S203, 1 is set in variable x, 1 is added to variable y (S207), and the processing from step S202 is repeated.

  In step S202, if the value of variable y is greater than 7, the process ends.

  Next, processing executed when the server device 113 receives a user ID and a random number request from the one-time password generation device 101 will be described.

  FIG. 4 is a flowchart showing processing executed when the server device 113 receives a random number request from the one-time password generation device 101.

  First, when a user ID and a random number request are received from the one-time password generation apparatus 101 (S301), it is checked whether the received user ID is registered in the management unit 116 (S302).

  When the user ID is registered in the management unit 116, the authentication random number generation unit 114 generates a random number set of the requested number (S303). In the present embodiment, in order to display a 7-row, 10-column password array on the terminal screen, the number of random numbers composed of seven 10-digit random numbers is generated in the number requested in step S301. On the other hand, if the user ID is not registered on the management unit 116, the process ends.

  Next, the random number set generated in step S303 is sequentially stored after the random number set stored in the management unit 116 in association with the user ID (S304). Thereafter, the random number set generated in step S304 is transmitted to the one-time password generation apparatus 101 (S305), and the process ends.

  Next, the operation of the terminal device 109 when performing authentication will be described.

  FIG. 5 is a flowchart illustrating processing executed when the terminal device 109 performs authentication.

  First, when the user performs authentication using the terminal device 109, an authentication screen for prompting input of a user ID and a one-time password is displayed on the terminal display unit 111 (S401).

  Next, an input of a user ID and a one-time password is received from the terminal input unit 110 (S402).

  Thereafter, an authentication request including the user ID and the one-time password is transmitted to the server device 113 via the terminal communication unit 112 (S403). And the authentication result sent from the server apparatus 113 is received (S404), the authentication result received by step S404 is displayed on the terminal display part 111 (S405), and an authentication process is complete | finished.

  Next, processing executed when the server device 113 receives an authentication request including a user ID and a one-time password from the terminal device 109 will be described.

  FIG. 6 is a flowchart illustrating processing executed when the server device 113 receives an authentication request from the terminal device 109.

  First, when an authentication request including a user ID and a one-time password is received from the terminal device 109 (S501), the management unit 116 checks whether the user ID included in the received authentication request is registered (S502). . If the user ID is not registered in the management unit 116, an authentication failure is transmitted to the terminal device 109 (S503), and the process ends.

  Next, the password, password color, and secret key recorded in the management unit 116 in association with the user ID received in step S501 are extracted (S504).

  Next, the first random number pair recorded in the management unit 116 in association with the received user ID is selected (S505), and the password and password color extracted in step S504 are selected in step S501. It is determined whether or not the received one-time password is correct (S506). If it is determined in step S506 that the one-time password is not correct, the management unit 116 checks whether there is a next random number set stored in association with the user ID (S507). If there is a next random number set, this random number set is selected (S508), and the processing from step S506 is repeated.

  On the other hand, if there is no next random number pair, an authentication failure is transmitted to the terminal device 109 (S509), and the process ends. If it is determined in step S506 that the one-time password is correct, the random number set used so far is deleted from the management unit 116 (S510).

  Thereafter, the success of authentication is transmitted to the terminal device 109 (S511), and the process is terminated.

  Next, the detailed operation of the authentication determination process in step S506 of FIG. 6 will be described with reference to FIG.

  First, the variable s is initialized to 1, and the variables m and n are initialized to 0 (S601).

  Next, the authentication data arrays v [s] and h [s] are restored from the received one-time password. Specifically, the one-time password is decrypted with the secret key extracted from the management unit 116 in step S504 to generate an 8-digit hexadecimal number, and the upper 4 bits of each digit are used as the v [s] element, and the lower 4 By setting the bit in the element of h [s], the authentication data arrays v [s] and h [s] are restored from the one-time password (S602).

  Next, the positions i and j in the password array P are obtained for the sth character of the password (S603). The position in the password array P can be obtained using the conversion table shown in FIG. Specifically, the positions i and j in the password array P are obtained using a value t uniquely obtained from the upper 4 bits and lower 4 bits of the ASCII code of a password character in the conversion table of FIG. At this time, i is a quotient when t is divided by 10, and j is a remainder when t is divided by 10.

  Next, the color designation code E selected as the background color of the s-th password character using the following equation (2) from i and j and the elements h [s] and v [s] of the authentication data array: (S) is obtained (S604).

  Next, it is checked whether E (s) and the color code of the password color match (S605). If the color codes match, it is checked whether the variable s is smaller than 8 (S606). If the variable s is smaller than 8, 1 is added to the variable s (S607), and the processing from step S603 is repeated. If s is equal to or greater than 8 in step S606, the authentication is successful (S608), and the authentication determination process is terminated.

  On the other hand, if the color codes do not match in the check in step S605, the authentication is failed (S609), and the authentication determination process is terminated.

  FIG. 9 shows an authentication screen displayed on the terminal display unit 111 when the terminal device 109 accepts an authentication request from a user.

  When performing authentication, the user inputs a user ID in the user ID input field 202 of the authentication screen 201 from the terminal input unit 110 and inputs the one-time password generated by the one-time password generation device 101 in the one-time password input field 203. When the execution button 204 is pressed, a user ID and a one-time password necessary for sending an authentication request to the server apparatus 113 in step S402 are accepted.

  FIG. 10 shows a one-time password generation screen 301 displayed on the password display unit 102 when the one-time password generation apparatus 101 receives a key input from the user in step S109.

  When generating the one-time password, the user finds the characters in the password array 302 in order from the first character of the password stored on the one-time password generation screen 301, and the background color of the password character is the password color. As described above, the one-time password generation operation is performed by repeating the operation of pressing the selection key when the background becomes a password color by operating the background with the movement key.

  In this way, since the one-time password is generated without matching the background color of the password and without entering the password itself, even if a third party can steal the one-time password generation operation, Since you do not know whether the background color of characters is matched, you can prevent impersonation and generate a correct one-time password.

  Moreover, since the password which consists of the conventional character and number etc. which are prevailing widely can be used as the data for the authentication which a user memorizes, when introducing one-time password authentication for a user, a special special There is no burden to remember the format data, and the load when updating the password to maintain security is small. Therefore, authentication with high security can be performed.

In the present embodiment, since the one-time password generation apparatus 101 can acquire and store a plurality of random numbers from the server apparatus 113, communication may not be performed when a new one-time password is generated. is there. For example, if the one-time password generating apparatus 101 is a mobile communication device such as a mobile phone, it is possible to generate a one-time password even when moving to a place where the radio wave propagation environment is bad. Furthermore, even when it is necessary to perform communication, it is possible to efficiently perform processing necessary for obtaining random numbers by optimizing the numerical values of the upper limit number _RH and the lower limit number _RL .

  In this embodiment, the password color is registered in the server device as authentication data in addition to the password character string. However, the password color is not registered, and the user first displays the password in the one-time password generation screen 301. It is also possible to use the background color of the first password character when the selection key is pressed as the password color in this authentication. In this case, the user only has to remember the color when the selection key is first pressed on the one-time password generation screen 301 during the one-time password generation operation and stores it as data for authentication. All you need is a password.

  In the present embodiment, only the password layout is displayed on the one-time password generation screen 301. However, in order to make it easy to understand how many times the selection key has been pressed, * Characters such as' may be displayed side by side.

Embodiment 2. FIG.
In the first embodiment, the user operates the arrow keys to generate a one-time password for authentication by matching the background color of the password character to a specific color. In the present embodiment, When a specific key is pressed, the background color is changed according to a predetermined change pattern, and the user adjusts the background color of the password to the specific color to generate a one-time password.

  The authentication system according to the present embodiment is configured by each device of FIG. 1 as in the first embodiment.

  The storage unit 104, the appearance setting unit 105, and the password generation unit 106 are mounted in the IC card 108 in this embodiment. Specifically, the storage unit 104 is allocated on the flash memory in the IC card 108. It is an area. The appearance setting unit 105 and the password generation unit 106 are realized by a program, stored in the flash memory, and executed by a CPU (Central Processing Unit) in the IC card 108. The IC card 108 can be detached from the one-time password generation apparatus 101.

  The storage unit 104 holds in advance a password array composed of characters that are password candidates, a color conversion table, a color change pattern, a user ID, and a secret key unique to the user. Here, the color change pattern is an appearance change pattern specialized for the background color of characters.

  The appearance setting unit 105 sets the background color of the password displayed on the password display unit 102.

  The management unit 116 includes a hard disk device in the present embodiment, and stores a user password, a password color, and a secret key unique to the user in association with the user ID.

  The authentication random number generator 114 generates a 10-digit random number. The authentication random number generation unit 114 and the authentication determination unit 115 are specifically realized by programs in the present embodiment, and these programs are stored in a hard disk device, a non-volatile memory, a flexible disk, or the like. It is loaded on the server device 113 and executed on the CPU of the server device 113.

