JP3739008B1 - Account management method and system - Google Patents

Abstract

To realize automatic password update and integration of multiple IDs and passwords by a safer and more convenient method.
An account server generates a new password P _{n + 1} for a user, calculates ΔP _{n + 1} using the new password P _{n + 1} , the current password P _n, and a second function G, and registers P _{n + 1} as the current password. And ΔP _{n + 1} is transmitted to the synchronization server. The synchronization server calculates new synchronization data S _{n + 1} using ΔP _{n + 1} received from the account server, the current synchronization data _Sn, and the third function H, and registers S _{n + 1} as the current synchronization data. The client terminal obtains the current synchronization data S _{n + 1} from the synchronization server, and calculates the current password P _{n + 1} using the main password M, the synchronization data S _{n + 1} and the first function F input by the user.
[Selection] Figure 4

Description

The present invention can automatically update a password registered with a service provider who provides a service on a network on the initiative of the service provider, and the same user can set ID / password pairs to a plurality of service providers. The present invention also relates to an account management method and system that enables a user to log in to a plurality of service providers by inputting a set of IDs and passwords.

When providing a service on a network, a service provider may give an ID / password pair to a user. However, if the same user is given ID / password pairs from multiple service providers, the format of the ID / password may depend on the service provider's unique format. It is very unlikely that the value of the password will be exactly the same, and even if the user can change the value, it is a security issue to register the same ID / password pair with multiple independent service providers. In the end, the user often has to store, store, and update a plurality of different ID / password pairs.

This conventional account management structure is likely to cause undesired actions such as the user leaving an ID / password in a memo or delaying the password update, causing a security problem. It has become one of the.

As a means for solving the troublesome management work held by the user as described above and the security problem held by the service provider, for example, there is a method disclosed in Japanese Patent No. 3430896. The method disclosed in Japanese Patent No. 3430896 is a method for storing a plurality of passwords in a terminal and allowing a user to connect to a plurality of Web servers using a single absolute password. It is a method to make it updatable.
Japanese Patent No. 3430896

However, in the method disclosed in Japanese Patent No. 3430896, it is necessary to always store important password data in the terminal, which is problematic in safety. Further, in a situation where the user uses a plurality of different terminals, it is inconvenient because it is necessary to move the stored password data between the terminals. Furthermore, if the terminal is in a stopped state or unconnected state for a long time, the password is not updated during that time. Even if this method is ported to a proxy server that is always in operation, important password data must always be stored, and management of this proxy server is delegated to a third party. However, the administrator of the proxy server can easily read the password.

The present invention has been made to solve the above-described problems, and an object of the present invention is to enable automatic password update and ID / password integration that are safer and more convenient. To provide an account management method and system.

In order to achieve the above object, the first account management method of the present invention includes an account server of one or more service sites, a synchronization server, and one or more clients installed on a mutually accessible network. An account management system that uses the synchronization server to synchronize with the user a password of the user that the account server updates at an arbitrary timing, wherein n is an arbitrary natural number, and the account server manages the account server The user's n-th password is P _n , the n + 1-th password is P _{n + 1} , the n-th synchronization data in the account server of the user managed by the synchronization server is S _n , the n + 1-th synchronization data is S _{n + 1} , Let M be the main password that the user enters into the client terminal. _{P n = F (M, S} n), ΔP n + 1 = G (P n + 1, P n), S n + 1 = H (ΔP n + 1, S n), P n + 1 = F (M, S n + 1), the function satisfies the F , G, and H in order, the first function, the second function, and the third function, the account server generates and registers an arbitrary password P _{n + 1} , and the password P _{n + 1} and the password P _n And the process of calculating the ΔP _{n + 1} using the second function and the process of transmitting the calculated ΔP _{n + 1} to the synchronization server, and the synchronization server receives from the account server a process of calculating and registering the synchronization data S _{n + 1} by using the [Delta] P n _{+ 1} and the synchronization between the data S _n and the third function, the class of the synchronization data S _{n + 1} at the request of the client terminal Processing for transmitting to the client terminal, the client terminal requesting the synchronization data to the synchronization server, the synchronization data received from the synchronization server, the main password, and the first function, The process of calculating the password using is performed.

