1. Field of the Invention
The present invention relates to a device for authenticating user's access rights to resources.
2. Discussion of the Related Art
Program execution control technologies are known in the field to which the present invention belongs. The program execution control technologies are technologies to:
1. Embed a routine for user authentication during the use of an application program; PA1 2. Have the routine examine whether the user attempting execution of the application possesses a key for proper authentication; and PA1 3. Continue the program only when the existence of the key for authentication is verified, otherwise to halt execution. PA1 1. The user authentication routine generates and transmits an appropriate number to the hardware in which the key is embedded. PA1 2. The hardware in which the key is embedded encrypts the number using the embedded authentication key and transmits it back to the authentication routine. PA1 3. The authentication routine determines whether or not the number transmitted back is the number expected beforehand, or, in other words, the number obtained by encrypting the number with a correct authentication key. PA1 4. If the number transmitted back coincides with the expected number, the execution of the program is continued, otherwise the execution is halted. PA1 5. In this case, communication between the application program and the hardware in which the authentication key is embedded must be different for each execution even if it is between the same location in the same application with the same hardware.
By using these technologies, execution of the application program is enabled only for proper users having the authentication key. The technologies are commercialized in the software marketing field, two examples being Sentine/SuparPro (trade mark) from Rainbow Technologies, Inc. and HASP (trade mark) from Aladdin Knowledge Systems, Ltd.
In the use of program execution control technologies, a user who executes software possesses an authentication key as user identification information. The authentication key is a key for encryption and is distributed to the user by a party who allows use of software, a software vender, for example. The authentication key is securely sealed in a memory, or the like, of hardware to prevent duplication, and is delivered to the user using physical means such as the postal service. The user mounts personal computer/workstation using a designated method. When the user starts up the application program and when the execution of the program reaches the user authentication routine, the program communicates with the hardware in which the authentication key of the user is embedded. Based on the results of the communication, the program identifies the authentication key, and moves the execution to the following step upon confirmation of existence of the correct authentication key. If the communication fails and the verification of the existence of the authentication key is not established, the program stops automatically, discontinuing the execution of subsequent steps.
Identification of the authentication key by the user authentication routine is executed according to the following protocol, for example:
Otherwise, a user who does not possess the correct authentication key may be able to execute the program by recording once the content of communication during the normal execution process, and by responding to the application program according to the recording each time the subsequent program is executed. Such improper execution of the application program by replaying the communication content is called a replay attack.
In order to prevent a replay attack, in general, a random number is generated and used for each communication as the number to be transmitted to the hardware in which the key is embedded.