1. Field of the Invention
The present invention relates to an authentication technology enabling a server to verify whether a client connected to the server via a network has valid authorization to access services on the server.
2. Description of the Related Art
Most servers providing services to client computers that are connected thereto via a network have a process for determining, prior to providing these services, whether the client has proper access privileges for these services or whether the client computer is currently being operated by a user having proper access privileges for the services. This process is called client authentication.
Pages 353–359 of “Microsoft Internet Information Server Resource Kit”, issued by Microsoft Corporation of the U.S., describe the client authentication functions of the Microsoft Internet Information Server (hereinafter abbreviated to IIS; “Microsoft” is a trademark of Microsoft Corporation). The IIS has a system for client authentication called Basic Authentication. In Basic Authentication, an account is assigned to the user who accesses the server using a client, and the set of accounts authorized to access each file stored on the server is determined in advance.
When receiving a request from a client for a file on the server, the server requests the user to input a user ID and password. Based on the inputted user ID and password, the server identifies the user's account, determines whether the requested file can be accessed by that account, and provides the requested file to the client computer when access is authorized.
Authentication methods such as Basic Authentication in IIS are extremely common. In fact, nearly all applications using the Web, whether via the Internet or an intranet, employ authentication methods similar to Basic Authentication for restricting user access.
The following two problems exist in client authentication using user accounts, such as Basic Authentication in IIS.
(1) Management of user accounts places heavy maintenance and operation cost on the server
(2) User anonymity on the server end is not guaranteed
Next, these problems will be described in greater detail.
In client authentication using user accounts, it is essential that the server can identify the user's account. This means that the server must manage the user accounts and therefore must have a database for managing them. This database must be modified daily in response to the addition and deletion of accounts, resulting in considerable maintenance and operating costs.
When many servers perform the same client authentication process, a main server (account server) is provided for managing the user accounts, and each server refers to the main server for account information. This method incurs increased communication costs and raises security problems between the individual servers and the account server. In addition, users must reveal their accounts to the server, which means that the history of service usage by each user is exposed to the server.
Considering the innumerable cases of abusing private data collected on servers in today's society, it is inevitable that this method poses a large risk for users.
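The Basic Authentication exchange described above, together with the two problems it raises, as an added illustration (not code from the patent or from IIS): the client encodes its user ID and password into the Authorization header, and the server must hold its own account table to check them, seeing exactly which account requested which file. The account names, passwords, salt and file paths are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the server-side account database the text describes.
# The server itself has to hold and maintain this table (problem 1).
_SALT = b"constructed-salt-16b"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ACCOUNTS = {
    "alice": {"pw": _hash_password("correct horse", _SALT), "files": {"/reports/q1.txt"}},
    "bob":   {"pw": _hash_password("battery staple", _SALT), "files": set()},
}

def make_basic_header(user: str, password: str) -> str:
    """Client side: Authorization header value, base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: decode the header; return (user, password) or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def authorize(header: Optional[str], path: str) -> int:
    """Return the HTTP status the server answers with: 401, 403 or 200."""
    if header is None:
        return 401  # challenge: server requests a user ID and password
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    user, password = creds
    account = ACCOUNTS.get(user)
    # Hash for unknown users too, so response timing does not reveal which IDs exist.
    expected = account["pw"] if account else bytes(32)
    if not hmac.compare_digest(_hash_password(password, _SALT), expected) or account is None:
        return 401
    # At this point the server knows the user's identity and the file requested (problem 2).
    return 200 if path in account["files"] else 403
```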