[go: up one dir, main page]

US20140380440A1 - Authentication information management of associated first and second authentication information for user authentication - Google Patents

Authentication information management of associated first and second authentication information for user authentication Download PDF

Info

Publication number
US20140380440A1
US20140380440A1 US14/482,486 US201414482486A US2014380440A1 US 20140380440 A1 US20140380440 A1 US 20140380440A1 US 201414482486 A US201414482486 A US 201414482486A US 2014380440 A1 US2014380440 A1 US 2014380440A1
Authority
US
United States
Prior art keywords
authentication
password
change
authentication information
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/482,486
Inventor
Itaru Nakagawa
Kazuo Sasaki
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Ltd
Original Assignee
Fujitsu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Ltd filed Critical Fujitsu Ltd
Priority to US14/482,486 priority Critical patent/US20140380440A1/en
Publication of US20140380440A1 publication Critical patent/US20140380440A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/556Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Definitions

  • FIG. 2 is a view illustrating a hardware configuration of the authentication system of the present embodiment
  • FIG. 4 is a view illustrating authentication management information
  • FIG. 7 is a sequence diagram illustrating operations of the authentication system concerning login and logout
  • FIG. 8 is a flowchart illustrating operations of change processing performed in the case where the change timing is “change at every login”;
  • the login process of the client terminal 1 to the application is accomplished through a first authentication for the application and a second authentication for the authentication information management server 2 .
  • the first authentication is an application-specific authentication, so that its authentication method depends on the application.
  • the second authentication its authentication method does not depend on the application; therefore an authentication method according to desired authentication strength can be selected.
  • authentication information relating to the first authentication is referred to as “first authentication information”
  • authentication information relating to the second authentication is referred to as “second authentication information”.
  • the authentication information includes a set of an ID and an authentication key.
  • the client terminal 1 , authentication information management server 2 , and AP server 3 in the authentication system of the present embodiment each have a CPU (Central Processing Unit) 90 and a memory 91 .
  • software for the authentication of the present embodiment is installed in the client terminal 1 .
  • the installed software allows the client terminal 1 to function as a second authentication request section 11 , a reception section 12 , a first authentication request section 13 , and an end notification section 14 .
  • the authentication information management server 2 has as its functions an authentication information management section 21 (management section), a second authentication section 22 (authentication section), a reply section 23 , a state management section 24 , a change section 25 , and a transmitting section 26 .
  • the functional sections described above are achieved by the CPUs 90 provided in the client terminal 1 and the authentication information management server 2 .
  • the authentication information management section 21 of the authentication information management server 2 associates applications (application 1 and application 2 ) provided by the AP server 3 , first authentication information, and second authentication information with one another to manage them as authentication management information (correspondence information).
  • the second authentication section 22 executes the second authentication based on the second authentication information and receives the request for transmission of the first authentication information from the client terminal 1 .
  • the reply section 23 transmits, to the client terminal 1 , a reply to the request for execution of the second authentication received by the second authentication section 22 and the first authentication information as a reply to the request for transmission of the first authentication information.
  • the state management section 24 manages an application usage state of the client terminal 1 as state information.
  • the change section 25 changes the first authentication information at the timing based on policy information indicating a predetermined condition.
  • the transmitting section 26 transmits the first authentication information changed by the change section 25 to the AP server 3 for updating first authentication information of terminal 1 .
  • FIG. 5 is a view illustrating the policy information.
  • the second authentication section 22 of the authentication information management server 2 executes the second authentication based on the second authentication information in the authentication information management information according to the request from the client terminal 1 and returns a reply to the client terminal 1 (S 102 ).
  • the second authentication is executed based on determination of whether the second authentication information in the second authentication execution request from the client terminal 1 coincides with the second authentication information in the authentication information management information.
  • the change section 25 refers to the policy information once again for next request (S 201 ).
  • the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S 207 ).
  • the change section 25 refers to the policy information once again for next request (S 301 ).
  • FIG. 10 is a flowchart illustrating operations of the change processing performed in the case where the change timing is “change at second authentication”.
  • FIG. 12 is a flowchart illustrating the operations of the AP server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

