JP5211579B2 - Authentication system and authentication method using SIP - Google Patents

Description

  The present invention relates to an authentication system and an authentication method, and more particularly to an authentication technique when a user receives a service provided from a service providing server via a communication network using SIP as a signaling protocol for establishing a communication session.

  User authentication is performed directly between the user terminal and the service providing server when the service providing server is accessed via a communication network from a user terminal such as a personal computer (PC) and the service is provided. Is the basic. In SIP (Session Initiation Protocol), which is a signaling protocol for establishing a communication session, the use of a user-user HTTP digest authentication method is specified as a means for confirming who the request sender is on the server side. ing.

  Referring to FIG. 22, in the user-user HTTP digest authentication method defined by SIP, first, a user terminal that operates as a UAC (User Agent Client) is connected to a service providing server that operates as a UAS (User Agent Server). , INVITE without Authorization header is transmitted. This INVITE is relayed by a SIP server (proxy server) between UAC and UAS and responsible for relaying SIP messages, and is delivered to the service providing server.

  The service providing server confirms whether or not there is an Authorization header in the received INVITE. Since there is no such header, a 401 Authenticate including a WWW-Authenticate header describing parameters required as challenge values is returned as a response, as illustrated in FIG. This WWW-Authenticate is relayed by the SIP server and delivered to the user terminal.

  Upon receiving 401 Authenticate, the user terminal creates and sends an Authorization header describing parameters necessary for the response value and INVITE describing other necessary information as illustrated in FIG. This INVITE is relayed by the SIP server and delivered to the service providing server.

  The service providing server confirms whether or not there is an Authorization header in the received INVITE. Since the header is present, authentication is performed based on the described information. As a result, if the authentication is successful, 200 OK is returned as a response, and the service is provided after receiving the ACK.

  On the other hand, in order to reduce the load of the service providing server, a system has been proposed in which an authentication management server is connected to a communication network, and the authentication management server performs user authentication for service provision of the service providing server ( For example, see Patent Document 1).

  For user authentication, various methods using authentication information for confirming the identity of the user, such as an authentication method using a user ID and password and an authentication method using biometric features such as fingerprints, have been proposed or put into practical use. . Also, it is specified for each user by associating the subscriber line connected to the communication network with the user, and performing authentication based on the line identification information of the subscriber line and information uniquely identifying the user. An authentication method has been proposed in which services cannot be used from other than subscriber lines (see, for example, Patent Document 1).

  Further, in a service providing server that provides a plurality of services with different security levels, such as a service that requires a high security level and a service that does not require a very high security level, authentication is performed at an authentication level according to the service provided Has been proposed (see, for example, Patent Document 2 and Patent Document 3). Here, the authentication level means that the higher the level, the higher the security level that can be secured. For example, it can be said that authentication using fingerprints has a higher authentication level than authentication using passwords.

JP 2006-331204 A JP 2007-79992 A JP 2003-248661 A

  As described above, in SIP, a user-user authentication method is defined in order to confirm who a user of a user terminal is on the service providing server side. However, since the service providing server must directly perform authentication processing with the user terminal, the load associated with the authentication of the service providing server is large. Therefore, in SIP, there is a demand for a mechanism that allows an authentication management server to perform user authentication on behalf of a service providing server. However, there is a technical problem of how to apply a mechanism for performing authentication by the authentication management server to the SIP signaling framework.

  An object of the present invention is to provide a mechanism by which an authentication management server performs authentication in order to reduce the load on a service providing server that provides a service through a communication network using SIP as a signaling protocol for establishing a communication session. An object is to provide an authentication system and an authentication method incorporated in a framework.

  In a first authentication system of the present invention, a user terminal, a service providing server, and a SIP server are connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and an authentication management server is connected to the SIP server. In the connected authentication system, the authentication management server receives and analyzes an INVITE request transmitted from the user terminal to the service providing server from the SIP server, and an authentication header is included in the received INVITE request. Authentication determination means for performing an authentication process based on authentication information described in the authentication header and transferring an INVITE request describing an authentication result to the service providing server through the SIP server, and the service providing A specific request for delegation of authentication sent by the server A 401 Unauthorized response including a WWW-Authenticate header describing a certification scheme name is received from the SIP server and analyzed, and a 401 Unauthorized response including a WWW-Authenticate header describing an authentication method and a specific authentication scheme name is transmitted to the SIP server. Authentication request means for transferring to the user terminal through the server, the service providing server receives and analyzes the INVITE request transmitted from the user terminal, and the received INVITE request does not include an authentication result In this case, a 401 Unauthorized response including a WWW-Authenticate header describing the name of a specific authentication scheme that requests authentication is sent to the user terminal. A proxy requesting means; and a service providing means for judging whether or not to provide a service according to the success or failure of the authentication result when the authentication result by the authentication management server is included in the received INVITE request. The terminal receives and analyzes the 401 Unauthorized response sent by the authentication management server through the SIP server, and provides an INVITE request including an authentication header describing authentication information necessary for authentication of the requested authentication method. Authentication request response means for transmitting to the server.

  According to the first authentication method of the present invention, a) a user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, sends an INVITE request to a service providing server connected to the communication network. B) a SIP server transfers the INVITE request to the service providing server, and c) the service providing server determines that the received INVITE request does not include an authentication result. A step of responding to the user terminal with a 401 Unauthorized response including a WWW-Authenticate header describing a name of a specific authentication scheme for requesting an authentication proxy; and d) the SIP server authenticating the 401 Unauthorized response to the authentication E) the authentication management server analyzes the received 401 Unauthorized response and sends a 401 Unauthorized response including a WWW-Authenticate header describing the authentication method and a specific authentication scheme name to the SIP server. And f) an INVITE request including an authentication header that describes the received 401 Unauthorized response and describes authentication information necessary for authentication of the requested authentication method. To the service providing server, g) the SIP server transferring the INVITE request to the authentication management server, and h) the INVITE received by the authentication management server. Determining whether the quest includes an authentication header, performing an authentication process based on the authentication information described in the authentication header, and transferring an INVITE request describing the authentication result to the service providing server through the SIP server And i) the service providing server determining that the received INVITE request includes an authentication result, and determining whether or not the service can be provided according to the success or failure of the authentication result.

  The first authentication management server of the present invention provides an INVITE request transmitted from a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session to a service providing server connected to the communication network. When the received INVITE request includes an authentication header, an authentication process is performed based on the authentication information described in the authentication header, and an INVITE request describing the authentication result Authentication determination means for transferring the request to the service providing server through the SIP server, and a specific authentication scheme in which the service providing server determines that the received INVITE request does not include an authentication result, and requests a proxy for authentication. WWW-Authenticate head with name When a 401 Unauthorized response containing a response is sent to the user terminal, the 401 Unauthorized response is received from the SIP server and analyzed, and a 401 Unauthorized header containing a WWW-Authenticate header describing the authentication method and a specific authentication scheme name Authentication request means for transferring a response to the user terminal through the SIP server.

  The first service providing server of the present invention receives and analyzes an INVITE request transmitted from a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session, and receives the received INVITE. Authentication proxy request for responding to the user terminal with a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme for requesting proxy for authentication by the authentication management server when the authentication result is not included in the request And a service providing means for determining whether or not to provide a service according to success or failure of the authentication result when the authentication result by the authentication management server is included in the received INVITE request.

  The first user terminal of the present invention is a user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and is connected to a service providing server connected to the communication network. A WWW-Authenticate that describes a service processing means for transmitting a request, and a name of a specific authentication scheme for requesting proxy for the service providing server that has determined that the authentication result is not included in the transmitted INVITE request A 401 Unauthorized response including a header is transmitted to the user terminal, the transmitted 401 Unauthorized response is transferred to the authentication management server by the SIP server, and the 401 Unauthorized response received by the authentication management server is transmitted. When a 401 Unauthorized response including a WWW-Authenticate header describing the authentication method and a specific authentication scheme name is transferred through the SIP server, the 401 Unauthorized response is received and analyzed, and the requested authentication is performed. Authentication request response means for transmitting an INVITE request including an authentication header describing authentication information necessary for method authentication to the service providing server.