  The password communication unit 107 of the one-time password generation device 101 and the authentication communication unit 118 of the server device 113 are connected via a network such as a LAN (Internet) or a WAN (wide area network) such as ISDN. Further, the terminal communication unit 112 of the terminal device 109 and the server communication unit 117 of the server device 113 are also connected via the same or other similar network. The network here may be a single network or a plurality of different types of networks connected to each other. For example, as the network used here, various different networks such as a network using wireless communication and a network using wired communication, and a network connecting a private network and the Internet are interconnected. Things can be used.

  The password array P indicates a sequence of characters when characters that can be used for a password are displayed on the password display unit 102 of the one-time password generation device 101, and ASCII of characters to be displayed in i rows and j columns as shown below. The code is stored.

  The color conversion table C shows the background color when the password array P is displayed on the password display unit 102 of the one-time password generation device 101. As shown below, the background color corresponding to a numerical value from 0 to 9 is shown. The color designation code is stored as a 6-digit hexadecimal number (2 digits correspond to RGB numerical values).

  The color change pattern T indicates a color change pattern when each background color of the password array P displayed on the password display unit 102 changes when the specific key of the one-time password generation device 101 is pressed. As shown, each element indicates the number of the element in the color conversion table C.

  In this embodiment, the password is described as having a length of 8, but the length is not limited to this. Further, a password array of 7 rows and 10 columns is used as a password candidate character, but the size of the array is not limited to this. Furthermore, in this embodiment, seven 10-digit random number sets are set as one set in accordance with the number of elements of the password array, and one set of random numbers is used in one-time password generation.

Storage unit 104 stores the random number sets, further prestores a random set of lower number R _L for determining whether to request a random number set to a random number of sets of upper number R _H and the server device 113 for storing To do. Therefore, the upper limit number _RH determines how many random number groups the storage unit 104 can hold, and the lower limit number _RL determines how many random number sets the storage unit 104 needs to hold. Further, the management unit 116 stores the password array P and the color conversion table C in advance.

  Next, the operation of the authentication system in the present embodiment will be described.

  First, the operation of the one-time password generation apparatus 101 when generating a one-time password will be described.

  FIG. 11 is a flowchart illustrating processing executed when the one-time password generation apparatus 101 generates a one-time password.

  When the user generates a one-time password using the one-time password generation apparatus 101, first, the element of the authentication data array a [8] for recording the number of changes for each password character is initialized to 0, and the change count storage variable b And the internal counter s are initialized to 0 (S701).

Next, the number of random number pairs stored in the storage unit 104 is compared with the lower limit number _{RL of the} random number set stored in advance (S702), and the number of random number sets is smaller than the lower limit number _{RL of the} random number set. In this case, it is checked whether the password communication unit 107 can communicate with the server device 113 (S703).

When the password communication unit 107 can communicate with the server device 113, the number of random number sets that can be stored is calculated by subtracting the number of random number sets stored in the storage unit 104 from the upper limit number _RH of random number sets (S704). ).

  Next, a random number request for requesting the user ID held in the password generation unit 106 and the number of random number sets calculated in step S704 is transmitted to the server device 113 via the password communication unit 107 (S705).

  Thereafter, the random number set of the requested number is received from the server device 113 via the password communication unit 107, and the received random number group is stored in order after the random number group already stored in the storage unit 104 (S706). .

Next, the first set of random numbers stored in the storage unit 104 is taken out, and the appearance setting unit 105 stores it as a random number array R [i | (0 ≦ i ≦ 6)] (S707). If the number of random number pairs stored in the storage unit 104 is equal to or greater than the lower limit number R _{L of} random numbers in step S702, or if the password communication unit 107 cannot communicate with the server device 113 in step S703, The process of step S707 is performed immediately.

  Thereafter, the appearance setting unit 105 obtains a color designation code for each row and column of the password array P from the value of the random number array R, the change count storage variable b, the color change pattern T, and the color conversion table C by a predetermined calculation. The password display unit 102 displays a one-time password generation screen in which password candidate characters are drawn on the background color designated by the obtained color designation code (S708). Details of the calculation for obtaining the color designation code of the background color will be described later.

  The user input key value (response value) is received from the password input unit 103 for the background color password character array displayed as characters on the password display unit 102 (S709). When the input key is received, the type of the input key is determined (S710).

  If the input key type is a selection key, the remainder obtained by dividing the value of the change count storage variable b by 10 is stored as the value of the authentication data array a [s], and then the value of the internal counter s is set to 1. Add (S711). Next, it is checked whether or not the value of the internal counter s is greater than 7 (S712). If it is 7 or less, the processing from step S708 is repeated.

  If the input key type is a rightward moving key (arrow pointing to the right), 1 is added to the change count storage variable b (S713). Next, it is checked whether or not the value of the change count storage variable b is greater than 9 (S714). If the value is greater than 9, 10 is subtracted from b (S715), and the processing from step S708 is repeated.

  When the input key type is neither the selection key nor the rightward movement key (right arrow), the processing from step S708 is repeated.

  If the value of the internal counter s is greater than 7 in step S712, it is converted to an 8-digit decimal number with each element of the authentication data array a as a numerical value of each digit, and this is converted to the public key stored in the storage unit 104. The encrypted numerical value is generated as a one-time password (S716).

  Finally, the one-time password generated in step S716 is displayed in decimal number on the password display unit 102 (S717), and the one-time password generation process is terminated.

  Next, the detailed operation of step S708 in FIG. 11 will be described with reference to FIG.

  First, variables x and y are each initialized to 1 (S801). Next, it is checked whether the value of the variable y is 7 or less (S802). Here, if the value of the variable y is 7 or less, it is checked whether the value of the variable x is 10 or less (S803). If the value of the variable x is 10 or less, the background color specification code D ′ () is set to the password candidate character at the position of row y from the top of the screen and column x from the left using the following equation (3). x, y) is obtained (S804). In the equation (3), b represents the change count storage variable in FIG.

  Next, in the y-th row and x-th column from the upper left of the screen, the character designated by the character code of the password array P [y−1, x−1] is the background color of the color designation code D ′ (x, y). It is displayed (S805). Next, the variable x is incremented by 1 (S806), and the processing from step S803 is repeated.

  On the other hand, if the value of variable x is greater than 10 in step S803, 1 is set in variable x, 1 is added to variable y (S807), and the processing from step S802 is repeated.

  If the value of variable y is greater than 7 in step S802, the process ends.

  When the server device 113 receives the user ID and the random number request from the one-time password generation device 101, the processing of FIG. 4 is executed as in the first embodiment.

  Further, when the terminal device 109 performs authentication, the processing of FIG. 5 is executed as in the first embodiment.

  Furthermore, when the server apparatus 113 receives an authentication request including a user ID and a one-time password from the terminal apparatus 109, the processing in FIG. 6 is executed as in the first embodiment. However, in the present embodiment, the authentication determination process in step S506 executes the following process.

  With reference to FIG. 13, the detailed operation of the authentication determination processing in step S506 of FIG. 6 in the present embodiment will be described.

  First, the variable s is initialized to 1 and the variable b is initialized to 0 (S901).

  Next, the authentication data array a [s] is restored from the received one-time password. Specifically, the one-time password is decrypted with the secret key extracted from the management unit 116 in step S504 to generate an 8-digit decimal number, and the value of each digit is set in the element a [s]. The authentication data array a [s] is restored from the one-time password (S902).

  Next, the positions i and j in the password array P are obtained for the sth character of the password (S903). The position in the password array P can be obtained using the conversion table shown in FIG. Specifically, the positions i and j in the password array P are obtained using a value t uniquely obtained from the upper 4 bits and lower 4 bits of the ASCII code of a password character in the conversion table of FIG. At this time, i is a quotient when t is divided by 10, and j is a remainder when t is divided by 10.

  Next, the color designation code E ′ (s) selected as the background color of the s-th password character is obtained from i and j and the element a [s] of the authentication data array using the following equation (4). (S904).

  Next, it is checked whether E ′ (s) and the color code of the password color match (S905). If the color codes match, it is checked whether the variable s is smaller than 8 (S906). If the variable s is smaller than 8, 1 is added to the variable s (S907), and the processing from step S903 is repeated. If s is equal to or greater than 8 in step S906, the authentication is successful (S908), and the authentication determination process ends.

  On the other hand, if the color codes do not match in the check in step S905, the authentication is failed (S909), and the authentication determination process is terminated.

  FIG. 9 shows an authentication screen displayed on the terminal display unit 111 when the terminal device 109 accepts an authentication request from a user.

