JP2003158516A - Service management system and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a service management system and method that can provide a proper service to legitimate registration users. SOLUTION: A management apparatus generates a private key and public key in pairs with each customer, generates a certificate of each customer as to the public key by using the private key, issues the certificate to each customer, and stores the created contents by each customer as customer information, a terminal transmits an authentication information request corresponding to the customer of the terminal 1 to the management apparatus at an access request to a service apparatus, the management apparatus transmits authentication information including the private key encrypted by a password of one customer depending on the customer information in response to the authentication request and a random number to the terminal, the terminal decodes the random number depending on the encrypted private key to obtain decoded data and transmits the decoded data and the certificate of the one customer to the management apparatus, and the management apparatus discriminates whether or not the decoded data and the certificate of the one customer are legitimate and permits the terminal to access the service apparatus according to the result of discrimination.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a service management system for managing a customer of a terminal device provided with a service from a service device in a network and a service content for each customer.

[0002]

2. Description of the Related Art Conventionally, a customer (including a group) who wishes to receive a service is registered in a network by using a terminal device, and a predetermined service is provided to the registered customer. A service management system that manages is known. The functions of this service management system relate to a function for generating and issuing authentication information via a network, a function for permitting or prohibiting execution of processing of a service using the authentication information, and a method for starting a service.

[0003]

However, in the above service management system, it is impossible for the registered customer to change the permission / prohibition information of the service processing execution through the network by the individual authority. The management device collectively manages the private key of the customer and the service, and the private key is encrypted and transmitted to the customer and the service on the network. This operation has the advantage that the user only needs to store the password obtained by encrypting the secret key.
However, when it is desired to use a device such as an IC card that can easily hold a secret key, it is a security problem that the secret key is stored in the secret key management device or that the secret key is encrypted and flows on the network.

When a registered customer (including a group) is deleted, the management device not only deletes the corresponding customer, but also changes the service execution permission / prohibition information. Therefore, when the terminal device obtains the certificate from the management device, it should be the latest information. However, the certificate which permits the execution of the service already held by the utilization device is not destroyed. That is, there is a possibility that the service processing may be illegally executed.

Furthermore, when a new customer is added to the service process execution permission / prohibition information, a certificate capable of executing the service process is issued. The certificate does not have a chain of authenticators because the certificate must not be processed by other services. That is, there is no usage restriction, and even if only the user who wants to use it is desired to check it, it must be registered in the management device.

[0006] Therefore, an object of the present invention is to provide a service management system and method for appropriately providing services to authorized registered users.

[0007]

A service management system of the present invention is a service management system for managing a customer who receives a service from a service device at a terminal device in a network. Create a private key and public key, create a customer certificate for the public key using the private key, issue it to the customer, and save the created content as customer information for each customer. Means for transmitting an authentication information request corresponding to one customer of the terminal device to the management device when the terminal device requests access to the service device;
A means for transmitting to the terminal device the authentication information including the secret key encrypted with the password of one customer in response to the authentication request in the management device and the random number value, and the secret encrypted in the terminal device. The means for transmitting the decrypted data and the customer certificate of 1 to the management device by decrypting the random number value according to the key and the decrypted data and the certificate of 1 customer are authentic. Means for determining whether or not there is, and permitting access to the service device according to the result,
It is characterized by having.

A service management method according to the present invention is a service management method for managing a customer who receives a service from a service apparatus at a terminal apparatus in a network, and a private key and a public key paired for each customer in the management apparatus. Create a certificate of the customer for the public key using the private key and issue it to the customer, save the created content as customer information for each customer, and send it to the service device in the terminal device. When an access request is made, an authentication information request corresponding to one customer of the terminal device is transmitted to the management device, and in response to the authentication request at the management device, the secret key encrypted with the password of one customer according to the customer information. Authentication information and a random number value including the password are transmitted to the terminal device, and the random number value is decrypted according to the secret key encrypted in the terminal device to obtain decrypted data and the solution is obtained. The data and the certificate of the customer of 1 are transmitted to the management apparatus, it is determined whether the decrypted data and the certificate of the customer of 1 are legitimate, and the access to the service apparatus is performed according to the result. It is characterized by permitting.