  A first SIP server of the present invention is a SIP server connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and a service providing server in which a user terminal is connected to the communication network When the received INVITE request does not include an authentication header, the INVITE request is transferred to the service providing server, and the authentication header is included. Performs authentication processing based on the authentication information described in the authentication header, transfers an INVITE request describing the authentication result to the service providing server, and authenticates the received INVITE request to the service providing server. Determining that the result is not included, authentication When a 401 Unauthorized response including a WWW-Authenticate header describing the name of a specific authentication scheme to be requested is responded to the user terminal, the 401 Unauthorized response is received and analyzed, and an authentication method and a specific authentication scheme name are obtained. Authentication request means for transferring a 401 Unauthorized response including the described WWW-Authenticate header to the user terminal.

  A first program of the present invention is a service in which a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session is connected to the communication network. The INVITE request transmitted to the providing server is received from the SIP server and analyzed. When the received INVITE request includes an authentication header, an authentication process based on the authentication information described in the authentication header is performed. Authentication determination means for transferring an INVITE request describing an authentication result to the service providing server through the SIP server, and the service providing server determining that the received INVITE request does not include an authentication result, and The name of a specific authentication scheme that requires When a 401 Unauthorized response including a WW-Authenticate header is responded to the user terminal, the 401 Unauthorized response is received from the SIP server, analyzed, and a WWW-Authenticate header describing an authentication method and a specific authentication scheme name 401 Authenticated response including the authentication request means for transferring to the user terminal through the SIP server.

  The second program of the present invention receives an INVITE request transmitted from a user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, from a computer constituting a service providing server. If the authentication result is not included in the received INVITE request, the user receives a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme that requests authentication by the authentication management server. Acting as an authentication agent requesting means for responding to the terminal, and a service providing means for determining whether or not to provide a service according to the success or failure of the authentication result when the received INVITE request includes an authentication result by the authentication management server Make

  According to a third program of the present invention, a computer constituting a user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session is transferred to a service providing server connected to the communication network. A WWW-Authenticate that describes a service processing means for transmitting a request, and a name of a specific authentication scheme for requesting proxy for the service providing server that has determined that the authentication result is not included in the transmitted INVITE request A 401 Unauthorized response including a header is transmitted to the user terminal, the transmitted 401 Unauthorized response is transferred to the authentication management server by the SIP server, and the 401 Unauthorized received by the authentication management server. When a 401 Unauthorized response including a WWW-Authenticate header describing the authentication method and a specific authentication scheme name is transferred through the SIP server, the 401 unauthenticated response is received, analyzed, and requested. And an authentication request response means for transmitting an INVITE request including an authentication header describing authentication information necessary for authentication of the authentication method to the service providing server.

  The fourth program of the present invention provides a computer comprising a SIP server connected to a communication network using SIP as a signaling protocol for establishing a communication session, and a service providing a user terminal connected to the communication network When the INVITE request transmitted to the server is received and analyzed, and the received INVITE request does not include an authentication header, the INVITE request is transferred to the service providing server, and the authentication header is included Includes authentication determination means for performing an authentication process based on the authentication information described in the authentication header and transferring an INVITE request describing the authentication result to the service providing server, and the service providing server receiving the received INVITE request Determine that authentication result is not included When a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme that requests authentication proxy is returned to the user terminal, the 401 Unauthorized response is received and analyzed to identify the authentication method and It functions as an authentication request means for transferring a 401 Unauthorized response including the WWW-Authenticate header describing the authentication scheme name to the user terminal.

  According to the present invention, it is possible to provide an authentication system and an authentication method in which a mechanism in which an authentication management server performs authentication is incorporated in a SIP framework. Thereby, it is possible to reduce the load on the service providing server that provides the service through the communication network using SIP.

“First Embodiment”
Referring to FIG. 1, in the first embodiment of the present invention, a user equipment 100, a service providing server 200, and a SIP server 500 are connected through a network 400 that uses SIP as a signaling protocol for establishing a communication session. The authentication management server 300 is connected to the network 400 via the SIP server 500 so that they can communicate with each other.

  The user facility 100 is an electronic facility provided for each home, for example, and includes a user terminal 101 and a home gateway 102. The user terminal 101 is constituted by an information processing device such as a personal computer, and the user accesses the service providing server 200 through the user terminal 101 and receives a service. The home gateway 102 is a communication device for connecting one or more user terminals 101 to the network 400 through the line 103. For example, the home gateway 102 is rented to each home from a communication provider that manages and operates the network 400.

  The service providing server 200 is a computer that provides various services such as video on demand and online shopping to the user terminal 101. When the service providing server 200 receives a service request from the user terminal 101, the service providing server 200 provides the service on the condition that authentication at an authentication level corresponding to the service to be provided is obtained.

  The SIP server 500 is a proxy server that relays SIP messages between the user terminal 101 that actually communicates and the service providing server 200. The SIP server 500 is configured to transfer only those that satisfy a specific condition among the relayed SIP messages to the authentication management server 300. The authentication management server 300 performs predetermined processing such as authentication proxy processing based on the transferred SIP message. The SIP message output from the authentication management server 300 is routed again in the SIP server 500 and transferred to the user terminal 101 and the service providing server 200. Here, as a specific method for determining whether or not the SIP message to be relayed satisfies a specific condition in the SIP server 500, for example, the specific condition is described in iFC (Initial Filter Criteria) and relayed. There is a method of determining whether or not a specific condition is satisfied by referring to iFC every time a SIP message is received.

An example of specific conditions described in the iFC of the SIP server 500 is shown in FIG. The description in iFC in FIG. 1 indicates that a specific condition is satisfied if the method name is INVITE. Under this condition, an INVITE request transmitted from the user terminal 101 to the service providing server 200 is taken into the authentication management server 300 when relaying by the SIP server 500. Since the SIP response basically follows the route through which the request has passed, the INVITE response 401 Unauthorized is also taken into the authentication management server 300 when relaying by the SIP server 500. Although the specific conditions illustrated in FIG. 1 are used in the present embodiment, the specific conditions described in the iFC of the SIP server 500 are not limited to the above examples, and the following examples are also conceivable.
1: Method name = “INVITE” & Header name = “Authorization”
2: Status code = “401” & Header name = “WWW-Authenticate” & Authentication scheme name = “IntegratedAuth”
The first description indicates that a specific condition is satisfied if the method name is INVITE and the header name is Authorization. Under this condition, only the INVITE having an authentication header among the INVITE requests transmitted from the user terminal 101 to the service providing server 200 is taken into the authentication management server 300 when relaying by the SIP server 500.
The second description indicates that a specific condition is satisfied if the status code is 401, the header name is WWW-Authenticate, and the authentication scheme name is IntegratedAuth. With this condition, out of 401 Unauthorized transmitted from the service providing server 200 to the user terminal 101, the 401 Unauthorized requested by the service providing server 200 to perform authentication is the authentication management server when relaying by the SIP server 500. 300. In this case, the response from the service providing server 200 is also determined by referring to the iFC in the SIP server 500. If the condition is satisfied, the response is transferred to the authentication management server 300 and then to the user terminal 101. Is assumed to be correctly transferred.

  In FIG. 1, the SIP server 500 and the authentication management server 300 are illustrated as separate blocks, but this restricts that the SIP server 500 and the authentication management server 300 are physically mounted on separate computers. The SIP server 500 and the authentication management server 300 can be mounted on the same computer. The authentication management server 300 can also be realized as an extended function (additional function) of the SIP server 500. The specific implementation method of the authentication management server 300 is arbitrary, and may be realized by a configuration like a relay server, or a B2BUA (Back to Back User Agent) in which two SIP UAs are internally mounted back to back. ).

  The authentication management server 300 performs user authentication on behalf of the service providing server 200 for providing the service. The authentication management server 300 authenticates the user of the user terminal 101 using an authentication method with an authentication level corresponding to the service provided by the service providing server 200 to the user terminal 101 among a plurality of authentication levels. Act on behalf.

