CLIENT DEVICE, KEY DEVICE, SERVICE PROVIDING APPARATUS, USER AUTHENTICATION SYSTEM, USER AUTHENTICATION METHOD, PROGRAM, AND RECORDING MEDIUM
Abstract
In a user authentication system according to the present invention, at user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key corresponding to the public key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other. When a request for a service is made, the client device allows authentication processing by sending to the service providing apparatus an authentication response that includes the user ID together with password authentication information, a signature for a challenge sent from the service providing apparatus, or a signature for the password and the challenge, irrespective of whether the authentication method for the service is password authentication, public key authentication, or public-key-and-password combination authentication.
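As an added illustration (not code from the patent), the authentication phase described above in Go: the client's authentication response function on one side and the service providing apparatus's authentication processing function on the other, with the user information database reduced to a map. The method names "password", "pubkey" and "combo", the zero-byte field encoding, and keying the password proof over the challenge (the claims only say it is computed from the password) are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed encoding: fields joined by a zero byte (length-prefix them in practice).
func msg(parts ...[]byte) []byte { return bytes.Join(parts, []byte{0}) }

// User information database entry; the claims keep the password itself beside the public key.
type User struct{ Password, Pub []byte }

// pwProof: password authentication information, keyed over the challenge so it cannot be replayed.
func pwProof(pw, challenge []byte) []byte {
	m := hmac.New(sha256.New, pw)
	m.Write(challenge)
	return m.Sum(nil)
}

// authMsg is the data the client signs; the combination method also covers the password.
func authMsg(method, id string, challenge, pw []byte) []byte {
	if method == "combo" {
		return msg([]byte(method), []byte(id), challenge, pw) // data under signature 2
	}
	return msg([]byte(method), []byte(id), challenge) // data under signature 1
}

// Respond is the client's authentication response function for the method the policy names.
func Respond(method, id string, pw, challenge []byte, priv ed25519.PrivateKey) []byte {
	if method == "password" {
		return pwProof(pw, challenge)
	}
	return ed25519.Sign(priv, authMsg(method, id, challenge, pw)) // signature 1 or signature 2
}

// Verify is the server's authentication processing function. The method in the response must
// equal the policy issued for the service, so a public key policy cannot be answered with a
// password proof; only then is the proof checked against the stored entry.
func Verify(db map[string]User, policy, method, id string, challenge, proof []byte) bool {
	u, ok := db[id]
	if !ok || method != policy {
		return false
	}
	if method == "password" {
		return hmac.Equal(pwProof(u.Password, challenge), proof)
	}
	return ed25519.Verify(u.Pub, authMsg(method, id, challenge, u.Password), proof)
}
```

Registration (the signed user information that binds the password to the public key) is not shown; the map entry stands in for its result.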
Claims (24 claims; 91 citations)
1. A client device connected through a network to a service providing apparatus, the client device comprising:
a client authentication information management unit that holds a service information database storing a user ID, a public key, a private key, and a server certificate in association with each service;
a control unit;
a client authentication unit; and
a key generation unit;
wherein the control unit has a request function to send a user registration request and a service request to the service providing apparatus;
the client authentication unit has a server authentication function to verify server authentication information and an authentication request sent from the service providing apparatus;
the client authentication unit has a user information transmission function to obtain a signature for a user ID, a password, a user attribute, and a public key generated by the key generation unit, by using a private key generated corresponding to the public key in the key generation unit, and to send to the service providing apparatus user information that includes the user ID, the password, the user attribute, the public key, and the signature;
the client authentication information management unit has a service information registration function to register service information that includes the user ID, the public key, the private key, and a server certificate, in the service information database; and
the client authentication unit has an authentication response function to calculate, if an authentication method identified from an authentication policy included in the authentication request sent from the service providing apparatus is password authentication, password authentication information with which the possession of the password can be confirmed, from the password, and to send an authentication response that includes the password authentication information, the authentication method, and the user ID to the service providing apparatus;
to calculate, if the authentication method identified from the authentication policy is public key authentication, a signature 1 for the authentication method, the user ID, and a challenge included in the authentication request, and to send an authentication response that includes the signature 1, the authentication method, and the user ID to the service providing apparatus; and
to calculate, if the authentication method identified from the authentication policy is public-key-and-password combination authentication, a signature 2 for the authentication method, the user ID, the challenge included in the authentication request, and the password, and to send an authentication response that includes the signature 2, the authentication method, and the user ID to the service providing apparatus.
(Dependent claims: 3, 5, 12, 23, 24)
2. A key device connected to a client device connected through a network to a service providing apparatus, the key device comprising:
a client authentication information management unit that holds a service information database storing a user ID, a public key, a private key, and a server certificate in association with each service;
a client authentication unit; and
a key generation unit;
wherein the client authentication unit has a server authentication function to verify server authentication information and an authentication request sent from the service providing apparatus;
the client authentication unit has a user information transmission function to obtain a signature for a user ID, a password, a user attribute, and a public key generated by the key generation unit, by using a private key generated corresponding to the public key in the key generation unit, and to send to the service providing apparatus user information that includes the user ID, the password, the user attribute, the public key, and the signature;
the client authentication unit has an authentication response function to calculate, if an authentication method identified from an authentication policy included in the authentication request sent from the service providing apparatus is password authentication, password authentication information with which the possession of the password can be confirmed, from the password, and to send an authentication response that includes the password authentication information, the authentication method, and the user ID to the service providing apparatus;
to calculate, if the authentication method identified from the authentication policy is public key authentication, a signature 1 for the authentication method, the user ID, and a challenge included in the authentication request, and to send an authentication response that includes the signature 1, the authentication method, and the user ID to the service providing apparatus; and
to calculate, if the authentication method identified from the authentication policy is public-key-and-password combination authentication, a signature 2 for the authentication method, the user ID, the challenge included in the authentication request, and the password, and to send an authentication response that includes the signature 2, the authentication method, and the user ID to the service providing apparatus; and
the client authentication information management unit has a service information registration function to register service information that includes the user ID, the public key, the private key, and a server certificate, in the service information database.
(Dependent claims: 4, 6, 13)
7. A service providing apparatus connected through a network to a client device, the service providing apparatus comprising:
a service-providing-apparatus authentication information management unit that holds a user information database storing a user ID, a password, a user attribute, and a public key in association with each user;
a service providing unit; and
a service-providing-apparatus authentication unit;
wherein the service-providing-apparatus authentication unit has a registration request response function to send server authentication information that includes a server certificate and a signature to the client device in response to a user registration request sent from the client device;
the service-providing-apparatus authentication unit has a user registration function to receive user information from the client device, to verify a signature, and, if the verification is successful, to allow the service-providing-apparatus authentication information management unit to register user information that includes a user ID, a password, a user attribute, and a public key, in the user information database and to send a message indicating a successful user registration to the client device;
the service-providing-apparatus authentication unit has a service request response function to send to the client device, in response to a request for a service sent from the client device, an authentication request that includes an authentication policy indicating an authentication method of the service, a server certificate, and a signature;
the service-providing-apparatus authentication unit has an authentication processing function to receive an authentication response from the client device, to confirm an authentication method included in the authentication response, and, if the confirmation is successful, to allow the service-providing-apparatus authentication information management unit to identify an entry corresponding to a user ID included in the authentication response and to perform authentication processing corresponding to the confirmed authentication method; and
the service providing unit has a service providing function to judge whether the service can be provided and to provide the service if the service can be provided.
(Dependent claims: 8, 9, 10, 11, 14, 15, 16, 17)
18. A user authentication method for authenticating a user with a client device and a service providing apparatus being operated and connected by a network, the user authentication method comprising:
a registration request step in which the client device sends a user registration request to the service providing apparatus;
a registration request response step in which the service providing apparatus sends server authentication information that includes a server certificate and a signature to the client device in response to the user registration request;
an authentication information verification step in which the client device verifies the server authentication information;
a user information transmission step in which the client device obtains a signature for a user ID, a password, a user attribute, and a public key, by using a private key generated corresponding to the public key, and sends user information that includes the user ID, the password, the user attribute, the public key, and the signature, to the service providing apparatus;
a user registration step in which the service providing apparatus verifies the signature in the user information and, if the verification is successful, registers user information that includes the user ID, the password, the user attribute, and the public key and sends a message indicating a successful user registration to the client device;
a service information registration step in which the client device registers service information that includes the user ID, the public key, the private key, and the server certificate, in a service information database;
a service request step in which the client device sends a service request to the service providing apparatus;
a service request response step in which the service providing apparatus sends to the client device, in response to a request for a service, an authentication request that includes an authentication policy indicating an authentication method of the service, a server certificate, and a signature;
an authentication request verification step in which the client device verifies the authentication request;
an authentication response step in which the client device calculates an authentication response corresponding to the authentication method determined with reference to the authentication policy included in the authentication request and sends the result to the service providing apparatus;
an authentication processing step in which the service providing apparatus confirms the authentication method included in the authentication response and, if the confirmation is successful, performs authentication processing in accordance with the confirmed authentication method; and
a service provision step in which the service providing apparatus judges whether the service can be provided and provides the service if the service can be provided.
(Dependent claims: 19, 20, 21, 22)