USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME

US 20110047373A1
Filed: 06/25/2008
Published: 02/24/2011
Est. Priority Date: 10/19/2007
Status: Active Grant

First Claim

Patent Images

1. A user authentication system which performs user authentication utilizing a terminal certificate between a user authentication apparatus and a user terminal, whereinat least one user terminal having a certification authority secret key and a certification authority identifier, and at least one user authentication apparatus having a certification authority public key and a certification authority identifier are connected to at least a network,the user terminal includes:

terminal certificate generation means which is configured to calculate a terminal signature using the certification authority secret key for signature subject information which is discretionary data, and generate a terminal certificate which is a self-signed certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier;

terminal information storage means which is configured to save the terminal certificate;

registration request means which is configured to transmit at least the terminal certificate as a user registration request to the user authentication apparatus; and

service request means which is configured to acquire from the terminal information storage means a terminal certificate corresponding to a certification authority identifier received from a user authentication apparatus upon a service request, and transmit the terminal certificate to the user authentication apparatus; and

the user authentication apparatus includes;

authentication information storage means;

user registration means which is configured to register in the authentication information storage means a terminal certificate received from a user terminal; and

user authentication means which is configured to notify, in response to a service request from a user terminal when authenticating the user terminal, the certification authority identifier to the user terminal, obtain a corresponding terminal certificate from the user terminal, and verify the terminal signature contained in the terminal certificate using the certification authority public key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30. The terminal certificate having the same issuer information as the CA identifier in the identifier list of the CA notified from the user authentication apparatus 30 at the time of the service request is selected, and user authentication in accordance with a well-known user authentication protocol is executed using the terminal certificate.

Citations

21 Claims

1. A user authentication system which performs user authentication utilizing a terminal certificate between a user authentication apparatus and a user terminal, whereinat least one user terminal having a certification authority secret key and a certification authority identifier, and at least one user authentication apparatus having a certification authority public key and a certification authority identifier are connected to at least a network,the user terminal includes:
- terminal certificate generation means which is configured to calculate a terminal signature using the certification authority secret key for signature subject information which is discretionary data, and generate a terminal certificate which is a self-signed certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier;
  
  terminal information storage means which is configured to save the terminal certificate;
  
  registration request means which is configured to transmit at least the terminal certificate as a user registration request to the user authentication apparatus; and
  
  service request means which is configured to acquire from the terminal information storage means a terminal certificate corresponding to a certification authority identifier received from a user authentication apparatus upon a service request, and transmit the terminal certificate to the user authentication apparatus; and
  
  the user authentication apparatus includes;
  
  authentication information storage means;
  
  user registration means which is configured to register in the authentication information storage means a terminal certificate received from a user terminal; and
  
  user authentication means which is configured to notify, in response to a service request from a user terminal when authenticating the user terminal, the certification authority identifier to the user terminal, obtain a corresponding terminal certificate from the user terminal, and verify the terminal signature contained in the terminal certificate using the certification authority public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The user authentication system according to claim 1, whereinthe terminal certificate generation means of the user terminal includes a terminal key pair generation part which is configured to generate a pair consisting of a terminal secret key and a terminal public key, the signature subject information contains at least the terminal public key,wherein the terminal information storage means of the user terminal stores the terminal certificate, and the terminal secret key which is contained in the terminal certificate and constitutes a pair with the terminal public key,the service request means of the user terminal includes a first authentication protocol processing part which, at the time of user authentication when receiving the certificate request containing a random number together with the certification authority identifier from the user authentication apparatus in response to the service request to the user authentication apparatus, reads the terminal certificate corresponding to the certification authority identifier and the terminal secret key corresponding to the terminal certificate from the terminal information storage means, generates a user signature for data containing the random number with the terminal secret key, and transmits the user signature together with the terminal certificate to the user authentication apparatus, andthe user authentication means of the user authentication apparatus includes a second authentication protocol processing part which, at the time of user authentication, in response to the service request from the user terminal, transmits a certificate request containing a random number together with the certification authority identifier to the user terminal, and in response to the certificate request, verifies a user signature for data containing the random number received from the user terminal with a terminal public key contained in the terminal certificate.
  - 3. The user authentication system according to claim 2, whereinthe signature subject information further includes user information, the terminal certificate includes the user information,the user registration means of the user authentication apparatus includes a terminal certificate-user information associating part which is configured to register, at the time of user registration, user information contained in the terminal certificate received from the user terminal into the authentication information storage means in association with the terminal certificate or at least a terminal public key contained in the terminal certificate, andthe user authentication apparatus further includesservice provision means which is configured to search for the terminal certificate received in response to a service request by the user terminal or user information corresponding to a terminal public key contained in the terminal certificate in the authentication information storage means, and provide service to the user terminal using the obtained user information.
  - 4. The user authentication system according to any one of claims 1 to 3, whereinthe terminal certificate generation means includes:
    - a certification authority information storage device which is configured to store a certification authority certificate that contains at least a certification authority public key, a certification authority signature, and a certification authority identifier of the signed higher rank certification authority or own and that is data pre-embedded in a storage part of the user terminal, in association with a certification authority secret key that constitutes a pair with the certification authority public key contained in the certification authority certificate; and
      