  When performing authentication, the user inputs a user ID in the user ID input field 202 of the authentication screen 201 from the terminal input unit 110 and inputs the one-time password generated by the one-time password generation device 101 in the one-time password input field 203. When the execution button 204 is pressed, a user ID and a one-time password necessary for sending an authentication request to the server apparatus 113 in step S402 are accepted.

  FIG. 10 shows a one-time password generation screen 301 displayed on the password display unit 102 when the one-time password generation apparatus 101 receives a key input from the user in step S709.

  When generating the one-time password, the user finds the characters in the password array 302 in order from the first character of the password stored on the one-time password generation screen 301, and the background color of the password character is the password color. The one-time password generation operation is performed by repeatedly pressing the move key to the right until the background becomes the password color and repeating the operation of pressing the selection key for each character of the password.

  In this way, since the one-time password is generated without matching the background color of the password and without entering the password itself, even if a third party can steal the one-time password generation operation, Since you do not know whether the background color of characters is matched, you can prevent impersonation and generate a correct one-time password.

  Moreover, since the password which consists of the conventional character and number etc. which are prevailing widely can be used as the data for the authentication which a user memorizes, when introducing one-time password authentication for a user, a special special There is no burden to remember the format data, and the load when updating the password to maintain security is small. Therefore, authentication with high security can be performed.

In the present embodiment, since the one-time password generation apparatus 101 can acquire and store a plurality of random numbers from the server apparatus 113, communication may not be performed when a new one-time password is generated. is there. For example, if the one-time password generating apparatus 101 is a mobile communication device such as a mobile phone, it is possible to generate a one-time password even when moving to a place where the radio wave propagation environment is bad. Furthermore, even when it is necessary to perform communication, it is possible to efficiently perform processing necessary for obtaining random numbers by optimizing the numerical values of the upper limit number _RH and the lower limit number _RL .

  In this embodiment, the password color is registered in the server device as authentication data in addition to the password character string. However, the password color is not registered, and the user first displays the password in the one-time password generation screen 301. It is also possible to use the background color of the first password character when the selection key is pressed as the password color in this authentication. In this case, the user only has to remember the color when the selection key is first pressed on the one-time password generation screen 301 during the one-time password generation operation and stores it as data for authentication. All you need is a password.

  In the present embodiment, only the password layout is displayed on the one-time password generation screen 301. However, in order to make it easy to understand how many times the selection key has been pressed, * Characters such as' may be displayed side by side.

  Furthermore, in this embodiment, the one-time password generation apparatus 101 holds the color change pattern in the storage unit 104 in advance, but the server apparatus 113 generates the color change pattern and generates the one-time password in the same manner as the random number set. You may make it provide to the apparatus 101. FIG.

Embodiment 3 FIG.
In the first embodiment and the second embodiment, a one-time password is generated using a movement key (arrow key) and a selection key. In this embodiment, a one-time password is generated using a numeric key. .

  In this embodiment, a set of a random number for selection (random number for display) and a random number for background (random number for additional elements) is used for each password digit, and a random number for selection is used as a challenge value on the one-time password generation screen. An example is shown in which the background color (random number background color for selection) is displayed, the background color of each password candidate character is determined from the background random number, and the password candidate character is displayed on each background color. Here, the random number for selection displayed on the screen is a kind of selection interface for the user to select the appearance (additional elements) such as the background color and background pattern of each password candidate character.

  The authentication system according to the present embodiment is configured by each device of FIG. 1 as in the first embodiment.

  The storage unit 104, the appearance setting unit 105, and the password generation unit 106 are mounted in the IC card 108 in this embodiment. Specifically, the storage unit 104 is allocated on the flash memory in the IC card 108. It is an area. The appearance setting unit 105 and the password generation unit 106 are realized by a program, stored in the flash memory, and executed by a CPU (Central Processing Unit) in the IC card 108. The IC card 108 can be detached from the one-time password generation apparatus 101.

  The storage unit 104 holds in advance a password array composed of characters that are password candidates, a color conversion table, a random number background color for selection, a user ID, and a secret key unique to the user.

  The appearance setting unit 105 sets password candidate characters (reference symbol group) to be displayed on the password display unit 102 using background random numbers (additional element random numbers). In addition, the appearance setting unit 505 sets the background color (additional element) of the selection random number using the selection random number background color.

  The management unit 116 includes a hard disk device in the present embodiment, and stores a user password and a public key unique to the user in association with the user ID. In addition, the management unit 116 stores a random number background color for selection.

  The authentication random number generation unit 114 is a random number of 10 digits as a background random number and 7 random numbers with no overlapping numbers and a random number of 10 digits as a selection random number with no overlapping numbers. Is set as one set, and a random number set is generated with a set corresponding to the number of characters of the password as one set. The authentication random number generation unit 114 and the authentication determination unit 115 are specifically realized by programs in the present embodiment, and these programs are stored in a hard disk device, a non-volatile memory, a flexible disk, or the like. It is loaded on the server device 113 and executed on the CPU of the server device 113.

  The password communication unit 107 of the one-time password generation device 101 and the authentication communication unit 118 of the server device 113 are connected via a network such as a LAN (Internet) or a WAN (wide area network) such as ISDN. Further, the terminal communication unit 112 of the terminal device 109 and the server communication unit 117 of the server device 113 are also connected via the same or other similar network. The network here may be a single network or a plurality of different types of networks connected to each other. For example, as the network used here, various different networks such as a network using wireless communication and a network using wired communication, and a network connecting a private network and the Internet are interconnected. Things can be used.

  The password array P indicates a sequence of characters when characters that can be used for a password are displayed on the password display unit 102 of the one-time password generation device 101, and ASCII of characters to be displayed in i rows and j columns as shown below. The code is stored.

  The color conversion table C shows the background color when the password array P is displayed on the password display unit 102 of the one-time password generation device 101. As shown below, the background color corresponding to a numerical value from 0 to 9 is shown. The color designation code is stored as a 6-digit hexadecimal number (2 digits correspond to RGB numerical values).

  The selection random number background color RB indicates the background color of each digit of the selection random number when displaying the selection random number on the password display unit 102. For example, as shown below, each element is in the color conversion table C. Indicates the element number.

  In this embodiment, the password is described as having a length of 8, but the length is not limited to this. Further, a password array of 7 rows and 10 columns is used as a password candidate character, but the size of the array is not limited to this. Furthermore, in this embodiment, seven background random numbers and one selection random number are set according to the number of elements of the password array, and eight sets are set as one set according to the number of characters of the password. In the one-time password generation, one set of random numbers is used.

The storage unit 104 stores a random number set, and further holds an upper limit number _RH of the stored random number set and a lower limit number _RL of the random number set for determining whether to request the random number set from the server device 113 in advance. To do. Therefore, the upper limit number _RH determines how many random number groups the storage unit 104 can hold, and the lower limit number _RL determines how many random number sets the storage unit 104 needs to hold. Further, the management unit 116 stores the password array P and the color conversion table C in advance.

  Next, the operation of the authentication system in the present embodiment will be described.

  First, the operation of the one-time password generation apparatus 101 when generating a one-time password will be described.

  FIG. 14 is a flowchart illustrating processing executed when the one-time password generation apparatus 101 generates a one-time password.

  When a user generates a one-time password using the one-time password generation apparatus 101, first, an element of the authentication data array a [8] for recording a number input for each password character is initialized to 0, and an internal counter s Is initialized to 0 (S1001).

Then, comparing the random number sets the limit number R _L where the number of random sets stored in the storage unit 104 stores in advance (S1002), random number sets the number of the random number sets the smaller lower number R _L In this case, it is checked whether the password communication unit 107 can communicate with the server device 113 (S1003).

When the password communication unit 107 can communicate with the server device 113, the number of random number sets that can be stored is calculated by subtracting the number of random number groups stored in the storage unit 104 from the upper limit number _RH of random number sets (S1004). ).

  Next, a random number request for requesting the user ID held in the password generation unit 106 and the number of random number sets calculated in step S104 is transmitted to the server device 113 via the password communication unit 107 (S1005).

  Thereafter, the random number set of the requested number is received from the server device 113 via the password communication unit 107, and the received random number set is stored in order after the random number set already stored in the storage unit 104 (S1006). .

Next, the first set of random numbers stored in the storage unit 104 is taken out, and the appearance setting unit 105 selects the random number array for background R1 [8] [i | (0 ≦ i ≦ 6)] for selection. This is stored as a random number R2 [8] (S1007). In step S1002, if the number of random number pairs stored in the storage unit 104 is equal to or greater than the lower limit number _{RL of} random numbers, or if the password communication unit 107 cannot communicate with the server device 113 in step S1003, The process of step S1007 is performed immediately.

