JP7510340B2 - Authentication device, authentication method, and authentication program - Google Patents

Description

The present invention relates to an authentication system that takes measures against phishing.

Conventionally, in order to prevent unauthorized access to legitimate sites from malicious relay points used by phishing sites, sources that make large amounts of access have been detected and blocked by the legitimate site. For example, Patent Literature 1 proposes a technology for detecting and defending against DoS attacks that send large amounts of packets.

JP 2003-283571 A

However, the spread of botnets and cloud computing has made it possible for attackers to freely change the source IP address, and they can detect a block by a legitimate site and automatically change their IP address. This also raises the risk that legitimate sites will block general users as well, making it difficult to obtain sufficient defensive effects.

As a result, other anti-phishing technologies have become mainstream in recent years, but no matter what countermeasure technology is used, it is difficult to stop users from acting as intended by the attacker, even if phishing sites can be detected, so there is still a need for technology to block malicious relay points.

The present invention aims to provide an authentication device, authentication method, and authentication program that can build an authentication system that is difficult to phish.

The authentication device according to the present invention includes an address storage unit that, when a login terminal attempts to log in to a specified service, associates the IP address of the login terminal with the user ID and holds it valid for a specified period of time at a specified intermediate point that accepts access from the login terminal that can identify a user ID, which is preset in a login sequence, and an address comparison unit that fails the login based on the access if the IP address that accepted the access does not belong to the same subnet as the IP address of the same user ID that is held in the address storage unit.

The authentication device includes an authentication information sending unit that sends logged-in authentication information to a terminal that has completed login, an authentication information receiving unit that receives the logged-in authentication information only when the logged-in terminal holds the logged-in authentication information together with predetermined information defined in the login sequence, and an authentication information verifying unit that verifies the validity of the logged-in authentication information received by the authentication information receiving unit, and the address matching unit may match the IP address when the logged-in authentication information is not received by the authentication information receiving unit.

As the intermediate point, a point that can be assumed to be accessed from a legitimate terminal may be set in advance for each login sequence.

The address matching unit may request the login terminal to input the site used immediately before the access if the IP address that accepted the access belongs to the same subnet as the IP address of the same user ID stored in the address storage unit.

The authentication device may include a logged-in address registration unit that registers the IP address of a terminal that has completed login in association with the user ID at the time of the login, and a network verification unit that verifies that the IP address that accepted the access is a legitimate one that belongs to the same subnet as the IP address of the same user ID registered by the logged-in address registration unit.

The authentication method according to the present invention is executed by a computer to: when a login terminal attempts to log in to a specified service, at a specified intermediate point, which is preset in a login sequence, where the login terminal accepts an access that can identify a user ID, link the IP address of the login terminal to the user ID and hold it valid for a specified period of time; and, if the IP address that accepted the access does not belong to the same subnet as the IP address of the same user ID that is held in the address holding step, cause the login based on the access to fail.

The authentication program according to the present invention is for causing a computer to function as the authentication device.

The present invention creates an authentication system that makes phishing difficult.

2 is a diagram conceptually illustrating a login sequence used by the authentication system in the first embodiment. FIG. FIG. 2 is a diagram illustrating a functional configuration of an authentication device according to the first embodiment. 4 is a flowchart illustrating a process flow of an authentication method according to the first embodiment. FIG. 11 is a diagram illustrating a first example of a login sequence to which the authentication method according to the first embodiment is applied. FIG. 11 is a diagram illustrating a second example of a login sequence to which the authentication method of the first embodiment is applied. FIG. 11 is a diagram illustrating a functional configuration of an authentication device according to a second embodiment.

[First embodiment]
A first embodiment of the present invention will now be described.
In the authentication method of this embodiment, for a logged-in user, a situation is determined in which access from a phishing site is suspected based on the logged-in authentication information previously distributed to the terminal being used by the user and the source IP address, and access is blocked.

FIG. 1 is a diagram conceptually showing a login sequence used by the authentication system of this embodiment.
Here, the user authentication procedure is not limited, and a new function is added by the authentication device 1 to the existing login sequence to configure an authentication system.

When a user attempts to log in to a specified service by entering an ID and password, a one-time password, or other operations that are divided into multiple steps using two-step authentication or the like, the completion point of each step (including the completion of all steps) is referred to as the "login midpoint," and the point at which the service becomes available thereafter is referred to as "login completion."
The "login midpoint" is defined as the stage during the login sequence at which the authentication device 1 receives access from the login terminal that can identify an ID that identifies the user attempting to log in. In particular, for each login sequence, a point that can be estimated as being access from a legitimate terminal is predetermined as a predetermined midpoint depending on the authentication method.