      a terminal certificate generation part which is configured to acquire a certification authority secret key and a certification authority certificate from the certification authority information storage part, generate the terminal signature for the signature subject information using the certification authority secret key, and generate the terminal certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier.
  - 5. The user authentication system according to any one of claims 1 to 4, whereinthe registration request means of the user terminal includes a first user confirmation part which is configured to execute user confirmation processing with the user authentication apparatus using confirmation information at the time of terminal certificate registration, andthe user registration means of the user authentication apparatus includes a second user confirmation part which is configured to execute user confirmation processing with the user terminal using the confirmation information received from the user terminal at the time of terminal certificate registration.
  - 6. The user authentication system according to claim 5, whereinat least one mail server is connected to the network,the first user confirmation part is configured to transmit user information containing an e-mail address of the user to the user authentication apparatus, and upon receiving an e-mail transmitted to the e-mail address from the user authentication apparatus via the mail server, transmit the confirmation information contained in the e-mail to the user authentication apparatus, andthe second user confirmation part, upon receiving user information containing an e-mail address from the user terminal, transmits an e-mail containing confirmation information to the e-mail address via the mail server, and upon receiving confirmation information from the user terminal, registers the terminal certificate into the authentication information storage means.
  - 7. The user authentication system according to claim 5, wherein:
    - an SIP server or a switch is connected to the network, a user telephone number and user information are registered in the SIP server or the switch,the first user confirmation part in the user terminal is configured to transmit confirmation information containing a user telephone number at the time of user registration to the user authentication apparatus, and to establish a connection session with user authentication apparatus using the telephone number via the SIP server or the switch, andthe second user confirmation part in the user authentication apparatus is configured to establish a connection session with the user terminal via the SIP server or the switch using a telephone number contained in the confirmation information received at the time of user registration, and to register the terminal certificate into the authentication information storage means if the connection establishment is successful.
  - 8. The user authentication system according to claim 5, whereina web server which issues an URI unique to the user is connected to the network,the first user confirmation part in the user terminal is configured to transmit confirmation information containing an URI of a user to the user authentication apparatus at the time of user registration, and to perform user authentication with the web server, andthe second user confirmation part in the user authentication apparatus is configured to request user authentication to the web server using an URI contained in the confirmation information received at the time of user registration, and to register the terminal certificate into the authentication information storage means if the user authentication is successful.
  - 9. The user authentication system according to claim 5, whereina line authentication server in which user information corresponding to an identifier of a line for use by a user is registered is connected to the network,the first user confirmation part in the user terminal is configured to transmit confirmation information containing a line identifier of a line for use at the time of user registration to the user authentication apparatus, and to perform user authentication with the line authentication server, andthe second user confirmation part in the user authentication apparatus is configured to request authentication for a line identifier contained in the confirmation information received at the time of user registration to the line authentication server, and to register the terminal certificate into the authentication information storage means if the line authentication is successful.
  - 10. The user authentication system according to claim 5, whereinat least one service provision server which is capable of communicating with the user terminal and the user authentication apparatus via the network and provides service to a user using predetermined identification information for each user is connected to the network,the first user confirmation part in the user terminal is configured to execute user confirmation processing with the user authentication apparatus using the predetermined identification information and the service provision server at the time of user authentication, andthe second user confirmation part is configured to execute user confirmation processing with the user terminal using the predetermined identification information and the service provision server at the time of user authentication.

