JP2006209676A - Security system and security method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide user authentication for a plurality of services only by storing one master key in a storage medium. <P>SOLUTION: On user registration, one master key is issued and registered in an IC card 133, and authentication information required for the user authentication for each service which can be used by a user 400 is stored in relation to the master key in a master key database 103 and a personal information database 105 to be consolidated in a management server 101. When the user 400 receives a service from an in-house service server 110, the user transmits the master key registered in the IC card 133 and an application identifier assigned to the service to the management server 101, receives the authentication information required for the user authentication for the service from the management server 101, and is authenticated as a user with this authentication information. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a security system and a security method, and more particularly to a security system and a security method for performing user authentication using a key.

  User authentication is required for ensuring security in systems using networks, entrance / exit management management of offices, electronic transactions, and credit card and cash card payments. Currently, such user authentication is mainly realized using an IC card.

  The IC card includes a CPU, a memory, and a wired or wireless communication circuit, and can exchange data with an external information processing apparatus using a communication function. The IC card also has an advantage that it is easy to add and delete applications. For this reason, it is possible to perform user authentication of a plurality of services with one IC card.

FIG. 13 is a schematic diagram showing a user service system using a conventional IC card.
In the system shown in the figure, a user 2000 uses Internet services, electronic transactions, entry / exit management, and business server services. When the user 2000 uses these various services, user authentication information such as an ID and a password is issued to the user from a company (service providing company) that provides each service.

  Registration of user authentication information issued by the service provider to the IC card is performed, for example, by the service provider directly writing on the IC card, or by the server of the service provider via a network such as the Internet. It was done by a method such as writing on an IC card attached to a personal computer. When the service provider directly writes the user authentication information to the IC card, the IC card with the user authentication written is sent to the user 2000 by mail or the like. The user 2000 can use the service provided by the service providing company by holding the IC card 2100 in which the user authentication information is registered (stored) by the method described above. In other words, by transmitting the user authentication information registered in the IC card 2100 to the system of the service provider, the user is authenticated by the system of the service provider, and the service is provided by being authorized as a legitimate user. It is possible to use services provided by the company.

  The IC card includes a contact type, a non-contact type, and a hybrid type that uses both a contact type and a non-contact type. As a hybrid type, a “Suica compatible hybrid card” that realizes a bank cash card or credit card function as a contact IC card and a ticket or electronic money function as a non-contact IC card is known. (Refer nonpatent literature 1).

An invention relating to a non-contact type (non-contact type) IC card used in an electronic money service providing system is also disclosed (see Patent Document 1).
JP 2002-73797 A http://itpro.nikkeibp.co.jp/free/NC/NEWS/20041015/151302/print.shtmlNikkei Computer (October 15, 2004 issue)

  In the above-described conventional method for registering user authentication on an IC card, different user authentication information is issued for each service, so that all user authentication information for each service must be recorded on the IC card. For this reason, the IC card having a small memory capacity has a drawback that the number of user authentication information that can be registered is limited.

  Also, if the user loses the IC card, the user will stop the service by reporting to all service providers registered for user authentication on the lost IC card in order to prevent unauthorized use. It was necessary to let them. From the user's point of view, this notification was cumbersome and inconvenient.

  An object of the present invention is to realize a security system capable of performing user authentication of all services available to a user using only one master key stored in a storage medium held by the user. That is.

  The security system of the present invention is premised on a security system that performs user authentication of a user of a client terminal when a service provision request is made from a client terminal to a server that provides the service.

  The security system according to the first aspect of the present invention includes a storage medium that stores a master key and can be read by a client terminal, a master key stored in the storage medium, and user authentication for each service used by the user When the user sends the master key and service identification information to request authentication information necessary for user authentication of the service, the user's client A security system comprising: a management server that returns the authentication information to a terminal.

The service identification information is, for example, a service application identifier. In addition, the management server is provided in an outside network, for example.
A security system according to a second aspect of the present invention is the security system according to the first aspect, wherein the client terminal uses reading means for reading a master key from the storage medium, and a master key read by the reading means. Authentication information requesting means for transmitting to the management server together with the service identification information provided to the user and requesting the management server to return authentication information required for user authentication of the service, and receiving from the management server Authentication means for performing user authentication of a user using authentication information to be provided.

  In addition, when the management server receives the authentication information return request from the authentication information request unit, the management server uses the master key and the service identifier as a basis for authentication information used for user authentication of the service. Authentication information return means for returning to the client terminal is provided.