An authentication information management program of an authentication information management apparatus allowing the authentication information management apparatus to execute: changing the first authentication information in correspondence information which is information including the first authentication information and second authentication information in association with each other and stored in a storage section of the authentication information management apparatus; transmitting the authentication apparatus of the changed first authentication information; determining, in response to a request from the apparatus to be authenticated, whether the second authentication information in the authentication request coincides with the second authentication information in the correspondence information; and returning, in the case where it is determined that the second authentication information in the authentication request coincides with the second authentication information in the correspondence information, the first authentication information associated with the second authentication information read from the storage section.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a divisional application of and claims priority to U.S. Ser. No. 12/728,420, which was filed Mar. 22, 2010, is pending, and is hereby incorporated by reference in its entirety for all purposes. U.S. Ser. No. 12/728,420 is based upon and claims the benefit of priority of the prior Japanese Patent Application No. 2009-088745, filed on Apr. 1, 2009, the entire contents of which are incorporated herein by reference.
    • FIELD
  • The embodiments discussed herein are relates to a user authentication technique.
    • BACKGROUND
  • User authentication technique is used for protecting applications. In the case where a user authentication teqnique (e.g., password authentication) that has been introduced for an application is changed to a more robust authentication technique (e.g., biometric authentication), the application itself protected by the user authentication technique needs to be changed.
  • In order to cope with the above problem, there has been proposed an authentication technique using a plurality of authentication methods. For example, there is known a technique that manages user authentication information that a user uses for authentication, terminal authentication information that a user terminal uses for authentication, and a login script to an ASP (Application Service Provider) (refer to, e.g., Japanese Laid-open Patent Publication No. 2002-328904). In this authentication technique, only when user authentication has been successfully completed, the login script to the ASP is sent to the user terminal, and the user terminal acts as the user to execute authentication to the ASP using the terminal authentication information. In this authentication technique, the two pieces of information (user authentication information and terminal authentication information) are managed in association with each other by a management server.
  • However, in the technique disclosed in Japanese Laid-open Patent Publication No. 2002-328904, if the terminal authentication information is leaked, a system is in a vulnerable state until a system administrator or a user changes the terminal authentication information.
    • SUMMARY
  • A computer-readable recording medium that records, in a computer readable manner, an authentication information management program for an authentication information management apparatus that can be connected to an authentication apparatus that executes an authentication based on first authentication information and an apparatus to be authenticated based on the first authentication information, allowing the authentication information management apparatus to execute: changing the first authentication information in correspondence information which is information including the first authentication information and second authentication information different from the first authentication information in association with each other and stored in a storage section of the authentication information management apparatus; transmitting the authentication apparatus of the changed first authentication information; determining, in response to a request for execution of an authentication based on the second authentication information which is issued from the apparatus to be authenticated, whether the second authentication information in the authentication request coincides with the second authentication information in the correspondence information; and returning, in the case where it is determined that the second authentication information in the authentication request coincides with the second authentication information in the correspondence information, the first authentication information associated with the second authentication information read from the storage section as a reply to the request for the execution of the first authentication which is issued from the apparatus to be authenticated.
  • The object and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the claims.
  • It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
    • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a view illustrating the entire configuration of an authentication system according to an embodiment of the present invention;
  • FIG. 2 is a view illustrating a hardware configuration of the authentication system of the present embodiment;
  • FIG. 3 is a view illustrating functional configurations of a client terminal and an authentication information management server;
  • FIG. 4 is a view illustrating authentication management information;
  • FIG. 5 is a view illustrating policy information;
  • FIG. 6 is a view illustrating state information;
  • FIG. 7 is a sequence diagram illustrating operations of the authentication system concerning login and logout;
  • FIG. 8 is a flowchart illustrating operations of change processing performed in the case where the change timing is “change at every login”;
  • FIG. 9 is a flowchart illustrating operations of the change processing performed in the case where the change timing is “periodic intervals”;
  • FIG. 10 is a flowchart illustrating operations of the change processing performed in the case where the change timing is “change at second authentication”;
  • FIG. 11 is a flowchart illustrating operations of transmitting processing;
  • FIG. 12 is a flowchart illustrating operations of the AP server; and
  • FIG. 13 is a view illustrating an example of a computer system to which the present invention is applied.
    •  DESCRIPTION OF EMBODIMENTS
  • An embodiment of the present invention will be described below with reference to the accompanying drawings.
  • First, the entire configuration of an authentication system according to the present embodiment will be described. FIG. 1 is a view illustrating the entire configuration of an authentication system according to the present embodiment.
  • As illustrated in FIG. 1, an authentication system according to the present embodiment includes a client terminal 1 (apparatus to be authenticated), an authentication information management server 2, and an AP (Application) server 3 (authentication server), which are connected to one another through a network. The AP server 3 provides an application having an authentication function to the client terminal 1. The client terminal 1 uses the application provided by the AP server 3 through a login process. The authentication information management server 2 manages authentication information relating to the login process of the client terminal 1.