The second account management method of the present invention is the method of the first present invention, wherein the synchronization server further manages one or a plurality of parameters corresponding to the service site of the user, Further executing a process of transmitting the parameter to the client terminal in response to the request of the client terminal, the client terminal requesting the synchronization data and the parameter to the synchronization server, and the received from the synchronization server The process of creating a conversion main password using the parameter, the main password, and a one-way function, and the password using the conversion main password, the synchronization data received from the synchronization server, and the first function And a process of calculating.

According to a third account management method of the present invention, in the first or second method of the present invention, the synchronization server further manages the authentication password of the user, and the synchronization server receives from the client terminal. The process of further authenticating the user using the authentication password is further performed, and the client terminal further executes a process of transmitting the authentication password input by the user to the synchronization server.

According to a fourth account management method of the present invention, in the first to third methods of the present invention, the synchronization server further manages one or a plurality of e-mail addresses of the user, When the user information is requested from the client terminal, a process of transmitting an e-mail to the e-mail address of the user is further executed.

The fifth account management system of the present invention comprises an account server of one or a plurality of service sites, a synchronization server, and one or a plurality of client terminals installed on a mutually accessible network. An account management system that uses the synchronization server to synchronize a user's password that the server updates at an arbitrary timing with the user, wherein n is an arbitrary natural number and the user's nth password managed by the account server _Pn , n + 1th password _{Pn + 1} , the nth synchronization data of the user managed by the synchronization server in the account server _Sn , n + 1th synchronization data _{Sn + 1} , and the user to the client terminal the main password to enter M, _{and, P n = F (M,} S n _{, ΔP n + 1 = G (} P n + 1, P n), S n + 1 = H (ΔP n + 1, S n), P n + 1 = F (M, S n + 1), the function satisfies the F, G, turn first function H , The second function and the third function, the account server uses means for generating / registering an arbitrary password P _{n + 1} , the password P _{n + 1} , the password P _n and the second function. said means for calculating the [Delta] P n _{+ 1,} and means for transmitting the [Delta] P n _{+ 1} the calculated to the synchronization server, the synchronization server, the account server and the [Delta] P n _{+ 1} received from the synchronization and data S _n Means for calculating and registering the synchronization data S _{n + 1} using a third function, and means for transmitting the synchronization data S _{n + 1} to the client terminal in response to a request from the client terminal The client terminal uses the means for requesting the synchronization data to the synchronization server, the synchronization data received from the synchronization server, the main password, and the first function. And means for calculating.

According to a sixth account management system of the present invention, in the system of the fifth present invention, the synchronization server further manages one or a plurality of parameters corresponding to the service site of the user, The client terminal further comprises means for transmitting the parameter to the client terminal in response to a request from the client terminal, the client terminal requesting the synchronization server for the synchronization data and the parameter, and the parameter received from the synchronization server. And means for generating a converted main password using the main password and a one-way function, and calculating the password using the converted main password, the synchronization data received from the synchronization server, and the first function And means for carrying out the above.

In a seventh account management system of the present invention, in the system of the fifth or sixth present invention, the synchronization server further manages the authentication password of the user, and the synchronization server receives from the client terminal The apparatus further comprises means for authenticating the user using the authentication password, and the client terminal further comprises means for transmitting the authentication password input by the user to the synchronization server.

According to an eighth account management system of the present invention, in the systems of the fifth to seventh aspects of the present invention, the synchronization server further manages one or more email addresses of the user, and the synchronization server The information processing apparatus further includes means for transmitting an e-mail to the e-mail address of the user when the user information is requested from the client terminal.

As described above, according to the present invention, it is possible to perform automatic password updating and ID / password integration with higher safety and convenience.

Hereinafter, the best mode for carrying out the present invention will be described with reference to the drawings.

FIG. 1 is a block diagram showing an embodiment of an account management system according to the present invention.