  The security system according to a third aspect of the present invention is the security system according to the second aspect, wherein the management server requires a master key held by a user for user authentication of a service that can be used by the user. An authentication information acquisition means for searching the database using the master key and the service identifier as a key, and acquiring the authentication information from the database; It is characterized by having.

  The security method of the present invention is premised on a security method for performing user authentication of a user of a client terminal when a service provision request is made from the client terminal to a server that provides the service.

  The security method according to the first aspect of the present invention includes a step of storing a master key in a storage medium readable by a client terminal, a master key stored in the storage medium, and a user of each service used by the user When the authentication information necessary for user authentication of the service is requested by the user transmitting the master key and service identification information and associating and managing the authentication information for authentication in a unified manner, the user Returning the authentication information to the client terminal.

  A security method according to a second aspect of the present invention is the security method according to the first aspect, wherein the client terminal reads a master key from the storage medium and the master key read by the reading step to the user. Using the authentication information received from the management server and a step of requesting the management server to send back authentication information required for user authentication of the service, together with an identifier of the service to be provided And executing the step of performing user authentication of the user, and when the management server receives the authentication information return request, the management server is used for user authentication of the service based on the master key and the service identification information. Performing an authentication information return step of returning authentication information to the client terminal

  A security method according to a third aspect of the present invention is the security method according to the second aspect, wherein the management server uses a master key held by a user for authentication required for user authentication of a service available to the user. In the authentication information return step, the database is searched using the master key and the service identifier as keys, and the authentication information is obtained from the database.

  According to the present invention, identifiers of all services used by a user are associated with one master key and are managed on the server side, so that a storage medium storing only that one master key is used. User authentication of all services provided to the user is possible. Therefore, it is possible to perform user authentication for many services using a small-capacity storage medium. In addition, it is possible to add a service to the user by work only on the server side.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[principle]
FIG. 1 is a diagram for explaining the principle of the present invention.

  In the present invention, only by storing (registering) one master key 13 in the storage medium 10 such as an IC card, the user 11 who owns the storage medium 10 can receive a plurality of services. For example, services such as Internet services, electronic transactions, entry / exit management, and business server services. The authentication information of all services that can be used by the user 11 is registered in the management server 20 in association with one master key 13 registered in the storage medium 10 and is centrally managed by the management server 20. In response to a service request from the user 11, the management server 20 transmits authentication information necessary for the user 11 to use the service to a terminal (such as a personal computer) of the user 11. The authentication information includes, for example, an ID and a password. The user 11 can use the service by transmitting the authentication information received from the management server 20 to a service server (not shown) that provides the service, and being authorized by the service server as an authorized user. It becomes.

  In this way, all services that can be used by the user 11 are collectively managed by the management server 20 in association with the single master key 13 stored in the storage medium 10 owned by the user 11. For this reason, even when the user 11 adds / deletes a service, it is not necessary to update the storage information of the storage medium 10, and the management server 20 associates the master key 13 with the added / deleted service. You only need to update Further, when the user 11 loses the storage medium 10, the management server 20 simply deletes the master key 13 stored in the storage medium 10 from the management information and has been provided to the user 11 until then. All services can be stopped quickly and easily.

[Constitution]
FIG. 2 is a system configuration diagram of an embodiment of the present invention.
The system shown in FIG. 1 includes an internal network (Internet) 100, an Internet 200, a first external network 310, and a second external network 320 of company A.

  The in-house network 100 includes a management server 101, an in-house service server 110, a first client PC (first client / personal computer) 120, a second client PC (second client / personal computer) 130, a firewall 140, and An in-house LAN (Local Area Network) 150 is configured. The in-house service server 110 includes a business server 111 and the like.

  The in-house LAN 150 is a LAN in which a plurality of cables are connected by a hub 160. The management server 101, the business server 111, and the first and second client PCs 120 and 130 are connected to the in-house LAN 150 via individual hubs 160, respectively. The firewall 140 is also connected to the in-house LAN 150 via the hub 160. The in-house network 100 is connected to the Internet 200 through the firewall 140.

  A first client PC 120 which is a desktop personal computer (hereinafter referred to as client PC 120) includes an IC card reader / writer 121 and a USB port (not shown). The IC card reader / writer 121 has a slot in which an IC card 123 can be mounted, and reads / writes data from / to the IC card 123 mounted in the slot. A USB memory 125 can be connected to the USB port, and the client 120 reads / writes data from / to the USB memory 125 connected to the USB port. USB is an abbreviation for “Universal Serial Bus”.