Of the terminals used by the user, the terminal from which the user will log in is called the login terminal (login terminal X in Figure 1), and if there are other terminals used in the process, they are called authentication terminals (authentication terminal Y in Figure 1).

FIG. 2 is a diagram showing the functional configuration of the authentication device 1 in this embodiment.
The authentication device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control unit 10 and a storage unit 20, as well as various data input/output devices and communication devices.

The control unit 10 is a part that controls the entire authentication device 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for various programs and various data for causing the hardware group to function as the authentication device 1, and may be a ROM, a RAM, a flash memory, a hard disk drive (HDD), etc. Specifically, the storage unit 20 stores a program (authentication program) for causing the control unit 10 to execute each function of this embodiment, as well as the IP address of the access source terminal, logged-in authentication information, etc.
Here, it is assumed that logged-in authentication information indicating that the user has already logged in to a terminal to which the user has previously "completed logging in" has been distributed.

The control unit 10 includes an authentication information transmission unit 11, an authentication information reception unit 12, an authentication information verification unit 13, an address holding unit 14, and an address matching unit 15.

The authentication information transmission unit 11 transmits the logged-in authentication information to the terminal of the user who has completed the login.

The authentication information receiving unit 12 receives the logged-in authentication information only if the login terminal holds the logged-in authentication information together with the specified information defined in the login sequence at a stage where communication with the authentication device 1 occurs, such as a login intermediate point.

The authentication information verifying unit 13 verifies the validity of the logged-in authentication information received by the authentication information receiving unit 12 .
Verification of authentication information is a procedure to confirm that the logged-in authentication information is data that was previously generated by the authentication system, and is performed through some or all of a database match, digital signature verification, and hash value match.

At the login intermediate point, the address storage unit 14 temporarily stores the IP address of the login terminal in the storage unit 20 validly for a predetermined period of time in association with the user ID.
Here, temporarily stored data refers to data that is stored in a database including the time of storage or expiration date, and data that has been stored for a certain period of time is deleted, or stored with the intention of not using it for the next reference after the certain period of time has passed.

The address matching unit 15 checks the IP address that received the access at the login intermediate point or the like against the IP address of the same user ID stored in the memory unit 20 to see if there is a partial match. Specifically, if the two IP addresses do not belong to the same subnetwork (any of /8 to /32), the address matching unit 15 causes the login based on this access to fail.

In addition, when the authentication information receiving unit 12 receives logged-in authentication information, the address matching unit 15 does not need to perform a verification operation by matching the IP address, but when the authentication information receiving unit 12 does not receive the logged-in authentication information, it performs IP address matching.

FIG. 3 is a flowchart illustrating a process flow of the authentication method according to this embodiment.
This series of processes is executed each time data communication is performed between the login terminal and the authentication device 1 in the login sequence.

In step S1, the authentication device 1 accepts access from the login terminal X, and if the login terminal X holds logged-in authentication information in addition to the information required for login, it receives the logged-in authentication information.

In step S2, the authentication device 1 determines whether or not logged-in authentication information has been received. If the determination is YES, the process proceeds to step S3, and if the determination is NO, the process proceeds to step S6.

In step S3, the authentication device 1 verifies that the received logged-in authentication information was issued by the authentication system.

In step S4, the authentication device 1 determines whether or not the verification of the logged-in authentication information has been successful. If the determination is YES, the authentication device 1 determines that the access is from a legitimate logged-in terminal and the process ends. On the other hand, if the determination is NO, the process proceeds to step S5.

In step S5, the authentication device 1 fails the login attempt by the user because the logged-in authentication information is invalid.

In step S6, the authentication device 1 determines whether the IP address associated with the user ID for which the login is being attempted is validly temporarily held. If the determination is YES, the process proceeds to step S7, and if the determination is NO, the process proceeds to step S9.

In step S7, the authentication device 1 compares the IP address of the login terminal that accepted the access with the temporarily stored IP address, and determines whether or not there is a partial match. If the determination is YES, the authentication device 1 determines that the access is from a legitimate login terminal, and the process ends. On the other hand, if the determination is NO, the process proceeds to step S5.

In step S8, the authentication device 1 determines whether the current stage is a preset login intermediate point. If the determination is YES, the process proceeds to step S9, and if the determination is NO, the process ends.

In step S9, the authentication device 1 temporarily stores the IP address of the login terminal in association with the user ID.

