CLIENT DEVICE, KEY DEVICE, SERVICE PROVIDING APPARATUS, USER AUTHENTICATION SYSTEM, USER AUTHENTICATION METHOD, PROGRAM, AND RECORDING MEDIUM

US 20100088519A1
Filed: 02/07/2008
Published: 04/08/2010
Est. Priority Date: 02/07/2007
Status: Active Grant

First Claim

Patent Images

1. A client device connected through a network to a service providing apparatus, the client device comprising:

a client authentication information management unit that holds a service information database storing a user ID, a public key, a private key, and a server certificate in association with each service;

a control unit;

a client authentication unit; and

a key generation unit;

wherein the control unit has a request function to send a user registration request and a service request to the service providing apparatus;

the client authentication unit has a server authentication function to verify server authentication information and an authentication request sent from the service providing apparatus;

the client authentication unit has a user information transmission function to obtain a signature for a user ID, a password, a user attribute, and a public key generated by the key generation unit, by using a private key generated corresponding to the public key in the key generation unit, and to send to the service providing apparatus user information that includes the user ID, the password, the user attribute, the public key, and the signature;

the client authentication information management unit has a service information registration function to register service information that includes the user ID, the public key, the private key, and a server certificate, in the service information database; and

the client authentication unit has an authentication response function to calculate, if an authentication method identified from an authentication policy included in the authentication request sent from the service providing apparatus is password authentication, password authentication information with which the possession of the password can be confirmed, from the password, and to send an authentication response that includes the password authentication information, the authentication method, and the user ID to the service providing apparatus;

to calculate, if the authentication method identified from the authentication policy is public key authentication, a signature 1 for the authentication method, the user ID, and a challenge included in the authentication request, and to send an authentication response that includes the signature 1, the authentication method, and the user ID to the service providing apparatus; and

to calculate, if the authentication method identified from the authentication policy is public-key-and-password combination authentication, a signature 2 for the authentication method, the user ID, the challenge included in the authentication request, and the password, and to send an authentication response that includes the signature 2, the authentication method, and the user ID to the service providing apparatus.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a user authentication system according to the present invention, at user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key corresponding to the public key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other. When a request for a service is made, the client device allows authentication processing by sending to the service providing apparatus an authentication response that includes the user ID together with password authentication information, a signature for a challenge sent from the service providing apparatus, or a signature for the password and the challenge, irrespective of whether the authentication method for the service is password authentication, public key authentication, or public-key-and-password combination authentication.

91 Citations

View as Search Results

24 Claims

1. A client device connected through a network to a service providing apparatus, the client device comprising:
- a client authentication information management unit that holds a service information database storing a user ID, a public key, a private key, and a server certificate in association with each service;
  
  a control unit;
  
  a client authentication unit; and
  
  a key generation unit;
  
  wherein the control unit has a request function to send a user registration request and a service request to the service providing apparatus;
  
  the client authentication unit has a server authentication function to verify server authentication information and an authentication request sent from the service providing apparatus;
  
  the client authentication unit has a user information transmission function to obtain a signature for a user ID, a password, a user attribute, and a public key generated by the key generation unit, by using a private key generated corresponding to the public key in the key generation unit, and to send to the service providing apparatus user information that includes the user ID, the password, the user attribute, the public key, and the signature;
  
  the client authentication information management unit has a service information registration function to register service information that includes the user ID, the public key, the private key, and a server certificate, in the service information database; and
  
  the client authentication unit has an authentication response function to calculate, if an authentication method identified from an authentication policy included in the authentication request sent from the service providing apparatus is password authentication, password authentication information with which the possession of the password can be confirmed, from the password, and to send an authentication response that includes the password authentication information, the authentication method, and the user ID to the service providing apparatus;
  
  to calculate, if the authentication method identified from the authentication policy is public key authentication, a signature 1 for the authentication method, the user ID, and a challenge included in the authentication request, and to send an authentication response that includes the signature 1, the authentication method, and the user ID to the service providing apparatus; and
  
