U.S. patent application number 10/081551 was filed with the patent office on 2003-06-12 for a one-time logon method for distributed computing systems.
This patent application is currently assigned to Hitachi, Ltd. The invention is credited to Aoshima, Tatsundo; Takeda, Kei; and Tasaka, Mitsunobu.
Application Number: 20030110381 (10/081551)
Family ID: 19184734
Filed Date: 2003-06-12
United States Patent Application 20030110381, Kind Code A1
Aoshima, Tatsundo; et al.
June 12, 2003
One-time logon method for distributed computing systems
Abstract
Prior to authentication, a business system generates a password
list and sends the password list to a commercial service system. A
request for use of the commercial service system is sent from the
terminal that a user is using to the business system. In response,
the business system that received the request checks the commercial
service use authority of the user. A password is selected from the
password list and returned to the terminal. The terminal sends the
returned password to the commercial service system. The commercial
service system compares the password with a password in accounting
information that includes the password list. If they match, login is
permitted and the used password is nullified.
Inventors: Aoshima, Tatsundo (Kawasaki, JP); Tasaka, Mitsunobu (Kawasaki, JP); Takeda, Kei (Kawasaki, JP)
Correspondence Address: TOWNSEND AND TOWNSEND AND CREW, LLP, TWO EMBARCADERO CENTER, EIGHTH FLOOR, SAN FRANCISCO, CA 94111-3834, US
Assignee: Hitachi, Ltd., Tokyo, JP
Family ID: 19184734
Appl. No.: 10/081551
Filed: February 20, 2002
Current U.S. Class: 713/168; 726/8
Current CPC Class: H04L 63/0838 20130101; G06F 21/31 20130101
Class at Publication: 713/168; 713/202
International Class: H04L 009/00
Foreign Application Data
Date: Dec 11, 2001; Code: JP; Application Number: 2001-376575
Claims
1. A login authentication method of a user who uses a business
system and a commercial service system, comprising the steps of:
sending a request for use of said commercial service system from a
terminal that the user is using to said business system, when the
user who logs in said business system uses said commercial service
system, with respect to the user; checking a commercial service use
authority of the user, selecting one password from a password list
created prior to authentication, and returning it to said terminal,
with respect to said business system that received the request for
use; sending the returned password to said commercial service
system, with respect to said terminal; and comparing the password
with accounting information created prior to the authentication,
permitting login when they match, and nullifying said used
password, with respect to said commercial service system.
2. The login authentication method according to claim 1, wherein
said business system generates said password list using a random
number, sends said password list to said commercial service system,
and creates accounting information.
3. The login authentication method according to claim 1, wherein
said commercial service system generates said accounting
information using a random number, sends said accounting
information to said business system, and creates said password
list.
4. The login authentication method according to claim 1, wherein
said business system generates said password list using a numerical
value to which an optional numerical value and a one-way function
were applied sequentially, sends the applicable number of times of
said one-way function and the numerical value of a sequentially
applied final result to said commercial service system, and creates
said accounting information, and when use of a commercial service
system is requested from said terminal, said business system
returns a password and the applicable number of times of said
one-way function to said terminal, compares the result in which
said one-way function was applied to the password sent from said
terminal only for a part in which the applicable number of times of
said one-way function to said password was subtracted from the
applicable number of times of said final result, with the numerical
value of said final result in said accounting information when
login permission in said commercial service system is determined,
and permits login if they match.
5. The login authentication method according to claim 4, wherein
the numerical value of the sequentially applied result is retained
when the login permission in said commercial service system is
determined thereby to apply it to the result in which the numerical
value was retained for the part of the applicable number of times
of said one-way function of the retained result was subtracted from
the applicable number of times of said one-way function of a
determining password.
6. A login authentication program of a user who uses a business
system and a commercial service system, comprising the steps of:
sending a request for use of said commercial service system from
said terminal that the user is using to said business system when
the user who logs in said business system uses said commercial
service system; checking a commercial service use authority,
selecting a password from a password list created prior to
authentication, and returning the password to said terminal with
respect to said business system; sending the returned password to
said commercial service system with respect to said terminal; and
comparing the password with accounting information created prior to
authentication, permitting login when they match, and nullifying
said used password with respect to said commercial service
system.
7. The login authentication program according to claim 6, further
comprising the step of allowing said business system to generate
said password list using a random number, send said password list
to said commercial service system, and create said accounting
information.
8. The login authentication program according to claim 6, further
comprising the step of allowing said commercial service system to
generate said accounting information using a random number, send
said accounting information to said business system, and create
said password list.
9. The login authentication program according to claim 6, further
comprising the steps of: allowing said business system to generate
said password list using a value to which an optional value and a
one-way function are applied sequentially, send the applicable
number of times of said one-way function and a numerical value of
the sequentially applied final result, and create said accounting
information; and allowing said business system to return a password
and the applicable number of times of said one-way function to said
terminal when use of a commercial service system is requested from
said terminal, compare a result in which said one-way function was
applied to the password sent from said terminal only for a part in
which the applicable number of times of said one-way function for
the password was subtracted from the applicable number of times of
said final result, with the numerical value of said final result in
said accounting information, and permit login if they match.
10. The login authentication program according to claim 9, further
comprising the step of retaining the value of the sequentially
applied result when the login permission in said commercial service
system is determined thereby to apply it to the result in which the
numerical value was retained for the part in which the number of
times of said one-way function of the retained result was
subtracted from the applicable number of times of said one-way
function of a determining password.
Description
BACKGROUND OF THE INVENTION
[0001] The present invention relates to a login authentication
technique that allows a user who is using a business system to use
a commercial service system safely and enables multiple users who
are using the business system to share an account of the commercial
service system.
[0002] At present, a user frequently uses various commercial
services via an intranet business system and the Internet at the
same time. The intranet business system performs login
authentication to enable processing in accordance with the user's
official authority. However, if a service via the Internet is
charged for, login authentication is also required to use that
service. The following requirements apply to the use of these
multiple systems.
[0003] (1) When a user uses a commercial service system from inside
an enterprise, the user need not be aware of which system or
service the user is using. That is, the login authentication of the
commercial service system need not be performed explicitly.
[0004] (2) Because the in-house users who may use a commercial
service system must be limited in accordance with their official
authority, the security of the login authentication (accounting)
information must also be considered. That is, even if a password is
leaked to another user, that password is rejected by the login
authentication.
[0005] (3) Because a business system that is already operating may
be linked to a commercial service, the load on the business system
must be minimized.
[0006] (4) Because it is mostly unrealistic, from an accounting
standpoint, to secure a separate account for every in-house user
who uses a commercial service, multiple in-house users must be able
to share one account.
[0007] To satisfy requirement (1), a method is considered in which
a special key, generated in accordance with a protocol arranged
between the business system and the service system, is transferred
to the client (terminal) so that the commercial service can be used
directly from the client. In this case, to satisfy requirement (2),
the fixed user ID and password of normal login authentication
cannot be used as the key. To realize the above login
authentication function, use of what is called a one-time password
is considered. The prototype of the one-time password is Lamport's
hash algorithm, described in "Password Authentication with Insecure
Communication" by Leslie Lamport, Communications of the ACM, Volume
24, Issue 11 (November 1981), pages 770 to 772.
SUMMARY OF THE INVENTION
[0008] In Lamport's hash algorithm, the password to be used next is
determined by querying a numerical value n that indicates how far
the password chain has been consumed, and the service system side
need store only this n and the corresponding hash value. However,
the following two problems arise when this one-time password is
applied to the business system and the commercial service
system.
[0009] The first problem is that because communication is performed
between the business system and the service system in accordance
with the Lamport's hash algorithm, the communication needs to be
performed multiple times between the business system and the
service system, thereby increasing the load of the business
system.
[0010] The second problem is that only one hash value is stored at
the service side and one account cannot be used by multiple persons
at the same time.
[0011] An object of the present invention is to provide a login
authentication method for reducing traffic and enabling concurrent
utilization of one account by the multiple persons and its
implementation system.
[0012] According to the method described in the first aspect of the
present invention, the communication that inquires how far the
password chain has been consumed need not be performed, so the
traffic can be reduced. Further, according to the method described
in claim 2 or 3, because all passwords have previously been sent to
the commercial service system, multiple persons can perform login
processing at the same time.
BRIEF DESCRIPTION OF THE DRAWING
[0013] FIG. 1 is a general drawing of a processing method according
to one example of the present invention.
[0014] FIG. 2 is a block diagram of the password list of the
present invention.
[0015] FIG. 3 is a general drawing of the processing method in the
accounting information of the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0016] One embodiment of the present invention is described
below.
[0017] FIG. 1 shows a general drawing of a processing method
according to one example of the present invention. In an
enterprise, there are a business system 1 and a client 3 (terminal
or computer) that a user uses. The user logs in to the business
system 1. Further, the user also uses a service system that exists
at an external commercial service site. The commercial service
system holds accounting information 41 for every user in order to
manage that user. The case where multiple users share and use this
accounting information 41 is considered.
[0018] Prior to login authentication, a password list 40 is
generated in the business system. There are N passwords in this
password list 40. Here, each individual password is assumed to be
generated from a random number. This password list 40 is sent 500
to the service system 2 and stored in the password field of the
accounting information 41. Further, each password is stored
together with a flag that indicates whether this password is
already used or unused. The initial value of this flag is unused.
When the user uses a commercial service, the user sends 501 a
request for use of the commercial service system 2 from the client
3 that the user is using to the business system 1.
[0019] The business system 1 that received the request for use
checks 502 the commercial service use authority of the user. If the
use authority is granted, any password 401 is selected 503 from the
password list 40 and returned 504 to the client.
[0020] To prevent the selected password from being allocated to a
client again, the selected password is removed from the password
list, or the line holding the selected password is made blank.
[0021] The client 3 sends 505 the returned password to the
commercial service system 2. The commercial service system 2
compares 506 it with the passwords within the accounting
information 41, and permits login if a matching password (411 in
this case) exists. Further, the commercial service system 2 changes
the flag paired with the used password to "used" in order to
nullify 507 the used password.
[0022] In the series of processing described above, login
authentication to one account can be performed by multiple users at
the same time, because a different password is always allocated to
each user.
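The first embodiment (steps 500 to 507) as an added example, not code from the application: a business system that hands out random passwords from a list it has already sent to the service system, and a service system that permits login on an unused match and then nullifies the entry. Class and method names are my own assumptions; the authorized user names and list size are constructed.

```python
import hmac
import secrets


class BusinessSystem:
    """Business system 1: holds the password list 40 and the use authority."""

    def __init__(self, n_passwords, authorized_users):
        # Each password is generated from a random number (constructed list).
        self.password_list = [secrets.token_hex(16) for _ in range(n_passwords)]
        self.authorized = set(authorized_users)

    def export_password_list(self):
        # Step 500: the whole list goes to the service system before any login.
        return list(self.password_list)

    def request_use(self, user):
        # Steps 502-504: check use authority, select one password, return it.
        if user not in self.authorized or not self.password_list:
            return None
        # Remove the selected entry so it is never allocated to a client again.
        return self.password_list.pop()


class ServiceSystem:
    """Commercial service system 2: accounting information 41 with used flags."""

    def __init__(self, password_list):
        # password -> used flag; the initial value of every flag is unused.
        self.accounting = {pw: False for pw in password_list}

    def login(self, password):
        # Steps 506/507: permit only an unused match, then nullify that password.
        for stored, used in self.accounting.items():
            if not used and hmac.compare_digest(stored, password):
                self.accounting[stored] = True
                return True
        return False


def demo():
    # Two authorized users share one account at the same time; a reused
    # (leaked or replayed) password and an unauthorized user are rejected.
    biz = BusinessSystem(3, ["alice", "bob"])
    svc = ServiceSystem(biz.export_password_list())
    pw_a = biz.request_use("alice")
    pw_b = biz.request_use("bob")
    return {
        "alice": svc.login(pw_a),
        "bob": svc.login(pw_b),
        "replay": svc.login(pw_a),
        "mallory_denied": biz.request_use("mallory") is None,
    }
```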
[0023] One embodiment was described above. As a modification of
this example, an example in which a one-time password algorithm is
modified and applied to the processing method of the present
invention is described below.
[0024] A second example, in which the password list 40 of the first
example is replaced, is described using the password list of FIG.
2. Here, each individual password is generated by sequentially
applying a hash function to an optional initial value r. Hash[n](r)
402 denotes the result of applying the hash function to r n
times.
[0025] Prior to login authentication, the business system sends 500
only the total applicable number of times N of the hash function
and Hash[N](r) to the service system 2.
[0026] A third example, in which the accounting information 41 of
the first example is replaced, is described using the accounting
information of FIG. 3. Here, each password is stored together with
the applicable number of times of the hash function and a flag that
indicates whether this password is already used or unused (412). In
the initial state, the accounting information stores only
Hash[N](r), N, and an unused flag.
[0027] When a request for use of a commercial service is received
from a user, the password selection processing 503 of the business
system 1 allocates passwords sequentially, starting from the
password whose applicable number of times n is highest.
[0028] The return processing 504 to the client returns both the
password 402 and its applicable number of times n. The comparison
processing 506 in the commercial service system 2 applies the hash
function to the password Hash[n](r) sent from the client N-n
times, that is, for the difference between the total number of
applicable times N and n, compares the result Hash[N-n](password)
with the numerical value Hash[N](r), and permits login if they
match.
[0029] An example for reducing the computational cost of the hash
function in the commercial service system 2 is shown. Because the
comparison processing 506 in the commercial service system 2
applies the hash function multiple times, each intermediate result
is added to the accounting information 41. Here, when the
computation is carried only as far as a stored applicable number of
times m, the hash function computation yields Hash[m-n](password)
and the result is compared with Hash[m](r). On this occasion, the
intermediate results from the applicable number of times n up to m
are stored. Subsequently, in the comparison processing of a
password whose applicable number of times is higher than n and
lower than m, the hash function need not be computed at all.
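The hash-chain variant of the second and third examples together with the intermediate-result optimization of [0029], as an added example that is not code from the application: the service system stores only N and Hash[N](r) up front, verifies a password Hash[n](r) by hashing it up to the nearest stored Hash[m](r), and caches the intermediate values so later logins at higher n need no hashing. SHA-256 stands in for the unspecified one-way function; class names and the seed value are my assumptions.

```python
import hashlib
import hmac


def hash_once(value):
    return hashlib.sha256(value).digest()


def hash_n(r, n):
    # Hash[n](r): the one-way function applied n times to the initial value r.
    v = r
    for _ in range(n):
        v = hash_once(v)
    return v


class HashChainBusinessSystem:
    def __init__(self, r, total_n):
        self.r, self.N = r, total_n
        self.next_n = total_n - 1           # allocate from the highest n downward

    def commitment(self):
        # Step 500: only N and Hash[N](r) are sent before authentication.
        return self.N, hash_n(self.r, self.N)

    def request_use(self):
        # Steps 503/504: return (Hash[n](r), n); that n is never reissued.
        if self.next_n < 0:
            return None
        n, self.next_n = self.next_n, self.next_n - 1
        return hash_n(self.r, n), n


class HashChainServiceSystem:
    def __init__(self, total_n, top_hash):
        # Accounting information 41: count n -> [Hash[n](r), used flag].
        self.accounting = {total_n: [top_hash, False]}
        self.hash_calls = 0                 # how often the hash was evaluated

    def login(self, password, n):
        entry = self.accounting.get(n)
        if entry is not None:               # cached value: compare only, no hashing
            ok = not entry[1] and hmac.compare_digest(entry[0], password)
            entry[1] = entry[1] or ok       # nullify the password on success
            return ok
        higher = [m for m in self.accounting if m > n]
        if not higher:
            return False
        m = min(higher)                     # nearest stored Hash[m](r)
        v, intermediates = password, {}
        for i in range(n + 1, m + 1):       # compute Hash[m-n](password)
            v = hash_once(v)
            self.hash_calls += 1
            intermediates[i] = v            # candidate Hash[i](r)
        if not hmac.compare_digest(v, self.accounting[m][0]):
            return False
        for i, h in intermediates.items():  # keep verified intermediate results
            self.accounting.setdefault(i, [h, False])
        self.accounting[n] = [password, True]   # permit login and nullify
        return True
```

A password that has leaked is useless after its single use, and a leaked Hash[n](r) only reveals the already-consumed values with higher n.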
[0030] A user can use a business system and a commercial service
system without needing to be aware of which system or service the
user is using.
[0031] The business constraint that "only a specific user can use
the commercial service" can be enforced safely.
[0032] The traffic between the business system and the commercial
service system can be reduced.
[0033] Further, one account of the commercial service system can be
shared by multiple persons.
[0034] As a result, the traffic is reduced and concurrent
utilization of one account by multiple persons is enabled.
* * * * *