  As an authentication method of a plurality of authentication levels, authentication based on the line identification information of the line 103 to which the user terminal 101 is connected and one or more different authentication information different from each other is used. As the line identification information of the line 103, an IP address issued from the network 400 to the home gateway 102 is used. Further, as one or more other authentication information, for example, terminal information of a user terminal, a biometric feature such as a password or a fingerprint is used. The terminal information of the user terminal may be information that can be used for terminal authentication, such as the MAC address of the user terminal or information that can be acquired from a TPM (Trusted Platform Module).

In the present embodiment, the following three authentication level authentication methods described in the authentication method information table T3 in FIG. 2 are used. Of course, there may be two authentication levels or four or more authentication levels.
Authentication level 1: Authentication by line identification information and terminal information of user terminal Authentication level 2: Authentication by line identification information, terminal information of user terminal and password Authentication level 3: Line identification information, terminal information of user terminal and password And fingerprint authentication

  In the authentication method of authentication level 1, it is confirmed whether or not a service request is transmitted from the line 103 specified for each user terminal 101. At authentication level 2, in addition to authentication at authentication level 1, the identity of the user is confirmed by authentication with a password. At the authentication level 3, in addition to the authentication at the authentication level 2, the identity of the user is more strictly confirmed by the authentication by the fingerprint. Accordingly, the security level increases in the order of authentication level 3, authentication level 2, and authentication level 1.

  In order to realize the authentication method as described above, the line authentication table T1 and the terminal / personal authentication table T2 shown in FIG. 2 are registered in the authentication management server 300 prior to the actual authentication processing.

  The line authentication table T1 holds the IP address of the home gateway 102 connected to the line 103 in association with the line ID for uniquely identifying the line 103. As the line ID, any one or more of an identification number assigned in the network 400 for uniquely identifying the line 103, a telephone number of the line 103, or a MAC address of the home gateway 102 is used. The registration of the IP address of the home gateway 102 in the line authentication table T1 is performed every time a new IP address is issued to the home gateway 102. Specifically, when the power of the home gateway 102 is turned on and a DHCP packet is transmitted from the home gateway 102 to the network 400, the network 400 indicates that the MAC address of the home gateway 102 that transmitted the DHCP packet is on the line 103. On the other hand, it is checked whether or not it matches the MAC address of the rented home gateway, and the IP address is paid out to the home gateway 102 only when they match. The line authentication table T1 is updated at the timing of this payout. In the case of using IPv6, a new IP address may be issued every time according to the above procedure, or an IP address associated with a line ID is determined in advance, and the same IP address corresponding to the line is issued every time. Also good.

  The terminal / personal authentication table T2 is associated with the line ID of the line 103, the terminal information of the user terminal 101 connected to the line 103 through the home gateway 102, the password of the user of the user terminal 101, and the fingerprint information. Hold. Registration of such information in the terminal / personal authentication table T2 is performed online or offline.

  Next, the authentication processing procedure in the present embodiment will be described with reference to the sequence diagram of FIG.

  First, the user terminal 101 transmits an INVITE that does not include an authentication header as illustrated in FIG. 4 to the service providing server 200 as a service request (S111). In the INVITE shown in FIG. 4, To: <sipuser1 @ xx. xx. xx. xx> is the SIP URL of the recipient of the request, but also serves as information for specifying the service to be used.

  The INVITE transmitted from the user terminal 101 is transferred and received from the SIP server 500 to the authentication management server 300 when a specific condition is satisfied (S311). The authentication management server 300 checks whether or not the header describing the authentication information is included in the INVITE (S312). Since it is not included in the present case, the INVITE is sent to the service providing server 200 through the SIP server 500. Transfer (S313).

  When receiving the INVITE (S211), the service providing server 200 confirms whether or not the authentication result is included in the INVITE (S212). Since it is not included in the present case, the service providing server 200 executes a procedure for requesting the authentication. First, the authentication level corresponding to the requested service is determined (S213). Next, 401 Unauthorized including a WWW-Authenticate header as illustrated in FIG. 5 is returned to the user terminal 101 (S214). IntegratedAuth in the WWW-Authenticate header is an authentication scheme name assigned to distinguish from HTTP digest authentication defined by SIP. Also, authlevel is a parameter name indicating an authentication level, 2 is the parameter value, and in this example, the authentication level is 2.

  401 Unauthorized is defined in SIP as used when the UAS requests HTTP digest authentication when the request has no authentication information or includes inappropriate authentication information. In that case, the authentication scheme name of the WWW-Authenticate header is described as Digest, and then <Challenge value> is described. In this embodiment, by using IntegratedAuth as an authentication scheme name, 401 Unauthorized is used as a response for requesting authentication management server 300 to perform authentication. Also, by entering a description of authlevel = 2, it is used as a response for requesting the authentication management server 300 to perform authentication level 2 authentication.

  The 401 Unauthorized transmitted from the service providing server 200 is transferred from the SIP server 500 to the authentication management server 300 and received (S314). The authentication management server 300 analyzes the received 401 Unauthorized WWW-Authenticate header to recognize the authentication level, and determines an authentication method for realizing the authentication level authentication (S315). Then, the description part of the parameter name authlevel in the WWW-Authenticate header is rewritten with the description of the authentication method for realizing the authentication at the authentication level, and transferred to the user terminal 101 through the SIP server 500 (S316).

  Specifically, if “authlevel = 2” as illustrated in FIG. 5, the authentication management server 300 rewrites and transfers to “authmethod =“ MINFO & PW ”” as illustrated in FIG. 6. Here, authmethod is a parameter name indicating an authentication method, “MINFO & PW” is the parameter value, MINFO indicates authentication based on terminal information of the user terminal, and PW indicates authentication based on a password. For example, if “authlevel = 1”, the authentication management server 300 rewrites and transfers to “authmethod =“ MINFO ””, and if “authlevel = 3”, the authentication management server 300 changes to “authmethod =” MINFO & PW & FINGERPRINT ””. Rewrite and transfer. Here, FINGERPRINT indicates fingerprint authentication.

  Upon receiving the above 401 Unauthorized (S112), the user terminal 101 analyzes the WWW-Authenticate header and inputs authentication information necessary for authentication of the requested authentication method from the user as required (S113). ). Then, an INVITE as illustrated in FIG. 7 including the authentication header describing the authentication information is created and transmitted to the service providing server 200 (S114). In FIG. 7, “Authorization: IntegratedAuth MINFO =“ AA-BB-CC-DD ”, PW =“ password ”is an authentication header describing authentication information, and“ AA-BB-CC-DD ”is a user terminal MAC address, “password” indicates a password.

  The INVITE transmitted again from the user terminal 101 is transferred and received from the SIP server 500 to the authentication management server 300 when a specific condition is satisfied (S317). The authentication management server 300 checks whether or not the header describing the authentication information is included in the INVITE (S318), and since it is included, the authentication information, the line authentication table T1 shown in FIG. Authentication is performed based on the authentication table T2 (S319). Then, INVITE as illustrated in FIG. 8 in which the authentication result is described in the authentication header is transferred to the service providing server 200 through the SIP server 500 (S320). In FIG. 8, “Authentication: Integrated Auth authorization =“ OK ”” is an authentication header describing the authentication result, authresult is a parameter name indicating the authentication result, and “OK” is a parameter value indicating that the authentication is successful. . If authentication fails, the parameter value becomes “NG”.

  When receiving the INVITE (S215), the service providing server 200 checks whether or not the authentication result is included in the INVITE (S216), and confirms whether or not the authentication is successful (S217). If the authentication is successful, the requested service is provided to the user terminal 101 (S218).

  The user terminal 101 receives a service provided from the service providing server 200 (S115).

  Next, the effect of this embodiment will be described.

  According to the present embodiment, in order to establish a communication session by incorporating a mechanism in which the authentication management server 300 performs user authentication in order to provide a service of the service providing server 200 in the message flow of the SIP signaling operation. In the service providing system that provides a service through the network 400 using SIP as the signaling protocol of the authentication, the authentication management server 300 performs processing for the user authentication for the service provided by the service providing server 200 using the SIP framework. It can be realized without change.