  A second client PC 130 (hereinafter referred to as a client PC 130), which is a notebook personal computer, has substantially the same configuration as the client PC 120, and includes an IC card reader / writer 131 and a USB port (not shown). An IC card 133 is attached to the IC card reader / writer 131 of the client PC 130, and a USB memory 135 is connected to the USB port. The client PC 130 reads / writes data to / from the IC card 133 and the USB memory 135 in the same manner as the client PC 120.

  In this embodiment, one master key of the user is stored in the IC card (123, 133) or the USB memory (125, 135). This master key is issued by the management server 101 in response to a request from the client PC (120 130), and is transmitted by the management server 101 to the requesting client PC. The data is written into the IC card (123, 133) or the USB memory (125, 135) by the client.

  The in-house service server 110 is a server that provides services to users of client PCs in the in-house network 100. The business server 111 stores an application (service application) that is software for providing various in-house services, and provides the various in-house services to the user of the client PC by executing this application.

  The first external network 310 (hereinafter referred to as the external network 310) and the second external network 320 (hereinafter referred to as the external network 320) serve users of client PCs (120, 130) in the internal network 100. It is a network of service providers that provide services. These external networks (310, 320) are connected to the internal network 100 via the Internet 200.

  The external network 310 includes an external service server 311 and a firewall 312, and is connected to the Internet 200 via the firewall 312. The external network 320 has substantially the same configuration as the external network 310, and includes an external service server 321 and a firewall 322, and is connected to the Internet 200 via the firewall 322.

  When the external service server 311 receives access from a user of the client PC (120, 130) in the internal network 100, the external service server 311 performs user authentication for the user, and as a result of the user authentication, the user is a regular user. If it is determined that there is, the service requested by the user is provided.

  FIG. 3 is a diagram showing a software configuration of the client PCs (120, 130), the management server 101, and the external service servers (310, 320) in the in-house network 100 shown in FIG.

  The client PC (120 130) includes a service application 501, a device library (dummy) 502, an authentication client application 503, a Web client 506, a master key reception / storage application 507, and a driver group 508 including a device driver and a LAN driver. Has software. The service application 501 is composed of one or a plurality of service applications according to the number of services used by the user.

  The service application 501 is an application that provides a service to the user 400 of the client PC (120, 130), and displays a service login screen and a service information screen. A device library (dummy) 502 is a driver for a storage medium device such as an IC card (123, 133) or a USB memory (125, 13).

  When the device library (dummy) 502 receives an authentication information request with the application identifier (identifier assigned to the service application 501) as an argument from the service application 501, the device library (dummy) 502 requests authentication information from the authentication client application 503 with the application identifier as an argument. To do. Then, authentication information of the service having the application identifier is received from the authentication client application 503. Then, the authentication information is returned to the service application 501.

  Upon receiving an authentication information request with an application identifier as an argument from the device library (dummy) 502, the authentication client application 503 reads the master key 13 from the IC card 133 or the USB memory 135, and uses the master key and the application identifier as a management server. The authentication information of the service having the application identifier is received from the management server 101, and the authentication information is returned to the device library (dummy) 502.

  A Web client 506 is a browser that provides a Web service using the Internet 200 to a user 400 of a client PC via a Web screen or the like. In the present embodiment, a Web screen for service use application is displayed, personal information regarding the user 400 such as “personal code” and “employee number” input by the user 400 via the Web screen, and “registered client” “PC identification number” is transmitted to the management server 101.

  The master key reception / storage application 507 receives the master key issued to the registered user 400 from the management server 101 during the “user registration process”, and receives the master key from the IC card 133 via the device driver. Alternatively, it is stored in the USB memory 135.

  The driver group 508 includes various drivers such as a device driver that writes / reads a master key to / from the IC card 133 and the USB memory 135 and a LAN driver that communicates with the management server 101 via the in-house LAN 150. .

  The management server 101 includes software such as a LAN driver 601, an authentication server application 602, a Web application 606, and a user registration application 607. A master key database 103 and a personal information database 105 are also provided. The master key database 103 and the personal information database 105 are created in, for example, an external storage device.

  The LAN driver 601 performs communication between the management server 101 and the client PC (120, 130) via the in-house LAN 150 in cooperation with the LAN driver in the driver group 508 of the client PC (120, 130).

  The authentication server application 602 receives an application identifier and a master key from the authentication client application 503 of the client PC (120, 130), searches the master key database 103 and the personal information database 105 using the master key as a key, and requests a service. The user 400 of the client PC (120, 130) to be authenticated is authenticated, and the service authentication information is returned to the client PC (120, 130) for the authenticated user 400.

  When the Web application 606 receives a service use application request from the client PC (120, 130) and confirms that the user 400 is a regular employee, the Web application 606 generates a master key. Then, the master key is registered in the master key database 103 and transmitted to the master key receiving / storing application 507.