  • In the authentication system of the present embodiment, the login process of the client terminal 1 to the application is accomplished through a first authentication for the application and a second authentication for the authentication information management server 2. The first authentication is an application-specific authentication, so that its authentication method depends on the application. In the case of the second authentication, its authentication method does not depend on the application; therefore an authentication method according to desired authentication strength can be selected. Hereinafter, authentication information relating to the first authentication is referred to as “first authentication information”, and authentication information relating to the second authentication is referred to as “second authentication information”. Further, in the present embodiment, the authentication information includes a set of an ID and an authentication key.
  • Next, a hardware configuration and a functional configuration of the authentication system of the present embodiment will be described. FIG. 2 is a view illustrating a hardware configuration of the authentication system of the present embodiment. FIG. 3 is a view illustrating functional configurations of the client terminal and authentication information management server.
  • As illustrated in FIG. 2, the client terminal 1, authentication information management server 2, and AP server 3 in the authentication system of the present embodiment each have a CPU (Central Processing Unit) 90 and a memory 91. Further, software for the authentication of the present embodiment is installed in the client terminal 1. As illustrated in FIG. 3, the installed software allows the client terminal 1 to function as a second authentication request section 11, a reception section 12, a first authentication request section 13, and an end notification section 14. The authentication information management server 2 has as its functions an authentication information management section 21 (management section), a second authentication section 22 (authentication section), a reply section 23, a state management section 24, a change section 25, and a transmitting section 26. The functional sections described above are achieved by the CPUs 90 provided in the client terminal 1 and the authentication information management server 2.
  • The second authentication request section 11 of the client terminal 1 requests the authentication information management server 2 to execute the second authentication based on the second authentication information and, after completion of the authentication, requests the authentication information management server 2 to transmit thereto the first authentication information. The reception section 12 receives, from the authentication information management server 2, a reply to the request made from the second authentication request section 11 and first authentication information. The first authentication request section 13 requests the AP server 3 to execute the first authentication based on the first authentication information. The end notification section 14 notifies the authentication information management server 2 of application logout in client terminal 1 as an end notification.
  • The authentication information management section 21 of the authentication information management server 2 associates applications (application 1 and application 2) provided by the AP server 3, first authentication information, and second authentication information with one another to manage them as authentication management information (correspondence information). The second authentication section 22 executes the second authentication based on the second authentication information and receives the request for transmission of the first authentication information from the client terminal 1. The reply section 23 transmits, to the client terminal 1, a reply to the request for execution of the second authentication received by the second authentication section 22 and the first authentication information as a reply to the request for transmission of the first authentication information. The state management section 24 manages an application usage state of the client terminal 1 as state information. The change section 25 changes the first authentication information at the timing based on policy information indicating a predetermined condition. The transmitting section 26 transmits the first authentication information changed by the change section 25 to the AP server 3 for updating first authentication information of terminal 1.
  • Next, the authentication management information will be described. FIG. 4 is a view illustrating the authentication management information.
  • As illustrated in FIG. 4, the authentication management information includes an application, first authentication information, and second authentication information in association with one another. The first authentication information and second authentication information each include an ID which is an identifier uniquely identifying a specific user and an authentication key in association with each other. In the authentication management information illustrated in FIG. 4.
  • Next, the policy information will be described. FIG. 5 is a view illustrating the policy information.
  • As illustrated in FIG. 5, the policy information includes an application and a policy in association with each other. The policy includes a change timing and an authentication key generation condition in association with each other. The authentication key generation condition includes an authentication method and a generation condition in association with each other. The change timing is a condition for changing the first authentication information. The change timing condition includes whether to allow a change to be made “change at every login”, “change at periodic intervals”, and “change at second authentication”, whether to allow a change to be made in-use, and the like. These conditions are examples and other conditions may be set. In the case where the first authentication information is changed “change at periodic intervals”, the associated authentication key is changed in periodic. The authentication method is an authentication system of the associated application. The generation condition is a condition for generating the authentication key corresponding to the associated application.
  • Next, the state information will be described. FIG. 6 is a view illustrating the state information.
  • As illustrated in FIG. 6, the state information includes an ID of the second authentication information, an application, a use state of the application, and a terminal using the application in association with one another. The use state is represented by “in-use” indicating a state where the client terminal is logging in the application or “unused” indicating a state where the client terminal is not logging in the application. In the case where the use state is “in-use”, the client terminal that is logging in the application as a usage source terminal is associated with the second authentication ID and application. Although the use state includes both “in-use” and “unused” in FIG. 6, it may include only an application in-use as a management target. In this case, only a client terminal that utilizes the application to be managed is entered into the state information and, when this client terminal stops utilizing the application, the entry thereof is deleted from the state information.
  • Next, operation of the authentication system concerning login and logout of the client terminal to/from the application will be described using a flowchart. FIG. 7 is a sequence diagram illustrating the operations of the authentication system concerning login and logout. It is assumed in FIG. 7 that the first and second authentication information are stored for management, as authentication information management information, in a storage (e.g., memory 91) by the authentication information management section.
  • The second authentication request section 11 of the client terminal 1 requests the authentication information management server 2 to execute the second authentication based on the second authentication information (S101).