As a result of this series of processes, when a user attempts to log in from a new device, excluding devices that the user has logged in to once before, even if the login is not completed, the user will only be able to log in from partially matching IP addresses for a certain period of time.

FIG. 4 is a diagram showing a first example of a login sequence to which the authentication method of the present embodiment is applied.
This example shows a one-time domain authentication method proposed in Japanese Patent Application No. 2020-186412.

In this login sequence, first, the login terminal X accesses the authentication device 1 (1-2) in response to a user operation (1-1), and the authentication device 1 transmits screen data for displaying a login preparation screen to the login terminal X (2).

The login terminal X accepts input of a user ID from the user (3-1) and transmits it to the authentication device 1 in response to pressing of the login button (3-2). After verifying the validity of the password for the user ID, the authentication device 1 randomly generates a first key K and associates it with the user ID (4). Here, the authentication device 1 adds a specific domain information to the first key to create destination information (one-time domain).

The authentication device 1 sends a notification indicating the one-time domain to the authentication terminal Y (5-1), and transitions the login preparation screen of the login terminal X to a login explanation screen, displays a message indicating that the notification has been sent to the authentication terminal Y, and prompts the user to input the one-time domain into the address bar (5-2).

Based on the notification, authentication terminal Y displays a login permission screen and presents the one-time domain to the user (6). The user reads the one-time domain displayed on authentication terminal Y and enters it into the address bar of the browser on login terminal X (7-1), and login terminal X accesses authentication device 1 (7-2).

The authentication device 1 randomly generates a second key for access to the one-time domain and associates it with the user ID that was associated with the first key included in the one-time domain (8-1). The authentication device 1 then transmits screen data for displaying a re-authentication screen describing the second key as a one-time password to the login terminal X (8-2), and the login terminal X displays the re-authentication screen and presents the one-time password to the user (8-3).

The user enters the read one-time password into the login permission screen of authentication terminal Y and presses the approval button (9-1). Authentication terminal Y sends the one-time domain together with the entered one-time password to authentication device 1 (9-2).

When the authentication device 1 receives the one-time password and the one-time domain from the authentication terminal Y, it confirms that the user ID associated with the received one-time password, i.e., the second key, is the same as the user ID associated with the first key included in the one-time domain (10-1). If the user IDs are the same, the authentication device 1 transmits authentication information of the user ID to the login terminal X that displays a re-authentication screen for this user ID, thereby completing the login (10-2, 10-3).
This allows the user to use the service at the login terminal X using the received authentication information.

In this authentication method, there are four login intermediate points where data is transmitted from the login terminal X to the authentication device 1: steps 3-2, 7-2, 9-2, and 10-2, and login is completed at step 10-3.
Among these steps, 7-2 is the point where there is the highest possibility that the access is from an original legitimate user, and therefore 7-2 is set as a predetermined login intermediate point where the IP address is temporarily held.

As a result, for example, if there is access from an attacker (phishing site) in step 10-2, the authentication device 1 will fail the login since partial address match will not be established.
That is, when the IP address is temporarily stored as a whitelist in step 7-2, login from a source outside the IP range (subnet) is not possible for a certain period of time. As a result, a user who has logged in once will not be phished again even if they receive further instructions on a phishing site, etc.

FIG. 5 is a diagram showing a second example of a login sequence to which the authentication method of the present embodiment is applied.
This example shows an authentication method using a two-dimensional barcode that applies DRM (Digital Rights Management) proposed in Japanese Patent Application No. 2020-127621.

In this login sequence, login terminal X first accesses the service server and requests a login screen for displaying a two-dimensional barcode (1-1). Upon receiving the screen data (1-2), it displays the login screen (1-3).

The login terminal X requests an image display script from the authentication server (authentication device 1) in accordance with an instruction to display a video file included in the login screen (2-1). The authentication server grants a license to the accessing user, generates a DRM-enabled video file, and returns the image display script (2-2). The login terminal X executes the image display script on the login screen and starts playing the video file (2-3).
This video file contains, as display content, a two-dimensional barcode that represents a URL associated with the user.

To display the video file, logged-in terminal X requests DRM license information from the authentication server according to the instructions in the script (3-1). Upon receiving the license information from the authentication server (3-2), it plays the video file and displays the two-dimensional barcode (4).

The user reads a two-dimensional barcode included in the video displayed on the login screen with the camera of the authenticated authentication terminal Y (5), and requests the screen of the URL indicated by the two-dimensional barcode from the authentication server (6-1).
When the authentication server identifies the authenticated user of authentication terminal Y, it returns screen data to authentication terminal Y (6-2), and in response to a request from the script of login terminal X (7), it generates key information for the user of login terminal X by linking the license information with the URL represented by the two-dimensional barcode, thereby completing the login.