  The user registration application 607 registers the identification information of the user 400 input by the administrator 700 in the master key database 103. Also, the service authentication information of the user 400 such as an ID and password input by the administrator 700 is registered in the personal information database 105.

The in-house service server 110 includes a LAN driver 801 and a business server 804.
The LAN driver 801 communicates with the LAN driver of the driver group 508 of the client PC (120, 130) and the LAN driver 601 of the management server 101 via the in-house LAN 150. The business server 804 provides an in-house service to the user 400 of the client PC.

FIG. 4 is a diagram showing the data structures (schema) of the master key database 103 and the personal information database 105.
The master key 13 shown in FIG. 5A is, for example, 1024 bits, and is generated based on “employee number”, “personal code”, “arbitrary numerical value”, and the like. This master key is also stored in the IC card 133 and the USB memory 135 connected to the client PC (120, 130).

  As shown in FIG. 4B, the master key database 103 includes “master key”, “personal code”, “random number”, “registration date / time”, “registration client PC identification number”, “user name”, “ It consists of the items "user employee number", "employee affiliation code", and "registration deletion date".

  In this embodiment, when the master key 13 is exchanged between the client PC (120 130) and the management server 101, the master key is encrypted and transmitted, but is not encrypted in the master key database 103 (decryption). Stored) master key.

“Personal code” is an identification code of the user 400 of the client PC.
“Registration date / time” is the date / time when the master key is registered in the master key database 103.
The “registered client PC identification number” is an identification number of the client PC (120, 130).

The “user name” is the name of the user of the client PC (120, 130).
“User employee number” is the employee number of the user of the client PC (120, 130).

The “employee number affiliation code” is a code of a department to which the user of the client PC (120, 130) belongs.
“Registration deletion date” is the date when the master key 13 was deleted from the master key database 103.

  The personal information database 105 includes a “master key”, “number of services provided”, “service 1 security information relation information”, “service 2 security information relation information”,. 16 security information relation information ".

The “master key” is an unencrypted (decrypted) master key.
The “number of services provided” is the number of service / security information registered in the personal information database 105. In this embodiment, the maximum value of this number is 16, and “0” is set when the service / security information is not registered.

“Service i authentication information link information (i = 0 to 16)” is link information to the authentication information of service i.
The service i authentication information link information includes “application identifier (application name)”, “ID”, and “password”. Information other than “ID” and “password” may be included.

The “application identifier” is an identifier (application name) of the service application.
“ID” is the ID of the user of the client PC (120, 130).

“Password” is the password of the user of the client PC (120, 130).
[Operation]
Next, the operation of the embodiment having the above configuration will be described.

FIG. 5 is a diagram showing an outline of the master key issuing process.
Here, a case where the master key 13 is issued to the user 400 of the client PC 130 will be described.
(1) First, the administrator 700 of the management server 101 issues and lends the storage medium 10 such as an IC card to the user 400 of the client PC 130. At this time, the master key 13 is not stored in the storage medium 10.
(2) The user 400 of the client PC 130 makes an application for issuing a master key to the management server 101.
(3) The administrator 700 of the management server 101 issues the master key 13 to the user 400 of the client PC 130 and transmits it to the client PC 130 of the user 400. At this time, the master key is preferably transmitted after being encrypted.
(4) Upon receiving the master key 13 by the client PC 130, the user 400 of the client PC 130 writes and stores it in the storage medium 10 connected to the client PC 130. At this time, if the master key is encrypted, the master key is restored and stored. In order to enhance security, the encrypted master key may be stored as it is.

FIG. 6 is a diagram for explaining service registration processing performed before the user uses the service.
[Pre-registration to service database]
The administrator 700 sends the information of the user 400 (“registered client PC identification number”, “user name”, “user employee number”, “employee affiliation code”) together with the “registration date” to the management server. It is registered in the master key database 103 via 101 (step S11).

  Next, the administrator 700 performs user registration on the internal service server 110 or the external service server (310, 320) for the service permitted to be used by the user 400, and the “ID” of the user 400 is registered from these service servers. And “password” are obtained (step S12).

  Subsequently, the administrator 700 registers the acquired “ID” and “password” as service authentication information in the personal information database 105 together with the “application identifier” of the service (step S13). At this time, the “service provision number” corresponding to the number of registered service authentication information is also registered in the personal information database 105.

Through the above processing, authentication information of all services permitted for the user 400 is registered in the personal information database 105.
[Additional registration to service database]
The administrator 700 adds a service used by the user 400 in response to an application from the user 400.

