User authentication system for providing online services based on the transmission address
First Claim
1. In an authentication system in which an authentication server which authenticates a user, a user terminal which transmits a user authentication information, and an application server which provides a service to the user through the user terminal are connected together to enable a communication therebetween through a network, the address based authentication system including:
the authentication server which comprises authentication means for authenticating a user based on the user authentication information transmitted together with a key information as an authentication request from the user terminal, the key information representing a public key KPU of the user terminal;
an address allocating means for allocating an address to the user terminal for a successful authentication of the user;
generating means for generating information-for-authentication using at least the allocated address;
a ticket issuing means for issuing a ticket containing the allocated address, the key information which is received from the user terminal and the information-for-authentication;
and a ticket transmitting means for transmitting the ticket issued by the ticket issuing means to the user terminal;
the user terminal which has a pair of the public key KPU and a private key KSU and comprises:
transmitting means for transmitting the user authentication information and the key information to the authentication server for purpose of an authentication request;
a ticket reception means for receiving the ticket which contains the allocated address, the key information and the information-for-authentication and which is transmitted from the authentication server;
means for setting up the allocated address contained in the ticket as a source address for each packet which is to be transmitted from the user terminal to the application server;
a first session key generating means for calculating a first session secret key which is shared with the application server, from the private key KSU of the user terminal and a public key KPS of the application server;
a packet cryptographic processing means for processing each packet to be transmitted to the application server by the first session secret key to guarantee that there is no forgery in each packet;
means for transmitting a first packet including the ticket to the application server for establishing a session; and
a service request means for transmitting a second packet requesting the service to the application server through the session;
and the application server which has a pair of the public key KPS and a private key KSS and comprises:
a second session key generating means for calculating a second session secret key which is shared with the user terminal, from the private key KSS of the application server and the public key KPU of the user terminal;
a packet verifying means for confirming whether or not each packet received from the user terminal is forged using the second session secret key;
a ticket memory means for storing the ticket transmitted from the user terminal;
ticket verifying means for verifying the presence or absence of any forgery in the information-for-authentication in the ticket transmitted from the user terminal to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means in the presence of a forgery, and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key KPU of the user terminal, and if not, preventing the ticket from being stored in the ticket memory means;
an address comparison means for determining whether or not the allocated address contained in the ticket which is stored in the ticket memory means coincides with the source address of the second packet which is transmitted from the user terminal through the session; and
a service providing means for transmitting to the user terminal packets which provide the service to the user when a coincidence between the addresses is determined by the address comparison means.
Abstract
An address allocated to a user by an authentication server is used as the IP address of packets transmitted from a user terminal, preventing illicit use even if the IP address is eavesdropped. An authentication server 100 authenticates a user based on user authentication information transmitted from the user terminal and, upon successful authentication, allocates an address to the user terminal and issues a ticket containing the address, which is returned to the user terminal. The user terminal sets up the address contained in the ticket as its source address and transmits the ticket to the application server 300, requesting that a session be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet carrying the source address to the server 300 over the session. If the source address coincides with the address contained in the stored ticket, the server 300 provides the service to the user.
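The flow the abstract and claim 1 describe, modelled end to end as an added example (this is not code from the patent or its assignee). The page does not specify the cryptographic primitives, so the script assumes: the information-for-authentication is an HMAC over the allocated address and KPU under a key the authentication server shares with the application server (a signature by the authentication server would avoid sharing that secret); the first and second session secret keys are derived by static Diffie-Hellman over the Mersenne prime 2**521-1, a stand-in chosen only so the script runs on the standard library (use X25519 from a vetted library in practice); packets are dicts carrying a source address, a payload and an HMAC tag. Names such as `AuthServer`, `AppServer`, `UserTerminal`, `run_flow` and the credentials and addresses are constructed for the example. It shows the three checks the application server performs and which attack each one catches: a replay from the eavesdropped address without KSU, a ticket altered to claim an unallocated address, and a valid key holder sending from an address other than the allocated one.

```python
# Added example, not the patent's code. Assumptions (not specified by the page):
# information-for-authentication = HMAC(ticket_key, addr | KPU) with ticket_key shared
# between authentication server and application server; session keys from static
# Diffie-Hellman over the Mersenne prime 2**521-1 (toy modulus so the script runs
# on the standard library; use X25519 in practice); packets are dicts with an HMAC tag.
import hashlib
import hmac
import json
import secrets

P = 2**521 - 1   # prime, but not a vetted DH group: demonstration only
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Session secret key: KSU with KPS on the terminal, KSS with KPU on the server."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def tag(key, src, payload):
    """Per-packet forgery check: HMAC over the source address and the payload."""
    msg = json.dumps({"src": src, "payload": payload}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def auth_info(ticket_key, addr, kpu):
    """Information-for-authentication binding the allocated address to KPU."""
    return hmac.new(ticket_key, f"{addr}|{kpu}".encode(), hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self, ticket_key, pool):
        self.ticket_key, self.pool = ticket_key, list(pool)
        self.users = {"alice": "correct horse"}    # constructed credentials

    def authenticate(self, user, password, kpu):
        if self.users.get(user) != password:
            return None
        addr = self.pool.pop(0)                     # address allocation on success
        return {"addr": addr, "kpu": kpu, "auth": auth_info(self.ticket_key, addr, kpu)}

class UserTerminal:
    def __init__(self, kps):
        self.ksu, self.kpu = keypair()
        self.k1 = session_key(self.ksu, kps)        # first session secret key
        self.ticket = None

    def login(self, auth, user, password):
        self.ticket = auth.authenticate(user, password, self.kpu)
        return self.ticket is not None

    def packet(self, payload):
        src = self.ticket["addr"]                   # allocated address as source address
        return {"src": src, "payload": payload, "mac": tag(self.k1, src, payload)}

class AppServer:
    def __init__(self, ticket_key):
        self.ticket_key = ticket_key
        self.kss, self.kps = keypair()
        self.sessions = {}                          # ticket memory, keyed by session id

    def establish(self, pkt):
        """First packet: verify the packet, then the ticket, then store the ticket."""
        t = pkt["payload"]["ticket"]
        k2 = session_key(self.kss, t["kpu"])        # second session secret key
        # A valid tag under k2 proves the sender holds the KSU matching the ticket's
        # KPU, i.e. the key information in the ticket is the sender's public key.
        if not hmac.compare_digest(tag(k2, pkt["src"], pkt["payload"]), pkt["mac"]):
            return None, "packet forged"
        if not hmac.compare_digest(auth_info(self.ticket_key, t["addr"], t["kpu"]), t["auth"]):
            return None, "ticket forged"            # never reaches ticket memory
        sid = secrets.token_hex(8)
        self.sessions[sid] = (t, k2)
        return sid, "session established"

    def serve(self, pkt):
        """Second packet: verify it, then compare its source address with the ticket."""
        entry = self.sessions.get(pkt["payload"].get("sid"))
        if entry is None:
            return "no session"
        t, k2 = entry
        if not hmac.compare_digest(tag(k2, pkt["src"], pkt["payload"]), pkt["mac"]):
            return "packet forged"
        if t["addr"] != pkt["src"]:
            return "address mismatch"               # address comparison means
        return "service for " + pkt["payload"]["req"]

def run_flow():
    """Legitimate flow followed by three attacks; returns each outcome in order."""
    ticket_key = secrets.token_bytes(32)            # shared AS / app-server secret
    auth, app = AuthServer(ticket_key, ["10.0.0.7", "10.0.0.8"]), AppServer(ticket_key)
    ut = UserTerminal(app.kps)
    assert ut.login(auth, "alice", "correct horse")
    sid, r1 = app.establish(ut.packet({"ticket": ut.ticket}))
    r2 = app.serve(ut.packet({"sid": sid, "req": "video"}))
    # eavesdropper replays the allocated address and session id but lacks KSU
    r3 = app.serve({"src": ut.ticket["addr"], "payload": {"sid": sid, "req": "video"}, "mac": "00" * 32})
    # ticket altered to claim an address the authentication server never allocated
    _, r4 = app.establish(ut.packet({"ticket": dict(ut.ticket, addr="10.0.0.99")}))
    # holder of KSU sending from an address other than the allocated one
    p = {"src": "10.0.0.8", "payload": {"sid": sid, "req": "video"}}
    p["mac"] = tag(ut.k1, p["src"], p["payload"])
    r5 = app.serve(p)
    return r1, r2, r3, r4, r5
```

The ordering inside `establish` matters: the packet tag is checked under a key derived from the KPU inside the ticket before the ticket itself is checked, so a ticket can only enter the ticket memory when it was presented by the holder of the matching private key. The third attack shows why the address comparison is a distinct check and not redundant with the per-packet tag: the tag proves who sent the packet, the comparison proves the packet came from the address the authentication server bound to that key.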
11 Claims
1. Claim 1 is set out in full above under First Claim. - View Dependent Claims (2, 3, 4, 5)
6. An application server in an authentication system in which an authentication of a user utilizing a user terminal is performed by an authentication server and a request to provide a service is made to an application server on the basis of the authentication, comprising:
a session establishing means for establishing a session with a user terminal in response to a reception of a session establishment request packet containing a ticket from the user terminal, said ticket containing an address allocated by the authentication server to the user terminal, a key information representing a public key KPU of the user terminal and information-for-authentication generated by the authentication server using at least the allocated address;
a ticket memory means in which the ticket transmitted from the user terminal is stored; an address comparison means to which a source address of a service request packet which is transmitted from the user terminal and received through the established session is input and which determines whether or not the source address coincides with an allocated address of the user terminal contained in the ticket stored in the ticket memory means; and a service providing means which provides a service to the user terminal when the output of the address comparison means indicates a coincidence, wherein said session establishing means comprises a ticket verifying means for verifying authenticity of the ticket, which is received from the user terminal for establishing the session, by checking the information-for-authentication contained in the ticket to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means when verification is not successful, and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key KPU of the user terminal, and if not, preventing the ticket from being stored in the ticket memory means. - View Dependent Claims (7, 8, 9, 10)
11. A non-transitory computer readable storage medium having stored thereon an application server program for programming a computer to function as an application server in an authentication system in which an authentication of a user utilizing a user terminal is performed by an authentication server and a request to provide a service is made by the user terminal to the application server on the basis of the authentication, the application server comprising:
a session establishing means for establishing a session with a user terminal in response to a reception of a session establishment request packet containing a ticket from the user terminal, said ticket containing an address allocated by the authentication server to the user terminal, a key information representing a public key KPU of the user terminal and information-for-authentication generated by the authentication server using at least the allocated address; a ticket memory means in which the ticket transmitted from the user terminal is stored; an address comparison means to which a source address of a service request packet which is transmitted from the user terminal and received through the established session is input and which determines whether or not the source address coincides with an allocated address of the user terminal contained in the ticket stored in the ticket memory means; and a service providing means which provides a service to the user terminal when the output of the address comparison means indicates a coincidence, wherein said session establishing means comprises a ticket verifying means for verifying authenticity of the ticket, which is received from the user terminal for establishing the session, by checking the information-for-authentication contained in the ticket to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means when verification is not successful, and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key KPU of the user terminal, and if not, preventing the ticket from being stored in the ticket memory means.
Specification