  to calculate, if the authentication method identified from the authentication policy is public-key-and-password combination authentication, a signature 2 for the authentication method, the user ID, the challenge included in the authentication request, and the password, and to send an authentication response that includes the signature 2, the authentication method, and the user ID to the service providing apparatus.
- View Dependent Claims (3, 5, 12, 23, 24)
- - 3. The client device according to claim 1,wherein the client authentication unit stores an authentication method correspondence table that includes an authentication method registered for each authentication policy made up of a combination of a degree of authentication strength and a level of consent confirmation;
    - andin the authentication response function, the client authentication unit reads from the authentication method correspondence table all authentication methods corresponding to the authentication policy included in the authentication request sent from the service providing apparatus, and specifies a user-selected authentication method or an executable authentication method among all the authentication methods as the authentication method identified from the authentication policy.
  - 5. The client device according to claim 3, wherein, in the user information transmission function, the client authentication unit obtains a signature for a user policy serving as a user-requested authentication policy, the user ID, the password, the user attribute, and the public key generated by the key generation unit, by using the private key generated corresponding to the public key in the key generation unit, and sends user information that includes the user policy, the user ID, the password, the user attribute, the public key, and the signature to the service providing apparatus.
  - 12. A user authentication system comprising:
    - the client device according to claim 1;
      
      the service providing apparatus according to claim 7; and
      
      a network connecting the client device and the service providing apparatus.
  - 23. A program for operating a computer as the device or apparatus according to one of claims 1, 2, or 7.
  - 24. A computer-readable recording medium having recorded thereon the program according to claim 23.

2. A key device connected to a client device connected through a network to a service providing apparatus, the key device comprising:
- a client authentication information management unit that holds a service information database storing a user ID, a public key, a private key, and a server certificate in association with each service;
  
  a client authentication unit; and
  
  a key generation unit;
  
  wherein the client authentication unit has a server authentication function to verify server authentication information and an authentication request sent from the service providing apparatus;
  
  the client authentication unit has a user information transmission function to obtain a signature for a user ID, a password, a user attribute, and a public key generated by the key generation unit, by using a private key generated corresponding to the public key in the key generation unit, and to send to the service providing apparatus user information that includes the user ID, the password, the user attribute, the public key, and the signature;
  
  the client authentication unit has an authentication response function to calculate, if an authentication method identified from an authentication policy included in the authentication request sent from the service providing apparatus is password authentication, password authentication information with which the possession of the password can be confirmed, from the password, and to send an authentication response that includes the password authentication information, the authentication method, and the user ID to the service providing apparatus;
  
  to calculate, if the authentication method identified from the authentication policy is public key authentication, a signature 1 for the authentication method, the user ID, and a challenge included in the authentication request, and to send an authentication response that includes the signature 1, the authentication method, and the user ID to the service providing apparatus; and
  
  to calculate, if the authentication method identified from the authentication policy is public-key-and-password combination authentication, a signature 2 for the authentication method, the user ID, the challenge included in the authentication request, and the password, and to send an authentication response that includes the signature 2, the authentication method, and the user ID to the service providing apparatus; and
  
  the client authentication information management unit has a service information registration function to register service information that includes the user ID, the public key, the private key, and a server certificate, in the service information database;
- View Dependent Claims (4, 6, 13)
- - 4. The key device according to claim 2,wherein the client authentication unit stores an authentication method correspondence table that includes an authentication method registered for each authentication policy made up of a combination of a degree of authentication strength and a level of consent confirmation;
    - andin the authentication response function, the client authentication unit reads from the authentication method correspondence table all authentication methods corresponding to the authentication policy included in the authentication request sent from the service providing apparatus, and specifies a user-selected authentication method or an executable authentication method among all the authentication methods as the authentication method identified from the authentication policy.
  - 6. The key device according to claim 4, wherein, in the user information transmission function, the client authentication unit obtains a signature for a user policy serving as a user-requested authentication policy, the user ID, the password, the user attribute, and the public key generated by the key generation unit, by using the private key generated corresponding to the public key in the key generation unit, and sends user information that includes the user policy, the user ID, the password, the user attribute, the public key, and the signature to the service providing apparatus.
  - 13. A user authentication system comprising:
    - the key device according to claim 2;
      
      a client device connected to the key device;
      
      the service providing apparatus according to claim 7; and
      
      a network connecting the client device and the service providing apparatus.