[0009]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will now be described in detail with reference to the drawings. FIG. 1 shows a service management system according to the present invention. Service management system
Authentication device 10, management device 20, and service device 40
And a plurality of terminal devices 50 for users, and the devices 20, 40 and 50 except the authentication device 10 are connected to each other via a network line 70. The authentication device 10 is connected to the management device 20 and the network line 70 via a dedicated line 60 independent from each other. The connection referred to here may be any accessible connection state.

The authentication device 10 authenticates the public key of the management device 20. This authentication device 10 is not a use restriction for all services, and is not essential when there is no service for which the user is desired to be specified. The management device 20 has a function of managing permission / prohibition of services, and a function of issuing authentication information used by the service device 40 and the terminal device 50.

The service device 40 is a device that uses the authentication information issued by the management device 20 and provides a service to only a specific terminal device among all the terminal devices 50. Each of the user terminal devices 50 uses the authentication information issued by the management device 20, connects to the authentication device 20, and requests the service device to process the service.

The authentication information generated by the management device 20 has different contents for the user and for the service. The contents of the authentication information are (1) user or service name, (2) alias information list, (3) authentication device 1
0 certificate group, (4) certificate of management device 20, (5) certificate of user or service issued by management device 20, (6) private key encrypted by password of user or service ( There is a user list (only for services) of (7) lower service level, which is not necessary for IC cards.

When the card is not an IC card, the authentication information includes an encrypted private key. The private key is encrypted with the password, and when the password is entered, it is decrypted. The decrypted private key exists only in the memory, and the decrypted private key cannot be used in a file system or network. The management device 20 holds a certificate whose public key is signed by the authentication device 10 and a certificate group of the authentication device. The certificate group of the authentication device is a chain of the certificate of the authentication device that issued the certificate and the certificate of the authentication device that certified the authentication device,
At the end, the self-certificate of the authentication device ends.

Further, the management device 20 includes users, groups,
It has a function to manage services, service levels and their relationships. The user uses the activation device or the terminal device. The management device 20 manages a private key (unnecessary when using an IC card) and a public key encrypted by the password of the user.

A group is a set of users or groups. The group has information only and does not have a private key. The service is activated by the service device and provided to the user. The management device 20 manages the private key and the public key encrypted by the service password. For example, the service includes a process of managing the schedule for each project of a company.

The service level is information associated with a service, and a plurality of levels can be associated with one service. The service level is set when you want to change the meaning of connection for one service. For example, if the service is schedule management for each project of a company as described above, the main line table can be changed only by the relevant project manager, and the progress status can be changed by individual personnel. There will be a level of administrator who can change the level and a level of person who can set the progress.

The management device 20 includes (1) user management information for managing users and groups, (2) group property management information, (3) service, service management information for managing service levels, and (4) service property management information. (5) Five pieces of management information of service level property management information are stored in the internal memory to manage the service provision. FIG. 2 is an example of user management information expressing the relationship between users and groups managed by the management device 20. Its constituent elements are only users, groups and their aliases, and are managed by a tree structure. In this management information, a group can hold users and groups (including aliases) under it, but it is not possible to hold users and groups (including aliases) under users. Further, it is also impossible to hold users and groups (including aliases) under the aliases of users and groups.

In this management information, users and groups (including aliases) that are subordinate to the group are members. The arrangement of the groups will be specifically described. As shown in FIG. 2, immediately below the group A, there are a user Al, a user A2, a group B, a user X (alias), and a group C.
There are five (alias). However, Group A
The members of include not only these five, but also users and groups subordinate to the users or groups of the members. That is, there is a user Bl under the group B, and this user Bl is also a member of the group A. Further, since the group C (alias) is an alias of the group C, the users Cl and the users X (alias) who are members of the group C are also members of the group A.

Therefore, the members of group A are user A
l, user A2, group B, user Bl, two users X (alias), group C (alias), and user C.
The members of group A are users X directly under group A.
Although the (alias) and the user X (alias) directly under the group C are included, they are actually the user X and indicate the same user.

FIG. 3 exemplifies the state of the group managed by the management device 20 based on the group management information. In the example of FIG. 3, it is expressed that the administrator of group A is user X. A user or a group can be designated as the group manager. When a group is designated by the administrator, all members of the designated group have the authority of the group administrator. The group administrator has the authority to add or delete users and groups (including aliases) directly under the group.