In this authentication method, there are three login intermediate points: steps (1, 2-1, 3-1), 6-1, and 7, and login is completed after step 7. Note that the three accesses in steps 1, 2-1, and 3-1 occur within a single screen as viewed from the user, and therefore form a single login intermediate point.
Among these steps, 3-1 is the point where the access is most likely to be from an original legitimate user, so 3-1 is set as the predetermined login intermediate point where the IP address is temporarily stored. If an access is made from an attacker (phishing site) in step 6-1 or 7, the address partial match does not hold, so the authentication device 1 fails the login.

According to this embodiment, when a login terminal attempts to log in to a specified service, the authentication device 1 links the IP address of the login terminal to a user ID at a specified login midpoint and holds it valid for a specified period of time, and if the IP address that subsequently accepts access does not belong to the same subnet as the held IP address of the same user ID, the authentication device 1 causes the login based on this access to fail.
Therefore, the authentication device 1 controls so that logins can only be made from partially matching IP addresses for a certain period of time, causing login attempts from sources that do not belong to the same subnetwork to fail, thereby suppressing unauthorized logins and making it possible to build an authentication system that is difficult to perpetrate phishing attacks.

In particular, by presetting a point that can be assumed to be accessed from a legitimate terminal as a specified login intermediate point for each login sequence, the authentication device 1 can prevent a legitimate user who has successfully logged in from being redirected to a phishing site again.

Here, the following characteristics can be seen in the behavior of users who have begun to act completely in accordance with the attacker's intentions, even if strong warning messages are displayed.
1. First, follow the instructions displayed on the screen in front of you.
2. If you are still unable to log in to the phishing site, follow the instructions on the phishing site.
3. Ignore any warnings and keep trying to log into the phishing site until you succeed.

For such users, for example, in the one-time domain authentication method described above, if a phishing site states, "If you access the URL displayed on another terminal and are unable to log in to this site, please try logging in again and enter the displayed URL into the input field on this site," the user may be at risk of being phished by following the instructions of a newly opened phishing site or a phishing site that remains in a browser tab and has failed to log in. The authentication system of this embodiment can prevent such a situation from occurring for a certain period of time until the user has calmed down.

In addition, the authentication device 1 transmits logged-in authentication information to the terminal that has completed the login and verifies the validity of the logged-in authentication information received from the logged-in terminal, thereby eliminating the need to verify the IP address when logging in again from the same terminal and simplifying the authentication sequence.
In this embodiment, since the logged-in authentication information and IP addresses are registered as a whitelist, the authentication device 1 can safely accept only logins from authorized terminals.

[Second embodiment]
A second embodiment of the present invention will now be described.
In this embodiment, the authentication device 1 registers, in addition to the logged-in authentication information in the first embodiment, information indicating networks used for logging in in the past as a whitelist, and permits the same user to log in from the same network on a new terminal.

FIG. 6 is a diagram showing the functional configuration of the authentication device 1 in this embodiment.
The control unit 10 of the authentication device 1 includes a logged-in address registration unit 16 and a network verification unit 17 in addition to the functional units in the first embodiment.

The logged-in address registration unit 16 links the IP address of the terminal that has completed the login with the user ID at the time of the login and registers it in the memory unit 20 as a whitelist for permitting login.

The network verification unit 17 verifies that the IP address that has been accessed is a legitimate one that belongs to the same subnet as the IP address of the same user ID registered by the logged-in address registration unit 16.

The logged-in authentication information in the first embodiment is used as a whitelist when a terminal that has logged in in the past attempts to log in to another network.
On the other hand, the IP address registered by the logged-in address registration unit 16 is information for permitting login from the same subnet as the IP address used when the user normally logged in. In other words, this list of IP addresses is used as a whitelist when attempting to log in from a new terminal within a network that was previously used for logging in.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. Furthermore, the effects described in the above-described embodiments are merely a list of the most favorable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments.

In the above-described embodiment, if the IP address that has been accessed belongs to the same subnet as the IP address of the same user ID stored by the address storage unit 14, the address matching unit 15 may request the login terminal X to input the site that was used immediately before the access.

For example, let us assume that a valid user is attempting to log in from a PC (login terminal X) using an authenticated smartphone (authentication terminal Y), and the site accessed from the PC turns out to be a phishing site, and the authentication method using the one-time domain described above is used. In this case, the following series of steps will prompt the user to investigate and take action to address the login failure, making it possible to efficiently discover and eliminate the phishing site.