7. A service providing apparatus connected through a network to a client device, the service providing apparatus comprising:
- a service-providing-apparatus authentication information management unit that holds a user information database storing a user ID, a password, a user attribute, and a public key in association with each user;
  
  a service providing unit; and
  
  a service-providing-apparatus authentication unit;
  
  wherein the service-providing-apparatus authentication unit has a registration request response function to send server authentication information that includes a server certificate and a signature to the client device in response to a user registration request sent from the client device;
  
  the service-providing-apparatus authentication unit has a user registration function to receive user information from the client device, to verify a signature, and, if the verification is successful, and to allow the service-providing-apparatus authentication information management unit to register user information that includes a user ID, a password, a user attribute, and a public key, in the user information database and to send a message indicating a successful user registration to the client device;
  
  the service-providing-apparatus authentication unit has a service request response function to send to the client device in response to a request for a service, sent from the client device, an authentication request that includes an authentication policy indicating an authentication method of the service, a server certificate, and a signature;
  
  the service-providing-apparatus authentication unit has an authentication processing function to receive an authentication response from the client device, to confirm an authentication method included in the authentication response, and, if the confirmation is successful, to allow the service-providing-apparatus authentication information management unit to identify an entry corresponding to a user ID included in the authentication response and to perform authentication processing corresponding to the confirmed authentication method; and
  
  the service providing unit has a service providing function to judge whether the service can be provided and to provide the service if the service can be provided.
- View Dependent Claims (8, 9, 10, 11, 14, 15, 16, 17)
- - 8. The service providing apparatus according to claim 7,wherein the authentication policy indicates whether the authentication method of the service is password authentication, public key authentication, or public-key-and-password combination authentication;
    - andin the authentication processing function, verification is performed in the following way as the authentication processing corresponding to the authentication method;
      
      if the confirmed authentication method is password authentication, a password is obtained from the entry corresponding to the user ID included in the authentication response and is collated with a password or password authentication information included in the authentication response;
      
      if the confirmed authentication method is public key authentication, a public key is obtained from the entry, and the validity of a signature 1 included in the authentication response is confirmed; and
      
      if the confirmed authentication method is public-key-and-password combination authentication, a public key is obtained from the entry, and the validity of a signature 2 included in the authentication response is confirmed.
  - 9. The service providing apparatus according to claim 7, further comprising:
    - an authentication information conversion unit that holds an authentication information conversion database storing a user ID, a password, and a public key in association with each user;
      
      wherein the service-providing-apparatus authentication information management unit serves as a component holding the user information database storing a user ID, a password, and a user attribute in association with each user;
      
      in the user registration function, when the service-providing-apparatus authentication unit receives the user information from the client device and verifies the signature, if the verification is successful, the service-providing-apparatus authentication information management unit registers the user ID, the password, and the user attribute, of the user information, in the user information database, and the authentication information conversion unit registers the user ID, the password, and the public key, of the user information, in the authentication information conversion database and sends a message indicating a successful user registration to the client device; and
      
      in the authentication processing function, verification is performed in the following way;
      
      when the service-providing-apparatus authentication unit receives the authentication response from the client device and confirms the authentication method included in the authentication response and when the confirmation is successful, if the confirmed authentication method is password authentication, a password or password authentication information is obtained from the authentication response;
      
      if the confirmed authentication method is public key authentication, the authentication information conversion unit identifies a corresponding user entry by searching the authentication information conversion database in accordance with the user ID included in the authentication response, confirms the validity of a signature 1 included in the authentication response by obtaining a public key, and obtains a password from the entry; and
      