FIG. 4 shows the relationship between services managed by the management device 20 and service levels in a tree structure. Its components are services and service levels only.
With this management information, it is possible to hold only the service level below the service, but it is impossible to hold any node below the service level.

Next, a specific example of the service management information will be described with reference to FIG. Here, it is assumed that a process for managing a schedule in a project in a company is performed. The schedule management is a set of processes that require various access controls, such as service activation, termination, management work, progress reports by project members. The method of executing such service management is service management information.

Service A in FIG. 4 is a representative name that bundles processes and corresponds to schedule management. The activation of the service level below the service A is the processing of activating the service, and corresponds to the activation of the service for schedule management. Service level A
1 and service level A2 are processing levels unique to the service, and processing such as service termination, management work, and progress report by project members is assigned to the service level A1 and service level A2. That is, as many service levels as necessary are required to change the members to access (use).

FIG. 5 is an example of service property management information showing the status of services managed by the management device 20. Figure 5
In the case of, it is expressed that the administrator of the service A in FIG. 4 belongs to the group C. A user or a group can be designated as the administrator of the service. When a group is designated for the administrator, all members of the group have the authority of the administrator of the service. The service administrator has the right to add or delete service levels directly under the service.

FIG. 6 is an example of service level property management information showing the status of service levels managed by the management device 20. In the case of FIG. 6, it is expressed that the administrator of the service level A1 of FIG. 4 is the user X shown in FIG. A user or a group can be designated as the administrator of the service level. When a group is specified for the administrator, all the members of the group have the authority of the service level administrator. The service level manager has the authority to specify users or groups or service levels in the service level user list.

Further, the service level can be designated by users, groups, and service levels that can access the service level, as in A1, C, and B1. When a group is specified, it indicates that all members of the group can access. In the case of FIG. 6, since the group C is registered, the user C1 who is a member of the group C of FIG. 2 and the user X (alias) can access.

Next, the initial start-up operation of the management device 20 that needs to be started first in the service management system will be described with reference to FIG. In step S100, a key pair (public key and private key) of the public key cryptosystem of the administrator (Admin) of the management device 20 is created. In step S110, the public key of the key pair is supplied to the authentication device 10, and the authentication device 10 is requested to create a certificate. Then, the certificate of the authentication device 10 and the certificate of the administrator created by the authentication device 10 are stored in the management device 20.

In step S120, the administrator (Admin) is registered in the management device 20 as a user. This administrator (Admin) is a user who cannot be deleted. When the administrator (Admin) is registered as a user in the management device 20, management and operation from the network line 70 becomes possible. In step S130, the port of the management device 20 is opened so that it can be accessed via the network line 70.

In the open state, the management device 2
A user registered in 0 uses the terminal device 50 to access the management device 20 via the network line 70,
The settings in the management device 20 can be freely changed within the authority. In that case, the management device 20 needs to recognize the user who is using the terminal device 50. The recognition method will be described below.

FIG. 8 shows a sequence for recognizing the user of the terminal device 50 to which the management device 20 is connected. In step S200, the terminal device 50 of the user issues an authentication information request to the management device 20. Management device 20
The name of the user who can access via the terminal device 50 is registered and stored in.

In step S210, it is checked whether the name of the user designated by the authentication information request in the management device 20 is a user registered in the management device 20, and if it is a registered user, authentication is performed. Information is transmitted from the management device 20 to the terminal device 50. Step S22
0 is executed only when the user does not have an IC card. If you do not have an IC card, step S220
Then, when the terminal device 50 receives the authentication information transmitted by the execution of step S210, since the terminal device 50 holds the secret key encrypted with the user's password in the authentication information, Decryption of the code is performed.

In step S230, the connection request is transmitted from the terminal device 50 to the management device 20. This connection request has no additional information. However, after step S230, the communication in the encrypted line such as SSL or IPsec is performed by decrypting the code in step S220. The management device 20 that has received the connection request performs step S24.
A random number value is generated with 0 and sent back to the terminal device 50.

When the terminal device 50 receives the random number value, in step S250, the random number signature data obtained by encrypting the random number value with the user's private key and the user certificate are transmitted to the management device 20. . Upon receiving the signature data and the certificate, the management apparatus 20 determines whether the user's certificate is correct in step S255, and also determines whether the random number signature data is correct. This judgment confirms that the registered legitimate user is accessing.