  Further, according to the present embodiment, the user terminal 101 is used by using an authentication method of an authentication level corresponding to a service provided to the user terminal 101 by the service providing server 200 among a plurality of authentication methods. Since the authentication management server 300 that performs the authentication of the user is provided, it is possible to reduce the load accompanying the authentication of the service providing server 200 that requires the authentication at the authentication level corresponding to the service.

  Moreover, according to this Embodiment, the load concerning the authentication of the service provision server 200 can be reduced more. The reason is that if the authentication level corresponding to the service is determined and a proxy for the authentication is requested, other processing such as determination of a specific authentication method for realizing the authentication level is performed by the authentication management server 300. is there.

  Further, according to the present embodiment, since a service cannot be received from a line other than a previously registered line even at the lowest authentication level, a high security level can be ensured even at the lowest authentication level.

  Moreover, according to this Embodiment, the burden of the user who enjoys the service of the lowest authentication level can be reduced. The reason is that the authentication information required at the authentication level 1 which is the lowest authentication level is two in total, that is, the IP address of the home gateway 102 and the terminal information of the user terminal, which are circuit identification information. Is automatically added to the IP header by the home gateway 102, and the terminal information of the latter user terminal can be read from the terminal itself, so that the user does not have to do anything.

  Next, the details of the user terminal 101, the service providing server 200, and the authentication management server 300 constituting this embodiment will be described.

  Referring to FIG. 9, an example of the authentication management server 300 includes hardware resources such as a line authentication information database 311, a terminal / personal authentication information database 312, and an authentication method information database 313, a database management unit 314, an authentication determination unit 315, an authentication And a functional unit such as a request unit 316, a packet analysis unit 317, and a packet transmission / reception unit 318. When the authentication management server 300 is configured by a computer such as a workstation, the line authentication information database 311, the terminal / personal authentication information database 312 and the authentication method information database 313 are realized by a main storage device or an auxiliary storage device, and database management The unit 314, the authentication determination unit 315, the authentication request unit 316, the packet analysis unit 317, and the packet transmission / reception unit 318 can be realized by a program. The program is provided by being recorded on a computer-readable recording medium such as a hard disk, and is read by the computer when the computer is started up, etc., and the above-described functional units are realized on the computer by controlling the operation of the computer. Then, a predetermined process is performed.

  The line authentication information database 311 stores the line authentication table T1 illustrated in FIG.

  The terminal / personal authentication information database 312 stores the terminal / personal authentication table T2 illustrated in FIG.

  The authentication method information database 313 stores an authentication method information table T3 describing information on authentication methods corresponding to the respective authentication levels exemplified in FIG.

  The database management unit 314 manages searches and updates for the databases 311 to 313.

  The authentication request unit 316 requests authentication of each authentication level from the user terminal 101 instead of the service providing server 200.

  The authentication determination unit 315 performs authentication at each authentication level based on authentication information transmitted from the user terminal 101 instead of the service providing server 200.

  The packet analysis unit 317 analyzes the SIP packet transferred from the SIP server 500 and divides it into processing by the authentication request unit 316 and processing by the authentication determination unit 315. In addition, the SIP packet transmitted from the authentication request unit 316 and the authentication determination unit 315 is output to the packet transmission / reception unit 318.

  The packet transmission / reception unit 318 transmits / receives SIP packets between the authentication management server 300 and the SIP server 500.

  Next, the operation of the authentication management server 300 will be described with reference to the sequence diagram of FIG. 3 and the block diagram of FIG.

  When the INVITE transmitted from the user terminal 101 in step S111 in FIG. 3 is transferred from the SIP server 500, it is received by the packet transmitting / receiving unit 318 (S311) and transmitted to the packet analyzing unit 317. The packet analysis unit 317 checks whether or not the header describing the authentication information is included in the INVITE (S312), and since it is not included, transmits the INVITE to the SIP server 500 through the packet transmission / reception unit 318. The SIP server 500 transfers this INVITE to the service providing server 200 (S313).

  Further, when 401 Unauthorized illustrated in FIG. 5 transmitted from the service providing server 200 in step S214 in FIG. 3 is transferred from the SIP server 500, the packet is transmitted and received by the packet transmitting / receiving unit 318 (S314), and is received by the packet analyzing unit 317. Communicated. The packet analysis unit 317 analyzes that the received packet is 401 Unauthorized including a WWW-Authenticate header describing Integrated Auth, and transmits the packet to the authentication request unit 316.

  The authentication request unit 316 recognizes the authentication level by analyzing the received 401 Unauthorized WWW-Authenticate header, searches the authentication method information database 313 through the database management unit 314, and realizes authentication of the recognized authentication level. Is determined (S315). Then, the authentication request unit 316 rewrites 401 Unauthorized WWW-Authenticate header as illustrated in FIG. 6 based on the determined authentication method, and transmits it to the SIP server 500 through the packet analysis unit 317 and the packet transmission / reception unit 318. The SIP server 500 transfers this to the user terminal 101 (S316).

  Further, when the INVITE transmitted again from the user terminal 101 in step S114 in FIG. 3 is transferred from the SIP server 500, it is received by the packet transmitting / receiving unit 318 (S317) and transmitted to the packet analyzing unit 317. The packet analysis unit 317 checks whether or not the header describing the authentication information is included in the INVITE (S318), and transmits the INVITE to the authentication determination unit 315 because it is included.

  The authentication determination unit 315 receives the received authentication information in INVITE, the information retrieved from the line authentication table T1 of the line authentication information database 311 and the terminal / personal authentication table T2 of the terminal / personal authentication information database 312 through the database management unit 314, Authentication is performed based on (S319). Then, the authentication determination unit 315 transmits INVITE as illustrated in FIG. 8 in which the authentication result is described in the authentication header to the SIP server 500 through the packet analysis unit 317 and the packet transmission / reception unit 318. The SIP server 500 transfers this to the service providing server 200 (S320).

  Referring to FIG. 10, an example of the service providing server 200 includes hardware resources such as a provided service information storage unit 211 and an authentication level information storage unit 212, a service providing unit 213, an authentication level determination unit 214, an authentication proxy request unit 215, It includes functional means such as a packet analysis unit 216 and a packet transmission / reception unit 217. When the service providing server 200 is configured by a computer such as a workstation, the provided service information storage unit 211 and the authentication level information storage unit 212 are realized by a main storage device or an auxiliary storage device, and the service providing unit 213, authentication level determination Unit 214, authentication proxy request unit 215, packet analysis unit 216, and packet transmission / reception unit 217 can be realized by a program. The program is provided by being recorded on a computer-readable recording medium such as a hard disk, and is read by the computer when the computer is started up, etc., and the above-described functional units are realized on the computer by controlling the operation of the computer. Then, the processing described later is performed.

  The provided service information storage unit 211 stores information such as images and sounds provided by the service providing server 200 to the user terminal 101, Web pages that provide online shopping services, and the like.

  The authentication level information storage unit 212 stores authentication level information for each service provided by the service providing server 200. For example, when the service providing server 200 provides three services A, B, and C, the authentication level of the service A is 1, the authentication level of the service B is 2, and the authentication level of the service C is 3, the authentication level information storage unit 212 stores authentication level information as exemplified in FIG.

  The service providing unit 213 provides a service to the user terminal 101 using information stored in the provided service information storage unit 211.

  The authentication level determination unit 214 performs processing for determining the authentication level of the service requested by the user terminal 101 with reference to the authentication level information storage unit 212.

  The authentication proxy requesting unit 215 performs processing for requesting the authentication management server 300 to perform proxy authentication of the user of the user terminal 101 that requests service provision.

  The packet analysis unit 216 analyzes the SIP packet transferred from the SIP server 500 and divides the processing into processing such as processing by the authentication proxy requesting unit 215 and processing by the service providing unit 213.

  The packet transmission / reception unit 217 transmits / receives SIP packets and packets of other communication protocols (for example, HTTP protocol) between the user terminal 101 and the SIP server 500 through the network 400.