  Thereafter, the appearance setting unit 105 performs color calculation for each row and column of the password array P by a predetermined calculation from the value of the background random number array R1 [s] [i | (0 ≦ i ≦ 6)] and the color conversion table C. Find the specified code. The appearance setting unit 105 obtains a color designation code for each digit by a predetermined calculation from the value of the selection random background color RB [10] and the color conversion table C for each digit of the selection random number R2 [s]. . The password display unit 102 displays a one-time password generation screen in which the password candidate characters and the selection random number R2 [s] are drawn together on the background color specified by the obtained color specification code (S1008). Details of the calculation for obtaining the color designation code of the background color will be described later.

  In response to the one-time password generation screen displayed on the password display unit 102, the user input key value (response value) is received from the password input unit 103 (S1009). When the input key is received, it is determined whether or not the type of the input key is a numeric key (S1010).

  When the type of the input key is a numeric key, the input number is stored as the value of the authentication data array a [s], and then 1 is added to the value of the internal counter s (S1011). Next, it is checked whether or not the value of the internal counter s is greater than 7 (S1012). If it is 7 or less, the processing from step S1008 is repeated.

  If the input key is a key other than a numeric key, the processing from step S1008 is repeated.

  If the value of the internal counter s is greater than 7 in step S1012, the element is converted into an 8-digit decimal number having each element of the authentication data array a as a numeric value, and this is converted to the public key stored in the storage unit 104. The encrypted numerical value is generated as a one-time password (S1013).

  Finally, the one-time password generated in step S1013 is displayed in decimal on the password display unit 102 (S1014), and the one-time password generation process is terminated.

  Next, detailed operation of step S1008 in FIG. 14 will be described with reference to FIG.

  First, variables x and y are each initialized to 1 (S1101). Next, it is checked whether the value of the variable y is 7 or less (S1102). Here, if the value of the variable y is 7 or less, it is checked whether the value of the variable x is 10 or less (S1103). When the value of the variable x is 10 or less, the background color specification code D ″ () is set to the password candidate character at the position of row y from the top of the screen and column x from the left using the following equation (5). x, y) is obtained (S1104).

  Next, in the y-th row and x-th column from the upper left of the screen, the character designated by the character code of the password array P [x−1, y−1] is the background color of the color designation code D ″ (x, y). Then, the variable x is incremented by 1 (S1106), and the processing from step S1103 is repeated.

  On the other hand, if the value of the variable x is larger than 10 in step S1103, 1 is set in the variable x, 1 is added to the variable y (S1107), and the processing from step S1102 is repeated.

  If the value of variable y is greater than 7 in step S1102, the process ends.

  On the other hand, the color designation code RD (i) of the background color of the i-th digit from the left of the selection random number is obtained by the following equation (6).

  When the server device 113 receives the user ID and the random number request from the one-time password generation device 101, the processing of FIG. 4 is executed as in the first embodiment.

  Further, when the terminal device 109 performs authentication, the processing of FIG. 5 is executed as in the first embodiment.

  Furthermore, when the server apparatus 113 receives an authentication request including a user ID and a one-time password from the terminal apparatus 109, the processing in FIG. 6 is executed as in the first embodiment. However, in the present embodiment, it is not necessary to extract the password color from the management unit 116 in step S504, and the authentication determination process in step S506 executes the following process.

  With reference to FIG. 16, the detailed operation of the authentication determination process in step S506 of FIG. 6 in the present embodiment will be described.

  First, the variable s is initialized to 1 (S1201).

  Next, the authentication data array a [s] is restored from the received one-time password. Specifically, the one-time password is decrypted with the secret key extracted from the management unit 116 in step S504 to generate an 8-digit decimal number, and the value of each digit is set in the element a [s]. The authentication data array a [s] is restored from the one-time password (S1202).

  Next, the positions i and j in the password array P are obtained for the sth character of the password (S1203). The position in the password array P can be obtained using the conversion table shown in FIG. Specifically, the positions i and j in the password array P are obtained using a value t uniquely obtained from the upper 4 bits and lower 4 bits of the ASCII code of a password character in the conversion table of FIG. At this time, i is a quotient when t is divided by 10, and j is a remainder when t is divided by 10.

  Next, the background of the s-th password character from the i, j, and s-th background random number array R1 [s−1] [i | (0 ≦ i ≦ 6)] using the following equation (7): The color designation code E1 (s) selected as the color is obtained (S1204).

  Next, from the elements of the array a [8] of the authentication data, the background color designation code having the same numerical value as the sth element a [s-1] in the sth selection random number R2 [s-1]. E2 (s) is obtained (S1205).

  Thereafter, it is checked whether E1 (s) obtained in step S1203 matches E2 (s) obtained in step S1205 (S1206). If these color codes match, it is checked whether the variable s is smaller than 8 (S1207). If the variable s is smaller than 8, 1 is added to the variable s (S1208), and the processing from step S1203 is repeated. If s is equal to or greater than 8 in step S1206, the authentication is successful (S1209), and the authentication determination process ends.

  On the other hand, if the color codes do not match in the check in step S1206, the authentication is failed (S1210), and the authentication determination process is terminated.

  In FIG. 17, the color designation code E2 (s) of the background color having the same value as the sth element a [s−1] of the authentication data array in the sth selection random number R2 [s−1] in step S1205. Detailed operation of the process for obtaining

  First, the internal counter i is initialized to 0 (S1301).

Next, a quotient q obtained by dividing the sth selection random number R [s-1] by 10 ^9-i is obtained (S1302).

  Thereafter, a remainder r obtained by dividing the quotient q by 10 is obtained (S1303).

  Next, it is checked whether the remainder r is equal to a [s−1] (S1304). If the remainder r is not equal to a [s−1], 1 is added to i (S1305), and the processing from step S1302 is repeated.

  On the other hand, if the remainder r is equal to a [s−1], E2 (s) is set to C [RB [i]] (S1306), and the process ends.

  FIG. 9 shows an authentication screen displayed on the terminal display unit 111 when the terminal device 109 accepts an authentication request from a user.

  When performing authentication, the user inputs a user ID in the user ID input field 202 of the authentication screen 201 from the terminal input unit 110 and inputs the one-time password generated by the one-time password generation device 101 in the one-time password input field 203. When the execution button 204 is pressed, a user ID and a one-time password necessary for sending an authentication request to the server apparatus 113 in step S402 are accepted.

  FIG. 18 shows a one-time password generation screen 401 displayed on the password display unit 102 when the one-time password generation apparatus 101 accepts a key input from the user in step S1009.

  When the user generates a one-time password, the user finds the characters in the password array 402 in order from the first character of the password stored on the one-time password generation screen 401, and further, the same as the background color of this password A one-time password generation operation is performed by finding a numeric value of the background color from the selection random number 403 and pressing and inputting a numeric key that matches the numeric value.

  As described above, in the present embodiment, among the random numbers displayed on the one-time password generation screen 401, a password stored by the user and a background color or a background pattern or an additional element such as a pictograph are selected to have the same numerical value. Generate a one-time password. Therefore, even if the input value at the time of generating the one-time password can be seen by a third party, the risk of using the password for authentication by analogy is reduced. For the user, the same password can be used as the conventional one, and even with a random number that changes with each authentication, the conventional authentication is performed by simply matching the background color or background pattern or background symbol based on the password. An authentication scheme with higher security than the scheme can be used.

  In this embodiment, when a one-time password is generated, the user is allowed to select a numerical value from a selection random number 403 that is a selection interface, but the condition that a password candidate character appearance such as a password color can be selected is satisfied. Any means can be used. As such means, for example, a field for inputting a password color name is displayed on the one-time password generation screen 401 and text input such as “red”, “blue”, “yellow”, etc. is received from the user, Examples include a method of selecting a color displayed on the screen using a mouse such as a computer.

  In the first to third embodiments, in the one-time password generation apparatus 101, when the password generation unit 106 generates a one-time password, the one-time password is displayed on the password display unit 102. This is to notify the user of the terminal device 109 of the one-time password generated by the one-time password generation device 101. If this purpose is fulfilled, other means such as printing the one-time password on paper can be used instead. It is also possible to do.

  In the first to third embodiments, the one-time password used is the one-time password generation apparatus 101 encrypted with the public key. However, the one-time password is not encrypted or the common key shared with the server apparatus 113 is used. You may use what was used and encrypted.

In each embodiment described above, the one-time password generation device 101, the terminal device 109, and the server device 113 can be realized by a computer.
Although not shown, the one-time password generation device 101, the terminal device 109, and the server device 113 include a CPU that executes a program.

For example, a CPU is connected to a ROM (Read Only Memory), a RAM (Random Access Memory), a communication board, a display device, a K / B (keyboard), a mouse, an FDD (Flexible Disk Drive), and a CDD (Compact Disc) via a bus. Drive), magnetic disk device, optical disk device, printer device, scanner device and the like.
The RAM is an example of a volatile memory. ROM, FDD, CDD, magnetic disk device, and optical disk device are examples of nonvolatile memory. These are examples of a storage device or a storage unit.
Data and information handled by the one-time password generation device 101, the terminal device 109, and the server device 113 according to each embodiment described above are stored in a storage device or a storage unit, and the one-time password generation device 101, the terminal device 109, and the server device are stored. The information is recorded and read by each unit 113.