In step S260, the management device 20 transmits to the terminal device 50 the result of step S255 indicating whether or not the user is an authorized user. This result shows that the authorized user is permitted to access the service device 40, and the non-authorized user is denied access. When the access is continued, the management device 20 provides the service to the user through the terminal device 50. Further, since the management device 20 is aware of the context (access-permitted terminal device), the management device 20 can take out the user of the terminal device that is accessing at any time. Further, the management device 20 does not perform the service providing operation only after the authentication operation in FIG. 8 is completed.

Services of the management device 20 include addition and deletion of users. User addition and deletion services will be described with reference to the flowcharts of FIGS. 9 and 10. The operation shown in FIG. 9 is an operation of the management device 20 when a user (including an administrator) additionally registers another user from the terminal device 50 to the management device 20. In the operation of adding a user, first, the name of the user to be added in the terminal device 50, the public key of the user to be added in the case of an IC card, and the password of the user to be added in the case of not being an IC card are input. , Their input data are supplied to the management device 20.

When the management device 20 receives the input data of the terminal device 50, in step S300, the upper domain is searched from the user management information based on the name (domain notation) of the user to be added. When the upper domain (group) exists, its group property management information is read from the internal memory. In step S310, the administrator indicated by the read group property management information is retrieved. When the retrieved administrator is a user (individual), it is determined whether or not the accessing user is the administrator himself.
If the retrieved administrator is a group, it is determined whether the accessing user is any one of the members.
If the accessing user is not the administrator, the additional processing is terminated halfway through the execution of step S310.

When it is confirmed that the access is made by the administrator in step S310, the process proceeds to step 320, but in the case of the IC card type, step S320 is not executed. If it is not the IC card type, in step S310 a key pair (private key and public key) of the public encryption method of the user to be added is created. Also, the secret key of the created key pair is encrypted with the password.

At step 330, a certificate is created for the public key of the created key pair using the private key of the management device 20. Then, the additional user is added to the user management information. FIG. 10 shows an operation when a user (including an administrator) deletes another user from the terminal device 50 with respect to the management device 20. In the user deleting operation, when the name of the user to be deleted is input from the terminal device 50 and the input data is transmitted to the management device 20, the management device 20
Then, by receiving the data of the name of the user to be deleted, the operations of the following steps S400 to S450 are executed.

In step S400, the upper domain is searched from the user management information based on the name (domain notation) of the user to be deleted. When the upper domain (group) exists, its group property management information is read.
In step S410, the manager of the read group property management information is retrieved. Administrator is user (individual)
If it is, it is determined whether or not the accessing user is the administrator himself. If the accessing user is not the administrator, the deletion process is terminated halfway through the execution of step S410.

In step S420, if the user to be deleted is registered as the administrator in all the group property management information, that user is the administrator (Admi).
n). In step S430, if the user to be deleted is registered as the administrator in the service property management information, the user is registered as the administrator (Admi).
n).

In step S440, if the user to be deleted is registered as the administrator in all the service level property management information, all the users are the administrator (A
dmin). Further, if there is a user to be deleted in the user list, that user is deleted from that list. In step S450, the user to be deleted is deleted from the user management information. The deletion information is notified to the authentication information of the user, and the information of the user is deleted from the authentication information.

In the case of adding a group to the user addition shown in FIG. 9, the adding operation is started by designating the name of the group to be added to the management device 20 from the terminal device 50. The adding operation is similar to the case of adding a user, and steps S300 and S310 are executed. It is not necessary to generate a key or issue a certificate when adding a group. Therefore, after the execution of step S310, the group property management information is generated, and the user who is accessing as the administrator of the group property management information is set. Finally, the group property management information is added to the user management information.

In the case of deleting a group, the deleted user in the case of deleting the user shown in FIG. 10 is changed to the group, and in step S450, the deleting operation is performed for all members of the group. Be done. The information is also notified to the authentication information of the users who are all members of the group, and the information of all the users of that member is deleted from the alias information list of the authentication information.

Registration of an alias of a user or a group is similar to that of a group. Further, regarding the deletion of the alias of the user or the group, the user to be deleted in the case of the deletion of the user shown in FIG. 10 is changed to the group. Then, the information is notified to the authentication information of the original user of the alias, and the information is deleted from the alias information list of the authentication information.