  When the administrator 700 receives a service application request from the user 400, the administrator 700 performs user registration on the internal service server 110 or the external service server (310, 320) for the service permitted to the user 400, and “ Authentication information such as “ID” and “password” is obtained (step S21). Then, the process of step S13 described above is performed, and service authentication information is added / registered in the personal information database 105. At this time, the “service provision quantity” in the personal information database 105 is updated.

[Issue / Registration of Master Key]
In the following description, the client PC 120 and the client PC 130 are collectively expressed as a client PC.

  The IC card 133 is installed in the IC card reader / writer connected to the client PC, or the USB memory 135 is inserted into the USB interface (USB port) of the client PC (step S31).

  The user 400 inputs an arbitrary “personal code”, “employee number (of the user 400)”, and “registered client PC identification number” from the Web screen displayed on the display of the client PC, and the management server A service use application request is transmitted to 101 (step S32).

  Upon receiving the service use application request, the management server 101 searches the master key database 103 to confirm whether “employee number” as an argument of the service use application request is registered in the master key database 103 ( Step S33).

  When the employee number is confirmed, the master key 13 is generated from the “employee number”, “personal code”, and “random number” that are arguments of the service use application request (step S34).

  Subsequently, the management server 101 stores the generated master key 13 in the master key database 103 and the personal information database 105 (step S35). Then, the master key 13 is transmitted to the client PC (step S36).

  The client PC receives the master key 13 transmitted from the management server 101 and registers it in the IC card 133 or the USB memory 135 (step S37). Then, the client PC ends the registration process on the Web screen (step S38).

  Through the above processing procedure, the master key 13 of the user 400 is generated, the master key 13 is stored in the master key database 103 and the personal information database 105 of the management server 101, and the storage medium 10 (IC of the user 400) Card 133 or USB memory 135).

FIG. 7 is a diagram for explaining the details of the processing performed in steps S32 to S36 of FIG.
The client PC transmits a service use application request packet 1010 to the management server 101. The service use application request packet 1010 shown in FIG. 7 includes a 64-bit “personal code (arbitrary 10-digit number)”, a 32-bit “user employee number”, a 32-bit “registered client PC identification number”, and It includes the “unique identification code” of the storage medium 10 (IC card 133 or USB memory 135) of the 128-bit user 400. Although not shown, for example, a “service use application request” command is added to the head of the packet 1010.

  Upon receiving the service use application request packet 1010, the management server 101 extracts the “registered client PC identification number (32 bits)” and the “user employee number (32 bits)” from the packet 1010, and these numbers are the master. It is compared and verified whether it is registered in the key database 103. As a result of the comparison / verification, when it is confirmed that both numbers are registered in the master key database 103, the following equation (1) is calculated to generate a master key 13 (1024 bits).

Master key = (personal code (64 bits) + first longword of unique identification code (64 bits) + second longword of unique identification code (64 bits)) × random number (64 bits) (1)
Then, the management server 101 transmits the generated master key 13 to the client PC.

  When the client PC makes an authentication information request to the management server 101, the client PC transmits an authentication information request packet 1020 including “unique identification code” and “master key 13” shown in FIG. 7 to the management server 101. For example, a command “authentication information request” is added to the head of the authentication information request packet 1020.

FIG. 8 is a diagram for explaining the “service addition registration process” in step S21 of FIG. 6 in detail.
The “service addition registration process” will be described with reference to FIG.
(1) The user 400 transmits a “service application screen display request” from the client PC 130 to the management server 101.
(2) Upon receiving the request from the client PC 130, the management server 101 displays a service application (service use application) screen on the display of the client PC 130.

  The service application screen 900 shown in the figure has a table format in which each row includes three items of “service name i” (i is a natural number), “service provider (service provider) i”, and “check box (◯)”. The check sheet 901 includes an application button 903 and a cancel button 905.

The user 400 selects a service to be used by checking a “check box” corresponding to the service by clicking the mouse or the like. In the figure, three services whose service names are service name 2, service name 4, and service name 5 are selected.
(3) When the user 400 finishes selecting the service to be used on the service application screen 900, the user 400 clicks the application button 903 with the mouse. By this click operation, an application request for the service selected on the service application screen 900 is sent to the management server 101. At this time, the application identifier of the selected service is also transmitted to the management server 101.

  When the management server 101 receives a “service application request” from the client PC 130, the administrator 700 determines whether or not the service requested by the user 400 (employee) can be used (step S41).