  Next, the operation of the service providing server 200 will be described with reference to the sequence diagram of FIG. 3 and the block diagram of FIG.

  When the INVITE without the authentication header transmitted from the authentication management server 300 in step S313 in FIG. 3 is transferred from the SIP server 500, it is received by the packet transmission / reception unit 217 (S211) and transmitted to the packet analysis unit 216. The packet analysis unit 216 confirms whether or not the authentication result is included in the INVITE (S212). Since the packet analysis unit 216 does not include the authentication result, the packet analysis unit 216 transmits the received INVITE to the authentication proxy request unit 215.

  The authentication proxy request unit 215 determines an authentication level corresponding to the requested service (S213). Specifically, the service name is determined based on the logical request transmission destination described in the To header in INVITE, the determined service name is notified, and the authentication level determination unit 214 is requested for the authentication level. The authentication level determination unit 214 searches the authentication level information storage unit 212 using the notified service name, and returns the corresponding authentication level to the authentication proxy request unit 215. Next, the authentication proxy request unit 215 creates 401 Unauthorized including a WWW-Authenticate header describing the authentication level as illustrated in FIG. 5, and the user is transmitted via the network 400 through the packet analysis unit 216 and the packet transmission / reception unit 217. It responds to the terminal 101 (S214).

  Further, when the INVITE with the authentication header transmitted from the authentication management server 300 in step S320 in FIG. 3 is transferred from the IP server 500, the packet transmitting / receiving unit 217 receives it (S215), and is transmitted to the packet analysis unit 216. The The packet analysis unit 216 confirms whether or not the authentication result is included in the received INVITE (S216). If included, the packet analysis unit 216 further confirms whether or not the authentication is successful (S217). If the authentication is successful, the packet analysis unit 216 transmits the received INVITE to the service providing unit 213. The service providing unit 213 provides the requested service to the user terminal 101 according to this INVITE (S218).

  Referring to FIG. 12, an example of the user terminal 101 includes a hardware resource such as a keyboard 111, a display device 112 such as a liquid crystal display, a fingerprint input device 113, and a user terminal information storage unit 114, a fingerprint input unit 115, and a password input. Unit 116, user terminal information input unit 117, authentication request response unit 118, packet analysis unit 119, packet transmission / reception unit 120, and service processing unit 121. When the user terminal 101 is configured by a computer such as a personal computer, the user terminal information storage unit 114 is realized by a main storage device or an auxiliary storage device, and includes a fingerprint input unit 115, a password input unit 116, and user terminal information. The input unit 117, the authentication request response unit 118, the packet analysis unit 119, the packet transmission / reception unit 120, and the service processing unit 121 can be realized by a program. The program is provided by being recorded on a computer-readable recording medium such as a hard disk, and is read by the computer when the computer is started up, etc., and the above-described functional units are realized on the computer by controlling the operation of the computer. Then, the processing described later is performed.

  For example, a MAC address is stored in the user terminal information storage unit 114 as the terminal information of the user terminal 101.

  The user terminal information input unit 117 reads the MAC address of the user terminal from the user terminal information storage unit 114 in accordance with an instruction from the authentication request response unit 118 and transmits it to the authentication request response unit 118.

  The password input unit 116 inputs a password from the user of the user terminal 101 in accordance with an instruction from the authentication request response unit 118 and transmits the password to the authentication request response unit 118. Specifically, a password input screen is displayed on the screen of the display device 112, and when the user operates the keyboard 111 to input the password on the password input screen, the input password is captured and the authentication request response unit 118 is sent. Output.

  The fingerprint input unit 115 inputs the user's fingerprint information from the fingerprint input device 113 in accordance with an instruction from the authentication request response unit 118 and transmits it to the authentication request response unit 118.

  The authentication request response unit 118 analyzes the 401 Unauthorized WWW-Authenticate header received from the packet analysis unit 119, and inputs the requested authentication information from the user terminal information input unit 117, password input unit 116, and fingerprint input unit 115. Then, an INVITE describing the input authentication information is created and transmitted to the packet analysis unit 119.

  The service processing unit 121 performs a process such as requesting a service from the service providing server 200 according to an instruction input from the keyboard 111 and displaying the service provided in accordance with the request on the display device 112.

  The packet analysis unit 119 receives a packet transferred from the SIP server 500 or the service providing server 200 from the packet transmission / reception unit 120 and transmits the packet to the authentication request response unit 118 and the service processing unit 121. Conversely, the packet transmitted from the authentication request response unit 118 and the service processing unit 121 is transmitted to the packet transmitting / receiving unit 120.

  The packet transmitting / receiving unit 120 transmits / receives SIP packets and packets of other communication protocols (for example, HTTP protocol) to / from the user terminal 101 and the SIP server 500 through the home gateway 102 and the network 400.

  Next, the operation of the user terminal 101 will be described with reference to the sequence diagram of FIG. 3 and the block diagram of FIG.

  When the user terminal 101 accesses the service providing server 200 to receive the service of the service providing server 200, the service processing unit 121 creates INVITE, and the network is transmitted through the packet analyzing unit 119, the packet transmitting / receiving unit 120, and the home gateway 102. It is transmitted to the service providing server via 400 (S114).

  Further, when 401 Unauthorized as illustrated in FIG. 6 transmitted from the authentication management server 300 through the SIP server 500 in step S316 in FIG. 3 is transferred from the home gateway 102, it is received by the packet transmitting / receiving unit 120 (S112), It is transmitted to the packet analysis unit 119. Since the received packet is 401 Unauthorized and the WWW-Authenticate header has a description requesting authentication information such as “WWW-Authenticate: Integrated Auth method =“ MINFO & PW ””, the packet analysis unit 119 401 Unauthorized is transmitted to the authentication request response unit 118.

  The authentication request response unit 118 determines the authentication information requested in the received 401 Unauthorized WWW-Authenticate header, and uses the requested authentication information as the user terminal information input unit 117, password input unit 116, fingerprint input unit 115. (S113). Then, an INVITE in which the input authentication information is described in the authentication header is created and transmitted to the service providing server via the network 400 through the packet analysis unit 119, the packet transmission / reception unit 120, and the home gateway 102 (S114).

  Further, when the packet related to the service information transmitted from the service providing server 200 in step S218 in FIG. 3 is received and transferred by the home gateway 102, the packet transmitting / receiving unit 120 receives (S115), and the packet analyzing unit 119 is received. Is transmitted to. The packet analysis unit 119 transmits a packet related to the received service information to the service processing unit 121, and the service processing unit 121 executes a process of displaying the received information on the display device 112.

  In the above description, only one authentication method of the authentication level corresponding to the service has been defined in advance. However, a plurality of authentication methods are defined for the same authentication level, and any authentication method among them is defined. You may make it select and use. Further, instead of the authentication method information table T3 shown in FIG. 2, as shown in FIG. 13, a plurality of basic authentication methods, their selection conditions (mandatory or optional), and authentication when using them An authentication method information table T4 that defines level increase points may be used, and an authentication method of an authentication level corresponding to a service may be determined by dynamically combining several authentication methods. According to the authentication method information table T4 illustrated in FIG. 13, the authentication method at the authentication level 1 is determined as authentication by the line identification information and the user terminal information, and the authentication method at the authentication level 2 is determined by the line identification information and the user terminal. Authentication level 3 authentication method is determined as a combination of information authentication and password authentication, and authentication level 3 authentication method is determined as a combination of line identification information and user terminal information authentication and fingerprint authentication. It is determined as a combination of authentication by line identification information and user terminal information, authentication by password and authentication by fingerprint.

  In the above description, the terminal information, password, and fingerprint of the user terminal 101 are used as other authentication information different from the line identification information of the line 103 to which the user terminal 101 is connected. Any other type of information can be used as long as it is information for confirming. Further, the attribute level information such as the sex and age of the user, which is considered to be less effective for confirming the identity of the user, is used as the authentication information, and the authentication level as exemplified in the authentication method information table T5 in FIG. May be further subdivided according to user attributes. In this case, if the user inputs attribute information, the user is burdened. Therefore, as exemplified in the terminal / personal authentication table T6 in FIG. It is desirable to register in the authentication information database 312 and confirm the attribute information of the user after the user is specified by other authentication information.