FIG. 11 shows the operation of the management device 20 when a user (including a manager) adds a service to the management device 20 from the terminal device 50. The operation of adding a service is started by inputting the name of the service to be added and the password of the service from the terminal device 50 and supplying the input data to the management device 20. When the management device 20 receives the input data, first, in step S500.
Check whether the name of the service to be added in is used before.

If the name of the service to be added has not been used before, a key pair (private key and public key) of the public key cryptosystem for the service is generated in step S510. Also, the private key of the generated key pair is encrypted with the password. At step 520, a certificate is created for the public key of the generated key pair using the private key of the management device 20. Then, the service is added to the service management information, and the service property management information of the service is further generated.

FIG. 12 shows the operation of the management device 20 when a user (including a manager) adds a service level via the terminal device 50. The service level adding operation is started by inputting the name of the service level to be added from the terminal device 50 and supplying the input data to the management device 20. Upon receiving the input data, the management device 20 first searches the service management information for a service that is an upper domain from the service level name (domain notation) added in step S600. When the upper domain (service) exists, its service property management information is read.

In step S610, the management device 20 takes out the manager of the read service property management information. If the taken-out manager is a user (individual), the accessing user is the manager himself. Or not. When the administrator is a group, it is determined whether the accessing user is a member. If the accessing user is not the administrator or the member of the group, the process is terminated in step S610.

In step S620, the management device 20 adds the service level received as input data to the service level management information. Furthermore, the service level property management information of the service level is generated. FIG. 13 shows the operation of the management device 20 when a user (including a manager) adds a user list via the terminal device 50.
The addition of the user list is started by designating the service level name (domain notation) and the user or group and supplying the designated data to the management device 20.

Upon receiving the designated data, the management device 20 first searches for the service level property management information from the designated service level name (domain notation) in step S700. Also, it is searched whether or not the name (domain notation) of the designated user, group or service level exists in the user management information or the service level management information. If they do not exist, the process ends.

If the administrator of the service level property management information is the user (individual) in step S710, the management apparatus 20 determines whether the accessing user is the administrator himself. When the administrator is a group, it is determined whether the accessing user is included in the members. If the accessing user is not the administrator himself or a member of the group, the process ends.

In step S720, the management device 20 adds the designated user to the user list of the service level property management information. The operation of deleting the user list is almost the same as the operation of adding the user list shown in FIG. 13, except for step S720. In the delete operation,
In step 720, the management device 20 operates to delete the designated user from the user list of the service level property management information. In addition, the deleted user information is immediately notified to the authentication information, and the authentication information is updated.

The service level deleting operation is almost the same as the service level adding operation shown in FIG. 12, except for step S620. In the deleting operation, the management device 20 deletes the designated service level from the service management information in step S620. Furthermore, if the service level is included in the user list of all service property management information, the list is deleted. In addition, the deleted user information is immediately notified to the authentication information, and the authentication information is updated.

The service deleting operation is almost the same as the service deleting operation shown in FIG. 11, but step S520
Only the operation of is different. In the deleting operation, the management device 20
In step S520, all service levels under the service are deleted. Then, the service is deleted from the service management information. As described above, the user registered in the management device 20 can safely change the access authority required for the service through the network within the range of the individual authority.

Further, such a service management system can be applied only to the conventional system in which only the password is stored by the user, and can be operated even in a system in which the private key such as an IC card is not exposed to the outside, and a high security system is constructed. It is possible to Next, the network line 70
An access control operation in the case of using the service device 40 from the terminal device 50 based on the service registered from the terminal device 50 to the management device 20 via the and the access control setting of the user will be described.

FIG. 14 shows a flowchart for performing access control based on the access control information of the service set by the management device 20. In step S800, the service device 40 requests the management device 20 to acquire the authentication information using the service name of the service device as an argument. In step S810, the management device 20 retrieves the service name from the service management information and extracts the service property management information. Further, all lower service levels of the service are extracted, and the service level property management information is also extracted. The service authentication information is generated according to the information and sent back to the service device 40.

Upon receiving the service authentication information, the service device 40 prompts the user to enter the password, and decrypts the encrypted secret key of the authentication information with the entered password (step S815). In step S820, the terminal device 50 requests the management device 20 to acquire the authentication information by using the user name of the terminal user as an argument. The execution of step S820 is step S
There is no problem either before or after 810.