This block diagram shows that an account server, a synchronization server, and a client terminal of a service site are installed on a mutually accessible network, and a user operates the client terminal. The service site here refers to a user identifier (registered user ID, such as a user ID, a store number / account number, a user number, etc. registered in advance in the service site when providing a service to a user on the network). Is used in this sense) and a service provider that needs to receive a pair of secret data such as a password, passphrase, personal identification number (hereinafter used in this sense) from the user via the network. Furthermore, it means a service provider who registers an account for a service site in the synchronization server. An account server is a server that has the authority and means to update the password of one or more users among the users registered in the service site, and is also stored in the synchronization server. This server has authority / means for updating the data. A user is a user who has registered an account on the service site, has registered a user account on the synchronization server, and has the authority to update his / her password to the account server and synchronization. A user who has been given the authority to update data in the server. The client terminal basically has a character input device, a display display device, and an arithmetic processing mechanism, and may be of any form as long as it can be connected to a network, but an IC card, magnetic card, floppy (registered trademark) It is even better if a device for reading a portable storage medium such as a disk is provided. For example, a personal computer, a mobile terminal such as a mobile phone / PDA, and a dedicated terminal such as a cash dispenser. The network is a network configured by only one or a combination of a dedicated line, a LAN, the Internet, a wireless network, and the like, and it is further preferable that communication data is encrypted. The account server, the synchronization server, and the client terminal perform mutual data communication via this network. A plurality of service sites, account servers, client terminals, and users may exist for one synchronization server.

FIG. 2 is a diagram illustrating an example of data stored in the account server.

The UID described in the table 101 indicates the user ID, P _n indicates the n-th (current) password, SID described in the table 102 indicates the site ID, and SP indicates the site password. (Hereinafter, when a symbol is described, the meaning of the symbol is common throughout the present description). The table 101 stores a plurality of user IDs and passwords of users, and the table 102 stores only one set of site ID and site password for this service site. In addition to the data, management data such as the last update date / time and update flag may be added to the table 101 and the table 102. The storage location of these data may be in another node as long as it can be read and written from the account server.

FIG. 3 is a diagram illustrating an example of data stored in the synchronization server.

SID described in the table 201 is a site ID, SP is a site password, MID described in the table 202 is a main ID, SID is a site ID, UID is a user ID, and _Sn is an nth time. Each means (current) synchronization data. The table 201 stores a plurality of sets of site IDs and site passwords stored in the table 102 of FIG. 2 for each service site, and the table 202 includes a main ID that is an identifier of a user who uses the synchronization server, and A plurality of site IDs of service sites used by the user, user IDs for the service sites, and synchronization data used for obtaining a current password for the user IDs are stored. As shown in the table 202, it is possible to store a plurality of sets of site IDs, user IDs, and synchronization data for one main ID, whereby a plurality of combinations of user IDs and passwords possessed by a user can be stored in one Grouped under the main ID. Regarding the site ID, the site ID of the table 202 shares the same data as the site ID of the table 201 and the table 102 of FIG. 2 (this is used for authentication between an account server and a synchronization server, which will be described later). For the above reason, another data may be assigned to the site ID of the table 202 and a column for that data may be added to the table 201 and the table 102 of FIG. In addition to the data, management data such as the last update date and time and an update flag may be added to the tables 201 and 202.

Next, processing that is the center of the account management system will be described with reference to FIG. FIG. 4 is a conceptual diagram showing processing that is the center of the present invention.

First, the client terminal 300 acquires the current synchronization data S _n from the synchronization server 200 (P1), the main password M and synchronous data input by a user S _n and current password P by using the first function F _n is calculated (P2), and authentication is performed using the password _Pn (P3). On the other hand, the account server 100 generates a new password P _{n + 1} for the user, calculates ΔP _{n + 1} using the new password P _{n + 1} , the current password P _n and the second function G, and registers P _{n + 1} as the current password. (P4) and ΔP _{n + 1} is transmitted to the synchronization server 200 (P5). The synchronization server 200 calculates new synchronization data S _{n + 1} using ΔP _{n + 1} received from the account server 100, the current synchronization data S _n and the third function H, and registers S _{n + 1} as the current synchronization data (P6). ). The client terminal 300 obtains the current synchronization data S _{n + 1} from the synchronization server 200 (P7), and uses the main password M, the synchronization data S _{n + 1} and the first function F input by the user to obtain the current password P _{n + 1} . Calculation (P8) and authentication is performed using the password _{Pn + 1} (P9).

An arbitrary method may be used to generate a new password P _{n + 1} , but it may be generated using a random number. The initial password P1, the synchronization data S1, and the main password M are set in advance so as to satisfy the first function F.