  The administrator 700 makes a use application (account application) from the management server 101 to the internal service server 110 or the external service server (310, 320) for the service determined to be available, and “ID” is sent from those service servers. Authentication information such as “password” is acquired (step S42).

  When the management server 101 receives the authentication information of the user 400 from the internal or external service server (110, 310, 320), the administrator 700 registers the authentication information in the personal information database 105 (step S43).

As described above, the service requested by the user 400 is registered in the personal information database 105.
[Service use]
FIG. 9 is a diagram illustrating an operation when a user uses a service (authentication service) of the internal service server 110 or the external service server (310, 320) using a client PC. In the following description, the internal service server 110 and the external service servers (310, 320) are collectively expressed as a service server.

With reference to FIG. 9, processing when the user receives service provision from the service server will be described.
The user 400 requests service use of the service server via the Web screen displayed by the Web client 506 (step S51).

  The Web client 506 requests authentication information of the server application that provides the requested service from the device library (dummy) 502 (step S52).

  Upon receiving the authentication information request from the Web client 506, the device library (dummy) 502 requests authentication information from the authentication client application 503 using the application identifier as an argument (step S53).

  Upon receiving the authentication information request from the device library (dummy) 502, the authentication client application 503 reads the master key 13 from the storage medium 10 (step S54). Then, an application identifier is acquired from the authentication information request packet (step S55).

  Next, the authentication client application 503 transmits “master key 13”, “unique identification code of the storage medium 10”, and “application identifier” to the management server 101, and requests service authentication information from the management server 101. (Step S56).

  The authentication server application 602 of the management server 101 receives the service authentication information request from the authentication client application 503 of the client PC (step S57). The authentication server application 602 searches the master key database 103 using the received master key 13 as a key, and reads registration data that matches the master key 13 (step S58). Then, using the “unique identification code of the storage medium 10” received in step S57, the “personal code” and the “random number” in the registration data, the calculation of the formula (1) is performed to generate a master key, User authentication is performed by comparing the master key with the master key 13 received from the authentication client application 503 (step S59).

  If it is confirmed that the user is 400 users, the personal information database 105 is searched using the master key 13 and the application identifier received from the authentication client application 503 as a key, and service authentication link information matching the key is read (step). S60). Next, based on the service authentication information link information, the service authentication information of the user 400 is read from the personal information database 105, and the service authentication information is returned to the authentication client application 503 of the client PC (step S61).

  The authentication client application 503 of the client PC receives the service authentication information from the management server 10 (step S62), and returns the service authentication information (authentication information) to the device library (dummy) 502 (step S63).

  The device library (dummy) 502 receives the authentication information from the authentication server application 602 (step S64), and returns the authentication information to the service application 501 (step S65). The service application 501 receives the authentication information (step S66), performs user authentication based on the authentication information, and provides a service when it is confirmed that the user is 400 (step S67).

FIG. 10 is a diagram illustrating an example in which a USB device is used as the storage medium 10 of the present embodiment. In this example, an IC card 133 is used as the storage medium 10.
The IC card reader / writer (121, 131) has a USB interface and is connected to the USB interface of the client PC. The client PC includes a USB interface 1201, and an IC card reader / writer 131 is connected to the USB interface 1201. Further, the client PC includes a LAN interface 1203 and is connected to the hub 160 via the LAN interface 1203.

  The driver group 508 mounted on the client PC includes a USB kernel mode device driver 508A and a USB bus driver 508B. In addition, a USB user mode library 509, which is a dynamic link library, is mounted on the client PC.

  The client PC controls the IC card reader / writer 131 via the USB user mode library 509, the USB kernel mode device driver 508A, the USB bus driver 508B, and the USB interface 1201, and the IC card mounted on the IC card reader / writer 131. The master key 13 is written / read to / from 133.