(1) By adding the IP address of the PC that first displays the screen immediately after the one-time domain is entered to a whitelist, the authentication system can detect phishing attempts based on the behavior of a legitimate user while logged in on the PC.
At this point, the authentication system recognizes that it has detected a phishing site, but cannot actually rule out the possibility that a system malfunction has prevented the user from logging in, or that the user has performed an inexplicable operation (for example, logging in simultaneously on multiple PCs). Therefore, while it can warn that it may be a phishing site, it cannot determine that it is a malicious site and display a message informing the user that the site in question cannot be used.

(2) The authentication system detects phishing and fails the login attempt, but the user finds the failure puzzling and tries to log in again.

(3) The user follows the instructions on the phishing site and sends the one-time domain to the phishing site, but the phishing attempt is unsuccessful because the one-time domain has already been whitelisted.

(4) When a user who has tried and failed tries again accesses the legitimate authentication system from their own PC that has been whitelisted (for example, via a search), a report form containing information about the site they had previously used is displayed.

(5) The user believes that because the login attempt was unsuccessful, the service provider is asking him to enter the cause of the failure in order to investigate the cause, and reports the URL of the phishing site that he was originally using.
At this point, the user's mind is preoccupied with the enticing offers of the phishing site (e.g., the ability to purchase bargain-priced products), and they may pay no attention to any warnings that may be displayed, and may even be furious at the phishing detection message. However, since they are determined to achieve their goal, it is likely that they will respond to the troublesome report form.

(6) Once the business is able to confirm that the site reported by the user is a phishing site, it is determined at this point that the user attempted to use a phishing site.
Therefore, it is possible to conclusively inform the user that the site they are using is a malicious site the next time they use the site, or by phone, etc. If several days have passed, the user will have calmed down and it is expected that they will readily accept the warning.

The authentication method by the authentication device 1 is realized by software. When realized by software, the programs that make up this software are installed in an information processing device (computer). These programs may be recorded on removable media such as CD-ROM and distributed to users, or may be distributed by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded.

REFERENCE SIGNS LIST 1 Authentication device 10 Control unit 11 Authentication information transmission unit 12 Authentication information reception unit 13 Authentication information verification unit 14 Address storage unit 15 Address matching unit 16 Logged-in address registration unit 17 Network verification unit 20 Storage unit

Claims (7)

an address storage unit that, when a login terminal attempts to log in to a predetermined service, associates an IP address of the login terminal with a user ID and stores the IP address validly for a predetermined period of time at a predetermined intermediate point that accepts an access from the login terminal that can identify a user ID, the intermediate point being preset in a login sequence;
an address matching unit that, when a new access is accepted after the IP address of the login terminal is held in the address holding unit, causes the login based on the access to fail if the IP address from which the access is accepted does not belong to the same subnet as the IP address of the same user ID held in the address holding unit. an authentication information transmission unit that transmits logged-in authentication information to a terminal that has completed login;
an authentication information receiving unit that receives the logged-in authentication information only when the login terminal holds the logged-in authentication information together with predetermined information defined in the login sequence;
an authentication information verification unit that verifies the validity of the logged-in authentication information received by the authentication information receiving unit,
The authentication device according to claim 1 , wherein the address matching unit matches the IP address when the authentication information receiving unit does not receive the logged-in authentication information. The authentication device according to claim 1 or 2, wherein a point that can be assumed to be accessed from a legitimate terminal is set in advance as the intermediate point for each login sequence. The authentication device according to any one of claims 1 to 3, wherein the address matching unit requests the login terminal to input the site used immediately before the access when the IP address that accepted the access belongs to the same subnet as the IP address of the same user ID stored in the address storage unit. a logged-in address registration unit that registers the IP address of a terminal that has completed login in association with the user ID at the time of the login;
5. The authentication device according to claim 1, further comprising: a network verification unit that verifies that the IP address that has been accessed is a legitimate IP address that belongs to the same subnet as an IP address of the same user ID registered by the logged-in address registration unit. an address retention step of, when a login terminal attempts to log in to a predetermined service, linking an IP address of the login terminal with a user ID and retaining the address validly for a predetermined period of time at a predetermined intermediate point where an access capable of identifying a user ID is accepted from the login terminal, the intermediate point being preset in a login sequence;
and an address matching step of failing the login based on any new access received after the IP address of the login terminal is stored in the address storage step, if the IP address used to receive the access does not belong to the same subnet as the IP address of the same user ID stored in the address storage step. An authentication program for causing a computer to function as an authentication device according to any one of claims 1 to 5.

Images