  • The second authentication section 22 of the authentication information management server 2 executes the second authentication based on the second authentication information in the authentication information management information according to the request from the client terminal 1 and returns a reply to the client terminal 1 (S102). The second authentication is executed based on determination of whether the second authentication information in the second authentication execution request from the client terminal 1 coincides with the second authentication information in the authentication information management information.
  • After completion of the second authentication by the authentication information management server 2, the second authentication request section 11 of the client terminal 1 requests the authentication information management server 2 to transmit thereto the first authentication information (S103).
  • The second authentication section 22 of the authentication information management server 2 changes the application use state of the client terminal 1 to “in-use” through the state management section 24 (S104). After the change, the second authentication section 22 refers to the authentication management information illustrated in FIG. 4 and returns as a reply the first authentication information associated with the second authentication information based on which second authentication of the client terminal 1 has been executed (S105).
  • The reception section 12 of the client terminal 1 receives the first authentication information from the authentication information management server 2 (S106). The first authentication request section 13 detects an authentication screen of the application to be logged in and requests the application to execute the first authentication based on the first authentication information received by the reception section 12 (S107). The authentication screen is a screen for inputting the ID and a password serving as the authentication key. The first authentication request section 13 automatically inputs the ID and password for the first authentication.
  • The application performs the first authentication based on the first authentication information according to the request from the client terminal 1 and returns a reply to the client terminal 1 (S108). The first authentication is executed based on determination of whether the first authentication information used in the first authentication execution request from the client terminal 1 coincides with the first authentication information transmitted by the authentication information management server 2.
  • After returning the reply about completion of the first authentication by the application, the client terminal 1 logs in the application (S109) and uses the application (S110). When the client terminal 1 logs out from the application after usage (S111), the end notification section 14 transmits a end notification to the authentication information management server 2 (S112).
  • After the transmission of the end notification from the client terminal 1, the state management section 24 of the authentication information management server 2 changes the application use state of the client terminal 1 to “unused” (S113).
  • Next, operation of change processing performed by the change section will be described for each change timing. First, the change processing performed in the case where the change timing is “change at every login” will be described. FIG. 8 is a flowchart illustrating operations of the change processing.
  • The change section 25 refers to the policy information (S201) and determines whether the change timing is “change at every login” (S202).
  • In the case where the change timing is “change at every login” (YES in S202), the change section 25 determines whether the client terminal 1 tries to log in the application or has logged out from the application (S203). The determination of whether the client terminal 1 tries to log in or has logged out from the application is made based on whether the first authentication information has been requested by the client terminal 1.
  • In the case where the client terminal 1 has logged in the application (YES in S203), the change section 25 refers to the state information (S204) through the state management section 24 and determines whether the client terminal 1 is using an application which has been associated with the first authentication information to be changed in the authentication management information (S205).
  • In the case where the client terminal 1 is using the application (YES in S205), the change section 25 determines whether a change of the first authentication information that is being used is allowed (S206).
  • In the case where the change of the first authentication information that is being used is allowed (YES in S206), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S207) and refers to the policy information once again for next request (S201).
  • On the other hand, in the case where the change of the first authentication information that is being used is not allowed (NO in S206), the change section 25 refers to the policy information once again for next request (S201).
  • In the case where the client terminal 1 is not using the application (NO in S205), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S207).
  • In the case where the client terminal 1 has not logged in the application (NO in S203), the change section 25 refers to the policy information once again for next request (S201).
  • In the case where the change timing is not “change at every login” (NO in S202), the change section 25 refers to the policy information once again for next request (S201).
  • Next, operation of the change processing performed in the case where the change timing is “periodic intervals” will be described. FIG. 9 is a flowchart illustrating operations of the change processing performed in the case where the change timing is “periodic intervals”.
  • The change section 25 refers to the policy information (S301) and determines whether the change timing is “periodic intervals” (S302).
  • In the case where the change timing is “periodic intervals” (YES in S302), the change section 25 determines whether a predetermined period has elapsed based on, e.g., the date of a previous change (S303).
  • In the case where the predetermined period has elapsed (YES in S303), the change section 25 refers to the state information through the state management section 24 (S304) and determines whether the client terminal 1 is using an application which has been associated with the first authentication information to be changed in the authentication management information (S305).
  • In the case where the client terminal 1 is using the application (YES in S305), the change section 25 determines whether a change of the first authentication information that is being used is allowed (S306).
  • In the case where the change of the first authentication information that is being used is allowed (YES in S306), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S307) and refers to the policy information once again for next request (S301).
  • On the other hand, in the case where the change of the first authentication information that is being used is not allowed (NO in S306), the change section 25 refers to the policy information once again for next request (S301).
  • In the case where the client terminal 1 is not using the application (NO in S305), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S307).
  • In the case where the predetermined period has not elapsed (NO in S303), the change section 25 refers to the policy information once again for next request (S301).
  • In the case where the change timing is not “periodic intervals” (NO in S302), the change section 25 refers to the policy information once again for next request (S301).
  • Next, operation of the change processing performed in the case where the change timing is “change at second authentication” will be described. FIG. 10 is a flowchart illustrating operations of the change processing performed in the case where the change timing is “change at second authentication”.