11. A user authentication method which performs user authentication utilizing a terminal certificate between a user authentication apparatus and a user terminal, whereinat least one user terminal having a certification authority secret key and a certification authority identifier, and at least one user authentication apparatus having a certification authority public key and a certification authority identifier are connected to at least a network, the method comprising steps:
- in the user terminal,a terminal certificate generation step which calculates a terminal signature using the certification authority secret key for signature subject information which is discretionary data, and generates a terminal certificate which is a self-signed certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier;
  
  a terminal information storing step which saves the terminal certificate;
  
  a registration request step which transmits at least the terminal certificate as a user registration request to the user authentication apparatus; and
  
  a service request step which acquires from terminal information storage means a terminal certificate corresponding to a certification authority identifier received from a user authentication apparatus upon a service request, and transmits the terminal certificate to the user authentication apparatus; and
  
  in user authentication apparatus,a user registration step which registers into the authentication information storing step a terminal certificate received from a user terminal; and
  
  a user authentication step which, in response to a service request from a user terminal, upon authentication of the user terminal, notifies the certification authority identifier to the user terminal, obtains a corresponding terminal certificate from the user terminal, and verifies the terminal signature contained in the terminal certificate using the certification authority public key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The user authentication method according to claim 11, whereinthe terminal certificate generation step of the user terminal includes a terminal key pair generation step which generates a pair consisting of a terminal secret key and a terminal public key,the signature subject information contains at least the terminal public key,the terminal information storing step of the user terminal stores the terminal certificate, and the terminal secret key which is contained in the terminal certificate and constitutes a pair with the terminal public key,the service request step of the user terminal includes a first authentication protocol processing step which, at the time of user authentication, upon receiving the certificate request containing a random number together with the certification authority identifier from the user authentication apparatus in response to the service request to the user authentication apparatus, reads the terminal certificate corresponding to the certification authority identifier and the terminal secret key corresponding to the terminal certificate from the terminal information storage means, generates a user signature for data containing the random number with the terminal secret key, and transmits the user signature together with the terminal certificate to the user authentication apparatus, andthe user authentication step of the user authentication apparatus includes a second authentication protocol processing step which, at the time of user authentication, in response to the service request from the user terminal, transmits a certificate request containing a random number together with the certification authority identifier to the user terminal, and in response to the certificate request, verifies a user signature for data containing the random number received from the user terminal with a terminal public key contained in the terminal certificate.
  - 13. The user authentication method according to claim 12, whereinthe signature subject information further includes user information, the terminal certificate includes the user information,the user registration step of the user authentication apparatus includes a terminal certificate-user information associating step which, at the time of user registration, registers user information contained in the terminal certificate received from the user terminal into authentication information storage means in association with the terminal certificate or at least a terminal public key contained in the terminal certificate, andthe user authentication apparatus further includesservice provision step which searches for the terminal certificate received in response to a service request by the user terminal and successfully verified or user information corresponding to a terminal public key contained in the terminal certificate in the authentication information storage means, and provides service to the user terminal using the obtained user information.
  - 14. The user authentication method according to any one of claims 11 to 13, further comprises certification authority information storing step including:
    - a certification authority information storage means which stores a certification authority certificate that contains at least a certification authority public key, a certification authority signature, and a certification authority identifier of the signed higher rank certification authority or own and that is data pre-embedded in a storage means of the user terminal, in association with a certification authority secret key that constitutes a pair with the certification authority public key contained in the certification authority certificate; and
      
      a terminal certificate generation step which acquires a certification authority secret key and a certification authority certificate from the certification authority information storage means, generates the terminal signature for the signature subject information using the certification authority secret key, and generates the terminal certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier.
  - 15. The user authentication method according to any one of claims 11 to 14, whereinthe registration request step of the user terminal includes a first user confirmation step which executes user confirmation processing with the user authentication apparatus using confirmation information at the time of terminal certificate registration, andthe user registration step of the user authentication apparatus includes a second user confirmation step which executes user confirmation processing with the user terminal using the confirmation information received from the user terminal at the time of terminal certificate registration.

