This application claims the benefit of Japanese Patent Application No. 2009-097293 filed on Apr. 13, 2009, the disclosure of which is incorporated herein by reference.
The present invention relates to an authentication technique using a mobile terminal carried by a user.
Various types of relay terminal devices, such as digital televisions and personal computers, have been produced commercially in recent years. A relay terminal device is coupled to a fixed network and makes it possible to enjoy a large-capacity broadband communication service (referred to as a communication service or a service hereinafter) on a large screen. The relay terminal device receives a communication service from a center apparatus that provides the communication service and outputs a picture image or the like on its display unit. If a user wishes to enjoy such a communication service, the center apparatus performs an authentication processing of the user or of the relay terminal device in order to charge a fee. The relay terminal device also performs an authentication processing of the user.
For example, “Generic Authentication Architecture (GAA), 3GPP TS 33.220, 3rd Generation Partnership Project” (referred to as Non-patent Document 1 hereinafter) discloses an authentication between a terminal and a center apparatus. Non-patent Document 1 describes that, for the purpose of enjoying a communication service, a mobile phone terminal performs an authentication processing with a center apparatus, and, if the mobile phone terminal has succeeded in the authentication, the mobile phone terminal receives the communication service.
If the authentication processing function of the relay terminal device is simplified, cost can be reduced effectively, because, as described above, relay terminal devices come in a wide variety of specifications. Further, if the authentication processing function of the center apparatus is simplified, the load of processing communication services on the center apparatus can be reduced effectively.
In particular, when simplifying the authentication processing of the relay terminal device, it is highly convenient for the user to perform an authentication using a mobile terminal (for example, a mobile phone terminal, a personal digital assistant, or a laptop personal computer), which is widely used and easily carried by the user. That is, it is advantageous to use a mobile terminal to authenticate both the user and the relay terminal device. When simplifying the authentication processing of the center apparatus, it is at least necessary that a user who has received a communication service via a relay terminal device at one site can continue to receive the same communication service via another relay terminal device at another site to which the user travels. This case is hereinafter referred to as handover. Non-patent Document 1 teaches an authentication method for a mobile phone terminal, but does not teach simplified authentication processings for the relay terminal device and the center apparatus.
The disclosed system provides simplified authentication processings of a relay terminal device and a center apparatus.
An authentication federation system includes: a center apparatus (which may also be referred to as a service device) that provides a communication service; a relay terminal device that a user uses for enjoying the communication service; and an authentication server that performs an authentication. The center apparatus, the relay terminal device, and the authentication server are communicably coupled to a fixed network, and an authentication is performed by a mobile terminal (which may also be referred to as a mobile phone terminal) carried by the user via the relay terminal device. The authentication federation system operates as follows.
The mobile terminal and the authentication server perform an authentication processing therebetween and generate first authentication information. Each of the authentication server and the mobile terminal stores therein the first authentication information. The mobile terminal generates second authentication information using service information received from the relay terminal device and the first authentication information, stores therein the second authentication information, and transmits the second authentication information to the authentication server via the relay terminal device and the center apparatus. The authentication server performs an authentication processing using the received second authentication information and the first authentication information and transmits a result of the authentication processing to the center apparatus. The center apparatus makes a determination on the received authentication processing result, and, if the authentication processing result indicates that the authentication has been successfully completed, provides the service to the relay terminal device.
According to the teaching herein, simplified authentication processings of the center apparatus and the relay terminal device can be provided.
These and other benefits are described throughout the present specification. A further understanding of the nature and advantages of the invention may be realized by reference to the remaining portions of the specification and the attached drawings.
Next is described in detail an embodiment for carrying out the present invention, in which a mobile phone terminal is used as a mobile terminal, with reference to related drawings.
An outline of an authentication processing according to the embodiment is described with reference to
Next, relay terminal device A (30a) transmits to the mobile phone terminal 20 an authentication request, that is, a request for an authentication with the service device A (60a). This step is designated by a reference numeral A2. The mobile phone terminal 20 generates service authentication information A603 using the coupling authentication information A505 stored therein and the service information included in the authentication request for the service device A (60a). The mobile phone terminal 20 transmits the generated service authentication information A603 to the relay terminal device A (30a). This step is designated by a reference numeral A3. All or part of the generated service authentication information (at least the part that allows the authentication) is stored in the mobile phone terminal 20 as the service authentication information A603 (which may also be referred to as second authentication information).
Then, the relay terminal device A (30a) transmits a service request including the service authentication information A603 to the service device A (60a). This step is designated by a reference numeral A4. The service device A (60a) transmits the authentication request including the service authentication information A603 to the authentication server 50. This step is designated by a reference numeral A5. The authentication server 50 performs an authentication using the received service authentication information A603 and the coupling authentication information A505 (which may also be referred to as a second authentication processing), to thereby generate a service authentication result (which may also be referred to as a result of the second authentication processing). Then, the authentication server 50 transmits the service authentication result to the service device A (60a). This step is designated by a reference numeral A6. The service device A (60a) determines whether or not the authentication has been successfully completed, based on the received service authentication result. If the authentication is determined to have been successfully completed, the service device A (60a) provides the service. This step is designated by a reference numeral A7. Further, the service device A (60a) stores therein the service authentication result.
As described above, the authentication processing of Case A shown in
As described above, in Case B shown in
As described above, in Case C shown in
A configuration example of an authentication federation system 1 according to this embodiment is described with reference to
Next are described major functions of the devices 20, 30, 50, and 60 with reference to
As shown in
As shown in
As shown in
The CPU 401 is, for example, a CPU of a computer. The CPU 401 embodies a calculation processing in the devices 20, 30, 50, 60 by loading an application program in the memory 402 and executing the program. The storage unit 403 may be, for example, a storage medium such as a CD-R (Compact Disc Recordable), a DVD-RAM (Digital Versatile Disk-Random Access Memory), and a silicon disk, and a HDD (Hard Disk Drive) as a drive unit of the storage medium. The storage unit 403 stores therein various types of information used in a calculation or an application program executed in the CPU 401. The input unit 404 is, for example, a keyboard, a mouse, a scanner, and a microphone. The output unit 405 is, for example, a display unit, a speaker, and a printer. The communication unit 406 functions as the communication units 21, 31, 51, 61 of the respective devices 20, 30, 50, 60.
Next are described flows of processings in this embodiment with reference to
As shown in
In step S503, the relay terminal device 30a transfers the received coupling authentication request A502 to the mobile phone terminal 20. In step S504, the mobile phone terminal 20 generates coupling authentication information using the received coupling authentication request A502 and a key for the coupling authentication stored in the key storage unit 24. In step S505, the mobile phone terminal 20 stores all or part (at least a part that allows the authentication) of the generated coupling authentication information as the coupling authentication information A505 (the first authentication information) in the coupling authentication information storage unit 25. Further, the mobile phone terminal 20 transmits the coupling authentication information A505 to the relay terminal device 30a. The relay terminal device 30a transfers the received coupling authentication information A505 to the authentication server 50.
In step S506, the authentication server 50 carries out the coupling authentication using the received coupling authentication information A505 and the key for the coupling authentication stored in the key storage unit 54. The authentication server 50 transmits a coupling authentication result A506 (that is, a result of the first authentication processing) to the relay terminal device 30a. Besides the authentication result, the coupling authentication result A506 includes at least, for example, a session ID for identifying a session assuming that a series of steps from step S501 to S506 is one session. In step S507, the relay terminal device 30a determines whether or not the authentication has been successfully completed, based on the received coupling authentication result A506. If the relay terminal device 30a determines that the authentication has not been successfully completed (if No in step S507), in step S508, the relay terminal device 30a displays that the authentication has failed in the output unit 405 (see
As shown in
In step S605, the service device 60 transmits a service authentication request A605 including the service authentication information A603, to the authentication server 50. In step S606, the authentication server 50 carries out the service authentication processing (the second authentication processing) using the service authentication information A603 and the coupling authentication information A505 stored in the authentication information storage unit 55. The authentication server 50 transmits a service authentication result A606 which is a result of the service authentication processing (a result of the second authentication processing), to the service device 60.
In step S607, the service device 60 determines whether or not the authentication has been successfully completed, based on the received service authentication result A606. Further, the service device 60 stores the received service authentication result A606 in association with the service authentication information A603, in the authentication information storage unit 65. If the service device 60 determines that the authentication has failed (if No in step S607), the service device 60 transmits an error notification A607 indicating the authentication failure to the relay terminal device 30a, based on the relay terminal device ID stored in the authentication information storage unit 65. The relay terminal device 30a then terminates the processing. If the service device 60 determines that the authentication has been successfully completed (if Yes in step S607), in step S608, the service device 60 provides a prescribed service such as a transmission of a service data A608 to the relay terminal device 30a, based on the relay terminal device ID stored in the authentication information storage unit 65. In step S609, the relay terminal device 30a receives the service data A608, which allows the relay terminal device 30a to enjoy the prescribed service (for example, if the relay terminal device 30a is a digital television, contents for the digital television can be enjoyed).
In step S701, the mobile phone terminal 20 transmits a federation request A701 (information used for a federated authentication) to the relay terminal device 30b. The federation request A701 includes a random number. In step S702, the relay terminal device 30b generates federated authentication information using the federation request A701 and a key stored in the key storage unit 34 (which may also be referred to as a third authentication processing). The relay terminal device 30b uses all or part (at least a part that allows the authentication) of the generated federated authentication information as federated authentication information A702 (which may also be referred to as third authentication information). The relay terminal device 30b then transmits the federated authentication information A702 and communication information A712 to the mobile phone terminal 20. The communication information A712 is information shared by the mobile phone terminal 20 and the relay terminal device 30b so that they can newly perform a communication therebetween.
In step S703, the mobile phone terminal 20 performs a federated authentication processing, using the received federated authentication information A702 and the key stored in the key storage unit 24. In step S704, the mobile phone terminal 20 determines whether or not the authentication has been successfully completed, based on a result of the federated authentication processing (which may also be referred to as a result of the third authentication processing). If the mobile phone terminal 20 determines that the authentication has failed (if No in step S704), the mobile phone terminal 20 displays the authentication failure in the output unit 405 (see
In step S708, the service device 60 determines whether or not the service authentication has already been successfully completed. To make the determination, the service device 60 retrieves information on whether or not the authentication information storage unit 65 has already stored therein the service authentication result A606 concerning the service authentication information A603. For example, the service device 60 determines that the service authentication has already been successfully completed, if the authentication information storage unit 65 has already stored therein the service authentication result A606 concerning the service authentication information A603 received from the authentication server 50.
If the service device 60 determines that the service authentication has not yet been completed (if No in step S708), in step S605, the service device 60 transmits the service authentication request A605 including the service authentication information A603, to the authentication server 50. In step S606, the authentication server 50 performs a processing of a service authentication, using the service authentication information A603 and the coupling authentication information A505 stored in the authentication information storage unit 55. The authentication server 50 transmits the service authentication result A606 which is a result of the service authentication processing, to the service device 60.
In step S607, the service device 60 determines whether or not the authentication has been successfully completed, based on the received service authentication result A606. The service device 60 stores the received service authentication result A606 in association with the service authentication information A603, in the authentication information storage unit 65. If the service device 60 determines that the authentication has failed (if No in step S607), the service device 60 transmits the error notification A607 indicating the authentication failure to the relay terminal device 30b, based on the relay terminal device ID stored in the authentication information storage unit 65. The relay terminal device 30b then terminates the processing.
If the service device 60 determines that the service authentication has already been completed (if Yes in step S708) or if the service device 60 determines that the authentication has been successfully completed (if Yes in step S607), then, in step S709, the service device 60 references the authentication information storage unit 65 using the service authentication information A603, to thereby determine whether or not the service of interest is being provided to another relay terminal device 30a. In other words, the service device 60 determines whether or not the relay terminal device ID received upon the service request A707 is identical with the relay terminal device ID received upon the service request A604 shown in
If the requested service is being provided to another relay terminal device (if Yes in step S709), in step S710, the service device 60 stops providing the service to the other relay terminal device (in
In the authentication federation system 1 according to this embodiment, the mobile phone terminal 20 and the authentication server 50 each store therein the coupling authentication information A505 generated in an initial coupling authentication. If the relay terminal device 30 is to be provided with a service by the service device 60, the mobile phone terminal 20 generates the service authentication information A603 using the coupling authentication information A505, stores therein the service authentication information A603, and also transmits the service authentication information A603 to the authentication server 50. The authentication server 50 performs a service authentication using the coupling authentication information A505 and the service authentication information A603 and transmits the service authentication result A606 to the service device 60. The service device 60 stores therein the service authentication result A606 and determines whether or not the service authentication has been successfully completed, based on the stored service authentication result A606. Thus, the authentication processing proper is performed only at the mobile phone terminal 20 and the authentication server 50. This means that the authentication processing at the relay terminal device 30 and the service device 60 can be simplified.
Further, at handover, a federated authentication is performed between the mobile phone terminal 20 and the relay terminal device 30. If that authentication has been successfully completed, the mobile phone terminal 20 reads the service authentication information A603 stored therein and transmits the service authentication information A603 to the service device 60. The service device 60 looks up the service authentication result that it has stored in association with the service authentication information A603. If that result indicates a successful authentication, the service device 60 provides the service. Note that, if the service device 60 has not stored therein a service authentication result for the service authentication information A603, the service device 60 does not provide the service. As described above, the authentication processing at handover can also be simplified, because the service device 60 only determines, based on the authentication result already stored therein, whether or not the authentication concerning the service authentication information A603 has been successfully completed. Moreover, an authentication of the relay terminal device 30 that would otherwise be performed by the service device 60 can be omitted, because the mobile phone terminal 20, which has already been authenticated, authenticates the relay terminal device 30 through the federated authentication instead of the service device 60.
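The three authentication processings summarised above (the coupling authentication of steps S501 to S507, the service authentication of steps S602 to S608, and the federated authentication plus stored-result lookup of steps S701 to S710) are shown end to end in the following added example. It is illustrative code written for this page, not code from the application or from any product; the specification names no cryptographic primitive, message encoding or key distribution, so HMAC-SHA256, the dictionary-shaped messages, the session-ID bookkeeping, the pre-shared relay key used for the federated authentication, and the decision to keep the derived A505 on the phone while sending only a response tag over the relay are all assumptions of this example. The keys, relay IDs and service information are constructed test values.

```python
import hashlib
import hmac
import secrets

def mac(key, *parts):
    # HMAC-SHA256 over length-prefixed parts; the primitive is an assumption, the page names none
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

class AuthServer:  # authentication server 50
    def __init__(self, coupling_key):
        self.coupling_key = coupling_key  # key storage unit 54
        self.a505_by_session = {}  # authentication information storage unit 55
        self.service_verifications = 0  # how many A605 requests reached the server
    def coupling_request(self):  # A502: challenge for the first authentication
        return {"nonce": secrets.token_bytes(16)}
    def coupling_verify(self, resp):  # S506: first authentication processing
        nonce = resp["nonce"]
        if not hmac.compare_digest(mac(self.coupling_key, b"coupling-resp", nonce), resp["tag"]):
            return {"ok": False}
        sid = secrets.token_hex(8)
        self.a505_by_session[sid] = mac(self.coupling_key, b"coupling-key", nonce)  # A505
        return {"ok": True, "session_id": sid}  # A506 carries the session ID
    def service_verify(self, a603):  # S606: second authentication processing
        self.service_verifications += 1
        a505 = self.a505_by_session.get(a603["session_id"])
        if a505 is None:
            return {"ok": False}
        return {"ok": hmac.compare_digest(mac(a505, b"service", a603["service_info"]), a603["tag"])}

class Mobile:  # mobile phone terminal 20
    def __init__(self, coupling_key, relay_key):
        self.coupling_key, self.relay_key = coupling_key, relay_key  # key storage unit 24
        self.session_id = self.a505 = self.a603 = self.fed_nonce = None
    def coupling_response(self, a502):  # S504/S505: keep A505, send only the response tag
        nonce = a502["nonce"]
        self.a505 = mac(self.coupling_key, b"coupling-key", nonce)
        return {"nonce": nonce, "tag": mac(self.coupling_key, b"coupling-resp", nonce)}
    def service_auth_info(self, service_info):  # S602/S603: A603 from A505 and service info
        self.a603 = {"session_id": self.session_id, "service_info": service_info,
                     "tag": mac(self.a505, b"service", service_info)}
        return self.a603
    def federation_request(self):  # S701: A701 carries a fresh random number
        self.fed_nonce = secrets.token_bytes(16)
        return {"nonce": self.fed_nonce}
    def federated_verify(self, a702):  # S703/S704: third authentication processing
        expected = mac(self.relay_key, b"federation", self.fed_nonce, a702["relay_id"])
        return hmac.compare_digest(expected, a702["tag"])

class Relay:  # relay terminal device 30a / 30b
    def __init__(self, relay_id, relay_key):
        self.relay_id, self.relay_key = relay_id, relay_key  # key storage unit 34
    def federated_info(self, a701):  # S702: A702 proves possession of the relay key
        return {"relay_id": self.relay_id,
                "tag": mac(self.relay_key, b"federation", a701["nonce"], self.relay_id)}

class ServiceDevice:  # service device 60
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.results = {}  # authentication information storage unit 65: A603 -> A606
        self.serving = {}  # A603 -> relay currently receiving the service
    def service_request(self, relay_id, a603):  # S604-S608 and S707-S710
        k = (a603["session_id"], a603["service_info"], a603["tag"])
        result = self.results.get(k)
        if result is None or not result["ok"]:  # S708: no stored success, so ask the server
            result = self.auth_server.service_verify(a603)
            self.results[k] = result  # S607: store A606 together with A603
        if not result["ok"]:
            return {"served": None, "stopped": None, "error": relay_id}  # A607
        prev = self.serving.get(k)  # S709/S710: stop the relay that had the service
        stopped = prev if prev != relay_id else None
        self.serving[k] = relay_id
        return {"served": relay_id, "stopped": stopped, "error": None}

def run_scenario():
    """Coupling at relay A, service via A, handover to relay B, then two failing attempts."""
    ck, rk = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    server, mobile = AuthServer(ck), Mobile(ck, rk)
    service = ServiceDevice(server)
    relay_a, relay_b = Relay(b"relay-A", rk), Relay(b"relay-B", rk)
    rogue = Relay(b"rogue", b"\x00" * 32)  # does not hold the federation key
    out = {}
    a506 = server.coupling_verify(mobile.coupling_response(server.coupling_request()))
    out["coupling_ok"], mobile.session_id = a506["ok"], a506["session_id"]
    a603 = mobile.service_auth_info(b"iptv:channel-1")  # constructed service information
    out["first"] = service.service_request(relay_a.relay_id, a603)
    out["calls_after_first"] = server.service_verifications
    # Handover: the mobile authenticates relay B, which then re-presents the stored A603.
    out["fed_b_ok"] = mobile.federated_verify(relay_b.federated_info(mobile.federation_request()))
    out["handover"] = service.service_request(relay_b.relay_id, mobile.a603)
    out["calls_after_handover"] = server.service_verifications
    # A relay without the key fails the third authentication; a tampered A603 is unknown to
    # the service device, so it goes to the server and is rejected there.
    out["fed_rogue_ok"] = mobile.federated_verify(rogue.federated_info(mobile.federation_request()))
    out["forged"] = service.service_request(rogue.relay_id, dict(a603, tag=bytes(32)))
    return out
```

Running `run_scenario()` shows the two properties the text claims: the authentication server is consulted exactly once for the service (the counter stays at 1 across the handover), and the service device decides the handover purely from its stored A606, stopping relay A and serving relay B. The checks a practitioner would want are also visible: because the derived A505 never leaves the phone in this model, a relay that forwards A603 cannot mint a new A603 for different service information, and a tampered A603 misses the service device's store and is rejected by the server; a relay that does not hold the federation key fails the third authentication, so the phone never hands it the stored A603 at all. What the model also makes plain is that, at handover, the stored A603 is the only credential the service device sees, so it must bind that stored result to the relay ID it was issued to, as the text's steps S709 and S710 do, and keep unit 65 as protected as the key material itself.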
Herein, the relay terminal device 30 includes the coupling authentication information storage unit 35 and the service authentication information storage unit 36. However, the relay terminal device 30 may obtain authentication information from the coupling authentication information storage unit 25 and the service authentication information storage unit 26 of the mobile phone terminal 20. This eliminates the use of the coupling authentication information storage unit 35 and the service authentication information storage unit 36 of the relay terminal device 30.
The processings in
In step S702 of
In the flow of the processing of
This does not change a flow of a processing performed by the relay terminal device 30a.
The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereto without departing from the spirit and scope of the invention as set forth in the claims.
Number | Date | Country | Kind |
---|---|---|---|
2009-097293 | Apr 2009 | JP | national |