  • The change section 25 refers to the policy information (S401) and determines whether the change timing is “change at second authentication” (S402).
  • In the case where the change timing is “change at second authentication” (YES in S402), the change section 25 determines whether a second authentication of the client terminal 1 has been succeeded (S403).
  • In the case where the second authentication of the client terminal 1 has been succeeded (YES in S403), the change section 25 refers to the state information through the state management section 24 (S404) and determines whether the client terminal 1 is using an application which has been associated with the first authentication information to be changed in the authentication management information (S405).
  • In the case where the client terminal 1 is using the application (YES in S405), the change section 25 determines whether a change of the first authentication information that is being used is allowed (S406).
  • In the case where the change of the first authentication information that is being used is allowed (YES in S406), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S407) and refers to the policy information once again (S401).
  • On the other hand, in the case where the change of the first authentication information that is being used is not allowed (NO in S406), the change section 25 refers to the policy information once again (S401).
  • In the case where the client terminal 1 is not using the application (NO in S405), the change section 25 changes the first authentication information in the authentication management information through the authentication information management section 21 (S407).
  • In the case where the second authentication of the client terminal 1 has not been succeeded (NO in S403), the change section 25 refers to the policy information once again (S401).
  • In the case where the change timing is not “change at second authentication” (NO in S402), the change section 25 refers to the policy information once again (S401).
  • Next, operation of transmitting processing performed by the transmitting section will be described. FIG. 11 is a flowchart illustrating operations of the transmitting processing.
  • The transmitting section 26 determines whether the first authentication information in the authentication management information has been changed (S501).
  • In the case where the first authentication information has been changed (YES in S501), the transmitting section 26 transmits an application with which the first authentication information before change has been associated of the first authentication information after change (S502). After the transmitting has been made, the transmitting section 26 determines once again whether the first authentication information in the authentication management information has been changed (S501).
  • Next, operation of the AP server concerning the change of the first authentication information will be described. FIG. 12 is a flowchart illustrating the operations of the AP server.
  • The AP server 3 determines whether the first authentication information has been transmitted from the authentication information management server 2 (S601).
  • In the case where the first authentication information has been transmitted from the authentication information management server 2 (YES in S601), the AP server 3 updates the first authentication information (S602) and determines once again whether the first authentication information has been transmitted from the authentication information management server 2 (S601).
  • On the other hand, in the case where the first authentication information has not been transmitted from the authentication information management server 2 (NO in S601), the AP server 3 determines once again whether the first authentication information has been transmitted from the authentication information management server 2 (S601).
  • As described above, actively changing the first authentication information allows quick action against a leakage of the first authentication information. Further, the authentication method of the second authentication is not dependent on the application, so that the strength of authentication can be increased by employing, e.g., biometrics as the method employed in the second authentication.
  • Further, freely setting a condition for changing the first authentication information allows a flexible response to the application function or situation in which a user utilizes the application. Further, by changing the first authentication information under a condition according to a situation in which the client terminal 1 utilizes the application, it is possible to prevent an abnormality of the application due to the change of the first authentication information. Such an abnormality can occur in, e.g., an application that uses the first authentication information once again during login state. In this case, making a setting so as not to change the first authentication information during use of the application prevents the abnormality of the application.
  • The present invention may be applied to a computer system as described below. FIG. 13 is a view illustrating an example of a computer system to which the present invention is applied. A computer system 900 illustrated in FIG. 13 includes a main body 901 incorporating a CPU, a disk drive, and the like, a display 902 that displays an image according to an instruction from the main body 901, a keyboard 903 for a user to input various pieces of information in the computer system 900, a mouse 904 for a user to specify a given position on a display screen 902 a of the display 902, and a communication unit 905 that accesses an external database or the like to download, e.g., a program stored in another computer system. As the communication unit 905, a network communication card, a modem, and the like may be employed.
  • It is possible to provide as an authentication information management program a program that allows a computer to execute the above steps in a computer system constituting the authentication information management apparatus. By storing the above program in a storage medium that can be read by the computer system, it is possible to allow the computer system constituting the authentication information management apparatus to execute the program. The program executing the above steps is stored in a portable recording medium such as a disk 910 or downloaded from a recording medium 906 of another computer system by the communication unit 905. An authentication information management program (authentication information management software) allowing the computer system 900 to exert at least an authentication information management function is input to the computer system 900 and is compiled therein. The compiled program allows the computer system 900 to operate as an authentication information management apparatus having the authentication information management function. The program may be stored in a computer-readable storage medium such as a disk 910. The recording medium that can be read by the computer system 900 mentioned here includes: an internal storage device mounted in a computer, such as HDD, ROM or RAM, a portable storage medium such as the disk 910, a flexible disk, a DVD disk, a magneto-optical disk, or an IC card; a database that holds computer program; another computer system and database thereof; and various recording media that can be accessed from a computer system connected thereto through a communication means such as the communication unit 905.
  • All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions, nor does the organization of such examples in the specification relate to a showing of the superiority and inferiority of the invention. Although the embodiments of the present inventions have been described in detail, it should be understood that the various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the invention.