In response to the authentication information acquisition request, the management device 20 retrieves the user name from the user management information in step S830 and extracts the user property management information. Further, the user management information is searched for all links of the user. The authentication information of the user is generated based on the information, and the authentication information is transmitted to the terminal device 50. If the IC card is not used for the user authentication information, the terminal device 50
Prompts the user to enter a password, and decrypts the encrypted secret key of the authentication information with the password (step S8).
35).

The operation after step S840 can be performed by using encryption such as SSL or IPsec. In the case of SSL, (1) the certificate group of the authentication device 10 included in the private key and the authentication information obtained in step S815, (2) the certificate of the management device 20, and (3) the management device 20 are Enables encrypted communication by using the issued service certificate.

In step S840, the terminal device 50 transmits a connection request to the service device 40. In the connection request, the terminal device ID issued individually each time the user uses the terminal device 50 is used as an argument. Service device 50
If there is a cache of the terminal device ID of the terminal device 50, the process proceeds to step S870, and the permission of access is transmitted to the terminal device 50.

Step S850 is a case where the cache of the terminal device ID does not exist in the service device 40, and in this step S850, the service device 50 transmits a random number to the terminal device 50 as a challenge code.
In step S860, the terminal device 50 performs step S83.
A challenge response is sent with the result obtained by encrypting a random number using the private key obtained with 0 or the private key of the IC card and the user certificate issued by the management device 20 of the user authentication information as arguments. To do.

Upon receiving the challenge response, the service device 40 determines whether the information in the challenge response is correct, and the user who is accessing the user list of the lower service level included in the authentication information of the service determines It is determined whether or not it is included (step S86).
5). The service device 40 caches the data that makes a pair of the terminal device ID and the accessing user, and transmits the permission of access to the terminal device 50 (step S870).

By the access permission in step S870, the service unique to the service device 40 is executed with the terminal device 50 in step S880. It should be noted that steps S820 and S8 of access control in FIG.
By not executing step 30, it is possible to provide a service with very loose access restrictions that permits access to users who are registered only in the authentication device 10 but are not registered in the management device 20.

As described above, according to the access control operation shown in FIG. 14, by using the authentication information issued by the management device 20, the service device 40 identifies the user who is accessing from the terminal device 50. It becomes possible to do. When the registered user, group, alias, or user in the user list is deleted, the management device 20 not only deletes the corresponding user or group, but also notifies the authentication information of the deletion information. That is, even if the user illegally holds the certificate of the authentication information, the authentication information is updated in the service device 40, and thus unauthorized access is impossible.

Since the service device 40 is a service for handling secret information, the service operation cannot be started unless the user gives some information (for example, a password) via the terminal device 50. This is the service device 40
The same applies when a restart is required due to a malfunction or power down. In the case of restarting, the decrypted private key of the authentication information stored in the memory has evaporated. Therefore, at restarting, it is necessary to enter the password again to decrypt the private key from the authentication information. Next, a configuration and operation for safely and automatically returning the service device 40 at the time of restart will be described.

FIG. 15 shows a system configuration for automatically returning the service device 40. The configuration shown in FIG. 15 differs from the system configuration shown in FIG. 1 in that the restoration device 30 is included. The restoration device 30 is connected to the management device 20 and the service device 40 by individual lines independent of the network line 70. The restoration device 30 detects that the service device 40 has been restarted, and performs a process of restoring the service device 40 to an accessible state for providing a service without requiring the user of the service device 40 to re-enter the password.

In order for the service device 40 to automatically return, a return service level needs to be added to the management device 20. Return service level is a special form of service level. When adding a return service level, (1) the name of the service level, (2) the password specified when creating the service, (3) the name of the user who performs the return, and (4) the password for returning the service device are specified. It

The return service level adding operation is further added to the service level adding operation shown in FIG. That is, it is added to step S600 whether or not the name (domain notation) of the designated user exists. In step S610, the encrypted secret key is extracted from the service management information, and the secret key encrypted with the password specified when the service is created is decrypted to obtain the secret key. Further, the secret key obtained by the password for returning the service device 40 is encrypted.

An operation of adding the encrypted private key in step S610 to the service level property management information is added to step S620. The service authentication information also includes the encrypted private key. next,
The automatic return operation of the service device 40 will be described with reference to the sequence diagram of FIG.