Further, the first function F, the second function G, and the third function H are arbitrary functions having the above-described properties, and whether the configuration of each function is the same as the configuration of other functions. It doesn't matter. For example, the case where the second function G has the same configuration as the first function F is FF type, and the case where the third function H has the same configuration as the first function F is FG. -F type, the second function G, and the third function H are the same as the first function F. The FF type, the third function H is the same as the second function G. If the configuration is FGG type, the first variable of the function is V1, and the second variable is V2, then the configuration of the function F in the FFH type is V1-V2, function -V1 + V2 as the configuration of H, V1 + V2 as the configuration of the function F in the FGF type, V1-V2 as the configuration of the function G, V1 (+) V2, F- as the configuration of the function F in the FFF type A combination of V1 + V2 as a configuration of the function F in the GG type, −V1 + V2 as a configuration of the function G, and the like. In addition, said symbol (+) has shown exclusive OR. Further, assuming that the first function F, the second function G, and the third function H have different configurations, the F-GH type, the configuration of the function F in the F-GH type is V1- As the configuration of V2, the function G, -V1 + V2, the configuration of the function H, a combination of V1 + V2, and the like can be given. Further, even when a method such as changing the constant is used for the n-th function F and the (n + 1) -th function F, the configuration of both is assumed to be the same, and both are assumed to be function F (see FIG. 5).

FIG. 6 is a diagram showing a processing example of the first account management method in the present invention.

In order for a user to know his / her user ID and password registered in an arbitrary service site, it is necessary to first know the site ID of the service site by some method. As the method, the synchronization server transmits the selection menu to the client terminal, the method of storing the selection menu in the portable storage medium, or the case of using the WEB page, it is embedded in the link from the WEB page of the service site to the page of the synchronization server Method, etc. Any method may be used as long as the site ID can be acquired. When the client terminal operated by the user acquires the site ID, the acquired site ID and the main ID input by the user are transmitted to the synchronization server to request synchronization data (A1). Synchronization server acquires the user ID and the current synchronization data S _n for site s are determined in the site ID in the Main ID and Site ID received in the key from the table 202 of FIG. 3, the User ID · Synchronous Data Is transmitted to the client terminal (A2). When the client terminal receives the user ID / synchronization data from the synchronization server, the client terminal calculates the current password P _n using the main password, the synchronization data, and the first function input by the user (A3), and sends the current password P _n to the account server. The ID and password are transmitted (A4). When the account server receives the user ID and password from the client terminal and completes user authentication (A5), the account server generates a random number by generating a random number (A6), the new password, the current password, and the second function G. Are used to calculate ΔP _{n + 1} (A7). Thereafter, the calculated ΔP _{n + 1} , the user ID, the site ID of the table 102 in FIG. 2 and the site password are transmitted to the synchronization server (A8), and the new password is registered as the current password (A9). When the synchronization server receives the site ID and the site password from the account server and completes the site authentication (A10), the synchronization server uses the user ID and the site ID as keys to determine the site ID for the site s determined from the table 202 in FIG. The current synchronization data is obtained, new synchronization data is calculated using ΔP _{n + 1} , the current synchronization data, and the third function (A11), and the new synchronization data is registered as the current synchronization data (A12). After that, when the client terminal again sends the site ID and main ID to the synchronization server and requests the synchronization data (A13), the synchronization server uses the received main ID and site ID as a key from the table 202 in FIG. The user ID for the site s to be confirmed and the current synchronization data _{Sn + 1} are acquired, and the user ID / synchronization data is transmitted to the client terminal (A14). When the client terminal receives the user ID / synchronization data from the synchronization server, the client terminal calculates the current password P _{n + 1} by using the main password and the synchronization data input by the user and the first function (A15), and sends the user to the account server. The ID and password are transmitted (A16). The account server receives the user ID and password from the client terminal and authenticates the user (A17).

In the account management method using this method, the password does not flow in the communication between the account server and the synchronization server and the communication between the synchronization server and the client terminal. Further, it is not necessary to store the password in the client terminal / synchronization server. As for ΔP _{n + 1} · S _n · S _{n + 1} , the password and the main password cannot be calculated using only them. Further, it is not necessary to transmit the main password over the network, and it is not necessary to store it in the account server, the synchronization server, or the client terminal. For this reason, the method in which a third party including the synchronization server knows the password illegally is the same as the method in which the password is illegally obtained from the usual communication between the client terminal and the service site. Under this condition, the service site-led password update function and the multiple ID / password integration function are realized, which is beneficial in terms of convenience and safety.

FIG. 7 is a diagram showing a processing example of the second account management method in the present invention.

