USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME
First Claim
1. A user authentication system which performs user authentication utilizing a terminal certificate between a user authentication apparatus and a user terminal, wherein at least one user terminal having a certification authority secret key and a certification authority identifier, and at least one user authentication apparatus having a certification authority public key and a certification authority identifier are connected to at least a network, the user terminal includes:
terminal certificate generation means which is configured to calculate a terminal signature using the certification authority secret key for signature subject information which is discretionary data, and generate a terminal certificate which is a self-signed certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier;
terminal information storage means which is configured to save the terminal certificate;
registration request means which is configured to transmit at least the terminal certificate as a user registration request to the user authentication apparatus; and
service request means which is configured to acquire from the terminal information storage means a terminal certificate corresponding to a certification authority identifier received from a user authentication apparatus upon a service request, and transmit the terminal certificate to the user authentication apparatus; and
the user authentication apparatus includes;
authentication information storage means;
user registration means which is configured to register in the authentication information storage means a terminal certificate received from a user terminal; and
user authentication means which is configured to notify, in response to a service request from a user terminal when authenticating the user terminal, the certification authority identifier to the user terminal, obtain a corresponding terminal certificate from the user terminal, and verify the terminal signature contained in the terminal certificate using the certification authority public key.
Abstract
At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30. The terminal certificate having the same issuer information as the CA identifier in the identifier list of the CA notified from the user authentication apparatus 30 at the time of the service request is selected, and user authentication in accordance with a well-known user authentication protocol is executed using the terminal certificate.
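The registration and service-request flow described in the abstract, as an added example that is not part of the patent text. Textbook RSA over fixed primes stands in for a real signature scheme, and `CA_ID`, `AuthApparatus`, the helper names, and the registration lookup plus signed challenge in `authenticate` are assumptions of this example.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def toy_rsa(p, q):
    """Textbook RSA from fixed primes: a stand-in signature scheme, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed values: the CA key pair that terminals obtain in advance.
CA_ID = "example-ca-01"
CA_KEY = toy_rsa(2**107 - 1, 2**127 - 1)

def make_terminal_cert(terminal_n, ca_id, ca_key):
    """Terminal: sign its own public key with the CA secret key."""
    subject = str(terminal_n).encode()
    return {"subject": subject, "issuer": ca_id, "sig": sign(subject, ca_key)}

def select_cert(store, notified_ca_ids):
    """Service request: pick the stored cert whose issuer was notified."""
    return next((c for c in store if c["issuer"] in notified_ca_ids), None)

class AuthApparatus:
    def __init__(self):
        self.ca_list = {CA_ID: CA_KEY["n"]}  # CA identifier -> CA public key
        self.registered = set()              # subjects of registered certs

    def cert_ok(self, cert):
        n = self.ca_list.get(cert["issuer"])
        return n is not None and verify(cert["subject"], cert["sig"], n)

    def register(self, cert):
        if self.cert_ok(cert):
            self.registered.add(cert["subject"])
        return cert["subject"] in self.registered

    def authenticate(self, cert, challenge, response):
        # Assumption: a registration lookup plus a signed challenge stand in
        # for the "well-known user authentication protocol".
        return (cert is not None and self.cert_ok(cert)
                and cert["subject"] in self.registered
                and verify(challenge, response, int(cert["subject"])))
```

Because every terminal holds the CA secret key, a certificate that verifies under the CA public key does not by itself identify its holder; in this example the lookup of the registered certificate is what tells one terminal from another.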
21 Claims
11. A user authentication method which performs user authentication utilizing a terminal certificate between a user authentication apparatus and a user terminal, wherein at least one user terminal having a certification authority secret key and a certification authority identifier, and at least one user authentication apparatus having a certification authority public key and a certification authority identifier are connected to at least a network, the method comprising steps:
in the user terminal,
a terminal certificate generation step which calculates a terminal signature using the certification authority secret key for signature subject information which is discretionary data, and generates a terminal certificate which is a self-signed certificate containing at least the signature subject information, the terminal signature, and the certification authority identifier;
a terminal information storing step which saves the terminal certificate;
a registration request step which transmits at least the terminal certificate as a user registration request to the user authentication apparatus; and
a service request step which acquires from terminal information storage means a terminal certificate corresponding to a certification authority identifier received from a user authentication apparatus upon a service request, and transmits the terminal certificate to the user authentication apparatus; and
in user authentication apparatus,
a user registration step which registers into the authentication information storing step a terminal certificate received from a user terminal; and
a user authentication step which, in response to a service request from a user terminal, upon authentication of the user terminal, notifies the certification authority identifier to the user terminal, obtains a corresponding terminal certificate from the user terminal, and verifies the terminal signature contained in the terminal certificate using the certification authority public key.
16. A user authentication system which performs, by a user authentication apparatus, authentication utilizing a certificate between the user authentication apparatus and a user terminal, the user authentication system comprising at least:
a user terminal for use by a user;
a certification authority information disclosure server which discloses certification authority information;
a user authentication apparatus which authenticates the user to provide service; and
a network which connects the user terminal, the certification authority information disclosure server, and the user authentication apparatus; and
wherein the user terminal includes at least;
a terminal key pair generation part which is configured to generate a key pair consisting of a public key and a secret key;
a terminal certificate generation part which is configured to acquire a certification authority secret key and a certification authority certificate from a certification authority information disclosure server, make a signature using the certification authority secret key for at least a terminal public key generated at the terminal key pair generation part, and generate a terminal certificate which is a self-signed certificate containing at least the terminal public key, the signature, and an identifier of the certification authority certificate; and
a terminal information database which is configured to store the terminal certificate generated in the terminal certificate generation part in association with the terminal secret key which constitutes a pair with the terminal public key included in the terminal certificate; and
wherein the certification authority information disclosure server includes at least;
a first certification authority information database which is configured to store a certification authority certificate containing at least a certification authority public key, a signature, and an identifier of the signed higher rank certification authority or own certification authority in association with a certification authority secret key which constitutes a pair with the certification authority public key contained in the certification authority certificate; and
a certification authority information notifying part which is configured to acquire a certification authority secret key and a certification authority certificate from the first certification authority information database in response to the certification authority information request from the user terminal, and transmit the certification authority secret key and the certification authority certificate to the user terminal; and
wherein the user authentication apparatus includes a second certification authority information database which is configured to store a certification authority certificate that the certification authority information disclosure server discloses.
17. A user authentication system in which a user authentication apparatus performs authentication utilizing a certificate between the user authentication apparatus and a user terminal, the user authentication system comprising at least:
a user terminal for use by a user;
a certification authority information disclosure server which is configured to disclose certification authority information;
a user authentication apparatus which is configurated to authenticate the user to provide service; and
a network which is connected to the user terminal, the certification authority information disclosure server, and the user authentication apparatus; and
wherein the user terminal includes at least;
a first certification authority information database which is a database pre-embedded by a vendor of base software or hardware of the user terminal, and is configured to store the certification authority certificate containing at least a certification authority public key which the vendor discloses, a signature, and an identifier of the signed higher rank certification authority or own certification authority in association with a certification authority secret key which constitutes a pair with the certification authority public key contained in the certification authority certificate;
a terminal key pair generation part which is configured to generate a key pair consisting of a public key and a secret key;
a terminal certificate generation part which is configured to acquire a certification authority secret key and a certification authority certificate from the first certification authority information database, make a user signature using the certification authority secret key for at least a public key generated at the terminal key pair generation part, and generate a terminal certificate which is a self-signed certificate containing at least the public key, the user signature, and a certification authority identifier of the certification authority certificate; and
a terminal information database which is configured to store the terminal certificate generated in the terminal certificate generation part in association with the terminal secret key which constitutes a pair with the terminal public key included in the terminal certificate; and
wherein the user authentication apparatus includes a second certification authority information database which is configured to store a certification authority certificate that is disclosed by the certification authority information disclosure server, the certification authority information disclosure server includes at least a third certification authority information database which is configured to store a certification authority certificate containing at least a certification authority public key that the vendor of the base software or the hardware of the user terminal discloses, a signature, and an identifier of the signed higher rank certification authority or own certification authority.
20. A user authentication method in which a user authentication apparatus performs authentication with the user terminal utilizing a certificate in a user authentication system comprising at least:
a user terminal for use by a user;
a certification authority information disclosure server which discloses certification authority information;
a user authentication apparatus which authenticates the user to provide service; and
a network which connects the user terminal, the certification authority information disclosure server, and the user authentication apparatus;
the method including;
a step by the user terminal of generating a key pair consisting of a terminal public key and a terminal secret key, and requesting certification authority information to the certification authority information disclosure server;
a step by the certification authority information disclosure server of reading a certification authority secret key and a certification authority identifier from the certification authority information database in response to the request, and notifying to the user terminal; and
a step by the user terminal of making, upon receiving the certification authority secret key and the certification authority identifier from the certification authority information disclosure server, a signature using the certification authority secret key on at least the generated terminal public key, generating the terminal certificate which is a self-signed certificate containing at least the terminal public key, the signature, and the certification authority identifier, and registering the terminal certificate in the terminal information database in association with the terminal secret key which constitutes a pair with the terminal public key contained in the terminal certificate.
Specification