In this automatic restoration operation, the restoration device 30 is first activated. To start it, there are four pieces of information: (1) user name (domain format), (2) service name (domain format), (3) user password, and (4) service activation password. is necessary. These pieces of information are secured in the internal memory of the management device 20. In step S900, the restoration device 30 transmits an authentication information request with the name of the user who can restore the service device 40 from the management device 20 as an argument to the management device 20.

When the management device 20 receives the authentication information request, it retrieves the user according to the user name (domain format) of the argument in step S910, generates the authentication information of the user, and returns the device 30. Send to.
Upon receiving the authentication information, the restoration device 30 specifies the user password in the authentication information to obtain the encrypted private key included in the authentication information. Then, periodic polling is executed to determine whether the service device 40 is in a normal operating state (step S915). In this polling state, the service device 40 can be restarted even if the service device 40 is stopped due to a malfunction or a temporary power failure.

As shown in FIG. 16, the service device 40 falls into the operation stop state and is restarted, and the recovery device 30 starts the operation by confirming the restart and opens the restart port, A return request is transmitted to the service device 40 using the access method for accessing the port as an argument (step S920). Upon receiving the return request, the service device 40 transmits a try request to the port of the return device 30 with a random number as an argument, based on the access method indicated in the return request in step S930. However, it is necessary to confirm that this access will not be leaked to others. Normally, line level encryption such as HTTPS will be used. This lower line level encrypted communication is continued until step S960.

When the restoration device 30 receives the try request,
In step S940, the random number indicated in the try request is encrypted with the secret key of the authentication information held by the restoration device 30, and the management device 20 included in the encryption result and the authentication information is encrypted.
The trial response is transmitted to the service device 40 by using the certificate issued by the service provider as an argument. When the service device 40 receives the try response, in step S950, it is determined whether the random number encrypted by the specified secret key is based on the sent random number and whether the certificate is correct. And do. Based on this judgment, the restoration device 30
The user of can be specified. Further, the service device 40 returns the decryption request to determine whether the user is registered as a user for return from the user list of the lower service level included in the authentication information of the service device 40. Send to device 30.

When the restoration device 30 receives the decryption request, it returns from the user list to step S950 in step S960.
The encrypted private key for return of the user specified in step S21 is taken out, and the decryption result is used as an argument with the service device 40.
Send to. When the service device 40 receives the decryption result, in step S970, the secret key indicated in the decryption result is decrypted with the password for activating the service designated when the restoration device 30 is activated, and the information having the argument as the argument is restored. Send to device 40.

By the automatic start operation, the service device 40 can acquire the secret key and can provide the service. That is, the service device 40 is equivalent to the state where step S815 of the access control flowchart shown in FIG. 14 is completed. Further, according to the automatic return operation, when the service device 40 is restarted due to the power down or the like, the service device 40 can be accessed for providing the service without requiring the user to re-enter the password. It is possible to return to.

[0076]

As described above, according to the present invention, proper services can be provided to authorized registered users.

[Brief description of drawings]

FIG. 1 is a system configuration diagram showing an embodiment of the present invention.

FIG. 2 is a diagram showing a configuration of user management information.

FIG. 3 is a diagram showing a structure of group property management information.

FIG. 4 is a diagram showing a structure of service management information.

FIG. 5 is a diagram showing a structure of service property management information.

FIG. 6 is a diagram showing a structure of service level property management information.

FIG. 7 is a flowchart showing an initial activation operation of the management device.

FIG. 8 is a diagram showing an operation sequence for the management device to recognize the user of the terminal device.

FIG. 9 is a flowchart showing a user addition operation.

FIG. 10 is a flowchart showing a user deletion operation.

FIG. 11 is a flowchart showing a service addition operation.

FIG. 12 is a flowchart showing a service level addition operation.

FIG. 13 is a flowchart showing a user list addition operation.

FIG. 14 is a diagram showing an access control operation sequence.

FIG. 15 is a system configuration diagram showing an embodiment of the present invention.

FIG. 16 is a diagram showing a return operation sequence.