  Moreover, the communication board is connected to WAN, such as LAN, the internet, or ISDN, for example.

The magnetic disk device stores an operating system (OS), a window system, a program group, and a file group (database).
The program group is executed by a CPU, OS, and window system.

  Each part of the one-time password generation device 101, the terminal device 109, and the server device 113 may be configured by a program that can be operated by a computer partially or entirely. Alternatively, it may be realized by firmware stored in the ROM. Alternatively, software, hardware, or a combination of software, hardware, and firmware may be used.

  The program group stores a program that causes the CPU to execute the processing described as “˜unit” in the description of the embodiment. These programs are created by computer languages, such as C language, HTML, SGML, and XML, for example.

  The program is stored in another recording medium such as a magnetic disk device, FD (Flexible Disk), optical disk, CD (compact disk), MD (mini disk), DVD (Digital Versatile Disk), and read by the CPU. And executed.

As described above, the authentication system described in the first to third embodiments is
When a user authenticates with an authentication device from a terminal device via a network, authentication is performed using a one-time password generation device that generates a different one-time password each time authentication is performed,
The one-time password generator is
A communication unit that transmits a user ID to the authentication device and receives a random number from the authentication device;
An input unit for receiving an input value from a key;
An appearance setting unit that sets the appearance of password candidate characters based on the random number received by the communication unit and the input value input from the input unit;
A password generation unit that generates a one-time password based on an input value input from the input unit;
A display unit that displays the password candidate characters of the appearance set by the appearance setting unit and the one-time password generated by the password generation unit;
The terminal device
A terminal display for displaying an authentication request screen;
A terminal input unit that accepts input from a key;
A terminal communication unit that transmits a user ID and a one-time password input from the terminal input unit to the authentication device;
The authentication device
An authentication random number generator for generating random numbers;
An authentication device that receives a user ID from the one-time password generation device, transmits a random number generated by the authentication random number generation unit to the terminal device, and receives a user ID and a one-time password from the terminal device A communication department;
A management unit that stores a user's regular password character string together with the user ID, and a random number generated by the authentication random number generation unit when the authentication device communication unit receives a user ID from the terminal device;
For the user ID and one-time password received from the terminal device by the authentication device communication unit, a predetermined calculation is performed using the user's regular password character string and the random number stored together with the user ID in the management unit. And an authentication judgment unit for judging success or failure of user authentication.

The password generation device further includes:
A storage unit for storing an appearance change pattern indicating a rule for changing the appearance of the password candidate character;
The appearance setting unit further includes:
Set the appearance of password candidate characters based on the appearance change pattern stored in the storage unit,
The management unit further includes:
Memorize the appearance change pattern,
The authentication determination unit further includes:
A predetermined calculation is performed using the appearance change pattern stored in the management unit, and the success or failure of user authentication is determined.

The authentication system described in the first to third embodiments is
When a user authenticates with an authentication device from a terminal device via a network, authentication is performed using a one-time password generation device that generates a different one-time password each time authentication is performed,
The one-time password generator is
A communication unit that transmits a user ID to the authentication device and receives a random number from the authentication device;
An input unit for receiving an input value from a key;
An appearance setting unit that sets the appearance of password candidate characters and selection random numbers based on the random number received by the communication unit and the input value input from the input unit;
A password generation unit that generates a one-time password based on an input value input from the input unit;
A display unit that displays password candidate characters and a random number for selection set by the appearance setting unit and the one-time password generated by the password generation unit;
The terminal device
A terminal display for displaying an authentication request screen;
A terminal input unit that accepts input from a key;
A terminal communication unit that transmits a user ID and a one-time password input from the terminal input unit to the authentication device;
The authentication device
An authentication random number generator for generating random numbers;
An authentication device that receives a user ID from the one-time password generation device, transmits a random number generated by the authentication random number generation unit to the terminal device, and receives a user ID and a one-time password from the terminal device A communication department;
A management unit that stores a user's regular password character string together with the user ID, and a random number generated by the authentication random number generation unit when the authentication device communication unit receives a user ID from the terminal device;
For the user ID and one-time password received from the terminal device by the authentication device communication unit, a predetermined calculation is performed using the user's regular password character string and the random number stored together with the user ID in the management unit. And an authentication judgment unit for judging success or failure of user authentication.

The storage unit further includes:
Store random numbers up to a predetermined upper limit number,
The communication unit transmits the requested random number calculated from the predetermined upper limit number and the number of random numbers stored in the storage unit together with a user ID to the authentication device, and from the authentication device, Receive random numbers and store them in the order received in the storage unit,
The appearance setting unit takes out the first random number stored in the storage unit, sets the appearance of password candidate characters based on the random number and the input value input from the input unit,
The authentication device communication unit further includes:
The number of random numbers requested from the one-time password generator is received together with the user ID, and the requested number of random numbers generated by the authentication random number generator is sent to the terminal device.
The management unit further includes:
When the authentication device communication unit receives a user ID from the terminal device, one or more random numbers generated by the authentication random number generation unit are stored together with the user ID and the user's regular password character string. ,
The authentication determination unit further includes:
For the user ID and one-time password received by the authentication device communication unit from the terminal device, a random number is stored using the user's regular password character string and random number stored together with the user ID in the management unit. A predetermined calculation is performed in the order in which the user authentication is performed, and the success / failure determination of the user authentication is repeated. When the authentication is successful, the random number used so far is deleted from the management unit.

The one-time password generation device further includes:
A storage unit for storing random numbers up to a predetermined upper limit number;
The communication unit further includes:
The number of requested random numbers calculated from the predetermined upper limit number and the number of random numbers stored in the storage unit is transmitted to the authentication device together with the user ID, and a random number is received from the authentication device. Store in the order received in the storage unit,
The appearance setting unit further includes:
Taking out the first one of the random numbers stored in the storage unit, and setting the appearance of the selection random number together with the appearance of the password candidate character based on the random number and the input value input from the input unit,
The authentication device communication unit further includes:
The number of random numbers requested from the one-time password generator is received together with the user ID, and the requested number of random numbers generated by the authentication random number generator is sent to the terminal device.
The management unit further includes:
When the authentication device communication unit receives a user ID from the terminal device, one or more random numbers generated by the authentication random number generation unit are stored together with the user ID and the user's regular password character string. ,
The authentication determination unit further includes:
For the user ID and one-time password received from the terminal device by the authentication device communication unit, a random number is stored using the user's regular password character string and random number stored together with the user ID in the management unit. It is characterized in that a predetermined calculation is performed in the order in which the user authentication is performed and the success / failure determination of the user authentication is repeated, and when the authentication is successful, the random number used so far is deleted from the management unit.

  In addition, the communication unit requests the authentication device for a random number only when the random number stored in the storage unit is smaller than a predetermined lower limit number.

The communication unit further includes:
Only when communication with the authentication apparatus is possible, a request for a random number is made to the authentication apparatus.

The storage unit further includes:
Remember the common key,
The password generation unit further includes:
A one-time password is generated by encrypting a value generated based on an input value input from the input unit using the common key,
The management unit further includes:
In addition to storing the common key together with the user ID,
The authentication determination unit further includes:
About the one-time password received together with the user ID received from the terminal device by the authentication device communication unit, the value decrypted by using the common key stored together with the user ID in the management unit and the normal password character of the user A predetermined calculation is performed using the sequence and the random number, and the success or failure of user authentication is determined.

The storage unit further includes:
Remember the public key,
The password generation unit
A one-time password is generated by encrypting a value generated based on an input value input from the input unit using the public key,
The management unit further stores a secret key corresponding to the public key together with a user ID,
The authentication determination unit is a value obtained by decrypting the one-time password received together with the user ID received from the terminal device by the authentication device communication unit using a secret key stored together with the user ID in the management unit; A predetermined calculation is performed using the user's regular password character string and the random number, and the success or failure of the user authentication is determined.

The authentication device described in the first to third embodiments is
Authenticate the user by communicating with the terminal device and the one-time password generator used by the user,
An authentication random number generator for generating random numbers;
An authentication device that receives a user ID from the one-time password generation device, transmits a random number generated by the authentication random number generation unit to the terminal device, and receives a user ID and a one-time password from the terminal device A communication department;
A management unit that stores a user's regular password character string together with the user ID, and a random number generated by the authentication random number generation unit when the authentication device communication unit receives a user ID from the terminal device;
For the user ID and one-time password received from the terminal device by the authentication device communication unit, a predetermined calculation is performed using the user's regular password character string and the random number stored together with the user ID in the management unit. And an authentication judgment unit for judging success or failure of user authentication.