Even when the USB memory 135 is used as the storage medium 10, the writing / reading of the master key 13 to / from the USB memory 135 can be controlled with substantially the same configuration.
Next, a processing procedure for acquiring authentication information of the client PC in this embodiment will be described with reference to FIG. In this description, the processing already described above is omitted.
(1) The service application 501 issues a request for reading authentication information stored in the IC card 133.
(2) The device library (dummy) 502 receives a request for reading authentication information of the service application 501 and issues the request to the authentication client application 503. In response to the request from the device library (dummy) 502, the authentication client application 503 issues a request for reading the master key 13 from the IC card 133 to the USB user mode library 509.
(3) Upon receiving the request from the authentication client application 503, the USB user mode library 509 receives the IC card reader via the USB kernel mode device driver 508A, the USB bus driver 508B, the USB interface 1201, and the IC card reader / writer 131. / The master key 13 stored (registered) in the IC card 133 attached to the writer 131 is acquired. Then, the master key 13 is passed to the authentication client application 503.
(4) The authentication client application 503 transmits the master key 13 and the application identifier to the management server 101 via the LAN interface 1203, and transmits an authentication information read request to the management server 101 to the LAN interface 1203.
(5) The LAN interface 1203 transmits the authentication information read request to the management server 101 via the in-house LAN 150.
(6) The management server 101 acquires the corresponding authentication information (service authentication information) from the personal information database 105 based on the master key 13 and the application identifier by the process as described above, and transmits it to the LAN interface 1203. .
(7) The LAN interface 1203 sends the received authentication information to the authentication client application 503. The authentication client application 503 acquires the authentication information returned from the management server 101.
(8) The authentication client application 503 returns the acquired authentication information to the device library (dummy) 502. When the device library (dummy) 502 receives the authentication information from the authentication client application 503, it returns it to the service application 501. The service application 501 receives authentication information from the device library (dummy) 502.

  Thus, in this embodiment, the management server 101 performs centralized management (collective management) of the authentication information of each service application 501 in association with the master key 13 stored in the IC card 133 and the application identifier of each service application 501. Therefore, the service application 501 acquires authentication information necessary for user authentication from the management server 101 via the device library (dummy) 502. In acquiring the authentication information, the service application 501 only needs to issue an authentication information read request to the device library (dummy) 502.

Here, a conventional processing procedure in which the service application 501 acquires authentication information will be described with reference to FIG.
Conventionally, authentication information of each service application 501 is stored in the IC card 133 (see FIG. 13).

For this reason, the service application 501
(1) The service application 501 issues an authentication information read request to the USB user mode library 509.
(2) Upon receiving the authentication information reading request from the service application 501, the USB user mode library 509 receives the IC via the USB kernel mode device driver 508A, the USB bus driver 508B, the USB interface 1201, and the IC card reader / writer 131. The authentication information registered in the card 133 is acquired.
The authentication information was acquired by the processing procedure.

  In the present embodiment, the device library (dummy) 502 intercepts the authentication information read request issued by the service application 501 to the USB user mode library 509, so that the service application 501 does not change the conventional service application 501. The acquisition of authentication information is realized. Therefore, the existing service application 501 can be used as it is simply by installing the device library (dummy) 502 and the authentication client application 503 on the client PC.

FIG. 11 is a diagram showing the overall operation of this embodiment described above.
An “authentication input window” is displayed on the display of the client PC, and input of authentication information is awaited (step S71). This authentication input window is a window for inputting authentication information (ID and password) of the user 400.

  When the display of the authentication input window is detected (step S72), the master key 13 is read from the storage medium 10, the master key 13 and the application identifier are transmitted to the management server 101, and the personal information database managed by the management server 101 is obtained. Necessary authentication information is acquired from 105 (step S73).

  The acquired authentication information is output to the input area in the authentication input window (step S74). This output verifies that the user is 400 users by user authentication (step S75), and the service server provides a service to the client PC (step S76).

  As described above, in this embodiment, one master key 13 is stored in the storage medium 10 (IC card 133, USB memory 135, etc.). Further, authentication information necessary for user authentication when the user 400 of the client PC in the in-house network 100 uses the service application is centrally managed by the management server 101 in association with the master key 13. When the user 400 uses the service application, the master key 13 is read from the storage medium 10, and the master key 13 and the application identifier of the service application are transmitted to the management server 101, whereby user authentication of the service application is performed. Necessary authentication information is acquired from the management server 101, and user authentication is performed using this authentication information.

  In the above embodiment, the service server provides various services. However, as shown in FIG. 12, a service application may provide services in place of the service server. In FIG. 12, the same step number is assigned to the step of the same process. Therefore, explanation of the operation of this system is omitted.

In the embodiment of FIG. 12, a service application installed in a client PC provides a service to a user. In other words, the system shown in FIG. 12 is a service providing system that does not require network communication such as the in-house LAN 150.
As described above, according to the present embodiment, all of the services that can be used by the user 400 using the single master key 13 registered in the IC card 133 or the USB memory 135 held by the user 400 can be used. User authentication can be performed. In this embodiment, the user authentication can be realized without changing an existing service application.
In addition, since all the services used by the user 400 are centrally managed (collectively managed) by the master key database 103 and the personal information database 105 of the management server 101, addition / deletion of services used by the user 400 and users To add / delete 400, the management server 101 only needs to update the personal information database 105 and the master key database 103.