[Explanation of symbols for main parts]

10 Authentication device 20 Management device 30 Return device 40 service equipment 50 terminal equipment

─────────────────────────────────────────────────── ─── Continued Front Page (51) Int.Cl. ⁷ Identification Code FI Theme Coat (Reference) G06F 17/60 512 H04L 9/00 675Z H04L 9/08 601B 673A

Claims (7)

[Claims] 1. A service management system for managing a customer who receives a service from a service device at a terminal device in a network, wherein a secret key and a public key paired for each customer are created in the management device. Issuing / storing means for creating a customer certificate for the public key by using the private key, issuing it to the customer, and saving the created contents as customer information for each customer, to the service device in the terminal device. Means for transmitting an authentication information request corresponding to one customer of the terminal device to the management device at the time of access request, and the one customer according to the customer information in response to the authentication request in the management device. Means for transmitting to the terminal device authentication information including a secret key encrypted with the password and a random number value; Means for decrypting a random number value in accordance with the generated secret key to obtain decryption data and transmitting the decryption data and the certificate of the first customer to the management device; the decryption data and the certificate of the first customer And a means for determining whether or not is authorized and permitting access to the service device according to the result, and a service management system. 2. The issuing / storing means determines, when a customer who uses the terminal device requests a change in the customer information, that the customer is a predetermined manager, and then from the terminal device. The service management system according to claim 1, wherein the customer information is changed according to a command. 3. A service management method for managing a customer who receives a service from a service device at a terminal device in a network, wherein a secret key and a public key paired for each customer are created in the management device. When a customer certificate for the public key is created using the private key and issued to the customer, the created contents are saved as customer information for each customer, and when the terminal device requests access to the service device. An authentication information request corresponding to one customer of the terminal device is transmitted to the management device, and the management device responds to the authentication request and is encrypted with the password of the one customer according to the customer information. The authentication information including the secret key and the random number value are transmitted to the terminal device, and the random number value is decrypted in the terminal device according to the encrypted secret key. After obtaining the decrypted data and transmitting the decrypted data and the certificate of the first customer to the management device, it is determined whether or not the decrypted data and the certificate of the first customer are legitimate. A service management method characterized by permitting access to a service device according to a result. 4. A service management system for managing a customer who receives a service from a service device at a terminal device in a network and a service content for each customer, wherein the management device has a private key and a public key for the service device. Issuing and storing means for creating and holding in advance, means for transmitting an authentication information request including a password in the service device to the management device, and the management device for responding to the authentication request from the service device. First authentication information transmitting means for transmitting authentication information including a secret key encrypted with the password to the service apparatus, and first decryption means for decrypting the encrypted secret key in the service apparatus with its own password And showing the name and password of one customer on the terminal device Means for transmitting a certification information request to the management device; and, in the management device, in response to the authentication request from the terminal device, authentication information including a secret key encrypted with the password of the one customer. Second authentication information transmitting means for transmitting to the terminal device, second decrypting means for decrypting the encrypted secret key from the second authentication information transmitting means in the terminal device with its own password, the first and second A service management system, comprising means for enabling communication between the terminal device and the service device using at least the private key decrypted by the second decryption means. 5. The communication means uses, in addition to the decrypted private key, a certificate group of an authentication device, a certificate of the management device, and a service certificate for communication. The described service management system. 6. Detecting means for detecting restart of the service device; means for transmitting a return request to the service device when the detecting means detects restart of the service device; Means for transmitting a random number in response to a return request; means for encrypting the random number with a secret key and transmitting it to the service device together with a certificate; and the random number encrypted with a secret key in the service device. 5. The service management system according to claim 4, further comprising: a means for obtaining the encrypted private key decrypted by the first decryption means based on the certificate. 7. A service management method for managing a customer who receives a service from a service device at a terminal device in a network, and a service content for each customer, wherein the management device has a private key and a public key for the service device. Is created and stored in advance, the service device transmits an authentication information request including a password to the management device, and the management device responds to the authentication request from the service device and is encrypted with the password. Authentication information including the secret key that is transmitted to the service device, the service device decrypts the encrypted secret key with its own password, and the terminal device requests authentication information indicating the name and password of one customer. To the management device, the management device In response to the authentication request from the end device, the authentication information including the secret key encrypted with the password of the first customer is transmitted to the terminal device, and the terminal device transmits the authentication information from the second authentication information transmitting unit. A service management method characterized by decrypting an encrypted private key with its own password, and enabling communication between the terminal device and the service device using at least each of the decrypted private keys.