  In the above description, the IP address of the home gateway 102 is used as the line identification information of the line 103 to which the user terminal 101 is connected. However, instead of or in addition to the IP address of the line 103 from the network 400. The assigned telephone number may be used as the line identification information. In this case, the line authentication table T1 is configured as illustrated in FIG. On the user terminal 101 side, the telephone number may be stored in advance in the storage unit, or may be input from the keyboard each time. The telephone number is described in an INVITE authentication header and transmitted, as with other authentication information such as terminal information.

  When a telephone number is used as line identification information, the following two authentication methods are conceivable. The first method is a method of performing authentication using the telephone number instead of the IP address of the home gateway 102 when a telephone number is included in the authentication header. Specifically, the authentication management server 300 searches the line authentication table T1 of FIG. 16 using the telephone number described in the authentication header as a key, and acquires the line ID corresponding to the matching telephone number. Next, using this acquired line ID as a key, the terminal / personal authentication table T2 of FIG. 2 is searched to acquire other authentication information such as terminal information and compare it with the terminal information in the authentication header.

  The second method searches the line authentication table T1 of FIG. 16 using the IP address of the home gateway 102 as a key, and acquires the line ID corresponding to the matching IP address, as in the above-described embodiment and examples. Next, when the terminal / personal authentication table T2 in FIG. 2 is searched using the acquired line ID as a key, and the terminal information is acquired and compared with the terminal information in the authentication header, the telephone number This is a method of switching to the first method using. In this case, the user terminal 101 may be notified once of the authentication failure and may be requested to input a telephone number. If the telephone number is already described in the authentication header, it may be used.

  The configuration using the telephone number as the line identification information is effective, for example, when visiting another person's house and wanting to receive a service by borrowing the line of the house using his / her user terminal. In the sense of authentication associated with a line, the line is not identified as a regular (registered) user, but it is registered on which line based on the telephone number (which line is a legitimate user). It is effective as an authentication method when using the service on the go.

“Second Embodiment”
17, the second embodiment of the present invention is different from the first embodiment shown in FIG. 1 in that the service providing server 201 and the authentication management server 300 are replaced with the service providing server 201 and The difference is that an authentication management server 301 is provided.

  Compared to the service providing server 200 of the first embodiment, the service providing server 201 does not specify an authentication level when requesting the authentication management server 301 to perform an authentication level authentication according to the service. Is different.

  Compared to the authentication management server 300 of the first embodiment, the authentication management server 301 provides the user terminal 101 with the service providing server 201 when an authentication proxy is requested from the service providing server 201. The difference is that the authentication level of the service is determined and authentication of the determined authentication level is performed.

  Next, the authentication processing procedure in the present embodiment will be described with reference to the sequence diagram of FIG.

  First, the user terminal 101 transmits an INVITE that does not include an authentication header as illustrated in FIG. 4 to the service providing server 201 as a service request (S111). In the INVITE shown in FIG. 4, To: <sipuser1 @ xx. xx. xx. xx> is the SIP URL of the recipient of the request, but also serves as information for specifying the service to be used.

  The INVITE transmitted from the user terminal 101 is transferred and received from the SIP server 500 to the authentication management server 301 when a specific condition is satisfied (S311). The authentication management server 301 checks whether or not the header describing the authentication information is included in the INVITE (S312). Since it is not included in the present case, the INVITE is sent to the service providing server 201 through the SIP server 500. Transfer (S313).

  When receiving the INVITE (S211), the service providing server 201 checks whether or not the authentication result is included in the INVITE (S212). Since it is not included in the present case, the WWW- as illustrated in FIG. 401 Unauthorized including the Authenticate header is returned to the user terminal 101 (S222). IntegratedAuth in the WWW-Authenticate header is an authentication scheme name assigned to distinguish from HTTP digest authentication defined by SIP. Also, authreq is a parameter name indicating an authentication request, and “” is the parameter value, which indicates that authentication at the authentication level corresponding to the service is requested.

  401 Unauthorized is defined in SIP as used when the UAS requests HTTP digest authentication when the request has no authentication information or includes inappropriate authentication information. In that case, the authentication scheme name of the WWW-Authenticate header is described as Digest, and then <Challenge value> is described. In the present embodiment, by using IntegratedAuth as an authentication scheme name, 401 Unauthorized is used as a response for requesting authentication management server 301 to perform authentication. Also, by entering a description of authreq = “”, it is used as a response for requesting the authentication management server 301 to perform authentication at the authentication level corresponding to the service.

  The 401 Unauthorized transmitted from the service providing server 201 is transferred from the SIP server 500 to the authentication management server 301 and received (S322). The authentication management server 301 analyzes the received 401 Unauthorized WWW-Authenticate header and determines that the authentication level corresponding to the requested service is the first because an authentication level authentication corresponding to the service is requested. (S323). Next, an authentication method for realizing authentication at this authentication level is determined (S315). Then, the description part of the parameter name authreq in the WWW-Authenticate header is rewritten to the description of the authentication method for realizing the authentication at the authentication level, and transferred to the user terminal 101 through the SIP server 500 (S316).

  Specifically, in the case of the authentication level 2, the authentication management server 301 rewrites and transfers to “authmethod =“ MINFO & PW ”” as illustrated in FIG. Here, authmethod is a parameter name indicating an authentication method, “MINFO & PW” is the parameter value, MINFO indicates authentication based on terminal information of the user terminal, and PW indicates authentication based on a password. Further, the authentication management server 301 rewrites and transfers to “authmethod =“ MINFO ”” when the authentication level is 1, and rewrites and transfers to “authmethod =” MINFO & PW & FINGERPRINT ”when the authentication level is 3. Here, FINGERPRINT indicates fingerprint authentication.

  Thereafter, the same procedure as in the first embodiment is executed (S112 to S115, S317 to S320, S215 to S218).

  As described above, according to the present embodiment, since the service providing server 201 does not need to determine the authentication level according to the service, the load on the service providing server 201 related to authentication can be further reduced.

  Next, details of the service providing server 201 and the authentication management server 301 constituting this embodiment will be described. The user terminal 101 is the same as that in the first embodiment.

  Referring to FIG. 20, the authentication management server 301 used in this embodiment has a new authentication level information storage unit 321 compared to the authentication management server 300 used in the first embodiment shown in FIG. And the point that an authentication request unit 322 is provided instead of the authentication request unit 316.

  The authentication level information storage unit 321 stores authentication level information indicating the correspondence between service names and authentication levels as illustrated in FIG.

  The authentication request unit 322 has a function of determining an authentication level corresponding to a service in addition to the function of the authentication request unit 316.

  Next, the operation of the authentication management server 301 of this embodiment will be described with reference to the sequence diagram of FIG. 18 and the block diagram of FIG.

  When the 401 Unauthorized illustrated in FIG. 19 transmitted from the service providing server 201 in step S222 of FIG. 18 is transferred from the SIP server 500, it is received by the packet transmitting / receiving unit 318 (S322) and transmitted to the packet analyzing unit 317. The The packet analysis unit 317 analyzes that the received packet is 401 Unauthorized including a WWW-Authenticate header in which Integrated Auth is described, and transmits the packet to the authentication request unit 322.

  The authentication request unit 322 analyzes the received 401 Unauthorized WWW-Authenticate header, determines a service name based on a logical request destination described in the To header, and manages the database using the determined service name as a key. The authentication level information storage unit 321 is searched through the unit 314, and the corresponding authentication level is acquired (S323). Next, the authentication method information database 313 is searched through the database management unit 314 using this authentication level as a key, and an authentication method for realizing authentication of the recognized authentication level is determined (S315). Then, the authentication request unit 322 rewrites 401 Unauthorized WWW-Authenticate header based on the determined authentication method as shown in FIG. The SIP server 500 transfers this to the user terminal 101 (S316).