The management unit further includes:
Memorize the appearance change pattern,
The authentication determination unit further includes:
A predetermined calculation is performed using the appearance change pattern stored in the management unit, and the success or failure of user authentication is determined.

The authentication device communication unit further includes:
The number of random numbers requested from the one-time password generator is received together with the user ID, and the requested number of random numbers generated by the authentication random number generator is sent to the terminal device.
The management unit further includes:
When the authentication device communication unit receives a user ID from the terminal device, one or more random numbers generated by the authentication random number generation unit are stored together with the user ID and the user's regular password character string. ,
The authentication determination unit further includes:
For the user ID and one-time password received by the authentication device communication unit from the terminal device, a random number is stored using the user's regular password character string and random number stored together with the user ID in the management unit. A predetermined calculation is performed in the order in which the user authentication is performed, and the success / failure determination of the user authentication is repeated. When the authentication is successful, the random number used so far is deleted from the management unit.

The management unit further includes:
A common key is stored together with the user ID,
The authentication determination unit further includes:
About the one-time password received together with the user ID received from the terminal device by the authentication device communication unit, the value decrypted by using the common key stored together with the user ID in the management unit and the normal password character of the user A predetermined calculation is performed using the sequence and the random number, and the success or failure of user authentication is determined.

The management unit further includes:
A secret key is stored together with the user ID,
The authentication determination unit further includes:
About the one-time password received together with the user ID received from the terminal device by the authentication device communication unit, the value decrypted by using the secret key stored together with the user ID in the management unit and the normal password character of the user A predetermined calculation is performed using the sequence and the random number, and the success or failure of user authentication is determined.

In addition, the one-time password generation device described in the first to third embodiments is
Generate a one-time password to be used when the user authenticates with the authentication device using the terminal device,
A communication unit that transmits a user ID to the authentication device and receives a random number from the authentication device;
An input unit for receiving an input value from a key;
An appearance setting unit that sets the appearance of password candidate characters based on the random number received by the communication unit and the input value input from the input unit;
A password generation unit that generates a one-time password based on an input value input from the input unit;
It has a display part which displays the password candidate character of the appearance set by the appearance setting part, and the one-time password generated by the password generation part.

The password generation device further includes:
A storage unit for storing an appearance change pattern indicating a rule for changing an appearance of a password candidate character;
The appearance setting unit further includes:
The appearance of the password candidate character is set based on the appearance change pattern stored in the storage unit.

In addition, the one-time password generation device described in the first to third embodiments is
Generate a one-time password to be used when the user authenticates with the authentication device using the terminal device,
A communication unit that transmits a user ID to the authentication device and receives a random number from the authentication device;
An input unit for receiving an input value from a key;
An appearance setting unit that sets the appearance of password candidate characters and selection random numbers based on the random number received by the communication unit and the input value input from the input unit;
A password generation unit that generates a one-time password based on an input value input from the input unit;
It has a display part which displays a password candidate character of appearance set by the appearance setting part, a random number for selection, and a one-time password generated by the password generation part.

The storage unit further includes:
Store random numbers up to a predetermined upper limit number,
The communication unit transmits the requested random number calculated from the predetermined upper limit number and the number of random numbers stored in the storage unit together with a user ID to the authentication device, and from the authentication device, Receive random numbers and store them in the order received in the storage unit,
The appearance setting unit extracts the first random number stored in the storage unit, and sets the appearance of a password candidate character based on the random number and an input value input from the input unit. .

The storage unit further includes:
Store random numbers up to a predetermined upper limit number,
The communication unit transmits the requested random number calculated from the predetermined upper limit number and the number of random numbers stored in the storage unit together with a user ID to the authentication device, and from the authentication device, Receive random numbers and store them in the order received in the storage unit,
The appearance setting unit takes out the first one of the random numbers stored in the storage unit, and sets the appearance of the password candidate character and the selection random number based on the random number and the input value input from the input unit. It is characterized by doing.

The communication unit further includes:
Only when the number of random numbers stored in the storage unit is smaller than a predetermined lower limit number, a request for random numbers is made to the authentication device.

The communication unit further includes:
Only when communication with the authentication apparatus is possible, a request for a random number is made to the authentication apparatus.

The storage unit further includes:
Remember the common key,
The password generation unit further includes:
A value generated based on the input value input from the input unit is encrypted using the common key to generate a one-time password.

The storage unit further includes:
Remember the public key,
The password generation unit
A value generated based on the input value input from the input unit is encrypted using the public key to generate a one-time password.

In addition, the IC card described in the first to third embodiments is
When a user authenticates with an authentication device from a terminal device via a network, the one-time password generation device is used by being inserted into a one-time password generation device that generates a different one-time password each time authentication is performed. Exchange data with
An appearance setting unit that sets the appearance of password candidate characters based on a random number and an input value given from the one-time password generation device and provides them to the one-time password generation device;
And a password generation unit that generates a one-time password based on an input value given from the one-time password generation device and provides the generated one-time password to the one-time password generation device.

The IC card further includes:
A storage unit for storing an appearance change pattern indicating a rule for changing an appearance of a password candidate character;
Have
The appearance setting unit further includes:
The appearance of the password candidate character is set based on the appearance change pattern stored in the storage unit.

The storage unit further includes:
Store random numbers up to a predetermined upper limit number,
The appearance setting unit takes out the first one of the random numbers stored in the storage unit, and sets the appearance of password candidate characters based on the random number and the input value provided from the one-time password generation device. It is characterized by that.

In addition, the IC card described in the first to third embodiments is
When a user authenticates with an authentication device from a terminal device via a network, the one-time password generation device is used by being inserted into a one-time password generation device that generates a different one-time password each time authentication is performed. Exchange data with
An appearance setting unit that sets the appearance of a password candidate character and a random number for selection based on a random number and an input value given from the one-time password generation device and provides the random number for selection to the one-time password generation device;
And a password generation unit that generates a one-time password based on an input value given from the one-time password generation device and provides the generated one-time password to the one-time password generation device.

The IC card further includes:
A storage unit for storing random numbers up to a predetermined upper limit number;
The appearance setting unit further includes:
Taking out the first one of the random numbers stored in the storage unit, and setting the appearance of the password candidate character and the selection random number based on this random number and the input value provided by the one-time password generation device Features.

The authentication method described in the first to third embodiments is as follows.
A terminal device used by a user, a one-time password generation device that generates a different one-time password each time during authentication, and an authentication device that communicates with the terminal device and the one-time password generation device to authenticate the user Use
The one-time password generator is
A random number request transmission process for transmitting a random number generation request including a user ID to the authentication device;
A random number response reception process for receiving a random number generation response including a random number from the authentication device;
An input process that accepts an input value from the key;
Appearance setting process for setting the appearance of password candidate characters based on the random number received by the random number generation response reception process and the input value input by the input process;
Password candidate character display processing for displaying the password candidate characters of the appearance set by the appearance setting processing;
One-time password generation processing for generating a one-time password based on the input value input by the input processing;
A one-time password display process for displaying the one-time password generated by the one-time password generation process;
The terminal device
An authentication screen display process for displaying an authentication request screen;
An authentication input process for accepting a user ID and a one-time password input from the user to the authentication request screen;
An authentication request transmission process is performed for transmitting an authentication request including the user ID and the one-time password received in the input process to the authentication apparatus,
The authentication device
A random number request reception process for receiving the random number generation request transmitted from the one-time password generation device;
A random number generation process for generating a random number;
A random number storage process for storing a random number generated by the random number generation process together with a user ID and a user's regular password character string;
A random number response transmission process for transmitting the random number generation response including the random number generated by the random number generation process to the one-time password generation device;
An authentication request receiving process for receiving the authentication request transmitted from the terminal device;
For the user ID and one-time password included in the authentication request received from the terminal device by the authentication request reception process, the user's regular password character string and random number stored together with the user ID in the random number storage process And performing a predetermined calculation to perform an authentication determination process for determining whether the user authentication is successful.

The appearance setting process further includes:
The appearance of the password candidate character is set based on an appearance change pattern indicating a rule for changing the appearance of the password candidate.

The appearance setting process further includes:
Set the appearance of the selection random number based on the random number received by the random number generation response reception process and the input value input by the input process,
The password candidate character display process further includes:
The random number for selecting the appearance set by the appearance setting process is displayed.