  The present invention is not limited to the above embodiments. The storage medium 10 may be a storage medium other than the IC card 133 and the USB memory 135. Further, the storage medium 10 may be a non-contact type storage medium. The numbers of client PCs, internal service servers, and external service servers are not limited to the embodiments. Further, the management server and the in-house service server may be the same server. Furthermore, a master key database and a personal information database may be constructed in a storage separated from the server.

  The present invention can be applied not only to B to E (Business to Employee) but also to user authentication in electronic commerce by B to C (Business to Consumer).

It is a figure explaining the principle of this invention. It is a hardware block diagram of the system of an Example. FIG. 3 is a diagram showing a software configuration of the system shown in FIG. 2. It is a figure which shows the data structure of a master key database and a personal information database. It is a figure which shows the outline | summary of the issuing process of a master key. It is a figure explaining the service registration process performed before a user's service utilization. It is a figure explaining the detail of the process performed by step S32-S36 of FIG. It is a figure explaining the "service addition registration process" of step S21 of FIG. 6 in detail. It is a figure explaining operation | movement at the time of a user using the service (authentication service) of an internal service server or an external service server using a client PC. It is a figure which shows the example at the time of using a USB device as a storage medium of a present Example. It is a figure which shows the operation | movement of a present Example entirely. It is a figure which shows the other Example of this invention. It is a schematic diagram which shows the user's service system using the conventional IC card. It is a figure explaining the process sequence in which the conventional service application acquires authentication information.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Storage medium 13 Master key 11 User 20 Management server 100 Internal network 101 Management server 103 Master key database 105 Personal information database 110 In-house service server 120, 130 Client PC
121, 131 IC card reader / writer 123, 133 IC card 125, 135 USB memory 140 Firewall 150 Internal LAN
160 Hub 200 Internet 310, 320 External network 311, 321 External service server 312, 322 Firewall 400 User 501 Service application 502 Device library (dummy)
503 Authentication client application 506 Web client 507 Master key reception / storage application 508 Driver group 601 LAN driver 602 Authentication server application 603 Web application 607 User registration application 700 Administrator 801 LAN driver 804 Business server 900 Service application screen 901 Check sheet 903 Application Button 905 Cancel button 1010 Service use application request packet 1020 Authentication information request packet 1201 USB interface 1203 LAN interface

Claims (6)

A security system that performs user authentication of a user of a client terminal when a service provision request is issued from a client terminal to a server that provides the service,
A storage medium that stores the master key and can be read by the client terminal;
The master key stored in the storage medium and the authentication information for user authentication of each service used by the user are associated and managed in an integrated manner, and the user transmits the master key and service identification information A management server that returns the authentication information to the client terminal of the user when requesting authentication information required for user authentication of the service;
A security system comprising: The security system according to claim 1,
The client terminal is
Reading means for reading a master key from the storage medium;
The master key read by the reading means is transmitted to the management server together with the service identifier provided to the user, and the management server is requested to return authentication information required for user authentication of the service. An authentication information requesting means;
Using authentication information received from the management server, comprising authentication means for performing user authentication of a user;
The management server
Authentication for returning authentication information used for user authentication of the service to the client terminal based on the master key and the service identification information when the authentication information return request is received from the authentication information requesting unit Information return means
It is characterized by providing. The security system according to claim 2,
The management server
A database for storing a master key held by a user in association with authentication information necessary for user authentication of a service available to the user,
The authentication information reply means includes
It has an authentication information acquisition means for searching the database using the master key and the service identifier as a key and acquiring the authentication information from the database. A security method for performing user authentication of a user of a client terminal when a service provision request is made from a client terminal to a server that provides the service,
Storing the master key in a storage medium readable by the client terminal;
The master key stored in the storage medium and the authentication information for user authentication of each service used by the user are associated and managed in an integrated manner, and the user transmits the master key and service identification information A step of returning the authentication information to the client terminal of the user when requesting authentication information required for user authentication of the service;
A security method comprising: The security method according to claim 4,
The client terminal is
Reading a master key from the storage medium;
The master key read in the reading step is transmitted to the management server together with the service identifier provided to the user, and a response of authentication information required for user authentication of the service is requested to the management server. Steps,
Using the authentication information received from the management server, executing the user authentication of the user,
The management server
An authentication information return step of returning authentication information used in user authentication of the service to the client terminal based on the master key and the service identification information when receiving the authentication information return request,
It is characterized by performing. The security method according to claim 5,
The management server
The master key held by the user is stored in the database in association with the authentication information required for user authentication of the service available to the user,
In the authentication information reply step,
The database is searched using the master key and the service identifier as keys, and the authentication information is obtained from the database.