16. A user authentication system which performs, by a user authentication apparatus, authentication utilizing a certificate between the user authentication apparatus and a user terminal, the user authentication system comprising at least:
- a user terminal for use by a user;
  
  a certification authority information disclosure server which discloses certification authority information;
  
  a user authentication apparatus which authenticates the user to provide service; and
  
  a network which connects the user terminal, the certification authority information disclosure server, and the user authentication apparatus; and
  
  whereinthe user terminal includes at least;
  
  a terminal key pair generation part which is configured to generate a key pair consisting of a public key and a secret key;
  
  a terminal certificate generation part which is configured to acquire a certification authority secret key and a certification authority certificate from a certification authority information disclosure server, makes a signature using the certification authority secret key for at least a terminal public key generated at the terminal key pair generation part, and generate a terminal certificate which is a self-signed certificate containing at least the terminal public key, the signature, and an identifier of the certification authority certificate; and
  
  a terminal information database which is configued to store the terminal certificate generated in the terminal certificate generation part in association with the terminal secret key which constitutes a pair with the terminal public key included in the terminal certificate; and
  
  whereinthe certification authority information disclosure server includes at least;
  
  a first certification authority information database which is configured to store a certification authority certificate containing at least a certification authority public key, a signature, and an identifier of the signed higher rank certification authority or own certification authority in association with a certification authority secret key which constitutes a pair with the certification authority public key contained in the certification authority certificate; and
  
  a certification authority information notifying part which is configured to acquire a certification authority secret key and a certification authority certificate from the first certification authority information database in response to the certification authority information request from the user terminal, and transmit the certification authority secret key and the certification authority certificate to the user terminal; and
  
  whereinthe user authentication apparatus includesa second certification authority information database which is configured to store a certification authority certificate that the certification authority information disclosure server discloses.
- View Dependent Claims (18, 19)
- - 18. The user authentication system according to claim 16 or 17, whereinthe user terminal further includes:
    - a first user confirmation part which is configured to execute user confirmation processing with the user authentication apparatus at the time of terminal certificate registration;
      
      a terminal certificate notifying part which is configured to transmit the terminal certificate generated in the terminal certificate generation part to the user authentication apparatus;
      
      a first authentication protocol processing part which at the time of user authentication upon receiving a certificate request containing an identifier of a trusted certification authority and a random number from the user authentication apparatus in response to a service request to the user authentication apparatus in accordance with a standard security protocol, reads the terminal certificate that matches the identifier of the certification authority and the terminal secret key corresponding to the terminal certificate from the terminal information database, makes a user signature on the random number using the terminal secret key, and transmits the user signature together with the terminal certificate to the user authentication apparatus; and
      
      the user authentication apparatus further includesan authentication information database which is configured to store the user information in association with a user terminal certificate received from the user terminal or at least the terminal public key contained in the terminal certificate;
      
      a second user confirmation part which is configured to execute user confirmation processing with the user terminal at the time of terminal certificate registration;
      
      a terminal certificate-user information associating part which is configured to receive the terminal certificate from the user terminal, and if the user confirmation processing by the second user confirmation part is successful, registers the user information in association with the terminal certificate or at least the terminal public key contained in the terminal certificate;
      
      a second authentication protocol processing part which, at the time of user authentication, in accordance with a standard security protocol, in response to a service request from the user terminal, reads a trusted certification authority certificate from the second certification authority information database, transmits a certificate request containing a certification authority identifier of the certification authority certificate and a random number, and in response to the certificate request, verifies the user signature for the random number received from the user terminal together with the terminal certificate using the terminal public key of the user terminal;
      
      a database reference part which is configured to search for user information corresponding to the terminal certificate received together with the user signature succeeded in the verification or at least the terminal public key contained in the terminal certificate in the authentication information database; and
      
      a service provision part which is configured to provide service to the user terminal using user information acquired at the database reference part.
  - 19. The user authentication system according to claim 18 further includinga service provision server which is configured to be capable of communicating with the user terminal and the user authentication apparatus via the network, and provide service to a user using predetermined identification information for each user, and whereinthe user terminal includesa user confirmation part which is configured to execute, at the time of user authentication, user confirmation processing with the user authentication apparatus using the predetermined identification information and the service provision server, and whereinthe user authentication apparatus includesa user confirmation part which is configured to execute, at the time of user authentication, user confirmation processing with the user terminal using the predetermined identification information and the service provision server.