  Other operations are the same as those of the authentication management server 300 in the first embodiment.

  Referring to FIG. 21, an example of the service providing server 201 used in this embodiment is different from the service providing server 200 of the first embodiment shown in FIG. The difference is that the level determination unit 214 is omitted and an authentication proxy request unit 221 is provided instead of the authentication proxy request unit 215.

  The authentication proxy request unit 221 has a simplified function compared to the authentication proxy request unit 215 in that it does not perform the process of determining the authentication level according to the service.

  Next, the operation of the service providing server 201 of this embodiment will be described with reference to the sequence diagram of FIG. 18 and the block diagram of FIG.

  When the INVITE without the authentication header transmitted from the authentication management server 301 in step S313 in FIG. 18 is transferred from the SIP server 500, it is received by the packet transmission / reception unit 217 (S211) and transmitted to the packet analysis unit 216. The packet analysis unit 216 confirms whether or not the authentication result is included in the INVITE (S212). Since the packet analysis unit 216 does not include the authentication result, the packet analysis unit 216 transmits the received INVITE to the authentication proxy request unit 221.

  The authentication proxy request unit 221 creates 401 Unauthorized including a WWW-Authenticate header as illustrated in FIG. 19, and responds to the user terminal 101 via the network 400 through the packet analysis unit 216 and the packet transmission / reception unit 217 (S222). .

  Other operations are the same as those of the server providing server 200 used in the example of the first embodiment.

  Although the embodiment of the present invention has been described above, the present invention is not limited to the above embodiment, and various other additions and modifications can be made. For example, in the above-described embodiment, authentication at an authentication level corresponding to a service is performed. However, the present invention can be applied to a system that always performs the same level of authentication regardless of a service. In the above-described embodiment, the authentication is performed using the line identification information of the line to which the user terminal is connected. The present invention is applicable to the system.

  The present invention is effective for an authentication technique when a user receives provision of a service from a service providing server via a communication network, and in particular, user authentication in a network using SIP as a signaling protocol for establishing a communication session. Suitable for use in.

It is a block diagram of a 1st embodiment of the present invention. It is a figure which shows an example of the line authentication table used in the 1st Embodiment of this invention, a terminal and personal authentication table, and an authentication method information table. It is a sequence diagram which shows the operation | movement of the 1st Embodiment of this invention. It is a figure which shows an example of INVITE (no authentication header) transmitted from a user terminal in the 1st Embodiment of this invention. It is a figure which shows an example of 401 Unauthorized transmitted from the service provision server in the 1st Embodiment of this invention. It is a figure which shows an example of 401 Unauthorized transmitted to a user terminal from the authentication management server in the 1st Embodiment of this invention. It is a figure which shows an example of INVITE (with an authentication header) transmitted from a user terminal in the 1st Embodiment of this invention. It is a figure which shows an example of INVITE (with an authentication result) transmitted to the service provision server from the authentication management server in the 1st Embodiment of this invention. It is a block diagram of the authentication management server in the 1st Embodiment of this invention. It is a block diagram of the service provision server in the 1st Embodiment of this invention. It is a figure which shows an example of the authentication level information which memorize | stores a response | compatibility with a service and an authentication level. It is a block diagram of the user terminal in the 1st Embodiment of this invention. It is a figure which shows the other example of the authentication method information table used in the 1st Embodiment of this invention. It is a figure which shows another example of the authentication method information table used in the 1st Embodiment of this invention. It is a figure which shows another example of the terminal and personal authentication table used in the 1st Embodiment of this invention. It is a figure which shows another example of the line | wire authentication table used in the 1st Embodiment of this invention. It is a block diagram of the 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the 2nd Embodiment of this invention. It is a figure which shows an example of 401 Unauthorized transmitted from the service provision server in the 2nd Embodiment of this invention. It is a block diagram of the authentication management server in the 2nd Embodiment of this invention. It is a block diagram of the service provision server in the 2nd Embodiment of this invention. It is an operation | movement sequence diagram of the user-user HTTP digest authentication system prescribed | regulated by SIP. It is a figure which shows the example of the content of the 401 Unauthorized WWW-Authenticate header in the user-user HTTP digest authentication system prescribed | regulated by SIP. It is a figure which shows the example of the content of the Authorization header of INVITE in the user-user HTTP digest authentication system prescribed | regulated by SIP.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... User equipment 101 ... User terminal 102 ... Home gateway 103 ... Line 200, 201 ... Service provision server 300, 301 ... Authentication management server 400 ... Network 500 ... SIP server

Claims (30)