The client terminal transmits the site ID and the main ID input by the user to the synchronization server and requests synchronization data (B1). The synchronization server uses the received main ID and site ID as keys, and the user ID for the site s determined by the site ID from the table 202 in FIG. 3, the current synchronization data _Sn, and m parameters Pr [s1] ˜ Pr [sm] is acquired, and the user ID, synchronization data, and parameters are transmitted to the client terminal (B2). When the client terminal receives the user ID, the synchronization data, and the parameter from the synchronization server, the client terminal calculates the conversion password TP using the main password, the parameter, and the one-way function O input by the user (B3), The current password P _n is calculated using the synchronization data and the first function (B4), and the user ID and password are transmitted to the account server (B5). Thereafter, processing similar to steps A5 to A12 in FIG. 6 is performed, and when the client terminal transmits the site ID and main ID again to the synchronization server and requests synchronization data (B6), the synchronization server receives the received main ID and site. The user ID for the site s determined by the site ID, the current synchronization data Sn _{+ 1,} and m parameters Pr [s1] to Pr [sm] are acquired from the table 202 in FIG. User ID, synchronization data, and parameters are transmitted to the client terminal (B7). When the client terminal receives the user ID, the synchronization data, and the parameter from the synchronization server, the client terminal calculates the conversion password TP using the main password, the parameter, and the one-way function O input by the user (B8), The current password P _{n + 1} is calculated using the synchronization data and the first function (B9), and the user ID and password are transmitted to the account server (B10).

Random numbers may be used as the parameter values described above. Further, when the same user registers a plurality of service sites, parameters are assigned at least as many as the number of service sites. However, it is preferable that the parameters have different values.

Any configuration of the unidirectional function O may be used. For example, a hash value is calculated using a value obtained by concatenating the main password and the first parameter as an input value of SHA-1, and the hash value and the second parameter are exclusive ORed, and the exclusive OR is performed. It may be configured such that the calculation for further calculating the hash value is repeated a predetermined number of times using the obtained value as the input value of SHA-1. In this case, the finally calculated hash value becomes the converted main password. Further, the unidirectional function O may be configured by applying a common key cryptosystem. For example, a configuration may be used in which the first parameter is ciphertext, a value obtained by concatenating the main password and the second parameter is a common key, and the ciphertext is decrypted by DES using this common key. In this case, the decrypted plaintext becomes the converted main password.

In the account management method using this method, in addition to the advantage of the first method, when the accounts of a plurality of service sites are managed, even if a malicious service site exists, the conversion main password is the target service. This is a different value for each site, and since a one-way function is used to calculate the conversion main password, it is difficult to reversely calculate from the conversion main password to the main password.

FIG. 8 is a diagram showing a processing example of the third account management method in the present invention.

The client terminal sends the site ID, the main ID input by the user, and the authentication password CP to the synchronization server and requests synchronization data (C1). The synchronization server authenticates the user using the received main ID and authentication password (C2). Once authenticated, the user ID and the current synchronous data _{S n} and m number of parameters Pr [s1] for the site s are determined in the site ID from the table 202 of FIG. 3 by a main ID and Site ID in the key ~Pr [Sm] is acquired, and the user ID, synchronization data, and parameters are transmitted to the client terminal (C3). Thereafter, processing similar to steps B3 to B5 in FIG. 7 and steps A5 to A12 in FIG. 6 is performed, and when the client terminal transmits the site ID, main ID, and authentication password CP to the synchronization server again and requests synchronization data (C4 The synchronization server authenticates the user using the received main ID and authentication password (C5). When authenticated, the user ID for the site s determined by the site ID from the table 202 of FIG. 3 using the main ID and the site ID as keys, the current synchronization data Sn _{+ 1,} and m parameters Pr [s1] to Pr [Sm] is acquired, and the user ID, synchronization data, and parameters are transmitted to the client terminal (C6).

In the account management method using this method, synchronization data and parameters are not sent to an unspecified number of service sites and third parties, so it is very difficult to estimate the main password by brute force calculation on any computer. become. Although the authentication password is stored in the synchronization server, the authentication password itself is independent of the password calculation process. Therefore, if the communication between the client terminal and the synchronization server and the synchronization server itself are highly reliable, the security is further enhanced and beneficial. It is.

In the first to third account management methods, it is better to add a process in which the synchronization server reports the access status to the user using email. In this case, the synchronization server additionally stores one or more email addresses for each user. Mail shown in the table 202 of FIG. 3 means an e-mail address.

