1. Field of the Invention
The present invention relates to a technology for an authentication processing for authenticating a communication party or a user in an information communication system.
2. Description of the Related Art
Conventionally, when an authenticator (server) authenticates a party to be authenticated (user), a password authentication method is widely used, in which the server requests the user to input a password, and authenticate the user with a validity of the input password. In addition, to secure a safety, a one-time password method in which a password valid for only one authentication is used, or an authentication method in which authentication information created from a password is used instead of the password itself is used.
A simple and secure password authentication protocol Ver. 2 (SAS-2) authentication method is an example of the password authentication method in which a server authenticates a user based on following procedures (see, for example, Information and Communication Engineers, OIS2002-30, Vol. 102, No. 314, pp. 7-11, 2002, The Institute of Electronics, “Simple and secure password authentication protocol, Ver. 2 (SAS-2)” by Takasuke Tsuji, et. al.). FIG. 10 and FIG. 11 are flowcharts of a processing procedure for a user authentication in the SAS-2 authentication method.
In the following explanation, “←” indicates a substitution to a left-hand side by a right-hand side, “S” represents a password that is privately held by a user, “ID” represents an identifier for a user, “XOR” represents an exclusive-OR operator, “n” is the number of authentication, and “Nn” is a random number (n is a positive integer equal to or greater than “1”, and is used for specifying the random number). In addition, “F” and “H” represent one-way functions that do not use the password S, “X” is a one-way function that uses the password S and the random number Nn, and Xn=X(ID, S XOR Nn).
Initially, a user makes a registration in a server from which the user wants to get an authentication (hereinafter, the operation of the registration is referred to as “an initial registration”). FIG. 10 is a flowchart of the initial registration of a user, according to the conventional technology. The user possesses a user identifier ID and a password S in advance.
The user creates a random number N1 and stores the created random number N1 (step S1001). The user calculates initial authentication information A1 defined by Equation 1 using the random number N1, the password S that is held privately, and the user identifier ID (step S1002), and transmits the authentication information A1 with the user identifier ID via a safe means (step S1003). The safe means includes a dedicated line for the authentication information, and a mailing of a recording medium in which the authentication information is stored. The authentication information A1 is authentication information used for the first time (n=1) authentication.A1←X1(ID, S XOR N1)  (1)
The server stores the authentication information A1 in association with the user identifier ID, which is transmitted at step S1003 (step S1004). In this manner, the initial registration of the user is completed.
FIG. 11 is a flowchart of an nth time authentication after the first time (n=1) authentication, according to the conventional technology. At this moment, the user possesses ID, S, and Nn, and the server holds ID and An (at the time of the first time authentication, n=1). The user calculates An defined by Equation 2, from the stored random number Nn (step S1101).An←Xn(ID, S XOR Nn)  (2)
Then, the user creates a new random number Nn+1 and stores the created random number Nn+1, or takes An as Nn+1 and stores Nn+1 (step S1102). Subsequently, C and D defined by Equations 3 and 4, respectively, are calculated using Nn+1, and α, AND β defined by Equations 5 and 6, respectively, are calculated using C, D, and An (step S1103).C←Xn(ID, S XOR Nn+1)  (3)D←F(ID, C)  (4)α←C XOR (D+An)  (5)β←D XOR An  (6)
Finally, the user transmits calculated α AND β together with ID to the server (step S1104). At this time, An is current authentication information used for a current authentication process, C is next authentication information to be used for a next authentication process, and D is another next authentication information obtained by unidirectional conversion of the next authentication information C.
Upon receiving α AND β from the user, the server calculates D defined by Equation 7 using the current authentication information An that is registered corresponding to ID, and calculates C defined by Equation 8 using calculated D and the current authentication information, with respect to received α AND β (step S1105).D←β XOR An  (7)C←α XOR (D+An)  (8)
Thereafter, the server carries out a unidirectional conversion of C calculated from Equation 8 with ID, and verifies if a result of the unidirectional conversion is identical to D (F(ID, C)=D?) (step S1106). If the result of the unidirectional conversion is identical to D (“YES” at step S1106), the server authenticates the user (authentication complete), and stores the next authentication information C as authentication information to be used for the next ((n+1)th) authentication (step S1107).
On the other hand, if the result of the unidirectional conversion is not identical to D (“NO” at step S1106), the server denies the authentication of the user (step S1108), and ends the process of the flowchart. By carrying out the above process, the server determines whether to authenticate a user who calls for an authentication.
According to the above conventional technology, the authentication process is carried out based on transmission information that is mask-processed using the current authentication information A that is registered in the server. Therefore, it is possible to create the transmission information with ease by stealing the current authentication information stored in the server, and as a result, a malice third party can carry out an illegal authentication.
In particular, a server installed in a public place or a server installed by a person who does not have enough knowledge of a security is apt to be a target of a malice, and the current authentication information can be easily stolen. In addition, when there is a malice on the server side, the malice can take on the position of a legal user to be authenticated by using the current authentication information stored in the server.
Furthermore, if the malice can succeed to obtain an illegal authentication by taking on the position of the legal user, private information can be leak, or information of the legal user can be illegally modified. Once information is disclosed, it cannot be returned to a private state, resulting in a serious damage to both the authenticator and the user.