An authentication system in which a user terminal, a service providing server, and a SIP server are connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and an authentication management server is connected to the SIP server,
The authentication management server receives and analyzes the INVITE request transmitted from the user terminal to the service providing server from the SIP server, and when the received INVITE request includes an authentication header, the authentication management server Authentication processing is performed based on the authentication information described in the header, an INVITE request describing the authentication result is transferred to the service providing server through the SIP server, and a request for authentication sent by the service providing server is requested. 401 including a WWW-Authenticate header describing a specific authentication scheme name to be received from the SIP server and analyzed, 401 including a WWW-Authenticate header describing an authentication method and a specific authentication scheme name An authentication requesting means for transferring an Unauthorized response to the user terminal through the SIP server,
The service providing server receives and analyzes the INVITE request transmitted from the user terminal, and if the received INVITE request does not include an authentication result, specifies a specific authentication scheme name for requesting proxy for authentication. Authentication success request means for responding to the user terminal with a 401 Unauthorized response including the WWW-Authenticate header described, and if the authentication result by the authentication management server is included in the received INVITE request. Service providing means for determining whether to provide the service according to
The user terminal receives and analyzes the 401 Unauthorized response transmitted by the authentication management server through the SIP server, and receives an INVITE request including an authentication header describing authentication information necessary for authentication of the requested authentication method. An authentication system comprising authentication request response means for transmitting to the service providing server.   The authentication requesting unit of the authentication management server selects an authentication method of an authentication level corresponding to a service provided by the service providing server to the user terminal from among a plurality of authentication methods of the authentication level, and the selected The authentication system according to claim 1, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication method and a specific authentication scheme name is transferred to the user terminal through the SIP server.   The authentication request means of the authentication management server determines an authentication level of a service described in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server. Authentication system.   The authentication requesting means of the authentication management server specifies a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and performs authentication according to the specified service The authentication system according to claim 2, wherein the level is determined. a) a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session sends an INVITE request to a service providing server connected to the communication network;
b) the SIP server forwarding the INVITE request to the service providing server;
c) The service providing server determines that the received INVITE request does not include an authentication result, and sends a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme for requesting authentication. Responding to the user terminal;
d) wherein the SIP server, and transferring the 401 Unauthorized response to the authentication management server,
e) The authentication management server analyzes the received 401 Unauthorized response, and forwards the 401 Unauthorized response including the WWW-Authenticate header describing the authentication method and a specific authentication scheme name to the user terminal through the SIP server. Steps,
f) the user terminal analyzing the received 401 Unauthorized response and sending an INVITE request including an authentication header describing authentication information necessary for authentication of the requested authentication method to the service providing server;
g) wherein the SIP server, and transferring the INVITE request to the authentication management server,
h) The authentication management server determines that the received INVITE request includes an authentication header, performs authentication processing based on the authentication information described in the authentication header, and outputs an INVITE request describing the authentication result. Transferring to the service providing server through the SIP server;
i) a step of determining that the service providing server includes an authentication result in the received INVITE request and determining whether or not the service can be provided according to the success or failure of the authentication result. Method.   In the step e, the authentication management server selects an authentication method of an authentication level corresponding to a service provided by the service providing server to the user terminal among a plurality of authentication methods of the authentication level, and the selected 6. The authentication method according to claim 5, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication method and a specific authentication scheme name is transferred to the user terminal through the SIP server.   The authentication method according to claim 6, wherein a description of a service authentication level is included in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server.   In step e, identifying a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and determining an authentication level according to the identified service The authentication method according to claim 6.   A user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session receives an INVITE request transmitted from a SIP server to a service providing server connected to the communication network, analyzes and receives it. When the authentication header is included in the INVITE request, the authentication processing based on the authentication information described in the authentication header is performed, and the INVITE request describing the authentication result is transferred to the service providing server through the SIP server. 401 that includes an authentication determination unit that includes the WWW-Authenticate header that describes that the service providing server determines that the authentication result is not included in the received INVITE request, and describes the name of a specific authentication scheme for requesting authentication Unauthor When a zed response is returned to the user terminal, the 401 Unauthorized response is received from the SIP server and analyzed, and a 401 Unauthorized response including a WWW-Authenticate header describing an authentication method and a specific authentication scheme name is received. An authentication management server comprising authentication request means for transferring to the user terminal through a SIP server.   The authentication requesting unit selects an authentication method of an authentication level corresponding to a service provided to the user terminal by the service providing server from a plurality of authentication methods of an authentication level. The authentication management server according to claim 9, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication scheme name is transferred to the user terminal through the SIP server.   The authentication management server according to claim 10, wherein the authentication request unit determines an authentication level of a service described in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server.   The authentication request unit specifies a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and determines an authentication level according to the specified service. The authentication management server according to claim 10.   When an INVITE request transmitted from a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session is received and analyzed, and the authentication result is not included in the received INVITE request , An authentication proxy request means for responding to the user terminal with a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme for requesting a proxy for authentication by the authentication management server, and the authentication to the received INVITE request A service providing server, comprising: a service providing unit that determines whether or not to provide a service according to success or failure of an authentication result when an authentication result by the management server is included.   14. The service providing server according to claim 13, wherein the authentication agent requesting means describes an authentication level corresponding to the requested service in the WWW-Authenticate header.   Service processing means for transmitting an INVITE request to a service providing server connected to a communication network using SIP as a signaling protocol for establishing a communication session, the service terminal being connected to the communication network, and the transmission The service providing server that has determined that the authentication result is not included in the received INVITE request, the user terminal sends a 401 Unauthorized response including a WWW-Authenticate header that describes the name of a specific authentication scheme for requesting authentication. And the transmitted 401 Unauthorized response is forwarded to the authentication management server by the SIP server, and the authentication management server receives the 401 Unauthorized response and analyzes the authentication method and the specific When a 401 Unauthorized response including a WWW-Authenticate header describing the authentication scheme name is transferred through the SIP server, the 401 Unauthorized response is received and analyzed, and authentication information necessary for authentication of the requested authentication method is obtained. A user terminal comprising: an authentication request response means for transmitting an INVITE request including the described authentication header to the service providing server.   An INVITE request sent from a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session to a service providing server connected to the communication network is transmitted to the service providing server connected to the communication network. If the received INVITE request includes an authentication header, the authentication process is performed based on the authentication information described in the authentication header, and the INVITE request describing the authentication result is Authentication determination means for transferring to the service providing server through the SIP server, and the service providing server determines that the received INVITE request does not include an authentication result, and specifies a specific authentication scheme name for requesting proxy WWW-Authentica described When a 401 Unauthorized response including an e header is responded to the user terminal, the 401 Unauthorized response is received from the SIP server and analyzed, and includes a WWW-Authenticate header describing an authentication method and a specific authentication scheme name 401. A program for causing an Unauthorized response to function as an authentication request unit that transfers an unauthenticated response to the user terminal through the SIP server.   The authentication requesting unit selects an authentication method of an authentication level corresponding to a service provided to the user terminal by the service providing server from a plurality of authentication methods of an authentication level. The program according to claim 16, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication scheme name is transferred to the user terminal through the SIP server.   18. The program according to claim 17, wherein the authentication request unit determines an authentication level of a service described in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server.   The authentication request unit specifies a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and determines an authentication level according to the specified service. The program according to claim 17.   The computer constituting the service providing server receives and analyzes an INVITE request transmitted from a user terminal connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and analyzes the received INVITE request. An authentication agent requesting means for responding to the user terminal with a 401 Unauthorized response including a WWW-Authenticate header describing a name of a specific authentication scheme for requesting an agent for authentication by the authentication management server when an authentication result is not included; When the received INVITE request includes an authentication result by the authentication management server, a program for functioning as a service providing unit that determines whether or not to provide a service according to the success or failure of the authentication result.   21. The program according to claim 20, wherein the authentication proxy requesting unit describes an authentication level corresponding to the requested service in the WWW-Authenticate header.   Service processing means for sending a computer constituting a user terminal connected to a communication network using SIP as a signaling protocol for establishing a communication session to send an INVITE request to a service providing server connected to the communication network; The service providing server that has determined that the authentication result is not included in the transmitted INVITE request, uses the 401 Unauthorized response including a WWW-Authenticate header that describes a specific authentication scheme name that requests proxy of authentication. The transmitted 401 Unauthorized response is transferred to the authentication management server by the SIP server, and the 401 Unauthorized response received by the authentication management server is analyzed. When a 401 Unauthorized response including a WWW-Authenticate header describing the authentication method and a specific authentication scheme name is transferred through the SIP server, the 401 Unauthenticated response is received and analyzed, and authentication of the requested authentication method is performed. A program for causing an INVITE request including an authentication header describing necessary authentication information to function as an authentication request response means for transmitting to the service providing server.   A SIP server connected to a communication network that uses SIP as a signaling protocol for establishing a communication session, and receives and analyzes an INVITE request sent by a user terminal to a service providing server connected to the communication network If the received INVITE request does not include an authentication header, the INVITE request is transferred to the service providing server. If the authentication header is included, the authentication described in the authentication header is transferred. Authentication determination means for performing an authentication process based on information and transferring an INVITE request describing an authentication result to the service providing server, and the service providing server determining that the received INVITE request does not include an authentication result , The name of the specific authentication scheme that requires authentication delegation When a 401 Unauthorized response including the described WWW-Authenticate header is responded to the user terminal, the 401 Unauthorized response is received and analyzed, and includes a WWW-Authenticate header describing the authentication method and a specific authentication scheme name. 401. An SIP server comprising: an authentication requesting means for transferring an Unauthorized response to the user terminal.   The authentication requesting unit selects an authentication method of an authentication level corresponding to a service provided to the user terminal by the service providing server from a plurality of authentication methods of an authentication level. The SIP server according to claim 23, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication scheme name is transferred to the user terminal.   25. The SIP server according to claim 24, wherein the authentication request unit determines an authentication level of a service described in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server.   The authentication request unit specifies a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and determines an authentication level according to the specified service. The SIP server according to claim 24.   A computer constituting a SIP server connected to a communication network that uses SIP as a signaling protocol for establishing a communication session receives an INVITE request sent from a user terminal to a service providing server connected to the communication network. If the received INVITE request does not contain an authentication header, the INVITE request is transferred to the service providing server. If the received INVITE request contains an authentication header, it is described in the authentication header. An authentication determination unit that performs an authentication process based on the authentication information and transfers an INVITE request describing an authentication result to the service providing server, and that the service providing server does not include an authentication result in the received INVITE request. Judgment and identification requesting proxy When a 401 Unauthorized response including a WWW-Authenticate header describing an authentication scheme name is responded to the user terminal, the 401 Unauthorized response is received and analyzed, and an authentication method and a specific authentication scheme name WWW- A program for causing a 401 Unauthorized response including an Authenticate header to function as an authentication requesting unit that transfers to the user terminal.   The authentication requesting unit selects an authentication method of an authentication level corresponding to a service provided to the user terminal by the service providing server from a plurality of authentication methods of an authentication level. 28. The program according to claim 27, wherein a 401 Unauthorized response including a WWW-Authenticate header describing an authentication scheme name is transferred to the user terminal.   29. The program according to claim 28, wherein the authentication request unit determines an authentication level of a service described in the WWW-Authenticate header of the 401 Unauthorized response transmitted from the service providing server. The authentication request unit specifies a service from the SIP URL of the service providing server described in the To header of the 401 Unauthorized response received from the service providing server, and determines an authentication level according to the specified service. The program according to claim 28.

Images