1. Field of the Invention
The present invention relates to an authentication system and an authentication method between a client terminal and a server which are connected through a network.
2. Description of the Related Art
In the related art, as disclosed in PTL 1 (Japanese Patent No. 4693171), when a server which provides an on-line service (for example, on-line banking) provides various services to one or more client terminals connected through a network (for example, the Internet), the server verifies whether a terminal requesting a service is a client terminal that was approved in advance.
An authentication system disclosed in PTL 1 includes an on-line service server which provides an on-line service, an information terminal apparatus which receives the provision of the on-line service, a one-time password server which executes processes related to login authentication of the information terminal apparatus in the on-line service server and transaction content authentication in the on-line service, and a mobile terminal apparatus which is carried by a user who receives the on-line service of the information terminal apparatus and which displays a one-time password used for the login authentication and the transaction content authentication.
In this authentication system, the mobile terminal apparatus sends the one-time password server separate acquisition requests for the one-time password for the login authentication and the one-time password for the transaction content authentication, both of which are required when the information terminal apparatus receives an on-line service from the on-line service server. The mobile terminal apparatus then receives the two one-time passwords from the one-time password server and displays them.
The information terminal apparatus transmits a login authentication screen acquisition request to the on-line service server, and receives and displays a login authentication screen, including a challenge generated in the one-time password server, according to an instruction transmitted from the on-line service server to the one-time password server. The information terminal apparatus transmits the received challenge to the mobile terminal apparatus, and receives the one-time password for the login authentication, which is generated using the challenge, from the mobile terminal apparatus.
In addition, the information terminal apparatus transmits a transaction authentication screen acquisition request, including the transaction content, to the on-line service server. According to the instruction transmitted from the on-line service server to the one-time password server, the information terminal apparatus receives and displays the transaction authentication screen, to which the transaction content and transaction preparation information are added. The transaction preparation information is the set of the transaction content and the one-time password for the transaction content authentication, generated by the one-time password server, encrypted using a common key shared by the one-time password server and the mobile terminal apparatus.
Further, the information terminal apparatus transmits the transaction preparation information to the mobile terminal apparatus, which decrypts it using the common key shared with the one-time password server; the information terminal apparatus then receives the one-time password for the transaction content authentication obtained in this way from the mobile terminal apparatus. The authentication system disclosed in PTL 1 therefore generates the one-time password for the login authentication and the one-time password for the transaction content authentication separately. Consequently, even if the one-time password for the login authentication leaks out through, for example, spyware, a malicious third party who illegally uses that leaked one-time password cannot falsify the transaction content, as long as the one-time password for the transaction content authentication does not leak out.
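As an added illustration (not code from PTL 1 or from the original page), the following Python models the related-art flow just described: a challenge-bound one-time password for login, a separate server-generated one-time password for transaction authentication that leaves the one-time password server only inside preparation information encrypted under the common key, and the mobile terminal decrypting that information and showing the transaction content to the user. The HMAC-based OTP derivation, the encrypt-then-MAC keystream construction standing in for the unspecified common-key cipher, the `otp|content` message layout and the constructed keys are all assumptions of this example, chosen so it runs with the standard library only.

```python
"""Model of the split one-time-password flow in the related art (added example)."""
import hashlib
import hmac
import os

# Constructed secrets: an OTP seed shared by the one-time password server and the
# mobile terminal, and the common key shared only by those two parties (assumed).
OTP_SEED = b"constructed-otp-seed"
COMMON_KEY = b"constructed-common-key"
NONCE_LEN, TAG_LEN = 16, 32


def _otp_from(seed, material, digits=6):
    # Numeric OTP bound to `material` via HMAC-SHA256 (assumed derivation).
    mac = hmac.new(seed, material, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    # Encrypt-then-MAC with an HMAC keystream: a stdlib stand-in for the common-key cipher.
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("transaction preparation information failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class OneTimePasswordServer:
    def __init__(self):
        self.challenges = set()
        self.transactions = {}  # transaction content -> transaction OTP

    def issue_login_challenge(self):
        challenge = os.urandom(8)  # placed on the login authentication screen
        self.challenges.add(challenge)
        return challenge

    def verify_login(self, challenge, otp):
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)  # each challenge is single use
        return hmac.compare_digest(otp, _otp_from(OTP_SEED, b"login|" + challenge))

    def prepare_transaction(self, content):
        # The transaction OTP is generated here and tied to this content; it is
        # released only inside the encrypted transaction preparation information.
        otp = str(int.from_bytes(os.urandom(4), "big") % 10**6).zfill(6)
        self.transactions[content] = otp
        return encrypt(COMMON_KEY, otp.encode() + b"|" + content)

    def verify_transaction(self, content, otp):
        expected = self.transactions.pop(content, None)
        return expected is not None and hmac.compare_digest(otp, expected)


class MobileTerminal:
    def login_otp(self, challenge):
        return _otp_from(OTP_SEED, b"login|" + challenge)

    def transaction_otp(self, preparation_info):
        # Decrypt with the common key; the returned content is what the user sees
        # on the mobile terminal and can compare with the intended transaction.
        otp, content = decrypt(COMMON_KEY, preparation_info).split(b"|", 1)
        return otp.decode(), content


def run_flow(content, falsified_content):
    """Run login and transaction authentication; report the outcome of each check."""
    server, mobile = OneTimePasswordServer(), MobileTerminal()
    challenge = server.issue_login_challenge()   # relayed by the information terminal
    login_otp = mobile.login_otp(challenge)
    prep = server.prepare_transaction(content)   # added to the transaction screen
    txn_otp, shown = mobile.transaction_otp(prep)
    server.prepare_transaction(falsified_content)  # a pending, falsified transaction
    try:  # preparation information altered in transit is rejected by the mobile terminal
        decrypt(COMMON_KEY, prep[:-1] + bytes([prep[-1] ^ 1]))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "login_ok": server.verify_login(challenge, login_otp),
        "replayed_login_rejected": not server.verify_login(challenge, login_otp),
        "mobile_shows_intended_content": shown == content,
        "transaction_ok": server.verify_transaction(content, txn_otp),
        "login_otp_cannot_approve_transaction":
            not server.verify_transaction(falsified_content, login_otp),
        "tampered_preparation_info_detected": tamper_detected,
    }
```

Calling `run_flow(b"pay 100 to alice", b"pay 9999 to mallory")` exercises the property the description relies on: the leaked login one-time password is useless for approving a transaction, because transaction approval requires the separately generated one-time password that only the holder of the common key can recover from the preparation information.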