17. A user authentication system in which a user authentication apparatus performs authentication utilizing a certificate between the user authentication apparatus and a user terminal, the user authentication system comprising at least:
- a user terminal for use by a user;
  
  a certification authority information disclosure server which is configured to disclose certification authority information;
  
  a user authentication apparatus which is configurated to authenticate the user to provide service; and
  
  a network which is connected to the user terminal, the certification authority information disclosure server, and the user authentication apparatus; and
  
  whereinthe user terminal includes at least;
  
  a first certification authority information database which is a database pre-embedded by a vendor of base software or hardware of the user terminal, and is configured to store the certification authority certificate containing at least a certification authority public key which the vendor discloses, a signature, and an identifier of the signed higher rank certification authority or own certification authority in association with a certification authority secret key which constitutes a pair with the certification authority public key contained in the certification authority certificate;
  
  a terminal key pair generation part which is configured to generate a key pair consisting of a public key and a secret key;
  
  a terminal certificate generation part which is configured to acquire a certification authority secret key and a certification authority certificate from the first certification authority information database, make a user signature using the certification authority secret key for at least a public key generated at the terminal key pair generation part, and generate a terminal certificate which is a self-signed certificate containing at least the public key, the user signature, and a certification authority identifier of the certification authority certificate; and
  
  a terminal information database which is configured to store the terminal certificate generated in the terminal certificate generation part in association with the terminal secret key which constitutes a pair with the terminal public key included in the terminal certificate; and
  
  whereinthe user authentication apparatus includesa second certification authority information database which is configured to store a certification authority certificate that is disclosed by the certification authority information disclosure server,the certification authority information disclosure server includes at leasta third certification authority information database which is configured to store a certification authority certificate containing at least a certification authority public key that the vendor of the base software or the hardware of the user terminal discloses, a signature, and an identifier of the signed higher rank certification authority or own certification authority.

20. A user authentication method in which a user authentication apparatus performs authentication with the user terminal utilizing a certificate in a user authentication system comprising at least:
- a user terminal for use by a user;
  
  a certification authority information disclosure server which discloses certification authority information;
  
  a user authentication apparatus which authenticates the user to provide service; and
  
  a network which connects the user terminal, the certification authority information disclosure server, and the user authentication apparatus;
  
  the method including;
  
  a step by the user terminal of generating a key pair consisting of a terminal public key and a terminal secret key, and requesting certification authority information to the certification authority information disclosure server;
  
  a step by the certification authority information disclosure server of reading a certification authority secret key and a certification authority identifier from the certification authority information database in response to the request, and notifying to the user terminal; and
  
  a step by the user terminal of making, upon receiving the certification authority secret key and the certification authority identifier from the certification authority information disclosure server, a signature using the certification authority secret key on at least the generated terminal public key, generating the terminal certificate which is a self-signed certificate containing at least the terminal public key, the signature, and the certification authority identifier, and registering the terminal certificate in the terminal information database in association with the terminal secret key which constitutes a pair with the terminal public key contained in the terminal certificate.
- View Dependent Claims (21)
- - 21. The user authentication method according to claim 20 further including:
    - a step of executing user confirmation processing for terminal certificate registration between the user terminal and the user authentication apparatus;
      
      a step by the user terminal of transmitting the terminal certificate to the user authentication apparatus;
      
      a step by the user authentication apparatus of registering, upon receiving the terminal certificate from the user terminal, if the user confirmation processing is successful, the user information in the authentication information database in association with the terminal certificate or at least the terminal public key contained in the terminal certificate;
      
      a step by the user authentication apparatus of reading, in response to a service request from the user terminal, in accordance with a standard security protocol, an identifier of a trusted certification authority from the certification authority information database, and transmitting the certificate request containing the identifier of the trusted certification authority and a random number to the user terminal;
      
      a step by the user terminal of reading, upon receiving the certificate request containing the identifier of the trusted certification authority and the random number from user authentication apparatus in accordance with a standard security protocol, the terminal certificate that matches the identifier of the certification authority and the corresponding terminal secret key from the terminal information database, making a user signature on the random number using the terminal secret key, and transmitting the user signature together with the terminal certificate to the user authentication apparatus;
      
      a step by the user authentication apparatus of verifying the user signature made on the random number received from the user terminal with the terminal public key of the user terminal, and confirming the authenticity, in accordance with a standard security protocol;
      
      a step by the user authentication apparatus of searching for the terminal certificate received together with the user signature that succeeded the verification or at least the user information corresponding to the terminal public key contained in the terminal certificate in the authentication information database; and
      
      a step by the user authentication apparatus of providing service to the user terminal using the user information by means of the service provision part.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Takahashi, Kenji, Karasawa, Kei, Ueno, Nachi, Tsuruoka, Yukio, Orihara, Shingo

Granted Patent

US 8,595,816 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0823   using certificates cryptogr...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links