FIG. 9 is a diagram showing a processing example of the fourth account management method in the present invention.

The client terminal transmits the site ID, the main ID input by the user, and the authentication password CP to the synchronization server and requests synchronization data (D1). The synchronization server authenticates the user using the received main ID and authentication password (D2). Regardless of whether or not authenticated, the e-mail address is acquired from the table 202 in FIG. 3 using the main ID and site ID as keys, and the e-mail is transmitted to the e-mail address via the mail server in FIG. (D3). When the user is authenticated in step D2, the user ID for the site s determined by the site ID from the table 202 of FIG. 3 using the main ID and site ID as keys, the current synchronization data _Sn, and m parameters Pr. [S1] to Pr [sm] are acquired, and the user ID, synchronization data, and parameters are transmitted to the client terminal (D4). Thereafter, processing similar to steps B3 to B5 in FIG. 7 and steps A5 to A12 in FIG. 6 is performed, and when the client terminal transmits the site ID, the main ID, and the authentication password CP to the synchronization server again and requests synchronization data (D5 The synchronization server authenticates the user using the received main ID and authentication password (D6). Regardless of whether or not authenticated, the e-mail address is acquired from the table 202 in FIG. 3 using the main ID and site ID as keys, and the e-mail is transmitted to the e-mail address via the mail server in FIG. (D7). When the user is authenticated in step D6, the user ID for the site s determined by the site ID from the table 202 of FIG. 3 using the main ID and the site ID as keys, the current synchronization data _{Sn + 1,} and m parameters Pr. [S1] to Pr [sm] are acquired, and the user ID, synchronization data, and parameters are transmitted to the client terminal (D8).

In addition to the advantages of the first to third methods, the account management method using this method enables the user to quickly detect unauthorized use of the user's own account or its sign, and thus is further enhanced in safety and beneficial. is there.

When registering / changing the main password, it is necessary to change the password in the account server, and the change data is transferred from the client terminal to the account server via the synchronization server. In the case of transmission, the public key for each service site is stored in the table 201 of FIG. 3, the synchronization server transmits the public key of the service site to the client terminal, and the client terminal encrypts the changed data with the public key. It is good to transmit to a synchronous server above. If authentication is required for access from the synchronization server to the account server, the ID / password of the synchronization server is stored in the account server, and the synchronization server may store the ID / password for each service site in the table 201.

The client terminal or the portable storage medium may store at least one of the main ID, site ID, user ID, and parameter. In particular, when storing a user ID, if the client terminal adds and transmits a user ID in step A1 of FIG. 6, a plurality of user IDs / passwords registered in the same service site can be managed under the same main ID. , Improve convenience.

It is a block diagram which shows one Example of the account management system in this invention. It is a figure which shows an example of the memory | storage data of an account server. It is a figure which shows an example of the memory | storage data of a synchronous server. It is a conceptual diagram which shows the process which becomes the center of this invention. It is a figure which shows the structural example of a function. It is a figure which shows one processing example of the 1st account management method in this invention. It is a figure which shows one processing example of the 2nd account management method in this invention. It is a figure which shows one processing example of the 3rd account management method in this invention. It is a figure which shows one processing example of the 4th account management method in this invention.

Explanation of symbols

100 Account server 200 Synchronization server 300 Client terminal 101, 102, 201, 202 Table UID User ID
P _n nth (current) password SID site ID
SP Site password MID Main ID
S _n n-th (current) synchronization data M main password F first function P _{n + 1} n + 1-th (new) password G second function ΔP _{n + 1} value calculated by second function H third function S _{n + 1} n + 1-th (new) synchronous data Pr Parameter O Unidirectional function TM Conversion main password CP Authentication password Mail Email address

Claims (8)