Claims (22)

What is claimed is:
1. A method for controlling an authentication server which manages a first password for a login process from a client terminal to an application comprising:
managing the first password and authentication information for the login process from the client terminal to the authentication server; and
generating a second password which is different from the first password based on policy information to change the first password.
2. The method for controlling the authentication server according to claim 1, further comprising:
requesting the application to change the first password to the second password; and
changing the first password which is managed in association with the authentication information to the second password.
3. The method for controlling the authentication server according to claim 2, wherein the policy information includes an authentication key generation condition.
4. The method for controlling the authentication server according to claim 3, wherein the authentication key generation condition includes a character type, an occurrence frequency of characters, a password length or dissimilarity among passwords.
5. The method for controlling the authentication server according to claim 2, wherein the policy information includes a change timing.
6. The method for controlling the authentication server according to claim 5, wherein the change timing includes change at every login, change at periodic intervals, change at every authentication, or whether to allow a change to be made in-use.
7. An authentication method for a login process from a client terminal to an application comprising:
receiving authentication information inputted to the client terminal;
managing a first password for the login process to the application in association with the authentication information; and
generating a second password which is different from the first password based on policy information to change the first password.
8. The authentication method according to claim 7, wherein an authentication method of the authentication information inputted to the client terminal is different from an authentication method for a login process to the application.
9. The authentication method according to claim 8, wherein the authentication method of the authentication information inputted to the client terminal is a biometric authentication method.
10. The authentication method according to claim 8, wherein the authentication method of the authentication information inputted to the client terminal is selectable among a plurality of authentication methods which an authentication strength differ from each other.
11. The authentication method according to claim 7, wherein the generated second password is transmitted to a screen for a change of a password of the application.
12. The authentication method according to claim 11, wherein the second password is stored in association with the authentication information after the password of the application is changed to the second password.
13. The authentication method according to claim 7, wherein the policy information includes an authentication key generation condition.
14. The authentication method according to 13, wherein the authentication key generation condition includes a character type, an occurrence frequency of characters, a password length or dissimilarity among passwords.
15. The authentication method according to 13, wherein the authentication key generation condition includes a character type.
16. The authentication method according to 13, wherein the authentication key generation condition includes an occurrence frequency of characters.
17. The authentication method according to 13, wherein the authentication key generation condition includes a password length.
18. The authentication method according to 13, wherein the authentication key generation condition includes dissimilarity among passwords.
19. The authentication method according to 13, wherein the policy information includes a change timing.
20. The authentication method according to 19, wherein the change timing includes change at every login, change at periodic intervals, change at every authentication, or whether to allow a change to be made in-use.
21. An authentication server which manages a first password for a login process from a client terminal to an application comprising:
a storage configured to store the first password and authentication information for the login process from the client terminal to the authentication server, the authentication information being associated with the first password; and
a CPU configured to generate a second password which is different from the first password based on policy information to change the first password.
22. The authentication server according to claim 17, wherein the CPU further requests the application to change the first password to the second password and changes the first password which is managed in association with the authentication information to the second password.
US14/482,486 2009-04-01 2014-09-10 Authentication information management of associated first and second authentication information for user authentication Abandoned US20140380440A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/482,486 US20140380440A1 (en) 2009-04-01 2014-09-10 Authentication information management of associated first and second authentication information for user authentication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2009088745A JP5365311B2 (en) 2009-04-01 2009-04-01 Authentication information management program, authentication information management apparatus, and authentication method
JP2009-088745 2009-04-01
US12/728,420 US8863254B2 (en) 2009-04-01 2010-03-22 Authentication information management of associated first and second authentication information for user authentication
US14/482,486 US20140380440A1 (en) 2009-04-01 2014-09-10 Authentication information management of associated first and second authentication information for user authentication