The block diagram which shows the structure of the authentication system which concerns on this invention. 5 is a flowchart showing an operation of password generation processing of the password generation device according to the first embodiment. 3 is a flowchart showing a detailed operation of S108 in FIG. 2 in the first embodiment. The flowchart which shows operation | movement of the random number generation process of the authentication apparatus which concerns on this invention. The flowchart which shows operation | movement of the authentication process of the terminal device which concerns on this invention. The flowchart which shows operation | movement of the authentication process of the authentication apparatus which concerns on this invention. 7 is a flowchart showing a detailed operation of S506 in FIG. 6 in the first embodiment. Code conversion table. The authentication screen displayed on the terminal device which concerns on this invention. A password generation screen displayed on the password generation device according to the first and second embodiments. 9 is a flowchart showing an operation of password generation processing of the password generation device according to the second embodiment. 12 is a flowchart showing a detailed operation of S708 in FIG. 11 in the second embodiment. 7 is a flowchart showing a detailed operation of S506 in FIG. 6 in the second embodiment. 10 is a flowchart showing an operation of password generation processing of the password generation device according to the third embodiment. 15 is a flowchart showing a detailed operation of S1008 in FIG. 14 in the third embodiment. 7 is a flowchart showing a detailed operation of S506 in FIG. 6 in the third embodiment. FIG. 17 is a flowchart showing a detailed operation of S1205 in FIG. 16 in the third embodiment. 14 is a password generation screen displayed on the password generation device according to the third embodiment.

Explanation of symbols

  101 one-time password generation device, 102 password display unit, 103 password input unit, 104 storage unit, 105 appearance setting unit, 106 password generation unit, 107 password communication unit, 108 IC card, 109 terminal device, 110 terminal input unit, 111 Terminal display unit, 112 Terminal communication unit, 113 server device, 114 authentication random number generation unit, 115 authentication determination unit, 116 management unit, 117 server communication unit, 118 authentication communication unit, 201 authentication screen, 202 user ID input field, 203 one Time password input field, 204 execution button, 301, 401 one-time password generation screen, 302, 402 password array, 403 random number for selection.

Claims (42)