An account server of one or a plurality of service sites, a synchronization server, and one or a plurality of client terminals installed on a mutually accessible network, and the account server updates at an arbitrary timing. In an account management system that uses the synchronization server to synchronize a password with the user,
n is an arbitrary natural number, the nth password of the user managed by the account server is _Pn , the n + 1th password is _{Pn + 1} , and the nth synchronization data of the user managed by the synchronization server in the account server is S _n , the n + 1th synchronization data is S _{n + 1} , the main password that the user inputs to the client terminal is M,
P _n = F (M, _Sn ),
ΔP _{n + 1} = G (P _{n + 1} , P _n ),
S _{n + 1} = H (ΔP _{n + 1} , S _n ),
P _{n + 1} = F (M, S _{n + 1} ),
Assuming that the functions F, G, and H satisfying the conditions are the first function, the second function, and the third function in this order,
A process in which the account server generates and registers an arbitrary password P _{n + 1} ; a process in which ΔP _{n + 1} is calculated using the password P _{n + 1} , the password P _n, and the second function; Performing a process of transmitting ΔP _{n + 1} to the synchronization server;
The synchronization server calculates and registers the synchronization data S _{n + 1} using the ΔP _{n + 1} received from the account server, the synchronization data _Sn, and the third function, and the client terminal requests A process of transmitting the synchronization data S _{n + 1} to the client terminal,
A process in which the client terminal requests the synchronization data from the synchronization server; and a process of calculating the password by using the synchronization data received from the synchronization server, the main password, and the first function. An account management method characterized by executing. The synchronization server further manages one or more parameters corresponding to the service site of the user;
The synchronization server further executes a process of transmitting the parameter to the client terminal according to a request from the client terminal,
A process in which the client terminal requests the synchronization data and the parameter from the synchronization server, and a process of creating a converted main password using the parameter, the main password, and the one-way function received from the synchronization server 2. The account according to claim 1, further comprising: calculating the password using the converted main password, the synchronization data received from the synchronization server, and the first function. Management method. The synchronization server further manages the authentication password of the user,
The synchronization server further executes a process of authenticating the user using the authentication password received from the client terminal,
The account management method according to claim 1, wherein the client terminal further executes a process of transmitting the authentication password input by the user to the synchronization server. The synchronization server further manages one or more email addresses of the user;
4. The method according to claim 1, wherein the synchronization server further executes a process of sending an e-mail to the e-mail address of the user when the client terminal requests the user information. Account management method described in An account server of one or a plurality of service sites, a synchronization server, and one or a plurality of client terminals installed on a mutually accessible network, and the account server updates at an arbitrary timing. An account management system that uses the synchronization server to synchronize a password with the user,
n is an arbitrary natural number, the nth password of the user managed by the account server is _Pn , the n + 1th password is _{Pn + 1} , and the nth synchronization data of the user managed by the synchronization server in the account server is S _n , the n + 1th synchronization data is S _{n + 1} , the main password that the user inputs to the client terminal is M,
P _n = F (M, _Sn ),
ΔP _{n + 1} = G (P _{n + 1} , P _n ),
S _{n + 1} = H (ΔP _{n + 1} , S _n ),
P _{n + 1} = F (M, S _{n + 1} ),
Assuming that the functions F, G, and H satisfying the conditions are the first function, the second function, and the third function in this order,
The account server includes means for generating / registering an arbitrary password P _{n + 1} , means for calculating the ΔP _{n + 1} using the password P _{n + 1} , the password P _n, and the second function, and the calculated Means for transmitting ΔP _{n + 1} to the synchronization server,
The synchronization server calculates and registers the synchronization data S _{n + 1} using the ΔP _{n + 1} received from the account server, the synchronization data _Sn, and the third function, and requests the client terminal to Means for transmitting synchronization data S _{n + 1} to the client terminal,
Means for requesting the synchronization data from the synchronization server; and means for calculating the password using the synchronization data received from the synchronization server, the main password, and the first function. An account management system characterized by comprising. The synchronization server further manages one or more parameters corresponding to the service site of the user;
The synchronization server further comprises means for transmitting the parameter to the client terminal in response to a request from the client terminal;
The client terminal requests the synchronization server for the synchronization data and the parameter, and creates a converted main password using the parameter, the main password, and a one-way function received from the synchronization server. 6. The account management according to claim 5, further comprising: means for calculating the password using the converted main password, the synchronization data received from the synchronization server, and the first function. system. The synchronization server further manages the authentication password of the user,
The synchronization server further comprises means for authenticating the user using the authentication password received from the client terminal,
The account management system according to claim 5, wherein the client terminal further includes means for transmitting the authentication password input by the user to the synchronization server. The synchronization server further manages one or more email addresses of the user;
8. The synchronization server according to claim 5, further comprising means for transmitting an e-mail to an e-mail address of the user when the user information is requested from the client terminal. Account management system described in.

Images