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/728,420 Division US8863254B2 (en) 2009-04-01 2010-03-22 Authentication information management of associated first and second authentication information for user authentication

Publications (1)

Publication Number Publication Date
US20140380440A1 true US20140380440A1 (en) 2014-12-25

Family

ID=42827251

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/728,420 Active 2032-03-19 US8863254B2 (en) 2009-04-01 2010-03-22 Authentication information management of associated first and second authentication information for user authentication
US14/482,486 Abandoned US20140380440A1 (en) 2009-04-01 2014-09-10 Authentication information management of associated first and second authentication information for user authentication

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/728,420 Active 2032-03-19 US8863254B2 (en) 2009-04-01 2010-03-22 Authentication information management of associated first and second authentication information for user authentication

Country Status (2)

Country Link
US (2) US8863254B2 (en)
JP (1) JP5365311B2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107113308A (en) * 2015-05-06 2017-08-29 华为技术有限公司 Authentication method and access device
CN108111310A (en) * 2017-03-09 2018-06-01 张长富 A kind of generation method and device of candidate password dictionary
US20230139695A1 (en) * 2021-10-29 2023-05-04 Citrix Systems, Inc. User authentication techniques

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5051238B2 (en) * 2007-11-13 2012-10-17 富士通株式会社 Control proxy device
JP2011171983A (en) * 2010-02-18 2011-09-01 Sony Corp Apparatus and, processing information method, and computer-readable recording medium
JP5135458B1 (en) * 2011-07-28 2013-02-06 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5135460B1 (en) * 2011-07-28 2013-02-06 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5135459B1 (en) * 2011-07-28 2013-02-06 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5183785B2 (en) * 2011-08-29 2013-04-17 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5183787B2 (en) * 2011-08-29 2013-04-17 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5183786B2 (en) * 2011-08-29 2013-04-17 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5211224B2 (en) * 2011-11-30 2013-06-12 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5211225B2 (en) * 2011-11-30 2013-06-12 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP5211226B2 (en) * 2011-11-30 2013-06-12 京楽産業.株式会社 Authentication method for gaming machines and electronic devices
JP6901531B2 (en) * 2019-08-23 2021-07-14 Kddi株式会社 Management equipment, management methods and programs
JP7047179B2 (en) 2019-08-23 2022-04-04 Kddi株式会社 Management device, user terminal, management method and program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070044146A1 (en) * 2003-08-11 2007-02-22 Sony Corporation Authentication method, authentication system, and authentication server
US20080289022A1 (en) * 2007-05-14 2008-11-20 Chiu Yeong-How Internet business security system
US20090235345A1 (en) * 2008-03-14 2009-09-17 Mitsuhiro Oikawa Authentication system, authentication server apparatus, user apparatus and application server apparatus
US20100019908A1 (en) * 2008-07-24 2010-01-28 International Business Machines Corporation Circuit structure and method of fabrication for facilitating radio frequency identification (rfid)
US8495715B2 (en) * 2009-02-23 2013-07-23 Oracle International Corporation Techniques for credential auditing