In a password generation device that generates a one-time password to be transmitted to an authentication device that determines success or failure of authentication with a one-time password that is disposable for each authentication,
A storage unit for storing user identification information (user ID) for identifying a user;
A password communication unit that transmits the user ID stored in the storage unit to the authentication device and receives a random number from the authentication device;
A password input unit that accepts input values;
An appearance setting unit for setting the appearance of password candidate characters based on the random number received by the password communication unit and the input value received by the password input unit;
A password display unit for displaying password candidate characters having the appearance set by the appearance setting unit;
A password generation unit configured to generate a one-time password based on an input value received by the password input unit with respect to a password candidate character displayed by the password display unit, and to output the one-time password; Password generator. The storage unit further includes:
Stores an appearance change pattern indicating rules for changing the appearance of password candidate characters,
The appearance setting unit further includes:
The password generation device according to claim 1, wherein an appearance of a password candidate character is set based on an appearance change pattern stored in the storage unit. The storage unit further includes:
Storing a random number received by the password communication unit;
The appearance setting unit
The password generation device according to claim 1 or 2, wherein an appearance of a password candidate character is set based on at least one of random numbers stored in the storage unit and an input value received by the password input unit. The password communication unit further includes:
4. The password generating apparatus according to claim 1, wherein a random number request indicating that a random number is requested and the number of requested random numbers is transmitted. The storage unit further includes:
Store the lower limit number representing the lower limit value of the number of random numbers to be stored,
The password communication unit
The password generation device according to claim 4, wherein when the number of random numbers stored in the storage unit is equal to or greater than a lower limit number, a random number request is not transmitted. The storage unit further includes:
Store the upper limit number representing the upper limit of the number of random numbers to be stored,
The password communication unit
6. The password generation apparatus according to claim 4, wherein a random number request in which the number of requested random numbers is set to be equal to or less than an upper limit number stored in the storage unit is transmitted. The appearance setting unit further includes:
Set up a selection interface that lets the user choose the type of appearance,
The password display unit further includes:
7. The password generation apparatus according to claim 1, wherein the selection interface set by the appearance setting unit is displayed. The storage unit further includes:
Stores a common key for data encryption,
The password generation unit further includes:
8. The password generation apparatus according to claim 1, wherein the generated one-time password is encrypted with a common key stored in the storage unit. The storage unit further includes:
Remember the public key that encrypts the data,
The password generation unit further includes:
8. The password generation apparatus according to claim 1, wherein the generated one-time password is encrypted with a public key stored in the storage unit. In a password generation method for generating a one-time password to be transmitted to an authentication device that determines success or failure of authentication with a one-time password disposable for each authentication,
A storage step of storing user identification information (user ID) for identifying a user;
A password communication step of transmitting the user ID stored in the storage step to the authentication device and receiving a random number from the authentication device;
A password input process for accepting input values;
An appearance setting step for setting the appearance of password candidate characters based on the random number received in the password communication step and the input value received in the password input step;
A password display step for displaying password candidate characters having the appearance set in the appearance setting step;
A password generation step of generating a one-time password based on the input value received in the password input step with respect to the password candidate characters displayed in the password display step, and outputting the one-time password. Password generation method. In the storing step,
Stores an appearance change pattern indicating rules for changing the appearance of password candidate characters,
In the appearance setting step,
The password generation method according to claim 10, wherein the appearance of the password candidate character is set based on the appearance change pattern stored in the storing step. In the storing step,
Storing the random number received in the password communication step;
In the appearance setting step,
The password generation method according to claim 10 or 11, wherein an appearance of a password candidate character is set based on at least one of the random numbers stored in the storage step and the input value received in the password input step. In the password communication step,
13. The password generation method according to claim 10, wherein a random number request indicating that a random number is requested and the number of requested random numbers is transmitted. In the storing step,
Store the lower limit number representing the lower limit value of the number of random numbers to be stored,
In the password communication step,
14. The password generation method according to claim 13, wherein a random number request is not transmitted when the number of random numbers stored in the storing step is equal to or greater than a lower limit number. In the storing step,
Store the upper limit number representing the upper limit of the number of random numbers to be stored,
In the password communication step,
15. The password generation method according to claim 13, wherein a random number request in which the number of requested random numbers is set to be equal to or less than the upper limit number stored in the storing step is transmitted. In the appearance setting step,
Set up a selection interface that lets the user choose the type of appearance,
In the password display step,
16. The password generation method according to claim 10, wherein the selection interface set in the appearance setting step is displayed. In the storing step,
Stores a common key for data encryption,
In the password generating step,
The password generation method according to any one of claims 10 to 16, wherein the generated one-time password is encrypted with the common key stored in the storage step. In the storing step,
Remember the public key that encrypts the data,
In the password generating step,
The password generation method according to any one of claims 10 to 18, wherein the generated one-time password is encrypted with the public key stored in the storage step. A password having a password generation device that generates a disposable one-time password for each authentication, and an authentication device that determines the success or failure of authentication based on the one-time password transmitted by the terminal device that transmits the one-time password generated by the password generation device In the generation system,
The password generator is
A storage unit for storing user identification information (user ID) for identifying a user;
A password communication unit that transmits the user ID stored in the storage unit and receives a random number;
A password input unit that accepts input values;
An appearance setting unit for setting the appearance of password candidate characters based on the random number received by the password communication unit and the input value received by the password input unit;
A password display unit for displaying password candidate characters having the appearance set by the appearance setting unit;
A password generation unit that generates a one-time password based on an input value received by the password input unit with respect to a password candidate character displayed by the password display unit, and outputs the one-time password,
The authentication device
An authentication random number generator for generating random numbers;
An authentication communication unit that receives the user ID transmitted by the password communication unit and transmits the random number generated by the authentication random number generation unit to the password communication unit;
A management unit that stores a user ID, a normal password character string of a user corresponding to the user ID, and a random number generated by the authentication random number generation unit when the authentication communication unit receives the user ID;
A server communication unit that receives the user ID and the one-time password transmitted by the terminal device;
For the user ID and one-time password received by the server communication unit, a predetermined calculation is performed using the user's regular password character string and random number corresponding to the user ID stored in the management unit, and authentication is performed. A password generation system comprising: an authentication determination unit that determines success or failure. The storage unit further includes:
Stores an appearance change pattern indicating rules for changing the appearance of password candidate characters,
The appearance setting unit further includes:
Set the appearance of password candidate characters based on the appearance change pattern stored in the storage unit,
The management unit further includes:
The password generation system according to claim 19, wherein an appearance change pattern is stored. The storage unit further includes:
Storing a random number received by the password communication unit;
The appearance setting unit
21. The password generation system according to claim 19 or 20, wherein an appearance of a password candidate character is set based on at least one of random numbers stored in the storage unit and an input value received by the password input unit. The password communication unit further includes:
Send a random number request indicating the request for random numbers and the number of random numbers requested,
The authentication communication unit further includes:
The random number request transmitted by the password communication unit is received, and the random number generated by the authentication random number generation unit is transmitted to the password communication unit by the number indicated by the random number request. Password generation system described in. The storage unit further includes:
Store the lower limit number representing the lower limit value of the number of random numbers to be stored,
The password communication unit
23. The password generation system according to claim 22, wherein a random number request is not transmitted when the number of random numbers stored in the storage unit is equal to or greater than a lower limit number. The storage unit further includes:
Store the upper limit number representing the upper limit of the number of random numbers to be stored,
The password communication unit
The password generation system according to claim 22 or 23, wherein a random number request in which the number of requested random numbers is set to be equal to or less than the upper limit number stored in the storage unit is transmitted. The appearance setting unit further includes:
Set up a selection interface that lets the user choose the type of appearance,
The password display unit further includes:
25. The password generation system according to claim 19, wherein the selection interface set by the appearance setting unit is displayed. The storage unit further includes:
Stores a common key for data encryption,
The password generation unit further includes:
Encrypt the generated one-time password with a common key stored in the storage unit,
The management unit further includes:
26. The password generation system according to claim 19, wherein a common key corresponding to each user ID is stored. The storage unit further includes:
Remember the public key that encrypts the data,
The password generation unit further includes:
Encrypt the generated one-time password with the public key stored in the storage unit,
The management unit further includes:
27. The password generation system according to claim 19, wherein a secret key corresponding to the public key stored in the storage unit is stored. An integrated circuit (IC) that is inserted into a password generation device that generates a one-time password to be transmitted to an authentication device that determines success or failure of authentication using a disposable one-time password for each authentication, and exchanges data with the password generation device ) In the card,
An appearance setting unit that obtains a random number and an input value from the password generation device, and sets an appearance of a password candidate character based on the random number and the input value;
A password generation unit that acquires an input value for a password candidate character from the password generation device, generates a one-time password based on the input value, and provides the password generation device with the one-time password. IC card to do. The IC card further includes:
A storage unit for storing an appearance change pattern indicating a rule for changing the appearance of the password candidate character;
The appearance setting unit further includes:
29. The IC card according to claim 28, wherein an appearance of a password candidate character is set based on an appearance change pattern stored in the storage unit. The storage unit further includes:
Storing a random number obtained from the password generating device;
The appearance setting unit
30. The IC card according to claim 28 or 29, wherein an appearance of a password candidate character is set based on at least one of random numbers stored in the storage unit and an input value acquired from the password generation device. The appearance setting unit further includes:
31. The IC card according to claim 28, wherein a selection interface that allows a user to select a type of appearance is set. The storage unit further includes:
Stores a common key for data encryption,
The password generation unit further includes:
32. The IC card according to claim 28, wherein the generated one-time password is encrypted with a common key stored in the storage unit. The storage unit further includes:
Remember the public key that encrypts the data,
The password generation unit further includes:
32. The IC card according to claim 28, wherein the generated one-time password is encrypted with a public key stored in the storage unit. In an authentication device that determines success or failure of authentication by a one-time password transmitted by a terminal device that transmits a one-time password generated by a password generation device that generates a disposable one-time password for each authentication,
An authentication random number generator for generating random numbers;
An authentication communication unit that receives user identification information (user ID) for identifying a user from the password generation device, and transmits the random number generated by the authentication random number generation unit to the password generation device;
A management unit that stores a user ID, a normal password character string of a user corresponding to the user ID, and a random number generated by the authentication random number generation unit when the authentication communication unit receives the user ID;
A server communication unit that receives a user ID and a one-time password from the terminal device;
For the user ID and one-time password received by the server communication unit, a predetermined calculation is performed using the user's regular password character string and random number corresponding to the user ID stored in the management unit, and authentication is performed. An authentication apparatus comprising: an authentication determination unit that determines success or failure. The management unit further includes:
Memorize the appearance change pattern,
The authentication determination unit further includes:
35. The user authentication and the one-time password received by the server communication unit are subjected to a predetermined calculation using an appearance change pattern stored in the management unit to determine whether authentication is successful or not. The authentication device described. The management unit further includes:
Remember the appearance of the user's legitimate password character,
The authentication determination unit further includes:
35. The user ID and one-time password received by the server communication unit are subjected to a predetermined calculation using an appearance of a password character stored in the management unit to determine whether or not the authentication is successful. Or the authentication apparatus of 35. The authentication determination unit further includes:
When the authentication is not successful, for the user ID and the one-time password received by the server communication unit, the management unit stores a random number corresponding to the user ID that is unused for the calculation related to the authentication. The authentication unit performs a predetermined calculation using at least one of the regular password character string of the user corresponding to the user ID stored in the management unit and the random number, and determines the success or failure of the authentication. The authentication device according to any one of claims 34 to 36. The authentication communication unit further includes:
The random number request is received from the password generation device, and the random number generated by the authentication random number generation unit is transmitted to the password generation device by the number indicated by the random number request. Authentication device. The management unit further includes:
Storing a common key corresponding to each user ID;
The authentication determination unit further includes:
For the user ID and one-time password received by the server communication unit, the one-time password is decrypted with a common key corresponding to the user ID stored in the management unit, and a predetermined calculation is performed, and the success or failure of the authentication is performed. The authentication apparatus according to any one of claims 34 to 38, wherein the determination is performed. The management unit further includes:
Storing a secret key corresponding to the public key stored in the storage unit;
The authentication determination unit further includes:
For the user ID and one-time password received by the server communication unit, the one-time password is decrypted with a secret key corresponding to the public key associated with the user ID stored in the management unit, and a predetermined calculation is performed. The authentication apparatus according to any one of claims 34 to 38, wherein the authentication success / failure determination is performed. A password generation device that generates a disposable one-time password for each authentication, a terminal device that transmits the one-time password generated by the password generation device, and an authentication that determines success or failure of authentication based on the one-time password transmitted by the terminal device In an authentication method of an authentication system having a device,
The password generation device is
A storage step of storing user identification information (user ID) for identifying a user;
A password communication step of transmitting the user ID stored in the storage step and receiving a random number;
A password input process for accepting input values;
An appearance setting step for setting the appearance of password candidate characters based on the random number received in the password communication step and the input value received in the password input step;
A password display step for displaying password candidate characters having the appearance set in the appearance setting step;
Generating a one-time password based on the input value received in the password input step for the password candidate characters displayed in the password display step, and a password generation step for outputting the one-time password;
The terminal device is
A terminal display step for displaying an authentication screen requesting the user to input a user ID and the one-time password displayed in the password display step;
A terminal input process for receiving input values;
A terminal communication step of transmitting a user ID and a one-time password included in the input value received in the terminal input step;
The authentication device is
An authentication random number generating step for generating a random number;
An authentication communication step of receiving the user ID transmitted in the password communication step, and transmitting the random number generated in the authentication random number generation step to the password generation device;
A management step of storing a user ID and a normal password character string of the user corresponding to the user ID and the random number generated in the authentication random number generation step when the user ID is received in the authentication communication step;
A server communication step of receiving the user ID and the one-time password transmitted in the terminal communication step;
For the user ID and the one-time password received in the server communication step, a predetermined calculation is performed using a normal password character string and a random number of the user corresponding to the user ID stored in the management step, and authentication is performed. An authentication method comprising: an authentication determination step for determining success or failure. A password generation device that generates a disposable one-time password for each authentication, a terminal device that transmits the one-time password generated by the password generation device, and an authentication that determines success or failure of authentication based on the one-time password transmitted by the terminal device In an authentication system having a device,
The password generator is
A storage unit for storing user identification information (user ID) for identifying a user;
A password communication unit that transmits the user ID stored in the storage unit and receives a random number;
A password input unit that accepts input values;
An appearance setting unit for setting the appearance of password candidate characters based on the random number received by the password communication unit and the input value received by the password input unit;
A password display unit for displaying password candidate characters having the appearance set by the appearance setting unit;
A password generation unit that generates a one-time password based on an input value received by the password input unit with respect to a password candidate character displayed by the password display unit, and outputs the one-time password,
The terminal device
A terminal display unit that displays an authentication screen requesting the user to input a user ID and a one-time password displayed on the password display unit;
A terminal input unit that accepts input values;
A terminal communication unit that transmits a user ID and a one-time password included in the input value received by the terminal input unit;
The authentication device
An authentication random number generator for generating random numbers;
An authentication communication unit that receives the user ID transmitted by the password communication unit and transmits the random number generated by the authentication random number generation unit to the password communication unit;
A management unit that stores a user ID, a normal password character string of a user corresponding to the user ID, and a random number generated by the authentication random number generation unit when the authentication communication unit receives the user ID;
A server communication unit that receives the user ID and the one-time password transmitted by the terminal communication unit;
For the user ID and one-time password received by the server communication unit, a predetermined calculation is performed using the user's regular password character string and random number corresponding to the user ID stored in the management unit, and authentication is performed. An authentication system comprising: an authentication determination unit that determines success or failure.

Images