      if the confirmed authentication method is public-key-and-password combination authentication, the authentication information conversion unit identifies the corresponding user entry by searching the authentication information conversion database in accordance with the user ID included in the authentication response, obtains the public key and confirms the validity of a signature 2 included in the authentication response, and obtains the password from the entry, and the service-providing-apparatus authentication information management unit identifies a corresponding user entry by searching the user information database in accordance with the user ID included in the authentication response and collates a password of the entry and the password obtained by the authentication information conversion unit.
  - 10. The service providing apparatus according to claim 7, wherein, in the service request response function, the authentication policy sent to the client device indicates a combination of a degree of authentication strength and a level of consent confirmation.
  - 11. The service providing apparatus according to claim 10,wherein, in the user registration function, when the service-providing-apparatus authentication unit receives the user information from the client device and verifies the signature, if the verification is successful, the service-providing-apparatus authentication information management unit registers user information that includes a user policy, the user ID, the password, the user attribute, and the public key, in the user information database, and sends a message indicating a successful user registration to the client device;
    - andin the service request response function, the service-providing-apparatus authentication unit determines, in response to the request for the service sent from the client device, the authentication policy from the user policy and a service policy serving as an authentication policy corresponding to the service, and sends to the client device an authentication request that includes the determined authentication policy, the server certificate, and the signature.
  - 14. A user authentication system comprising:
    - the client device according to claim 3;
      
      the service providing apparatus according to claim 10; and
      
      a network connecting the client device and the service providing apparatus.
  - 15. A user authentication system comprising:
    - the client device according to claim 4;
      
      a client device connected to the key device;
      
      the service providing apparatus according to claim 10; and
      
      a network connecting the client device and the service providing apparatus.
  - 16. A user authentication system comprising:
    - the client device according to claim 5;
      
      the service providing apparatus according to claim 11; and
      
      a network connecting the client device and the service providing apparatus.
  - 17. A user authentication system comprising:
    - the key device according to claim 6;
      
      a client device connected to the key device;
      
      the service providing apparatus according to claim 11; and
      
      a network connecting the client device and the service providing apparatus.

18. A user authentication method for authenticating a user with a client device and a service providing apparatus being operated and connected by a network, the user authentication method comprising:
- a registration request step in which the client device sends a user registration request to the service providing apparatus;
  
  a registration request response step in which the service providing apparatus sends server authentication information that includes a server certificate and a signature to the client device in response to the user registration request;
  
  an authentication information verification step in which the client device verifies the server authentication information;
  
  a user information transmission step in which the client device obtains a signature for a user ID, a password, a user attribute, and a public key, by using a private key generated corresponding to the public key, and sends user information that includes the user ID, the password, the user attribute, the public key, and the signature, to the service providing apparatus;
  
  a user registration step in which the service providing apparatus verifies the signature in the user information and, if the verification is successful, registers user information that includes the user ID, the password, the user attribute, and the public key and sends a message indicating a successful user registration to the client device;
  
  a service information registration step in which the client device registers service information that includes the user ID, the public key, the private key, and the server certificate, in a service information database;
  
  a service request step in which the client device sends a service request to the service providing apparatus;
  
  a service request response step in which the service providing apparatus sends to the client device in response to a request for a service an authentication request that includes an authentication policy indicating an authentication method of the service, a server certificate, and a signature;
  
  an authentication request verification step in which the client device verifies the authentication request;
  
  an authentication response step in which the client device calculates an authentication response corresponding to the authentication method determined with reference to the authentication policy included in the authentication request and sends the result to the service providing apparatus;
  
  an authentication processing step in which the service providing apparatus confirms the authentication method included in the authentication response and, if the confirmation is successful, performs authentication processing in accordance with the confirmed authentication method; and
  
  a service provision step in which the service providing apparatus judges whether the service can be provided and provides the service if the service can be provided.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The user authentication method according to claim 18,wherein the authentication policy indicates whether the authentication method of the service is password authentication, public key authentication, or public-key-and-password combination authentication;
    - in the authentication response step, if the authentication method determined with reference to the authentication policy is password authentication, password authentication information with which the possession of the password can be confirmed is calculated from the password, and an authentication response that includes the password authentication information, the authentication method, and the user ID is sent to the service providing apparatus;
      
      if the authentication method determined with reference to the authentication policy is public key authentication, a signature 1 is calculated for the authentication method, the user ID, and a challenge included in the authentication request, and an authentication response that includes the signature 1, the authentication method, and the user ID is sent to the service providing apparatus; and
      
      if the authentication method determined with reference to the authentication policy is public-key-and-password authentication, a signature 2 is calculated for the authentication method, the user ID, the challenge included in the authentication request, and the password, and an authentication response that includes the signature 2, the authentication method, and the user ID is sent to the service providing apparatus;
      
      in the authentication processing step performed by the service providing apparatus, verification is performed in the following way as the authentication processing determined by the authentication method;
      
      if the confirmed authentication method is password authentication, the password corresponding to the user ID is obtained and collated with the password or password authentication information included in the authentication response;
      
      if the confirmed authentication method is public-key authentication, the public key corresponding to the user ID is obtained, and the validity of the signature 1 included in the authentication response is confirmed; and
      
      if the confirmed authentication method is public-key-and-password combination authentication, the public key corresponding to the user ID is obtained, and the validity of the signature 2 included in the authentication response is confirmed.
  - 20. The user authentication method according to claim 18,wherein, in the user registration step, the service providing apparatus verifies the signature in the user information and, if the verification is successful, registers the user ID, the password, and the user attribute, of the user information, in a user information database, registers the user ID, the password, and the public key, of the user information, in an authentication information conversion database, and sends a message indicating a successful user registration, to the client device;
    - andin the authentication processing step, the service providing apparatus confirms the authentication method included in the authentication response and when the confirmation is successful, verification is performed in the following way;
      
      if the confirmed authentication method is password authentication, a password or password authentication information is obtained from the authentication response;
      
      if the confirmed authentication method is public key authentication, the authentication information conversion database is searched in accordance with a user ID included in the authentication response to obtain a public key corresponding to the user ID, the validity of a signature 1 included in the authentication response is confirmed, and a password corresponding to the user ID is obtained; and
      
      if the confirmed authentication method is public-key-and-password combination authentication, the authentication information conversion database is searched in accordance with the user ID included in the authentication response to obtain the public key corresponding to the user ID, the validity of a signature 2 included in the authentication response is confirmed, the password corresponding to the user ID is obtained; and
      
      the password is collated with the password corresponding to the user ID, obtained by searching the user information database in accordance with the user ID included in the authentication response.
  - 21. The user authentication method according to claim 18,wherein, in the authentication response step, a selected or executable authentication method of authentication methods corresponding to the authentication policy included in the authentication request is specified as the authentication method identified from the authentication policy;
    - andin the service request response step, the authentication policy sent to the client device indicates a combination of a degree of authentication strength and a level of consent confirmation.
  - 22. The user authentication method according to claim 21, wherein, in the user information transmission step, the client device obtains a signature for a user policy serving as a user-requested authentication policy, the user ID, the password, the user attribute, and the public key, by using the private key generated corresponding to the public key, and sends user information that includes the user policy, the user ID, the password, the user attribute, the public key, and the signature to the service providing apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Takahashi, Kenji, Karasawa, Kei, Tsuruoka, Yukio, Orihara, Shingo

Granted Patent

US 8,352,743 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/33   using certificates

G06F 21/445   by mutual authentication, e...

G06Q 30/06   Buying, selling or leasing ...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3273   for mutual authentication n...

CLIENT DEVICE, KEY DEVICE, SERVICE PROVIDING APPARATUS, USER AUTHENTICATION SYSTEM, USER AUTHENTICATION METHOD, PROGRAM, AND RECORDING MEDIUM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

CLIENT DEVICE, KEY DEVICE, SERVICE PROVIDING APPARATUS, USER AUTHENTICATION SYSTEM, USER AUTHENTICATION METHOD, PROGRAM, AND RECORDING MEDIUM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links