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002328904A (en) * 2001-03-01 2002-11-15 Appresso:Kk System for managing application service providers
JP3642044B2 (en) * 2001-11-06 2005-04-27 日本電気株式会社 Password management device, password management system, password management method, and program thereof
JP4377679B2 (en) * 2003-12-26 2009-12-02 キヤノンマーケティングジャパン株式会社 Authentication server, information server, client, authentication method, authentication system, program, recording medium
JP2006279407A (en) * 2005-03-29 2006-10-12 Konica Minolta Medical & Graphic Inc Medical image managing system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070044146A1 (en) * 2003-08-11 2007-02-22 Sony Corporation Authentication method, authentication system, and authentication server
US20080289022A1 (en) * 2007-05-14 2008-11-20 Chiu Yeong-How Internet business security system
US20090235345A1 (en) * 2008-03-14 2009-09-17 Mitsuhiro Oikawa Authentication system, authentication server apparatus, user apparatus and application server apparatus
US20100019908A1 (en) * 2008-07-24 2010-01-28 International Business Machines Corporation Circuit structure and method of fabrication for facilitating radio frequency identification (rfid)
US8495715B2 (en) * 2009-02-23 2013-07-23 Oracle International Corporation Techniques for credential auditing

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107113308A (en) * 2015-05-06 2017-08-29 华为技术有限公司 Authentication method and access device
CN108111310A (en) * 2017-03-09 2018-06-01 张长富 A kind of generation method and device of candidate password dictionary
US20230139695A1 (en) * 2021-10-29 2023-05-04 Citrix Systems, Inc. User authentication techniques
US12386928B2 (en) * 2021-10-29 2025-08-12 Citrix Systems, Inc. User authentication techniques

Also Published As

Publication number Publication date
JP2010244100A (en) 2010-10-28
US20100257595A1 (en) 2010-10-07
US8863254B2 (en) 2014-10-14
JP5365311B2 (en) 2013-12-11

Similar Documents

Publication Publication Date Title
US8863254B2 (en) Authentication information management of associated first and second authentication information for user authentication
CN100444544C (en) Authentication system, server, and authentication method and program
US8479268B2 (en) Securing asynchronous client server transactions
US8844014B2 (en) Managing access to a document-processing device using an identification token
CN109873805A (en) Cloud desktop login method, device, device and storage medium based on cloud security
US20110087888A1 (en) Authentication using a weak hash of user credentials
US8375424B2 (en) Replicating selected secrets to local domain controllers
US11063922B2 (en) Virtual content repository
US20190394188A1 (en) Information processing apparatus, information processing method, and authentication linking system
US8695085B2 (en) Self-protecting storage
US20090228713A1 (en) Authentication device, biological information management apparatus, authentication system and authentication method
WO2018118029A1 (en) Authenticate a first device based on a push message to a second device
US7478433B2 (en) Program execution system having authentication function
JP5254755B2 (en) Privilege ID management system
JP4989935B2 (en) Session management method, server used therefor, session management program, and recording medium recording the program
JP2020060904A (en) Information processing system and program
US20250106029A1 (en) User authentication system capable of generating one-time password having fixed effective period, and storage medium
US11843595B2 (en) Information processing apparatus, information processing method, and storage medium
JP2007329731A (en) Certificate renewal method, system and program
US20230188348A1 (en) Service management system, token issuing server, and method for token issuing server
CN102833229B (en) Data interaction method and device for information system
KR101600596B1 (en) Method for managing password, device for changing password, and computer readable recording medium applying the same
JP2005148952A (en) Information processing apparatus, control method therefor, and program
JP2023115743A (en) Network systems and how single sign-on is handled
JP2015176238A (en) Authentication control apparatus, authentication system, authentication method, and program

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION